CloudGuard
A multi-tenant SaaS control plane for security scanning, with live billing.
CloudGuard is a multi-tenant SaaS control plane for security scanning. It doesn't run scans itself — it orchestrates them: tenants sign in with Google SSO, manage members and roles, and pay via Razorpay, while the platform dispatches scans to external scanner services over HMAC-signed HTTP and ingests signed result callbacks. Tenant credentials live in HashiCorp Vault (the database stores only metadata and a vault path), results are normalized into findings, and the dashboard surfaces scan history, findings, billing and audit logs with realtime updates over WebSocket. Built as a pnpm monorepo — a NestJS + Prisma + Redis/BullMQ backend and a Vite + React + shadcn/ui dashboard sharing a typed wire-contract — and deployed on DigitalOcean.
Highlights
- Orchestration model — dispatches scans to external scanner services over HMAC-signed HTTP and ingests signed result callbacks; the control plane never runs scans itself.
- Multi-tenancy with Google SSO, roles/permissions, and plan-based gating of which scanners each tenant can use.
- Live Razorpay billing with subscription plans.
- HashiCorp Vault for tenant credentials (DB stores only metadata + a vault path), plus findings normalization, audit logs and realtime dashboard updates over WebSocket.
- Flow-diagram-first monorepo where every backend module maps to a frontend feature, sharing a typed wire contract (DTOs, enums, events).
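The signed result callbacks mentioned above can be checked along these lines. This is an added example, not code from the CloudGuard repository. The signing layout (HMAC-SHA256 over `timestamp.rawBody`, hex-encoded), the 300-second freshness window and all function and field names are assumptions made for illustration.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Assumed scheme (not taken from CloudGuard): the scanner sends
// signature = hex(HMAC-SHA256(secret, `${timestamp}.${rawBody}`)).
const MAX_SKEW_SECONDS = 300; // assumed freshness window

type Verdict = "ok" | "stale" | "bad_signature";

function signCallback(secret: string, timestamp: number, rawBody: string): string {
  return createHmac("sha256", secret).update(`${timestamp}.${rawBody}`).digest("hex");
}

// Verify against the raw request body, before JSON parsing, so the MAC
// covers exactly the bytes the scanner sent.
function verifyCallback(
  secret: string,
  timestamp: number,
  rawBody: string,
  signatureHex: string,
  nowSeconds: number,
): Verdict {
  // Reject old or future-dated callbacks to bound the replay window.
  if (!Number.isFinite(timestamp) || Math.abs(nowSeconds - timestamp) > MAX_SKEW_SECONDS) {
    return "stale";
  }
  const expected = Buffer.from(signCallback(secret, timestamp, rawBody), "hex");
  const received = Buffer.from(signatureHex, "hex");
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (received.length !== expected.length || !timingSafeEqual(received, expected)) {
    return "bad_signature";
  }
  return "ok";
}

// Constructed sample callback (not real scanner output).
const SECRET = "example-shared-secret";
const TS = 1700000000;
const BODY = JSON.stringify({ scanId: "scan_123", tenantId: "tenant_a", status: "completed" });
const SIG = signCallback(SECRET, TS, BODY);

console.log(verifyCallback(SECRET, TS, BODY, SIG, TS + 10));
console.log(verifyCallback(SECRET, TS, BODY.replace("tenant_a", "tenant_b"), SIG, TS + 10));
```

A callback replayed inside the freshness window still verifies; deduplicating on a per-callback identifier closes that gap.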