Skip to content
English
Customer portal
Contact us
  • There are no suggestions because the search field is empty.

01.01 System Requirements

The operating-environment prerequisites for SimpleRisk — PHP version, MySQL version and required SQL modes, the 12 PHP extensions, web server options, hardware sizing guidance, and the directory-permission requirements.

Why this matters

SimpleRisk's installer is permissive about what infrastructure you bring; it's strict about that infrastructure satisfying its prerequisites. The installer's first substantive screen is the Health Check, which validates PHP version, the required PHP extensions, directory permissions, web connectivity, and the MySQL SQL-mode configuration. Failing the health check is the single most common reason first-time installs stall — the operator gets the error message but doesn't know which package or configuration line to add to fix it.

This article is the comprehensive prerequisite reference. Read it before downloading SimpleRisk; install the missing pieces; then run the installer expecting the Health Check to pass on the first try. The fifteen minutes of upfront preparation save hours of "why won't the installer move past Step 2."

The other thing worth knowing: SimpleRisk runs on commodity LAMP-stack infrastructure. There's no exotic dependency, no proprietary runtime, no specialized hardware. If your team can run a typical PHP application, you can run SimpleRisk. The list below is detailed but not unusual for a PHP/MySQL web application of SimpleRisk's scope.

Reference content

PHP version

Required: PHP 8.1.0 or newer.

The version requirement is enforced by composer.json (the require.php field, set to ^8.1, and the config.platform.php field set to 8.1.0). The installer's Health Check verifies this; running on a PHP version older than 8.1 produces a clear error and blocks installation.

For ongoing operation, stay current with PHP point releases for security updates. SimpleRisk is tested against actively-supported PHP versions; running on a PHP version that's reached end-of-life leaves both PHP and SimpleRisk on the security-update treadmill the wrong way around.

MySQL version and configuration

Required: MySQL. SimpleRisk uses standard MySQL features and runs against current MySQL releases.

A note on MariaDB: earlier versions of SimpleRisk treated MariaDB as a supported MySQL-protocol-compatible alternative, and many customers ran it that way for years. We've since narrowed support back to MySQL only. Small differences in how MariaDB handled certain data types and query results produced inconsistencies that weren't worth maintaining a second supported path. If you're currently running on MariaDB, you can keep operating, but plan a migration to MySQL — new development and testing target MySQL exclusively, and we don't intend to chase MariaDB-specific behavior going forward.

The installer's Health Check validates the MySQL connection during Step 3 (Database Credentials) and explicitly checks for problematic SQL modes. Three SQL modes must be disabled for SimpleRisk to operate:

  • STRICT_TRANS_TABLES — strict trans-table mode interferes with SimpleRisk's INSERT and UPDATE patterns. Disable.
  • NO_ZERO_DATE — SimpleRisk uses zero-date sentinels in some columns; this mode rejects them. Disable.
  • ONLY_FULL_GROUP_BY — SimpleRisk's reporting queries don't always include every non-aggregated column in the GROUP BY clause; this mode rejects those queries. Disable.

These modes are often enabled by default on fresh MySQL installations. Either configure them off in your MySQL server's my.cnf (the [mysqld] section's sql_mode setting), or set them off per-session for the SimpleRisk user. The installer's Health Check tests for them and fails the install if any of the three are enabled — fix at the MySQL level rather than working around it.

The installer also creates a restricted MySQL user during Step 6 with the minimum privileges SimpleRisk needs: SELECT, INSERT, UPDATE, ALTER, DELETE, CREATE, DROP, INDEX, REFERENCES on the SimpleRisk database. The user's host pattern is configurable in Step 4 (defaults to localhost; supports comma-separated lists for multi-instance deployments).

Required PHP extensions

The installer's Health Check verifies twelve PHP extensions. All must be installed and enabled before the installer will proceed past Step 2.

  • pdo: The PHP Data Objects abstraction layer SimpleRisk uses for all database access.
  • pdo_mysql: The MySQL driver for PDO.
  • json: JSON encoding and decoding (used throughout for API responses, configuration storage).
  • phar: PHP archive support (used by some Composer dependencies and by Extras that ship as packaged archives).
  • zlib: Compression (used for archive handling and some output compression).
  • mbstring: Multi-byte string handling (required for the multi-language UI).
  • ldap: LDAP authentication support (required even when LDAP isn't in active use).
  • dom: XML/DOM manipulation (used by the SAML SSO Authentication Extra and by import/export functionality).
  • curl: HTTP client (used during installation to fetch the database schema, by the Vulnerability Management Extra to talk to scanners, by the AI Extra to talk to providers, etc.).
  • posix: POSIX functions (used by cron-related code paths).
  • zip: ZIP archive support (used by the Import/Export Extra and by some content delivery paths).
  • gd: The GD graphics library (used for QR code generation in MFA enrollment, image manipulation in dashboards).

On Debian/Ubuntu systems, install the missing extensions with apt install php8.1- (for example, php8.1-curl, php8.1-mbstring, etc.). On RHEL/CentOS/Rocky, use dnf install php- with the appropriate Remi or EPEL repositories enabled.

After installing extensions, restart your web server (systemctl restart apache2 or systemctl restart php8.1-fpm plus systemctl restart nginx) so the new extensions become available to PHP processes.

Web server options

SimpleRisk runs on any web server that can serve PHP. The two common deployments:

  • Apache HTTP Server with mod_php — historically the most common SimpleRisk deployment. The web server's document root is set to the simplerisk/ directory. URL rewriting is generally not required (SimpleRisk uses direct PHP file paths), but .htaccess-style overrides are supported.
  • Nginx with PHP-FPM — increasingly common, especially in containerized deployments. The PHP-FPM upstream handles the PHP execution; Nginx serves static content directly. Standard PHP-FPM/Nginx configuration patterns apply.

