Overview
Compliance as Code
Proof-of-concept for managing compliance documents as code: the document content lives in validated YAML data, and the PDFs and the web site are generated from that one source. Motivation and discussion of the "compliance as code" approach can be found in the Architecture/POC write-up, which is written in the architectural decision record (ADR) format we use at work.
Outputs
Compliance documents
📦 Download Latest Documents (automatically updated on every commit to main):
- CE Declaration (PDF) - EU conformity declaration
- Risk Assessment (PDF) - CRA cybersecurity risk assessment
- Manual (PDF) - User manual
- SBOM (PDF) - Software Bill of Materials as a human-readable compliance document; it does not replace the machine-readable CycloneDX/SPDX SBOMs generated in CI
Secondary Outputs
- Documentation Site (Docusaurus) - Web companion generated from the same YAML source data
- JSON Schemas - JSON schemas for IDE validation (e.g., YAML autocomplete/validation of risk_model.yaml in VS Code)
Quick Start
# Build all Typst/PDF documents
uv run main.py # or python main.py (if not using the uv package manager)
# Build a single document in watch mode (rebuilds on source changes)
uv run main.py ce
uv run main.py risk
uv run main.py manual
uv run main.py sbom
# Build static Docusaurus site (auto-generates markdown from YAML)
uv run main.py --web
uv run main.py --web-watch # (dev server + auto-generate at startup)
# Build without validation or schema export
uv run main.py --skip-validate --skip-export-schemas
# Run tests
uv run pytest tests/
Project Structure
docs/ # Typst document sources
model/ # YAML data files and Pydantic schemas
model/schemas.py # Pydantic schema definitions
website/ # Docusaurus docs site
website/scripts/ # Utility scripts (YAML -> web docs)
schemas-generated/ # JSON schemas exported by the build (disable with --skip-export-schemas), used for IDE validation in VS Code
main.py # Build tool
tests/ # Tests
Tooling / Frameworks
- Python + Pydantic - Build orchestration, YAML validation, and risk modeling
- Typst - Document compilation
- Docusaurus - Web documentation site
- GitHub Pages - Automatic docs site deployment
- uv - Python package management
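The build pattern described above (typed YAML data validated against a schema, then rendered to both Typst and the web from the same source) as an added, stand-alone example. This is illustration code, not the project's own: it uses stdlib dataclasses where the project uses Pydantic so it runs with no extra packages, and the risk fields, the 5x5 scoring thresholds, the cross-reference rules and the sample entries are all constructed assumptions about what risk_model.yaml might contain.

```python
"""Added example: validate a risk model and render it to Typst and Markdown
from one data set, the single-source pattern the README describes.

Not the project's code: stdlib dataclasses stand in for its Pydantic schemas,
and every field name below is an assumption about risk_model.yaml."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample: the dict yaml.safe_load() would return for a small
# risk_model.yaml (assumed layout; not the project's real file).
SAMPLE_MODEL = {
    "mitigations": [
        {"id": "M-1", "title": "Signed firmware updates"},
        {"id": "M-2", "title": "Rate limiting on the admin API"},
    ],
    "risks": [
        {"id": "R-1", "asset": "Update channel", "threat": "Malicious firmware image",
         "likelihood": 2, "impact": 5, "mitigations": ["M-1"]},
        {"id": "R-2", "asset": "Admin API", "threat": "Credential brute force",
         "likelihood": 4, "impact": 4, "mitigations": ["M-2"]},
    ],
}


@dataclass
class Risk:
    """One risk entry; field-level checks run on construction."""
    id: str
    asset: str
    threat: str
    likelihood: int  # assumed scale 1..5
    impact: int      # assumed scale 1..5
    mitigations: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not isinstance(value, int) or not 1 <= value <= 5:
                raise ValueError(f"{self.id}: {name} must be an integer 1..5, got {value!r}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def rating(self) -> str:
        # Assumed thresholds for a 5x5 likelihood/impact matrix.
        if self.score >= 15:
            return "high"
        if self.score >= 8:
            return "medium"
        return "low"


def load_model(data: dict) -> Tuple[Dict[str, str], List[Risk]]:
    """Build typed objects from parsed YAML and enforce cross-entry rules:
    unique ids, mitigation references resolve, high risks are mitigated."""
    mitigations = {m["id"]: m["title"] for m in data.get("mitigations", [])}
    risks: List[Risk] = []
    seen = set()
    for entry in data.get("risks", []):
        try:
            risk = Risk(**entry)
        except TypeError as exc:  # unknown or missing keys in the YAML entry
            raise ValueError(f"risk {entry.get('id', '?')}: {exc}") from exc
        if risk.id in seen:
            raise ValueError(f"duplicate risk id {risk.id}")
        seen.add(risk.id)
        for m in risk.mitigations:
            if m not in mitigations:
                raise ValueError(f"{risk.id} references unknown mitigation {m}")
        if risk.rating == "high" and not risk.mitigations:
            raise ValueError(f"{risk.id} is rated high but lists no mitigation")
        risks.append(risk)
    return mitigations, risks


HEADER = ("ID", "Asset", "Threat", "Score", "Rating")


def render_markdown(risks: List[Risk]) -> str:
    """Markdown table for the Docusaurus side."""
    lines = ["| " + " | ".join(HEADER) + " |", "|" + "---|" * len(HEADER)]
    for r in risks:
        lines.append(f"| {r.id} | {r.asset} | {r.threat} | {r.score} | {r.rating} |")
    return "\n".join(lines)


def render_typst(risks: List[Risk]) -> str:
    """Typst #table call for the PDF side, built from the same objects."""
    cells = [f"[*{h}*]" for h in HEADER]
    for r in risks:
        cells += [f"[{r.id}]", f"[{r.asset}]", f"[{r.threat}]", f"[{r.score}]", f"[{r.rating}]"]
    return f"#table(columns: {len(HEADER)}, " + ", ".join(cells) + ")"


if __name__ == "__main__":
    _, risks = load_model(SAMPLE_MODEL)
    print(render_markdown(risks))
    print(render_typst(risks))
```

The point of the cross-entry checks in load_model is that a schema alone (JSON Schema in the IDE, or a per-field Pydantic model) catches malformed values, but not a risk that cites a mitigation nobody wrote down or a high-rated risk with no mitigation at all; those are the rules a build step should fail on before any PDF is produced.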