Auditree is an opinionated set of tools to enable the digital transformation of compliance activities. It is designed to be familiar to DevOps teams and software engineers, using tools they are likely already interacting with daily.
Auditree allows you to collect and verify evidence, and build up a long-term store of evidence in an “evidence locker”. The collection of evidence is done by “fetchers”, the verification by “checks”. These are implemented as Python unit tests. The locker is backed by a git repository. Notification of issues can be configured via Slack, PagerDuty, issue trackers and similar tools.
Key concepts
Auditree aims to be opinionated in how you work, but flexible in what work you do.
Everything revolves around evidence. Simple programs called fetchers retrieve evidence from sources (APIs, URLs, command line invocations) and store that evidence in a locker. This is a git repository (so storage is efficient, tamper-evident and versioned) with some additional controls & metadata inserted by the supporting framework. Evidence can then be verified by checks: simple unit tests against your evidence.
Your checks can be used to assert an operational posture, implement secondary controls or act as a primary control in your compliance posture.
Notification of check status can be sent to issues in a tracker, Slack, PagerDuty, or even stored alongside evidence. Playbooks for how to respond to check warnings or failures can be linked to from these notifications.
The tools
The Auditree system is designed to be extensible by those using it. It provides a framework in which to build & run fetchers & checks, defines an operational model for approaching compliance activities and supplies ancillary tools to facilitate a workflow around that operational model.
- Auditree framework - the core of the system, responsible for managing evidence in the locker, running fetchers & checks, notification and reporting. You can also read the documentation site.
- Arboretum - a library of open fetchers & checks for you to use & contribute to.
- Harvest - collate evidence over time, run reports & analysis over the contents of the locker.
- Plant - place manually gathered evidence into the locker.
- Prune - correctly manage the retirement of evidence.
The framework, fetchers & checks and associated tools are all Apache licensed, and open source for you and your auditors to review.