Sundown
Apache 2.0 · self-hosted · read-only

The sun has set on that employee.
Has it set on their accounts?

Sundown cross-references your HRIS terminations against every IdP and SaaS in your stack and shows you the accounts that are still active for people who don't work at your company anymore.

No remediation. No write access. Sundown can't change a thing — only show you what to.

sundown.local · /ghosts
Critical: 7 · High: 14 · Medium: 3

Sev       Person             Where                  Days
critical  edsger@acme.com    Okta · GitHub          14
critical  ken@acme.com       Okta · GitHub · Slack  35
high      margaret@acme.com  Okta                   3
medium    don@acme.com       Okta                   0

An auditor will ask in Q1.

SOC 2 CC6.2, ISO 27001 A.5.18, HIPAA §164.308(a)(3)(ii)(C), PCI 8.1.3 — every framework wants timely deprovisioning evidence. Sundown gives you a cryptographically hashed report on demand.


Most of your breaches start here.

63% of insider incidents involve former employees with lingering access (Verizon DBIR). Off-boarding processes drift. Sundown is the cross-check that catches what your runbook missed.


Read-only by design.

Sundown asks for the smallest possible scopes, never deprovisions anything itself, and stores connector secrets AES-256 encrypted on your disk. It's safer to install than the runbook it audits.

How it works

  1. 01 / source-of-truth
    Connect your HRIS

    BambooHR or Rippling. Sundown pulls the list of currently-terminated employees with their work email, secondary emails, and SSO subject.

  2. 02 / blast radius
    Connect your destinations

    Okta, Google Workspace, GitHub, Slack. Sundown lists active principals on each — read-only.

  3. 03 / matching
    Cross-reference

    Email → alias → SSO subject → fuzzy. Every match records the exact rule, so explainability is built in.

  4. 04 / report
    Export evidence

    JSON, CSV, or printable PDF. Each report carries a SHA-256 over the data — drop it straight into your audit binder.
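As an added example (not Sundown's own code), the four steps above in miniature: the email → alias → SSO subject → fuzzy matching pass from step 3, with the rule that produced each hit recorded alongside it, and the SHA-256 over the report data from step 4. The data classes, field names, the 0.9 fuzzy threshold and the sample HRIS and destination records are all constructed for illustration and are not Sundown's schema.

```python
"""Added example, not Sundown's own code: the email -> alias -> SSO subject -> fuzzy
matching pass with the matching rule recorded on every hit, and a SHA-256 over the
resulting report. Data classes, field names, the fuzzy threshold and the sample
records are all constructed for illustration."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from difflib import SequenceMatcher


@dataclass
class Terminated:
    """One terminated employee as the HRIS step would yield it."""
    work_email: str
    aliases: list[str] = field(default_factory=list)
    sso_subject: str | None = None


@dataclass
class Principal:
    """One active account on a destination (Okta, GitHub, ...)."""
    system: str
    login: str                       # email or username as the destination reports it
    sso_subject: str | None = None


def _norm(s: str) -> str:
    return s.strip().lower()


def match(person: Terminated, principal: Principal, fuzzy_threshold: float = 0.9) -> str | None:
    """Return the first rule that links person to principal, or None.
    Rules run strictly in order email -> alias -> sso_subject -> fuzzy, so the
    recorded rule is always the strongest evidence available for that hit."""
    login = _norm(principal.login)
    if login == _norm(person.work_email):
        return "email"
    if login in {_norm(a) for a in person.aliases}:
        return "alias"
    if person.sso_subject and principal.sso_subject == person.sso_subject:
        return "sso_subject"
    # Fuzzy: compare local parts only, so a bare username can still match;
    # these are the hits a human should confirm before acting on them.
    local_person = _norm(person.work_email).split("@")[0]
    local_login = login.split("@")[0]
    if SequenceMatcher(None, local_person, local_login).ratio() >= fuzzy_threshold:
        return "fuzzy"
    return None


def find_ghosts(terminated: list[Terminated], principals: list[Principal]) -> list[dict]:
    """Cross-reference every terminated person against every active principal."""
    hits = []
    for person in terminated:
        for pr in principals:
            rule = match(person, pr)
            if rule:
                hits.append({"person": person.work_email, "system": pr.system,
                             "login": pr.login, "rule": rule})
    return hits


def _canonical(findings: list[dict]) -> bytes:
    # Deterministic serialisation: the same findings always hash the same way.
    return json.dumps(findings, sort_keys=True, separators=(",", ":")).encode()


def report_with_hash(findings: list[dict]) -> dict:
    """Attach a SHA-256 over the findings so the evidence file can be checked later."""
    return {"findings": findings, "sha256": hashlib.sha256(_canonical(findings)).hexdigest()}


def verify_report(report: dict) -> bool:
    return hashlib.sha256(_canonical(report["findings"])).hexdigest() == report["sha256"]


# Constructed sample data (not real accounts)
TERMINATED = [
    Terminated("edsger@acme.com", aliases=["e.dijkstra@acme.com"], sso_subject="00u1edsger"),
    Terminated("ken@acme.com", sso_subject="00u1ken"),
]
PRINCIPALS = [
    Principal("okta", "edsger@acme.com", "00u1edsger"),   # exact email
    Principal("github", "e.dijkstra@acme.com"),            # secondary email only
    Principal("slack", "kt@acme.com", "00u1ken"),          # only the SSO subject links it
    Principal("github", "edsgerw"),                        # username close to the local part
    Principal("okta", "alice@acme.com", "00u1alice"),      # current employee: no hit
]

if __name__ == "__main__":
    rep = report_with_hash(find_ghosts(TERMINATED, PRINCIPALS))
    print(json.dumps(rep, indent=2))
    print("verified:", verify_report(rep))
```

The rule order matters for explainability: an account that would match on both email and fuzzy is reported as an email match, so the weakest rule, fuzzy, only ever appears on hits nothing stronger could explain. Those are the rows worth a second look before anyone opens a ticket. The hash covers the canonical JSON of the findings, so anyone holding the report can recompute it without access to the Sundown instance.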

Run it in 30 seconds

SQLite by default. Postgres when you outgrow it. No accounts. No telemetry.

$ docker run --rm -p 8000:8000 \
    -e SUNDOWN_SECRET_KEY=$(openssl rand -hex 32) \
    -e SUNDOWN_BOOTSTRAP_ADMIN_EMAIL=you@yourco.com \
    -e SUNDOWN_BOOTSTRAP_ADMIN_PASSWORD=changeme \
    -v sundown_data:/data \
    ghcr.io/sundown-sh/sundown:latest serve

✓ schema migrated
✓ admin user created
✓ scheduler started
→ open http://localhost:8000
Need a Postgres-backed deploy? docker compose up ships one for you.

Connectors

Read-only scopes only. Plugin framework for the rest.

  • BambooHR (HRIS)
  • Rippling (HRIS)
  • Okta (IdP)
  • Google Workspace (IdP)
  • GitHub (SaaS)
  • Slack (SaaS)

Need Workday, Notion, AWS IAM, or your homegrown thing? Connectors are ~80 lines of Python.

Why operators trust it

  • Read-only by design. Sundown requests view scopes, refuses anything else, and has no remediation pathway. Worst case is it tells you something wrong; it cannot do something wrong.
  • Hash-chained audit log. Every Sundown action — every login, every config change, every report download — is appended to a chain you can independently verify.
  • No telemetry, no callhome. Sundown is a single Docker image. It does not phone home, does not collect metrics, and has no managed component.
  • Apache 2.0. Fork it, vendor it, ship it inside an airgapped network. We'll still be here.
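An added example, not Sundown's own code, of the hash-chained audit log the first bullet above describes: every entry's hash commits to the previous entry's hash, and a verifier re-walks the chain from a fixed genesis value without needing anything but the log itself. The entry layout, the genesis value and the sample events are assumptions for illustration.

```python
"""Added example, not Sundown's own code: a hash-chained audit log in the shape the
bullet above describes, plus an independent verifier. The entry layout, genesis value
and sample events are assumptions for illustration."""
from __future__ import annotations

import hashlib
import json

GENESIS = "0" * 64   # assumed anchor for the first entry


def _entry_hash(prev_hash: str, seq: int, event: dict) -> str:
    """Each hash commits to the previous hash, the position and the canonical event,
    so editing, deleting or reordering any earlier entry changes every later hash."""
    body = json.dumps({"seq": seq, "event": event}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(prev_hash.encode() + b"\n" + body.encode()).hexdigest()


def append(log: list[dict], event: dict) -> dict:
    """Append an event, linking it to the current tail of the chain."""
    prev = log[-1]["hash"] if log else GENESIS
    seq = len(log)
    entry = {"seq": seq, "event": event, "prev": prev, "hash": _entry_hash(prev, seq, event)}
    log.append(entry)
    return entry


def verify(log: list[dict]) -> tuple[bool, int]:
    """Re-walk the chain from GENESIS. Returns (True, -1) if every link holds, else
    (False, index) of the first entry that fails. This catches edits, deletions and
    reordering inside the log; removal of the newest entries is only detectable
    against a tail hash kept outside the host (a checkpoint the reviewer records)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev"] != prev:
            return False, i
        if entry["hash"] != _entry_hash(prev, i, entry["event"]):
            return False, i
        prev = entry["hash"]
    return True, -1


# Constructed sample events of the kinds the bullet lists
SAMPLE_EVENTS = [
    {"ts": "2024-01-08T09:00:00Z", "actor": "you@yourco.com", "action": "login"},
    {"ts": "2024-01-08T09:05:00Z", "actor": "you@yourco.com", "action": "config.update",
     "connector": "okta"},
    {"ts": "2024-01-08T09:10:00Z", "actor": "you@yourco.com", "action": "report.download",
     "format": "pdf"},
]


def build_sample_log() -> list[dict]:
    log: list[dict] = []
    for ev in SAMPLE_EVENTS:
        append(log, dict(ev))   # copy, so tampering with a log never touches the samples
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify(log))
    log[1]["event"]["actor"] = "someone-else@yourco.com"   # alter an old entry
    print("after edit:", verify(log))
```

Verification needs no write access and no connection to the instance, which is what makes the chain independently checkable: export the log, run the walk, compare the final hash with the one you recorded last time. The one thing the chain alone cannot prove is that the newest entries have not been dropped, so the tail hash is worth noting down at each review.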
"We had a runbook. We had Jira tickets. We still found 11 active GitHub accounts belonging to people who'd left over a year prior. Sundown found them in 90 seconds."