Compliance as Code

Generating Audit Artifacts

Define output rules to auto-generate static audit reports in Markdown or OSCAL format from your compliance graph.

Generating Audit Artifacts (Output Modules)

While GraphQL is great for interactive exploration, auditors often require static, structured reports. You can define [[output]] rules in data/output/*.toml to automatically generate these artifacts as part of the pipeline.

Example: Output as Markdown

You can generate a human-readable Markdown report that summarizes the compliance state of your entire environment.

# data/output/audit_markdown.toml
origin_resource = "audit"

[[output]]
resource_type = "compliance_report_md"
name = "report-{{ origin_resource.name }}"
filename = "{{ origin_resource.name }}-report.md"
mimetype = "text/markdown"
template = """
# Compliance Report: {{ origin_resource.audit_name }}

{% for ctrl in origin_resource.control %}
## {{ ctrl.control_name }} (`{{ ctrl.name }}`)
{{ ctrl.description }}

**Evidence Summary:**
{{ ctrl.evidence_summary | default(value="{}") | json_encode | safe }}
{% endfor %}
"""

Example: Output in OSCAL Format

For machine-readable, standardized compliance artifacts, you can output directly into the OSCAL (Open Security Controls Assessment Language) JSON format, so the generated artifact can be imported into GRC platforms that consume OSCAL.

# data/output/audit_oscal.toml
origin_resource = "audit"

[[output]]
resource_type = "oscal_ssp"
name = "oscal-ssp-{{ origin_resource.name }}"
filename = "{{ origin_resource.name }}-ssp.json"
mimetype = "application/json"
jsonnet = '''
{
  "system-security-plan": {
    metadata: {
      title: "System Security Plan for " + std.extVar('origin_resource').audit_name,
    },
    "control-implementation": {
      "implemented-requirements": [
        {
          "control-id": ctrl.name,
          description: std.get(ctrl, 'evidence_summary', {}),
        }
        for ctrl in std.get(std.extVar('origin_resource'), 'control', [])
      ],
    },
  },
}
'''
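To show what the OSCAL rule above produces and how to sanity-check the artifact before it reaches an auditor, here is an added Python example that is not part of the original page or its pipeline: `render_ssp` re-implements the Jsonnet mapping in Python, and `evidence_gaps` flags controls that are absent from the SSP or carry an empty evidence summary. The `SAMPLE_AUDIT` graph, the control ids in it, and both function names are constructed for this example.

```python
"""Added example: Python mirror of the page's Jsonnet OSCAL mapping plus a
post-generation check for controls that were emitted without evidence."""
import json

# Constructed sample of the `origin_resource` audit graph the output rules read.
SAMPLE_AUDIT = {
    "name": "prod-2024q1",
    "audit_name": "Production SOC 2 audit",
    "control": [
        {"name": "CC6.1", "control_name": "Logical access",
         "evidence_summary": {"mfa_enforced": True, "checked_users": 42}},
        {"name": "CC7.2", "control_name": "Monitoring",
         "evidence_summary": {}},          # evaluated, but no evidence attached
        {"name": "CC8.1", "control_name": "Change management"},  # no summary at all
    ],
}


def render_ssp(audit: dict) -> dict:
    """Same structure as the page's Jsonnet: one implemented-requirement per control,
    with the evidence summary (defaulting to {}) carried as the description."""
    return {
        "system-security-plan": {
            "metadata": {"title": "System Security Plan for " + audit["audit_name"]},
            "control-implementation": {
                "implemented-requirements": [
                    {"control-id": ctrl["name"],
                     "description": ctrl.get("evidence_summary", {})}
                    for ctrl in audit.get("control", [])
                ],
            },
        },
    }


def evidence_gaps(ssp: dict, expected_controls: list) -> list:
    """Return the ids of expected controls that are missing from the SSP or whose
    description (evidence summary) is empty, sorted for stable reporting."""
    reqs = ssp["system-security-plan"]["control-implementation"]["implemented-requirements"]
    by_id = {req["control-id"]: req for req in reqs}
    return sorted(cid for cid in expected_controls
                  if cid not in by_id or not by_id[cid]["description"])


if __name__ == "__main__":
    ssp = render_ssp(SAMPLE_AUDIT)
    print(json.dumps(ssp, indent=2))
    expected = [ctrl["name"] for ctrl in SAMPLE_AUDIT["control"]]
    print("controls without evidence:", evidence_gaps(ssp, expected))
```

The template on this page emits only the fields shown; an SSP that must pass OSCAL schema validation additionally needs a top-level `uuid` and `metadata.oscal-version`, `metadata.last-modified` and `metadata.version`, and each implemented requirement needs its own `uuid`.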