Skip to content

Configuration Overview

All operational settings in Mitch‑Risk are managed through the in-app Settings page. There are no YAML config files, no environment variables to tweak after deployment, and no manual database edits required. Every option is configurable via the UI by users with the Settings: manage permission.

The Settings page is organised into 15 tabs. Nine are configuration forms, three are management screens (Users, Roles, API), one is a webhook endpoint manager, one is a read-only audit log, and one is a system health dashboard.


General

Configure your organisation's identity.

SettingDescription
Organisation nameDisplayed in the sidebar, login screen, email signatures, PDF reports, and browser tab titles
Support emailShown in email footers and the footer of every page for user-facing support contact

Appearance

Customise the platform's visual identity to match your brand.

SettingDescription
Primary colourUsed for buttons, links, active navigation, and focus rings
Secondary colourUsed for hover states, accents, and secondary UI elements
LogoUpload a custom logo (PNG, SVG, or JPEG). Displayed in the sidebar and on the login screen
RAG greenColour for green (compliant) scores and indicators
RAG amberColour for amber (needs attention) scores and indicators
RAG redColour for red (non-compliant) scores and indicators
RAG unscoredColour for unscored assessments
Border radiusControls the roundness of cards, buttons, and inputs (0–16px)
Page widthConstrained (centred, max-width) or Full (stretches to browser width)

See Appearance for full details.


Email

Configure SMTP delivery and customise all email templates.

SectionDescription
SMTP serverHost, port, username, password, and sender details (from name and address)
Email templates8 template types with customisable subject lines and body content. Body written in Markdown with a WYSIWYG editor — converted to styled HTML when sent. Supports

See Email Configuration for template token reference and SMTP setup.


Email Tracking

A read-only log of every email sent by the platform. Filter by status (SENT/FAILED), type (invite/reminder/escalation/etc.), recipient, or date range. Click Clear to reset all active filters. Failed sends can be retried. Requires Settings: manage permission.


Scoring

Configure how vendor responses are scored and how findings are generated.

SettingDescription
Risk weightsPoint values for CRITICAL, HIGH, MEDIUM, and LOW question weights
RAG thresholdsScore boundaries for amber (below green threshold) and green (at or above)
Exclude N/AWhen enabled, "Not Applicable" answers are excluded from score calculations

See Scoring Configuration for examples and formula details.


Scheduling

Configure assessment deadlines, reminders, and escalation behaviour.

SettingDefaultDescription
Default due in days21Default deadline for new assessments (can be overridden per assessment)
Reminder offsets7, 1Days before the due date to send automatic reminder emails. Add multiple values (e.g. 7, 3, 1)
Escalation after days3Days past the due date before an escalation email is sent to the support address

Limits

Configure rate limits, session behaviour, file restrictions, and data retention.

SettingDefaultDescription
Login rate limit10/minMaximum login attempts per IP per minute
Session timeout30 minInactivity timer before auto-sign-out (0 = disabled). Enforced via client-side countdown + server-side JWT expiry
Portal page loads30/minMaximum portal questionnaire page loads per IP per minute
Portal uploads10/minMaximum file uploads per IP per minute on the portal
Portal submissions5/minMaximum questionnaire submissions per IP per minute
Password attempts5/minMaximum portal password attempts per token per minute
Password resets1/minMaximum password reset requests per IP per minute
Break-glass attempts10/minMaximum break-glass login attempts per IP per minute
Audit retention days0Days to retain audit log entries (0 = never prune)
Email log retention14Days to retain email notification logs
Max upload size20 MBMaximum allowed file upload size
Allowed extensionspdf, png, jpg, jpeg, docx, xlsxFile extensions permitted for upload

Storage

Configure where evidence files and attachments are stored.

SettingDescription
ProviderLocal disk (default), AWS S3, or Azure Blob Storage
S3 settingsBucket name, region, access key ID, and secret access key
Azure settingsConnection string and container name

See Cloud Storage for detailed setup instructions per provider.


SSO

Configure Single Sign-On for internal staff via Microsoft Entra ID, Google Workspace, or any generic OIDC provider.

SettingDescription
Provider togglesEnable/disable each provider independently
Client credentialsClient ID and secret for each provider (secrets encrypted at rest)
Auto-provision roleRole assigned to users created on first SSO sign-in
Allowed domainRestrict SSO to a specific email domain (e.g. @company.com)
Disable local authHide the email/password login form when SSO is available
Break-glass URLGenerate a 24-hour, single-use emergency login URL

See SSO Configuration for per-provider setup guides.


Users

Manage staff accounts. Create users with email, password (minimum 12 characters), and role assignment. Disable, enable, change roles, reset passwords, and delete users. Before deleting, a summary of affected relations (vendors, assessments, findings, API keys) is shown. Requires Users: manage permission.


Roles

Manage custom roles. Three system roles are built in. Create custom roles with any combination of the 23 fine-grained resource:action permissions. Roles can be duplicated, edited, and deleted. Requires Roles: manage permission.

See RBAC & Roles for the permission catalog and default role definitions.


API

Manage API keys for programmatic access.

FeatureDescription
Enable APIGlobal toggle to enable or disable all API access
Create keyGenerate API keys with optional expiry (30/90/180/365 days or permanent)
IP allowlistingRestrict keys to specific IPv4/IPv6 addresses or CIDR ranges
Permission scopingRestrict keys to specific permission groups (e.g., read-only audit key) or grant full access
RevokeInstantly disable a key without deleting it
AuditAll key lifecycle events (create, revoke, enable, delete) are logged

API authentication supports Bearer tokens and session cookies. Full interactive documentation is available at /docs.


Audit

A read-only, paginated log of all administrative actions. Filter by action type, user, or date range. Click Clear to reset all active filters. Export to CSV (all results or current page). 47 distinct action types are tracked including logins, user management, vendor CRUD, assessment lifecycle, template operations, and settings changes. Requires Audit: view permission.


Webhooks

Configure outbound HTTP callbacks that fire when key events occur. Each endpoint gets a unique signing secret for HMAC-SHA256 payload verification. Platform presets (Slack, Microsoft Teams, Discord) auto-format messages for direct delivery — no middleware needed.

FeatureDescription
URLThe HTTPS endpoint that receives POST requests with JSON payloads
PlatformPreset message format: Generic (HTTP with HMAC), Slack (Block Kit), Microsoft Teams (Adaptive Card), or Discord (Embed)
EventsAssessment submitted, assessment overdue, finding created, finding resolved, certification expiring
Enable/DisableToggle endpoints on or off without deleting
SecretRandomly generated per-endpoint signing secret

Requires Webhooks: manage permission (Admin by default).


Health

System diagnostics for operators. Shows current application status (running), version, commit hash, build time, uptime, and memory usage. The Database section shows whether the connection is healthy. Requires Settings: manage permission.

Open-source, self-hosted third party vendor risk management.