Loading…
Loading…
Scorifya Controls · Setup guide
Eight steps, from finding this page to a live deployment. This page is the whole path — every command, every credential, in order. Nothing here requires a sales call.
Purchase, license key, install, creating the AWS and GitHub credentials, first check run, and going live on a server — the complete setup, nothing skipped, in about three minutes.
Have these ready and the setup is one uninterrupted pass:
Where should it run — laptop or server?
Both, in that order. Your laptop is perfect for today's evaluation — every step below works at localhost:3000. Before your audit observation window starts, move it to any always-on server (a $5/month VPS is plenty) with a hostname like controls.yourcompany.com: scheduled checks need a machine that's awake to run daily, and the read-only link you'll send your auditor has to be reachable from their browser. The compose file is identical in both places, and your data moves with the Docker volume.
Go to scorifya.com/controls and choose a tier. Every tier includes all five frameworks (SOC 2, PCI DSS, ISO 27001, HIPAA, CMMC L1); the tiers differ in which cloud providers are checked and how many domains you can register. One thing to get right here: Starter covers AWS and GitHub checks only — if your infrastructure runs on GCP or Azure, pick Pro or Team, which cover all four clouds. Checkout is a standard card form.
Not ready to buy? The live demo is the full product with fictional data. No email, no signup.
When checkout completes you land on a confirmation page showing your license key (format SC-…). The same key is emailed to you, and the email links back to the confirmation page.
On that page, click Download docker-compose.yml (pre-filled). Your license key and a freshly generated session secret are already inside — there is nothing to edit for a localhost trial.
# Setting up by hand instead? Download the template and fill in:
curl -O https://www.scorifya.com/docker-compose.yml
# SESSION_SECRET — generate one:
openssl rand -base64 32
# LICENSE_KEY — from your email or the confirmation page
Lost the key? Recover it any time at /controls/license-recovery using your purchase email.
In the folder where the compose file landed:
docker compose up -d
The container starts in about 30 seconds. On first boot the database is seeded with all automated checks and manual controls — no migrations to run, nothing else to install. It runs on your infrastructure; your credentials and evidence stay local.
Requirements: Docker 24+ with Compose V2. The image is published to ghcr.io/scorifya/controls:latest; pin a semver tag for production.
Open http://localhost:3000 (or your configured domain). You'll see a single setup screen: organization name, admin email, and a password. That's the whole account setup.
If you used the pre-filled compose file, your license is already active. If you set things up by hand, paste your key under Settings → License and click Save & validate.
This is the one step that happens outside Controls, in your providers' consoles. Connect whichever providers you actually use — any one is enough to start, and the others can be added any time. AWS and GitHub are shown first because they're the most common stack; GCP and Azure are first-class on Pro and Team. Controls only ever reads — no write permissions are requested or used anywhere.
AWS: create the IAM user and access key
AWS Console → IAM → Users → Create user (name it something like controls-audit) → attach the AWS-managed SecurityAudit policy (read-only) → open the user's Security credentials tab → Create access key. Copy the Access Key ID and Secret Access Key.
GitHub: create the token
GitHub → Settings → Developer settings → Personal access tokens → Generate new token (classic) with repo, read:org, admin:org, and security_events scopes. Copy the ghp_… token.
GCP and Azure (Pro and Team tiers)
On GCP: create a service account with the Security Reviewer role and download its JSON key. On Azure: an app registration with Reader + Security Reader on the subscription (Tenant ID, Client ID, Client Secret, Subscription ID). If these are your clouds, they're your step 5 — AWS and GitHub aren't prerequisites. Whatever you leave unconfigured shows as error, not fail, so it never drags your score down.
Back in Controls, go to Integrations. For AWS enter the Access Key ID, Secret Access Key, and your primary region; for GitHub the token and your organization slug. Click Test connection on each — a green check means the credentials work and the scopes are right — then Save.
Click Run Checks on the dashboard. A full run takes 30–90 seconds depending on the size of your cloud accounts. When it finishes you get a posture score, pass/fail counts, and — for every failing check — inline remediation instructions.
Start with the criticals (MFA, CloudTrail, GuardDuty, public S3 access): they're the items auditors look at first.
Your laptop was fine for the evaluation. For the real observation window, Controls needs a machine that's always awake — so scheduled checks run daily and the link you'll send your auditor is reachable. Any $5/month VPS or small cloud instance works.
# On the server: copy over your docker-compose.yml and data volume, then
docker compose up -d
# Point a hostname (e.g. controls.yourcompany.com) at the server and set it
# as NEXT_PUBLIC_BASE_URL in the compose file.
Your license binds to the domain automatically the first time it validates there. Moved domains later? Rebind any time at /controls/change-domain. The data lives in the Docker volume, so it moves when the volume moves.
The eight steps above get you to continuous automated checking. These four follow-ups turn it into an audit-ready evidence trail:
Schedule recurring runs
Point a cron job at the check-run endpoint for continuous monitoring, with optional Slack digests. The full schedule is in the in-app docs.
Fix the criticals first
MFA, CloudTrail, GuardDuty, and public S3 access are the items auditors look at first — each failing check ships its own remediation steps.
Automated checks are half the audit. The other half is the 49 manual controls — training, access reviews, policies — each attested with evidence files and stamped with an RFC 3161 cryptographic timestamp the moment you save. This walkthrough shows the whole loop:
Settings → Audit Access generates a revocable, expiring, read-only portal — no login for your CPA firm. Send them this video along with the link; it walks them through what they're seeing and how to verify the timestamps themselves with two OpenSSL commands:
The full evidence-integrity model is documented at /controls/trust.
The help page covers the common questions, license recovery re-sends your key, and contact reaches a human. Ready to start? Pick a tier →