Your compliance data.
On your infrastructure.
Karko is a self-hosted GRC platform that automates evidence collection across your systems. No cloud dependency, no data leaving your network, no vendor lock-in.
Self-hosted by design
Karko runs entirely on your own servers. The server, the database, and all collected evidence stay inside your network. There is no SaaS backend, no telemetry, and no call-home necessary for air-gapped deployments.
This makes Karko well suited for regulated industries, air-gapped environments, and any organization that treats infrastructure access as a hard boundary.
- Deploy with Docker Compose in minutes
- Full air-gap support. No outbound network access required
- PostgreSQL stores all evidence on your hardware
- License validation happens locally, no license server
- Open-source core under AGPL v3
Deployment topology
All components run inside your network. Nothing phones home.
Flexible evidence collection
Karko supports two ways to get evidence in. Deploy the lightweight agent binary on your systems for fully automated, scheduled collection. Or skip the agent entirely and push evidence from your own scripts or tools via the REST API.
Both paths feed into the same evaluation pipeline. You can mix them across controls and systems as needed.
Scheduled collection
Define a frequency per control. The scheduler creates tasks automatically, the agent picks them up on its next poll.
Offline buffering
If the server is unreachable, the agent writes evidence to a local disk buffer and retries when connectivity is restored.
Evidence integrity
Every piece of evidence is stored with a SHA256 checksum. Tampering or corruption is detectable at any point in the audit trail.
OS and service collectors
Built-in collectors for OS info, open ports, disk usage, TLS configuration, HTTP health checks, and arbitrary shell commands.
Cross-platform
The agent runs on Linux and Windows. Collector availability adapts to the host platform automatically.
Token-based auth
Each installation gets a 64-character token shown once at creation. Tokens are stored as SHA256 hashes, never in plaintext.
Bring your own collector
Not a fan of running an agent? Push evidence from any script, CI job, or internal tool directly to the API. No agent required.
How a collection cycle works
- 1Scheduler creates a pending task for each due control assignment (1-minute tick)
- 2Agent polls GET /api/v1/tasks/next at its configured interval (default 5 min)
- 3Agent runs the assigned collector and captures structured or unstructured output
- 4Agent posts evidence with SHA256 checksum to POST /api/v1/evidence
- 5Server stores evidence and triggers the evaluator (rule, LLM, or manual)
- 6ControlResult is created with a verdict: pass, fail, or inconclusive
Three ways to evaluate evidence
Not all compliance checks are the same. Karko supports automated rule evaluation for structured data, manual review for judgment calls, and optional LLM-assisted analysis for unstructured output.
Automated rules
Define JSON-path rules against collected data. Operators include equals, contains, greater than, list membership, length checks, and more. All rules must pass for a control to be marked compliant.
field: "tls.protocols"
operator: contains_item
value: "TLSv1.3"
Manual review
For controls that require human judgment, a reviewer reads the collected evidence and submits a verdict with notes. The audit trail records who reviewed what and when.
LLM-assisted (optional)
Connect a local LLM to analyze unstructured evidence. The server sends the evidence and control description to your LLM endpoint and records the verdict. Your data never reaches an external AI service.
Local LLM. Your terms.
Some evidence is hard to evaluate with simple rules: free-text log output, policy documents, configuration descriptions. Karko can optionally use a language model to analyze this kind of evidence and produce a structured verdict.
The LLM integration is entirely optional and disabled by default. When enabled, it points to an endpoint you control, such as Ollama running on your own hardware. No evidence is ever sent to an external API.
Any OpenAI-compatible endpoint works: Ollama, vLLM, LM Studio, or a private deployment of any open-weight model.
- Disabled by default. Opt-in per control
- Compatible with Ollama, vLLM, and any OpenAI-compatible API
- Evidence stays on your network
- Verdicts recorded with "determined by: llm" for full traceability
config.yaml
llm: enabled: true base_url: "http://localhost:11434/v1" model: "llama3.2" api_key: "ollama" timeout: 60s
Point to any OpenAI-compatible endpoint. Ollama runs on the same host or anywhere in your network.
Compliance frameworks
Karko ships with support for common regulatory frameworks and lets you define your own. The data model maps cleanly to how auditors think: frameworks contain policies, policies contain controls, controls are assigned to systems.
NIS2
EU Network and Information Security Directive. Required for operators of essential and important entities.
ISO 27001
International standard for information security management systems.
DORA
EU Digital Operational Resilience Act for financial sector ICT risk management.
Custom
Define your own framework, policies, and controls to match internal security requirements or other standards.
Data hierarchy
Role-based access control
Four built-in roles cover the typical compliance team. Enterprise plans add SSO via OIDC so you can manage access through your existing identity provider.
Admin
Full access. Manages users, frameworks, systems, and configuration.
Compliance Manager
Creates and manages frameworks, policies, controls, and system assignments.
Reviewer
Reviews evidence and submits manual verdicts. Read access to frameworks and systems.
Stakeholder
Read-only access to compliance status and reports. Suitable for auditors and leadership.
SSO via OIDC available on Enterprise. See pricing.
Ready to take control of your compliance data?
Starter tier is free forever, up to 3 systems. No credit card required.