Auditree

Auditree is an opinionated set of tools to enable the digital transformation of compliance activities. It is designed to be familiar to DevOps teams and software engineers, using tools they are likely already interacting with daily.

Auditree allows you to collect and verify evidence, and build up a long-term store of evidence in an “evidence locker”. The collection of evidence is done by “fetchers”, the verification by “checks”. These are implemented as Python unit tests. The locker is backed by a git repository. Notification of issues can be configured via Slack, PagerDuty, issue trackers and similar tools.

Key concepts

Auditree aims to be opinionated in how you work, but flexible in what work you do.

Everything revolves around evidence. Simple programs called fetchers retrieve evidence from sources (APIs, URLs, command line invocations) and store that evidence in a locker. This is a git repository (which is efficient, tamper evident and versioned, so well suited to storing evidence) with some additional controls & metadata inserted by the supporting framework. Evidence can then be verified by checks: simple unit tests run against your evidence.

Your checks can be used to assert an operational posture, implement secondary controls, or act as a primary control in your compliance posture.

Notification of check status can be sent to issues in a tracker, Slack, PagerDuty, or even stored alongside evidence. Playbooks for how to respond to check warnings or failures can be linked to from these notifications.
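The fetcher / locker / check flow described above, as an added, self-contained example. This is not Auditree's own code and does not use the framework's API: the `EvidenceLocker` class is an in-memory stand-in for the git-backed locker (append-only versions, each with a content hash so a tampered copy is detectable), the identity-provider response is a constructed sample, and the names `fetch_user_mfa_status`, `users_without_mfa`, `MfaEnforcedCheck` and `run_pipeline` are hypothetical. It shows the shape of the model: a fetcher stores raw evidence, a check is a `unittest.TestCase` that asserts against that evidence, and the result is summarised in a form a notifier (Slack, issue tracker) could consume.

```python
"""Illustrative fetcher -> locker -> check pipeline (added example, not Auditree code)."""
import hashlib
import json
import unittest
from datetime import datetime, timezone

# Constructed sample of what a hypothetical identity-provider API might return.
SAMPLE_API_RESPONSE = {
    "users": [
        {"name": "alice", "mfa_enabled": True},
        {"name": "bob", "mfa_enabled": False},
        {"name": "carol", "mfa_enabled": True},
    ]
}

EVIDENCE_PATH = "raw/idp/users.json"


class EvidenceLocker:
    """Toy stand-in for the git-backed locker (assumption, not the framework's locker).

    Every write appends a new version with a timestamp and a SHA-256 of the content,
    mirroring the versioned, tamper-evident properties the git repository provides.
    """

    def __init__(self):
        self._history = {}  # path -> list of {"sha256", "ts", "content"}

    def add_evidence(self, path, content, ts=None):
        ts = ts or datetime.now(timezone.utc).isoformat()
        digest = hashlib.sha256(content.encode()).hexdigest()
        self._history.setdefault(path, []).append(
            {"sha256": digest, "ts": ts, "content": content}
        )
        return digest

    def get_evidence(self, path):
        versions = self._history.get(path)
        if not versions:
            raise KeyError(f"no evidence stored at {path}")
        return versions[-1]["content"]  # latest version

    def version_count(self, path):
        return len(self._history.get(path, []))

    def verify_integrity(self, path):
        """True if every stored version still matches the hash recorded at write time."""
        return all(
            hashlib.sha256(v["content"].encode()).hexdigest() == v["sha256"]
            for v in self._history.get(path, [])
        )


def fetch_user_mfa_status(locker, api_call):
    """Fetcher: pull the user list from its source and store it as raw evidence."""
    content = json.dumps(api_call(), sort_keys=True, indent=2)
    return locker.add_evidence(EVIDENCE_PATH, content)


def users_without_mfa(locker):
    """Check logic: names of users whose MFA flag is off, read from the locker."""
    users = json.loads(locker.get_evidence(EVIDENCE_PATH))["users"]
    return sorted(u["name"] for u in users if not u["mfa_enabled"])


class MfaEnforcedCheck(unittest.TestCase):
    """A check expressed as a unit test over evidence already in the locker."""

    locker = None  # attached by the runner before the suite executes

    def test_all_users_have_mfa(self):
        if self.locker is None:
            self.skipTest("no evidence locker attached")
        offenders = users_without_mfa(self.locker)
        self.assertEqual(offenders, [], f"MFA not enabled for: {', '.join(offenders)}")


def run_pipeline(api_call=lambda: SAMPLE_API_RESPONSE):
    """Fetch, then check; return a summary a notifier could turn into an issue or alert."""
    locker = EvidenceLocker()
    fetch_user_mfa_status(locker, api_call)
    MfaEnforcedCheck.locker = locker
    suite = unittest.defaultTestLoader.loadTestsFromTestCase(MfaEnforcedCheck)
    result = unittest.TextTestRunner(verbosity=0).run(suite)
    return {
        "passed": result.wasSuccessful(),
        "failures": len(result.failures),
        "offenders": users_without_mfa(locker),
        "integrity_ok": locker.verify_integrity(EVIDENCE_PATH),
    }


if __name__ == "__main__":
    print(json.dumps(run_pipeline(), indent=2))
```

Running the module fetches the sample response, stores it, and runs the check, which fails because `bob` has no MFA; the returned summary carries the offending names so a playbook link or ticket can be raised from it. Re-running the fetcher appends a second version rather than overwriting the first, which is the property that lets an auditor see how the evidence looked at any earlier point.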

The tools

The Auditree system is designed to be extensible by those using it. It provides a framework in which to build & run fetchers & checks, defines an operational model for approaching compliance activities and supplies ancillary tools to facilitate a workflow around that operational model.

The framework, fetchers & checks and associated tools are all Apache licensed, and open source for you and your auditors to review.