Platform Overview
The Trusera platform is a SaaS application that extends the open-source AI-BOM scanner with team collaboration, compliance automation, policy enforcement, and continuous monitoring.
Architecture
The platform consists of three main components:
```
+-------------------+
| Next.js Frontend  |
|     (Web App)     |
+---------+---------+
          |
          | HTTPS
          |
+---------v---------+
|   Go Fiber API    |
| (REST + WebSocket)|
+----+-----+-----+--+
     |     |     |
     |     |     +-----------+
     |     +---------+       |
     v               v       v
+-----------+    +-------+ +------------+
| PostgreSQL|    | Redis | |   Python   |
| (pgxpool) |    | Cache | |  Scanner   |
+-----------+    +-------+ +------------+
```
Go API
- Built with Fiber v2 (Express-inspired Go web framework)
- PostgreSQL via `pgxpool` connection pool
- Redis for session caching and rate limiting
- WebSocket support for real-time scan progress
- Structured logging with `slog`
Next.js Frontend
- React-based dashboard
- Real-time scan progress via WebSocket
- Interactive compliance reports
- Dependency graph visualization
Python Scanner Service
- Runs the AI-BOM scanner engine
- Receives scan requests from the API
- Returns structured scan results
Authentication
The platform supports two authentication methods:
JWT authentication
Standard email/password authentication with JWT tokens:
- Login returns an access token and refresh token
- Access tokens expire after a configurable period
- Refresh tokens allow obtaining new access tokens
- Tokens are validated on every protected API request
API key authentication
For programmatic access and CI/CD integration:
- API keys use the `tsk_` prefix for identification
- Keys are SHA-256 hashed before storage
- Keys can be scoped to specific operations
- Create, list, revoke, and delete keys via the API
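As an added example, not the platform's own code: issuing a `tsk_`-prefixed key, persisting only its SHA-256 digest, and verifying a presented key against that digest. The key layout after the prefix, the function names, and the digest encoding are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// keyPrefix comes from the page; the 32 random bytes after it are an assumed layout.
const keyPrefix = "tsk_"

// HashAPIKey is the one-way transform applied before storage and on every lookup.
// Unsalted SHA-256 is acceptable here only because the key carries 256 bits of
// randomness; a user-chosen secret would need a salted, slow password hash instead.
func HashAPIKey(key string) string {
	sum := sha256.Sum256([]byte(key))
	return hex.EncodeToString(sum[:])
}

// NewAPIKey returns the plaintext key (shown to the user exactly once) and the
// digest, which is the only value that should reach the database.
func NewAPIKey() (plaintext, digest string, err error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", "", err
	}
	plaintext = keyPrefix + hex.EncodeToString(raw)
	return plaintext, HashAPIKey(plaintext), nil
}

// VerifyAPIKey rehashes the presented key and compares digests in constant time.
// The prefix check rejects malformed input before any lookup work is done.
func VerifyAPIKey(presented, storedDigest string) bool {
	if !strings.HasPrefix(presented, keyPrefix) {
		return false
	}
	got := HashAPIKey(presented)
	return subtle.ConstantTimeCompare([]byte(got), []byte(storedDigest)) == 1
}

func main() {
	key, digest, err := NewAPIKey()
	if err != nil {
		panic(err)
	}
	fmt.Println("issue once:", key)
	fmt.Println("store only:", digest)
	fmt.Println("valid:", VerifyAPIKey(key, digest), "tampered:", VerifyAPIKey(key+"x", digest))
}
```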
SSO / OIDC
Enterprise single sign-on via OpenID Connect:
- Configurable per organization
- Client secrets encrypted with AES-256-GCM in the database
- CSRF state stored in cookies
- Supports Google, Okta, Auth0, and any OIDC-compliant provider
Role-Based Access Control (RBAC)
Four permission levels control access to platform features:
| Role | Level | Capabilities |
|---|---|---|
| Admin | 4 | Full access - user management, SSO config, webhooks, audit log, policy deletion |
| Editor | 3 | Create/update scans, compliance rules, policies, schedules, connectors |
| Analyst | 2 | Create scans, evaluate policies, acknowledge/resolve alerts, test connectors |
| Viewer | 1 | Read-only access to scans, compliance results, dashboards |
Key features
Scan management
- Create scans from the UI or API
- View scan history with component counts and severity breakdowns
- Compare two scans side-by-side (diff view)
- Export scans in CycloneDX, SARIF, SPDX, HTML, CSV formats
Compliance automation
- Evaluate scans against compliance frameworks (OWASP LLM Top 10, EU AI Act, OWASP Agentic Security Top 10)
- Create custom compliance rules (v2)
- Track compliance posture over time
Policy enforcement
- Define policies with severity thresholds and blocklists
- Evaluate scans against policies
- Track policy violations across scans
Scheduled scans
- Configure recurring scans on a schedule
- Automated scanning of connected repositories
Alerts and webhooks
- Define alert rules based on scan results
- Receive webhook notifications for scan events
- Webhook delivery tracking with retry logic
Audit logging
- All API actions logged with user, timestamp, and details
- Admin-only access to audit log
- Configurable retention and cleanup
Connectors
- n8n credential management for scanning n8n instances
- Test connectivity before saving
Deployment
The platform runs as a Docker Compose stack:
docker-compose up -d
Services:
- `api` - Go API server
- `web` - Next.js frontend
- `scanner` - Python scanner service
- `postgres` - PostgreSQL database
- `redis` - Redis cache
Next steps
- API Reference - Complete endpoint documentation
- Compliance Frameworks - Supported frameworks and custom rules