Skip to content

sc2in/PolicyPress

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

344 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

PolicyPress

CI Latest Release License: PolyForm Noncommercial

Live demo · Documentation · Sample PDF

Compliance policy management for small and mid-size teams — write policies in Markdown, version them in Git, publish a branded static site, and generate audit-ready PDFs, all from a single GitHub Action.

PolicyPress is built on Zola and Typst. You host it yourself in your own Git repository — PolicyPress is the theme and toolchain, not the content, so your policies never leave your infrastructure. Consultants and MSPs can just as easily run it on behalf of their clients.

See it in action

PolicyPress homepage showing the hero and feature overview

A policy page Automatic compliance coverage
A policy page with version, last-reviewed date, and PDF download A SOC 2 control-coverage report generated from policy tags

Browse the live demo, or open a sample redacted PDF straight from the pipeline.

Who this is for

"I run a small business. My employees need an acceptable use policy, a data handling policy, maybe an employee handbook - right now it's a Word doc someone emailed around and nobody knows which version is current. I want something that looks professional, is always current, and doesn't require SharePoint."

PolicyPress is for that person. If you are comfortable enough with GitHub to click a button and edit a text file, you can have a professional policy library with version-controlled PDFs in an afternoon. You do not need to know anything about web development, LaTeX, or compliance frameworks.

What you get:

  • A policy website your employees can bookmark
  • A PDF for every policy, named by title and version, ready to hand to an auditor or attach to a vendor questionnaire
  • A full revision history: who approved what, and when
  • Draft watermarks for policies under review
  • Redaction tags for internal notes that should not appear in distributed copies

Why PolicyPress

Most teams manage policies in one of three ways, and each leaves a gap PolicyPress fills:

Instead of… The gap With PolicyPress
Notion / Confluence / SharePoint No real version history, no audit-ready PDFs, not Git-native Every change is a Git commit; each policy exports a versioned PDF
Drata / Vanta and other GRC SaaS Heavyweight, cloud-only, subscription-priced; your data lives in their platform Runs from your own repo with no subscription; your data never leaves your infrastructure
Plain Zola / MkDocs A website, but no PDFs, no compliance-control mapping, no draft/redaction workflow Site and PDFs from one source, with SCF/SOC 2 coverage reports and redaction built in

Self-hosted, Git-native, and free for noncommercial use — no SaaS lock-in.

How it works

  1. Your policies live in a Git repository as Markdown files
  2. On every push, the sc2in/policypress GitHub Action builds the policy site and generates PDFs
  3. The site deploys to GitHub Pages; PDFs are uploaded as artifacts for download

Quick start

The fastest path: use the policypress-template repository. Click Use this template → Create a new repository, edit config.toml with your organization name and brand color, replace the logo, enable GitHub Pages, and push.

If you need Azure DevOps or a custom setup, see the Installation guide.

Policy front matter

Every policy file starts with a YAML metadata block:

---
title: "Acceptable Use Policy"
description: "Policy governing acceptable use of company resources"
weight: 10

taxonomies:
  SCF:
    - HRS-05
  TSC2017:
    - CC2.1

extra:
  owner: Jane Smith
  last_reviewed: "2025-01-15"
  major_revisions:
    - date: "2025-01-15"
      description: Annual review.
      revised_by: Jane Smith
      approved_by: John Doe
      version: "1.2"
---

Policy content goes here.

{% redact() %}
Internal notes - stripped from redacted PDFs.
{% end %}

Action inputs

Input Default Description
config_path config.toml Path to Zola config file
output_dir public Output directory for the build
draft_mode false Stamp PDFs with a DRAFT watermark
redact_mode false Strip content inside redaction tags

Action outputs

Output Description
pdf_path Directory containing generated PDFs
site_path Directory containing built static site (public/)
report_path Directory containing compliance reports

PDF output

PDFs are named {Title}_-_v{version}.pdf. With redact_mode: true, the name becomes {Title}_(Redacted)_-_v{version}.pdf. With draft_mode: true, it becomes {Title}_(Draft)_-_v{version}.pdf.

PDFs are generated with Typst: markdown is rendered to Typst markup in-process (zigmark), mermaid diagrams become inline SVG via pozeiden, and the layout matches the classic Eisvogel look. The only external tool is the typst binary (bundled in the devshell and GitHub Action; on Windows install it with winget install Typst.Typst - without the Source Sans 3 font typst falls back to its embedded fonts, a cosmetic difference only).

Keep policies in pure Markdown. Raw or inline HTML renders on the website but the PDF pipeline silently drops it, so the two artifacts would diverge. The build flags raw HTML in any policy body as audit-critical - a warning by default, fatal with --strict. To show HTML as an example, put it in a fenced code block or inline code. Site-only pages (such as the guides on this site) may use HTML freely; only the policy directory is rendered to PDF.

Compliance reports

The site includes optional compliance coverage views. To enable them, add your control data files and configure the paths:

[extra.policypress]
scf_controls     = "templates/opencontrols/standards/SCF.yml"
tsc2017_controls = "templates/opencontrols/standards/TSC-2017 (SOC2).yml"
scf_report_page  = "@/reports/scf.md"
soc2_report_page = "@/reports/soc2.md"

Control data files are customer-supplied - PolicyPress does not ship them. The format matches the OpenControl standard.

Local development

Requires Nix.

# Live preview with hot reload (recommended)
nix run github:sc2in/policypress#serve

# Generate PDFs only
nix run github:sc2in/policypress -- -c config.toml -o public

# Generate redacted PDFs
nix run github:sc2in/policypress -- -c config.toml -o public/redacted --redact

# Verbose output (shows typst invocations)
nix run github:sc2in/policypress -- -v -c config.toml -o public

# CI-friendly JSON log output
nix run github:sc2in/policypress -- --json -c config.toml -o public

Building from source

git clone https://github.com/sc2in/policypress
cd policypress
nix develop
zig build
zig build test

Dependencies

Dependency Purpose
Zola Static site generator
Typst PDF compilation
zigmark Markdown parsing + Typst rendering
pozeiden Mermaid diagrams to SVG
tomlz TOML config parsing
clap CLI argument parsing
mvzr Regex for markdown transforms
zig-datetime Date handling

Credits

PolicyPress is developed and maintained by Star City Security Consulting, LLC (SC2).

Primary contributors:

  • Ben Craton - architecture, implementation, security design

With assistance from:

Built on:

License

PolicyPress is released under the PolyForm Noncommercial License 1.0.0 — free and open for noncommercial use, including personal projects, research, education, nonprofits, and government. The source is public: read it, run it, modify it, and self-host it for any noncommercial purpose.

Commercial use — using PolicyPress in or for a for-profit business — requires a commercial license. Contact sc2.in.

Copyright © 2026 Star City Security Consulting, LLC (SC2) - sc2.in

About

Compliance policies in Git, audit-ready PDFs on every push — free for noncommercial use.

Topics

Resources

License

Code of conduct

Contributing

Security policy

Stars

2 stars

Watchers

1 watching

Forks

Contributors