Auditree is an opinionated set of tools to enable the digital transformation
of compliance activities. It is designed to be familiar to DevOps teams and
software engineers, using tools they are likely already interacting with.

Auditree allows you to collect and verify evidence, and to build up a long-term
store of evidence in an “evidence locker”. The collection of evidence is done
by “fetchers”, the verification by “checks”. These are implemented as Python
unit tests. The locker is backed by a git repository. Notification of issues
can be configured via Slack, PagerDuty, issue trackers and similar tools.

Auditree aims to be opinionated in how you work, but flexible in what work

Everything revolves around evidence. Simple programs called fetchers
retrieve evidence from sources (APIs, URLs, command line invocations) and
store that evidence in a locker. The locker is a git repository (which makes
the evidence store efficient, tamper-evident and versioned) with some additional
controls & metadata inserted by the supporting framework. Evidence can then be
verified by checks: simple unit tests against your evidence.
Your checks can be used to assert an operational posture, implement secondary
controls, or act as a primary control in your compliance posture.

Notification of check status can be sent to issues in a tracker, Slack,
PagerDuty, or even stored alongside evidence. Playbooks for how to respond to
check warnings or failures can be linked to from these notifications.

The Auditree system is designed to be extensible by those using it. It
provides a framework in which to build & run fetchers & checks, defines an
operational model for approaching compliance activities and supplies ancillary
tools to facilitate a workflow around that operational model.

- Auditree framework - the core of the system, responsible for managing evidence in the locker, running fetchers & checks, notification and reporting. You can also read the documentation site.
- Arboretum - a library of open fetchers & checks for you to use & contribute to.
- Harvest - collate evidence over time, run reports & analysis over the contents of the locker.
- Plant - place manually gathered evidence into the locker.
- Prune - correctly manage the retirement of evidence.

The framework, fetchers & checks and associated tools are all Apache licensed,
and open source for you and your auditors to review.