Your Compliance Policy Ends Where the `TEXT` Field Begins.

Your data policies are perfect. Your database schemas are approved. And none of it matters the moment a well-intentioned user pastes an unredacted document into a generic `Notes` field. This is the gap between intention and reality, and it's where your real risk lives. Annual audits are just photographs of a crime scene months after it happened; Vatra is the live security feed.

Vatra answers your critical questions:

  • How can we be sure that no PII exists in our analytics tables, right now?
  • How can we detect when users start storing sensitive data in the wrong fields, bypassing our application logic?
  • How do we shrink the discovery window for a data spill from months to minutes?

Key Business Values:

Achieve Continuous Compliance
Transforms data governance from a periodic, manual audit into an automated, continuous process that provides constant assurance that your data handling policies are being met in your live environment.
Drastically Reduce Time-to-Detection
Instead of discovering a data spillage in a quarterly audit, Vatra can detect violations on a continuous basis, massively reducing your window of risk and the potential blast radius of an incident.
Find Real Violations in Real Data
Vatra doesn't just check schemas; it performs a "hard look" at your actual production data. This allows it to find not just design flaws, but also user-driven violations where sensitive information is being stored in unexpected places.
Create a Living, Auditable Exception Record
The `vatra.exceptions.json` file acts as a version-controlled, auditable record of all accepted risks. When auditors ask a question, the answer is a `git log` away—complete, timestamped, and auditable.

That `varchar(max)` Field Is Not Your Friend.

You built the database correctly. You can't control what users, or a buggy microservice, will dump into it. Every generic text field is a potential data quality time bomb. Vatra is your automated lookout, giving you visibility into the reality of your data, not just its structure.

The "Policy-as-Code" Workflow:

Codify and Manage Your Data Policies
Define your data governance rules as code. A library of regex `patterns` (including a rich set of built-in rules for PII/PHI) is grouped into logical `policies`, which are then applied to specific database tables in your version-controlled `audit.json` file.
Detect Unintended Sensitive Data Exposure
Vatra connects directly to your database and scans the actual data. If it finds an email address in a `Notes` field where it doesn't belong, it flags a violation and can fail the build, preventing further deployments until the data is remediated.
Triage Violations and Track Remediation
Launch the Vatra UI to see all active violations from the latest scan. From the Triage Center, you can add a temporary or permanent exception, or create a work item in JIRA and automatically add a "tracked" exception that is retired when the fix is merged.
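The scan-and-gate loop described in this workflow, as an added sketch that is not Vatra's code: the `PATTERNS`, `POLICIES`, `AUDIT` and `EXCEPTIONS` structures are hypothetical and do not reproduce the `audit.json` or `vatra.exceptions.json` formats, and an in-memory SQLite table with constructed rows stands in for the production database.

```python
import re
import sqlite3

# Hypothetical structures for illustration; not Vatra's audit.json schema.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}
POLICIES = {"no_pii": ["email", "us_ssn"]}
AUDIT = {"tickets": {"columns": ["notes"], "policies": ["no_pii"]}}
# Accepted risks, keyed by (table, column, rowid, pattern).
EXCEPTIONS = {("tickets", "notes", 3, "email")}

def scan(conn, audit=AUDIT, exceptions=EXCEPTIONS):
    """Return sorted (table, column, rowid, pattern) hits; never the matched text."""
    violations = []
    for table, spec in audit.items():
        names = [p for pol in spec["policies"] for p in POLICIES[pol]]
        for column in spec["columns"]:
            # Identifiers come from version-controlled config, not user input.
            query = f'SELECT rowid, "{column}" FROM "{table}" WHERE "{column}" IS NOT NULL'
            for rowid, text in conn.execute(query):
                for name in names:
                    hit = (table, column, rowid, name)
                    if PATTERNS[name].search(str(text)) and hit not in exceptions:
                        violations.append(hit)
    return sorted(violations)

def exit_code(violations):
    """CI gate: a non-zero code fails the build."""
    return 1 if violations else 0

def sample_db():
    """Build a constructed sample table with free-text notes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tickets (id INTEGER PRIMARY KEY, notes TEXT)")
    conn.executemany("INSERT INTO tickets (id, notes) VALUES (?, ?)", [
        (1, "Customer called about a late delivery."),
        (2, "Reach her at jane.doe@example.com, SSN 000-12-3456."),
        (3, "Escalated to support@example.com (shared mailbox)."),
        (4, None),
    ])
    return conn

if __name__ == "__main__":
    found = scan(sample_db())
    for table, column, rowid, name in found:
        print(f"VIOLATION {table}.{column} rowid={rowid} pattern={name}")
    raise SystemExit(exit_code(found))
```

The report carries only the location and pattern name of each hit, so the scan output does not itself become a second copy of the sensitive data.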

The Security Tool That Actually Respects Your Perimeter.

Connecting a tool to your production database is the highest level of trust you can grant. Vatra was engineered for this reality, built on our "Anti-SaaS" philosophy of Zero Trust and Zero External Dependencies. It enhances your security without expanding your attack surface.

Execution Modes:

  • execute: The primary CI mode. It reads the configuration files from the local repository, scans the live database, generates a report artifact, and returns a pass/fail exit code.
  • interactive: Starts a local web server that provides an interactive UI for building configuration files, managing policies, and triaging violations.
  • serve-docs: Starts a lightweight server to display embedded tool documentation for offline and air-gapped environments.

Secure and Resilient by Design

Vatra is a stateless, ephemeral container that runs as a single step in your existing pipeline. It does its job and disappears, minimizing attack surface. It provides a critical data security gate without requiring you to punch holes in your firewall or grant a third-party SaaS vendor access to your production data.

Licensing & Degraded Mode

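If a license cannot be acquired, the tool runs in a Degraded Mode. It logs a warning message and exits with a success code (0), skipping all database scanning and reporting operations. This ensures that a licensing issue does not block your pipeline. Because the exit code is still 0, a passing pipeline step in this mode does not indicate that the data was scanned; the logged warning is what distinguishes it from a clean scan.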
