Skip to content

This repository automates the collection and management of evidence from various tools and sources, committing the data for transparency and traceability. It's designed to gather evidence that tools like Vanta and others aren't built to collect.

Notifications You must be signed in to change notification settings

austinsonger/AutoPilot-Audit

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

AuditBuddy

This GitHub Action automates evidence collection for compliance frameworks like SOC 2, ISO 27001, FedRAMP, and PCI DSS. It integrates with various cloud providers (AWS, Azure, GCP) and security tools (Okta, Tenable, etc.) to extract relevant data based on the chosen framework and control. The collected evidence is then formatted and committed to a designated location within the user's GitHub repository, simplifying compliance audits.

Framework Requirements:

  • Framework Specificity:
    • Each framework has control objectives and corresponding controls with evidence types (e.g., policies, procedures, logs).
  • Mapping Framework Controls to Evidence:
    • Create a mapping between specific framework controls and the type of evidence they require (e.g., Population for user access controls, Configurations for security settings).

Language and Configuration Files

  • Python
  • YAML
  • json

Integration with Cloud Providers and Security Tools

Evidence Collection Logic

  • Framework Selection:
    • Allow users to specify the framework they're targeting within the Github Action workflow.
  • Control Mapping:
    • Based on the chosen framework and control being assessed, use the mapping created earlier to identify the type of evidence needed.
  • Data Extraction:
    • Leverage the SDKs/APIs to extract relevant data from each cloud provider and security tool based on the control objective.
  • Data Formatting:
    • Format the extracted data according to your defined structure (Populations, Configurations, Rules, Samples).

Evidence Collection

Tools

  • Amazon Web Services
  • Atlassian
  • Okta
  • Jumpcloud
  • Tenable
  • SentinelOne
  • Splunk
  • Cloudflare

Evidence Mapping

  • - Private Sector
  • - Federal

Federal

Frequency Auditor Evidence ID # Evidence Github Action Evidence Output FedRAMP Mapping NIST Mapping

Private Sector

Frequency Auditor Evidence ID # Evidence Github Action Evidence Output SOC2 Mapping NIST Mapping

Commit and Push Evidence

  • Version Control:
    • Use Git commands within the Github Action workflow to commit the collected evidence files to a dedicated branch.
  • Push Automation
    • Configure the workflow to automatically push the committed evidence to the desired location in the repository.

About

This repository automates the collection and management of evidence from various tools and sources, committing the data for transparency and traceability. It's designed to gather evidence that tools like Vanta and others aren't built to collect.

Topics

Resources

Security policy

Stars

Watchers

Forks

Releases

No releases published