Either web server works. The installer doesn't require a specific server choice.

Operating system

Supported: Linux. SimpleRisk's supported deployments run on Linux. The patterns customers use most:

  • Linux on bare metal or VM (Ubuntu LTS, Debian stable, RHEL/CentOS/Rocky/Alma) — the standard production deployment. See Installing on Linux for the step-by-step.
  • Docker — the containerized deployment, with the container images maintained in the separate simplerisk/docker repository. See Installing via Docker.
  • Cloud-managed images — AWS Marketplace AMIs and similar pre-built images are available for several major cloud providers. See Installing on Cloud.

Windows and macOS are not supported as the host OS. PHP and MySQL technically run on both, but we don't test or support SimpleRisk against either as a runtime. If the only hardware you have is a Windows or macOS machine, run SimpleRisk inside a supported Linux environment on top of it — Docker Desktop, WSL2 with a supported Linux distribution, or a virtual machine (VirtualBox, Hyper-V, VMware, Parallels) running a supported Linux distribution. The SimpleRisk install lives inside the Linux environment; the Windows or macOS host is just the substrate the Linux environment runs on. Don't attempt to run SimpleRisk against PHP and MySQL installed directly on Windows or macOS — you'll hit path, permission, and service-control differences that aren't covered by our installer or support.

Hardware sizing

SimpleRisk's hardware needs scale with the program's data volume. There's no hard minimum; reasonable starting points:

  • Small deployment (single team, fewer than 100 risks, fewer than 5 frameworks installed): 1–2 vCPU, 2 GB RAM, 20 GB disk. A single VM or container handles Apache/Nginx, PHP, and MySQL together.
  • Mid-size deployment (multi-team, hundreds of risks, multiple frameworks, the Vulnerability Management Extra producing scanner imports): 2–4 vCPU, 4–8 GB RAM, 50–100 GB disk. Often still single-VM but with attention to MySQL tuning.
  • Large deployment (enterprise, thousands of risks, the SCF or UCF Extra ingesting hundreds of frameworks, heavy concurrent user load): split MySQL onto its own host, give the web tier room for multiple PHP-FPM workers, plan disk for the multi-year audit-trail accumulation. 4+ vCPU per tier, 8+ GB RAM per tier, 200+ GB disk for the database.

Scale through the typical PHP-application levers: more PHP-FPM workers for concurrent request volume, more MySQL memory for query caching, faster disk for the database. SimpleRisk doesn't have unusual scaling characteristics; apply standard PHP/MySQL tuning practice.

Directory permissions

The web server user (typically www-data on Debian/Ubuntu, apache on RHEL family, the configured user on custom deployments) needs read and write access to the entire simplerisk/ directory tree. The installer's Health Check recursively verifies this; SimpleRisk needs write access for several runtime patterns:

  • Configuration: the installer writes simplerisk/includes/config.php during Step 6.
  • Logs: SimpleRisk writes operational logs to simplerisk/logs/ during normal operation.
  • File uploads: evidence files, document attachments, and other uploaded content land in writable directories.
  • Cache: some Composer dependencies and SimpleRisk components cache compiled output.

Standard ownership pattern: chown -R www-data:www-data simplerisk/ (adjust user/group for your distribution) followed by chmod -R u+rw simplerisk/. Restrict group/world permissions per your security policy; the web server user needs read/write, others can be more restrictive.

Network connectivity

SimpleRisk needs outbound HTTPS for several install-time and runtime operations:

  • During installation: outbound HTTPS to raw.githubusercontent.com to fetch the database schema (the schema URL is https://raw.githubusercontent.com/simplerisk/database/{branch}/simplerisk-{language}-{version}.sql).
  • During runtime: outbound HTTPS for several Extras (Vulnerability Management Extra to scanner APIs, AI Extra to provider APIs, ComplianceForge SCF Extra to its content sources, the Notification Extra for outbound email if SMTP is over the public internet, etc.).
  • For framework installation: outbound HTTPS to the SimpleRisk content GitHub repository when adding frameworks via the GitHub install path.

Air-gapped or heavily-firewalled deployments need to plan for these dependencies — either an outbound proxy that whitelists the relevant hosts, or alternative content paths (manual schema load, manual framework installation, self-hosted AI gateway). The installation itself can be completed on an air-gapped server only if the schema SQL is staged locally before Step 6.

Related

Reference

  • Permission required: Server-side: filesystem write to simplerisk/, MySQL admin to create the database and user. SimpleRisk-side: not applicable (pre-installation).
  • Implementing files: composer.json (PHP version + dependencies); simplerisk/includes/install.php (installer_check_php_extensions() line 1613, installer_check_directories() line 1637); simplerisk/index.php (the SIMPLERISK_INSTALLED bootstrap check).
  • Database tables: settings (created during install, holds simplerisk_base_url, default_language, instance_id, schedule_cron_ping, and many more after install).
  • config_settings keys: None pre-installation. Post-install: simplerisk_base_url, ssl_certificate_check_simplerisk, default_language, instance_id, schedule_cron_ping (set during Step 6).
  • External dependencies: PHP 8.1+ with 12 extensions; MySQL with STRICT_TRANS_TABLES/NO_ZERO_DATE/ONLY_FULL_GROUP_BY SQL modes off; outbound HTTPS to raw.githubusercontent.com during install.