▶ Live demo · Documentation · Sample PDF
Compliance policy management for small and mid-size teams — write policies in Markdown, version them in Git, publish a branded static site, and generate audit-ready PDFs, all from a single GitHub Action.
PolicyPress is built on Zola and Typst. You host it yourself in your own Git repository — PolicyPress is the theme and toolchain, not the content, so your policies never leave your infrastructure. Consultants and MSPs can just as easily run it on behalf of their clients.
| A policy page | Automatic compliance coverage |
|---|---|
![]() |
![]() |
Browse the live demo, or open a sample redacted PDF straight from the pipeline.
"I run a small business. My employees need an acceptable use policy, a data handling policy, maybe an employee handbook - right now it's a Word doc someone emailed around and nobody knows which version is current. I want something that looks professional, is always current, and doesn't require SharePoint."
PolicyPress is for that person. If you are comfortable enough with GitHub to click a button and edit a text file, you can have a professional policy library with version-controlled PDFs in an afternoon. You do not need to know anything about web development, LaTeX, or compliance frameworks.
What you get:
- A policy website your employees can bookmark
- A PDF for every policy, named by title and version, ready to hand to an auditor or attach to a vendor questionnaire
- A full revision history: who approved what, and when
- Draft watermarks for policies under review
- Redaction tags for internal notes that should not appear in distributed copies
Most teams manage policies in one of three ways, and each leaves a gap PolicyPress fills:
| Instead of… | The gap | With PolicyPress |
|---|---|---|
| Notion / Confluence / SharePoint | No real version history, no audit-ready PDFs, not Git-native | Every change is a Git commit; each policy exports a versioned PDF |
| Drata / Vanta and other GRC SaaS | Heavyweight, cloud-only, subscription-priced; your data lives in their platform | Runs from your own repo with no subscription; your data never leaves your infrastructure |
| Plain Zola / MkDocs | A website, but no PDFs, no compliance-control mapping, no draft/redaction workflow | Site and PDFs from one source, with SCF/SOC 2 coverage reports and redaction built in |
Self-hosted, Git-native, and free for noncommercial use — no SaaS lock-in.
- Your policies live in a Git repository as Markdown files
- On every push, the
sc2in/policypressGitHub Action builds the policy site and generates PDFs - The site deploys to GitHub Pages; PDFs are uploaded as artifacts for download
The fastest path: use the policypress-template repository. Click Use this template → Create a new repository, edit config.toml with your organization name and brand color, replace the logo, enable GitHub Pages, and push.
If you need Azure DevOps or a custom setup, see the Installation guide.
Every policy file starts with a YAML metadata block:
---
title: "Acceptable Use Policy"
description: "Policy governing acceptable use of company resources"
weight: 10
taxonomies:
SCF:
- HRS-05
TSC2017:
- CC2.1
extra:
owner: Jane Smith
last_reviewed: "2025-01-15"
major_revisions:
- date: "2025-01-15"
description: Annual review.
revised_by: Jane Smith
approved_by: John Doe
version: "1.2"
---
Policy content goes here.
{% redact() %}
Internal notes - stripped from redacted PDFs.
{% end %}| Input | Default | Description |
|---|---|---|
config_path |
config.toml |
Path to Zola config file |
output_dir |
public |
Output directory for the build |
draft_mode |
false |
Stamp PDFs with a DRAFT watermark |
redact_mode |
false |
Strip content inside redaction tags |
| Output | Description |
|---|---|
pdf_path |
Directory containing generated PDFs |
site_path |
Directory containing built static site (public/) |
report_path |
Directory containing compliance reports |
PDFs are named {Title}_-_v{version}.pdf. With redact_mode: true, the name becomes {Title}_(Redacted)_-_v{version}.pdf. With draft_mode: true, it becomes {Title}_(Draft)_-_v{version}.pdf.
PDFs are generated with Typst: markdown is rendered to Typst markup in-process (zigmark), mermaid diagrams become inline SVG via pozeiden, and the layout matches the classic Eisvogel look. The only external tool is the typst binary (bundled in the devshell and GitHub Action; on Windows install it with winget install Typst.Typst - without the Source Sans 3 font typst falls back to its embedded fonts, a cosmetic difference only).
Keep policies in pure Markdown. Raw or inline HTML renders on the website but the PDF pipeline silently drops it, so the two artifacts would diverge. The build flags raw HTML in any policy body as audit-critical - a warning by default, fatal with --strict. To show HTML as an example, put it in a fenced code block or inline code. Site-only pages (such as the guides on this site) may use HTML freely; only the policy directory is rendered to PDF.
The site includes optional compliance coverage views. To enable them, add your control data files and configure the paths:
[extra.policypress]
scf_controls = "templates/opencontrols/standards/SCF.yml"
tsc2017_controls = "templates/opencontrols/standards/TSC-2017 (SOC2).yml"
scf_report_page = "@/reports/scf.md"
soc2_report_page = "@/reports/soc2.md"Control data files are customer-supplied - PolicyPress does not ship them. The format matches the OpenControl standard.
Requires Nix.
# Live preview with hot reload (recommended)
nix run github:sc2in/policypress#serve
# Generate PDFs only
nix run github:sc2in/policypress -- -c config.toml -o public
# Generate redacted PDFs
nix run github:sc2in/policypress -- -c config.toml -o public/redacted --redact
# Verbose output (shows typst invocations)
nix run github:sc2in/policypress -- -v -c config.toml -o public
# CI-friendly JSON log output
nix run github:sc2in/policypress -- --json -c config.toml -o publicgit clone https://github.com/sc2in/policypress
cd policypress
nix develop
zig build
zig build test| Dependency | Purpose |
|---|---|
| Zola | Static site generator |
| Typst | PDF compilation |
| zigmark | Markdown parsing + Typst rendering |
| pozeiden | Mermaid diagrams to SVG |
| tomlz | TOML config parsing |
| clap | CLI argument parsing |
| mvzr | Regex for markdown transforms |
| zig-datetime | Date handling |
PolicyPress is developed and maintained by Star City Security Consulting, LLC (SC2).
Primary contributors:
- Ben Craton - architecture, implementation, security design
With assistance from:
- Perplexity.ai - research assistance
- Github Copilot - pair programming and code review
- Claude (Anthropic) - pair programming and code review
Built on:
- Zola - static site generator
- Typst - PDF typesetting
- Eisvogel by Pascal Wagler - the PDF layout PolicyPress reproduces
- Secure Controls Framework (SCF) - control taxonomy
- AICPA Trust Services Criteria (TSC) - SOC 2 control framework
PolicyPress is released under the PolyForm Noncommercial License 1.0.0 — free and open for noncommercial use, including personal projects, research, education, nonprofits, and government. The source is public: read it, run it, modify it, and self-host it for any noncommercial purpose.
Commercial use — using PolicyPress in or for a for-profit business — requires a commercial license. Contact sc2.in.
Copyright © 2026 Star City Security Consulting, LLC (SC2) - sc2.in


