Open-source compliance automation toolkit for SOC 2, ISO 27001, and GDPR
Documentation · Website · Community · Blog
A comprehensive collection of 50+ open-source tools designed to automate compliance workflows, collect evidence, and maintain continuous compliance for SOC 2, ISO 27001, GDPR, HIPAA, and other security frameworks.
Built by compliance practitioners who were tired of:
- Manual screenshot collection
- Spreadsheet-based evidence tracking
- Last-minute audit scrambling
- Expensive compliance consultants for basic tasks
LowerPlane Compliance Toolkit is:
- Free & Open Source - MIT licensed
- Production Ready - Used by companies managing $200M+ in deals
- Framework Agnostic - Works with any compliance framework
- Privacy First - Run everything locally or self-hosted
- Integration Rich - 100+ integrations with cloud providers and SaaS tools
```bash
# Clone the repository
git clone https://github.com/lowerplane/compliance-toolkit.git
cd compliance-toolkit

# Build all CLI tools using the Makefile
make build-cli

# Or build individual tools
cd tools/cli/soc2-check
go build -o soc2-check ./cmd/soc2-check   # main.go lives in cmd/soc2-check/ (see the project layout below)
cd ../mfa-status
go build -o mfa-status ./cmd
cd ../public-bucket
go build -o public-bucket ./cmd

# Or use the build script for all 33 CLI tools
./BUILD_ALL.sh
```

```bash
# macOS/Linux via Homebrew
brew tap lowerplane/tap
brew install lowerplane-toolkit

# Verify installation
soc2-check --version
mfa-status --version
public-bucket --version
```

```bash
# Check SOC 2 readiness
./soc2-check --provider aws --region us-east-1

# Check MFA status across all services
./mfa-status --all

# Find public storage buckets across all configured providers
./public-bucket --provider all
```

```bash
# Start PolicyHub
cd tools/cloud/policy-hub
docker-compose up -d
# Frontend: http://localhost:5173
# Backend: http://localhost:3001

# Start AccessReview
cd tools/cloud/access-review
docker-compose up -d
# Backend: http://localhost:3002

# Start VendorRisk
cd tools/cloud/vendor-risk
docker-compose up -d
# Backend: http://localhost:3003

# Start CloudScanner
cd tools/cloud/cloud-scanner
docker-compose up -d
# Backend: http://localhost:3004

# All cloud tools available:
# - PolicyHub, AccessReview, VendorRisk, CloudScanner
# - FrameworkMapper, AuditTrail, TrainingTracker
# - ChangeLog, IncidentResponse, PentestPortal
```

Treat these localhost ports as development endpoints: the tools hold policy text, access-review data and scan findings, so put TLS and authentication in front of them before exposing any of them beyond your workstation.

Tier 1: High-Impact Security Checks
| Tool | Description | Use Case |
|---|---|---|
| soc2-check | SOC 2 compliance scanner for AWS/GCP/Azure | Pre-audit readiness assessment |
| mfa-status | MFA coverage across all platforms | Verify logical access controls |
| public-bucket | Find publicly accessible cloud storage | Prevent data breaches |
| compliance-ci | CI/CD compliance checks | Shift-left compliance |
| api-key-scanner | Detect exposed secrets in code | Prevent credential leaks |
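The Tier 1 scanners all end the same way: a list of failed checks is reduced to a score for the report and, in CI, to a pass/fail decision. The Go program below is an added example, not code from the toolkit. It models findings with the severity labels the sample output further down uses (Critical/High/Medium), folds them into a 0..100 score, and implements the kind of `--fail-on critical,high` gate the CI use case relies on. The control IDs, resource names, sample findings and the 10/5/1 weights are constructed for illustration and are not the toolkit's scoring rule.

```go
package main

import (
	"fmt"
	"os"
	"sort"
	"strings"
)

// Severity of a failed check, ordered so that a higher value is worse.
type Severity int

const (
	Medium Severity = iota
	High
	Critical
)

var severityNames = map[string]Severity{"medium": Medium, "high": High, "critical": Critical}

func (s Severity) String() string {
	switch s {
	case Critical:
		return "Critical"
	case High:
		return "High"
	default:
		return "Medium"
	}
}

// Points each severity subtracts from a 100-point baseline (assumed weights).
var weights = map[Severity]int{Critical: 10, High: 5, Medium: 1}

// Finding is one failed control check from a scan.
type Finding struct {
	Control  string // SOC 2 criterion, e.g. "CC6.1"
	Check    string // what was tested
	Resource string // what failed the test
	Severity Severity
}

// Score folds findings into a 0..100 score plus per-severity counts.
func Score(findings []Finding) (int, map[Severity]int) {
	counts := map[Severity]int{}
	score := 100
	for _, f := range findings {
		counts[f.Severity]++
		score -= weights[f.Severity]
	}
	if score < 0 {
		score = 0
	}
	return score, counts
}

// ParseFailOn parses a --fail-on value such as "critical,high" into a threshold set.
func ParseFailOn(spec string) (map[Severity]bool, error) {
	failOn := map[Severity]bool{}
	for _, part := range strings.Split(spec, ",") {
		name := strings.ToLower(strings.TrimSpace(part))
		if name == "" {
			continue
		}
		sev, ok := severityNames[name]
		if !ok {
			return nil, fmt.Errorf("unknown severity %q in --fail-on", part)
		}
		failOn[sev] = true
	}
	return failOn, nil
}

// ShouldFail reports whether a CI job must fail: any finding at a listed severity breaks the build.
func ShouldFail(findings []Finding, failOn map[Severity]bool) bool {
	for _, f := range findings {
		if failOn[f.Severity] {
			return true
		}
	}
	return false
}

// Report renders a summary in the shape of the README's sample output, worst findings first.
func Report(findings []Finding) string {
	score, counts := Score(findings)
	sorted := append([]Finding(nil), findings...)
	sort.SliceStable(sorted, func(i, j int) bool { return sorted[i].Severity > sorted[j].Severity })
	var b strings.Builder
	fmt.Fprintf(&b, "Compliance score %d/100\n", score)
	for _, sev := range []Severity{Critical, High, Medium} {
		fmt.Fprintf(&b, "- %d %s issues\n", counts[sev], sev)
	}
	for _, f := range sorted {
		fmt.Fprintf(&b, "  [%s] %s: %s (%s)\n", f.Severity, f.Control, f.Check, f.Resource)
	}
	return b.String()
}

// SampleFindings is constructed data standing in for a real AWS scan.
func SampleFindings() []Finding {
	return []Finding{
		{"CC6.1", "Root account has MFA enabled", "arn:aws:iam::123456789012:root", Critical},
		{"CC7.2", "CloudTrail enabled in all regions", "us-east-1", Critical},
		{"CC6.1", "S3 default encryption enabled", "s3://finance-exports", High},
		{"CC6.1", "S3 default encryption enabled", "s3://hr-backups", High},
		{"CC6.3", "No IAM user carries inline AdministratorAccess", "iam:user/deploy-bot", High},
		{"CC6.1", "IAM password policy requires 14+ characters", "account", Medium},
		{"CC7.2", "CloudWatch log group retention set", "/aws/lambda/api", Medium},
	}
}

func main() {
	findings := SampleFindings()
	fmt.Print(Report(findings))
	failOn, err := ParseFailOn("critical,high") // same value a CI job would pass as --fail-on
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	if ShouldFail(findings, failOn) {
		fmt.Println("FAIL: findings at or above the --fail-on threshold")
		os.Exit(1)
	}
	fmt.Println("PASS")
}
```

The exit code is the part that matters in a pipeline: an unknown severity name in `--fail-on` is treated as a configuration error (exit 2) rather than silently gating on nothing, which is the failure mode that lets a typo disable the check.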
Tier 2: Evidence Collection
| Tool | Description | Use Case |
|---|---|---|
| evidence-cli | Automated evidence collection | Continuous compliance |
| access-last-used | Find stale accounts | Access review automation |
| admin-access | Audit privileged accounts | Least privilege verification |
| audit-export | Export audit-ready reports | Auditor deliverables |
| evidence-hash | Tamper-proof evidence | Evidence integrity |
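evidence-hash exists to make collected evidence tamper-evident, which needs more than a hash per file: an auditor has to be able to tell that the manifest itself was not edited after the fact. The Go code below is an added example, not the toolkit's implementation, of the mechanism such a tool needs. Each artifact gets a SHA-256, and the manifest entries are hash-chained so that a changed file, a manifest entry edited to cover it, a dropped or reordered entry, and a wholesale rebuilt manifest are each detected, provided the final chain value (the head) was recorded somewhere the evidence collector cannot rewrite. The file names and contents are constructed sample evidence; the all-zero genesis value and the 0x00 separator inside the chain link are choices made for this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// genesis is the chain value before the first entry (a constant chosen for this example).
var genesis = strings.Repeat("0", 64)

// Evidence is one collected artifact: its name and bytes.
type Evidence struct {
	Name string
	Data []byte
}

// Entry is one manifest line: the file hash and the running chain value that
// commits to this entry and every entry before it.
type Entry struct {
	Name     string
	FileHash string // SHA-256 of the artifact
	Chain    string // SHA-256(prevChain || name || 0x00 || FileHash)
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// link derives the next chain value; the 0x00 separator keeps name and hash
// from being ambiguous when concatenated.
func link(prev, name, fileHash string) string {
	return sha256Hex([]byte(prev + name + "\x00" + fileHash))
}

// BuildManifest hashes each item and chains the entries in name order so the
// same evidence set always yields the same manifest and head.
func BuildManifest(items []Evidence) []Entry {
	sorted := append([]Evidence(nil), items...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Name < sorted[j].Name })
	prev := genesis
	manifest := make([]Entry, 0, len(sorted))
	for _, it := range sorted {
		fh := sha256Hex(it.Data)
		prev = link(prev, it.Name, fh)
		manifest = append(manifest, Entry{Name: it.Name, FileHash: fh, Chain: prev})
	}
	return manifest
}

// Head is the single value to record out of band (audit ticket, signed commit,
// timestamping service): it commits to the whole manifest.
func Head(m []Entry) string {
	if len(m) == 0 {
		return genesis
	}
	return m[len(m)-1].Chain
}

// Verify checks a stored manifest against the evidence currently available and
// the out-of-band head. An empty result means the evidence set is intact.
func Verify(manifest []Entry, items []Evidence, recordedHead string) []string {
	byName := make(map[string][]byte, len(items))
	for _, it := range items {
		byName[it.Name] = it.Data
	}
	var problems []string
	prev := genesis
	for _, e := range manifest {
		data, ok := byName[e.Name]
		switch {
		case !ok:
			problems = append(problems, e.Name+": missing")
		case sha256Hex(data) != e.FileHash:
			problems = append(problems, e.Name+": content modified")
		}
		if link(prev, e.Name, e.FileHash) != e.Chain {
			problems = append(problems, e.Name+": chain link broken (manifest edited or reordered)")
		}
		prev = e.Chain
	}
	if prev != recordedHead {
		problems = append(problems, "head mismatch: manifest does not match the recorded head")
	}
	return problems
}

// Format renders the manifest as "filehash  chainhash  name" lines.
func Format(m []Entry) string {
	var b strings.Builder
	for _, e := range m {
		fmt.Fprintf(&b, "%s  %s  %s\n", e.FileHash, e.Chain, e.Name)
	}
	return b.String()
}

// SampleEvidence is constructed stand-in data for collected evidence files.
func SampleEvidence() []Evidence {
	return []Evidence{
		{"2025-01-15_mfa-report.csv", []byte("user,mfa\nalice,yes\nbob,no\n")},
		{"2025-01-15_cloudtrail.json", []byte(`{"IsMultiRegionTrail":true}`)},
		{"2025-01-15_public-buckets.txt", []byte("finance-exports: public-read\n")},
	}
}

func main() {
	items := SampleEvidence()
	manifest := BuildManifest(items)
	fmt.Print(Format(manifest))
	fmt.Println("record this head out of band:", Head(manifest))

	// Someone "fixes" bob's MFA status in the CSV after the manifest was produced.
	items[0].Data = []byte("user,mfa\nalice,yes\nbob,yes\n")
	for _, p := range Verify(manifest, items, Head(manifest)) {
		fmt.Println("PROBLEM:", p)
	}
}
```

Only the head has to be protected; everything else can sit next to the evidence. Without an out-of-band head, an attacker who can write the evidence directory simply regenerates the manifest, which is why a per-file checksum list on its own is not tamper-proof.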
Tier 3: Control Testing
| Tool | Description | Use Case |
|---|---|---|
| password-policy | Validate password requirements | CC6.1 compliance |
| encrypt-check | Verify encryption at rest/transit | CC6.1 compliance |
| log-retention | Check log retention periods | CC7.2 compliance |
| backup-test | Verify backup configurations | CC7.5 compliance |
| ssl-expiry | Monitor SSL certificates | Prevent outages |
Tier 4: Specialized Checks
| Tool | Description | Use Case |
|---|---|---|
| email-security | Verify SPF/DKIM/DMARC | Email authentication |
| db-encryption | Check database encryption | Data protection |
| container-scan | Scan containers for CVEs | Supply chain security |
| firewall-rules | Audit firewall changes | Change management |
| patch-status | Check system patch levels | Vulnerability management |
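Of the Tier 4 checks, email-security is the one whose logic fits in a few dozen lines: read the SPF record at the domain apex and the DMARC record at `_dmarc.<domain>`, then grade what the policy actually allows. The Go code below is an added example, not the toolkit's code. It evaluates TXT records passed in as strings (constructed here for a fictional domain) instead of resolving DNS, so it runs offline; DKIM is left out because a DKIM check needs the selector names a domain uses, which DNS does not enumerate. The severity labels are this example's choice, and the lookup limit and the `ptr` deprecation come from RFC 7208.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding is one email-authentication weakness.
type Finding struct {
	Severity string // Critical, High, Medium or Low (labels chosen for this example)
	Message  string
}

// parseTags splits a tag=value record such as "v=DMARC1; p=none; rua=mailto:x"
// into a lower-cased tag map.
func parseTags(record string) map[string]string {
	tags := map[string]string{}
	for _, part := range strings.Split(record, ";") {
		kv := strings.SplitN(strings.TrimSpace(part), "=", 2)
		if len(kv) == 2 {
			tags[strings.ToLower(strings.TrimSpace(kv[0]))] = strings.TrimSpace(kv[1])
		}
	}
	return tags
}

// recordsWithPrefix keeps the TXT records that start with the given version tag.
func recordsWithPrefix(txt []string, prefix string) []string {
	var out []string
	for _, r := range txt {
		if strings.HasPrefix(strings.ToLower(strings.TrimSpace(r)), prefix) {
			out = append(out, strings.TrimSpace(r))
		}
	}
	return out
}

// CheckSPF grades the SPF TXT records published at the domain apex.
func CheckSPF(txt []string) []Finding {
	spf := recordsWithPrefix(txt, "v=spf1")
	if len(spf) == 0 {
		return []Finding{{"High", "no SPF record: receivers cannot reject mail from unauthorized hosts"}}
	}
	if len(spf) > 1 {
		return []Finding{{"High", "more than one SPF record: receivers treat this as permerror"}}
	}
	var out []Finding
	lookups := 0 // include, a, mx, ptr, exists and redirect each cost a DNS lookup
	all := ""
	for _, term := range strings.Fields(spf[0])[1:] {
		lower := strings.ToLower(term)
		name := strings.TrimLeft(lower, "+-~?") // strip the qualifier
		mech := name
		if i := strings.IndexAny(name, ":/="); i >= 0 {
			mech = name[:i]
		}
		switch mech {
		case "include", "a", "mx", "ptr", "exists", "redirect":
			lookups++
			if mech == "ptr" {
				out = append(out, Finding{"Medium", "ptr mechanism is deprecated (RFC 7208 section 5.5)"})
			}
		case "all":
			all = lower
		}
	}
	switch all {
	case "-all":
		// strict fail: the desired end state
	case "~all":
		out = append(out, Finding{"Low", "~all softfail: move to -all once DMARC is at p=reject"})
	case "?all":
		out = append(out, Finding{"High", "?all is neutral: SPF can never fail"})
	case "+all", "all":
		out = append(out, Finding{"Critical", "+all authorizes every host on the internet to send as this domain"})
	default:
		out = append(out, Finding{"High", "no all mechanism: unlisted senders get a neutral result"})
	}
	if lookups > 10 {
		out = append(out, Finding{"High", fmt.Sprintf("%d lookup terms exceed the RFC 7208 limit of 10 (permerror)", lookups)})
	}
	return out
}

// CheckDMARC grades the TXT records published at _dmarc.<domain>.
func CheckDMARC(txt []string) []Finding {
	recs := recordsWithPrefix(txt, "v=dmarc1")
	if len(recs) == 0 {
		return []Finding{{"Critical", "no DMARC record: spoofed mail is neither rejected nor reported"}}
	}
	if len(recs) > 1 {
		return []Finding{{"High", "more than one DMARC record: receivers ignore the policy"}}
	}
	tags := parseTags(recs[0])
	var out []Finding
	switch strings.ToLower(tags["p"]) {
	case "reject":
	case "quarantine":
		out = append(out, Finding{"Medium", "p=quarantine: spoofed mail is delivered to spam instead of rejected"})
	case "none":
		out = append(out, Finding{"High", "p=none is monitor-only: spoofed mail is delivered"})
	default:
		out = append(out, Finding{"High", "missing or invalid p= tag: record is not a valid policy"})
	}
	if pct, ok := tags["pct"]; ok && pct != "100" {
		out = append(out, Finding{"Medium", "pct=" + pct + ": policy is applied to only part of the mail"})
	}
	if _, ok := tags["rua"]; !ok {
		out = append(out, Finding{"Low", "no rua= address: no aggregate reports, so spoofing goes unseen"})
	}
	return out
}

func main() {
	// Constructed records for a fictional domain; a real tool would resolve TXT
	// for example.com and _dmarc.example.com.
	apex := []string{"v=spf1 include:_spf.google.com ip4:203.0.113.0/24 ~all", "google-site-verification=abc"}
	dmarc := []string{"v=DMARC1; p=none; rua=mailto:dmarc@example.com"}
	for _, f := range append(CheckSPF(apex), CheckDMARC(dmarc)...) {
		fmt.Printf("[%s] %s\n", f.Severity, f.Message)
	}
}
```

The two grades belong together: SPF with `-all` achieves little while DMARC sits at `p=none`, because receivers only act on an SPF failure when DMARC tells them to.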
| Tool | Description | Tech Stack |
|---|---|---|
| PolicyHub | Security policy management with version control | React/Node.js/PostgreSQL |
| AccessReview | Automated quarterly access reviews | React/Node.js/PostgreSQL |
| VendorRisk | Third-party vendor risk assessment | React/Node.js/PostgreSQL |
| CloudScanner | Real-time cloud compliance monitoring | React/Node.js/PostgreSQL |
| FrameworkMapper | Map controls across compliance frameworks | React/Node.js/PostgreSQL |
| AuditTrail | Centralized audit logging | React/Node.js/PostgreSQL |
| TrainingTracker | Security awareness training management | React/Node.js/PostgreSQL |
| ChangeLog | Change management tracking | React/Node.js/PostgreSQL |
| IncidentResponse | Security incident management | React/Node.js/PostgreSQL |
| PentestPortal | Penetration testing management | React/Node.js/PostgreSQL |
| Tool | Description | Platform |
|---|---|---|
| ComplianceDesktop | Evidence collection agent | Windows/macOS/Linux |
| SecureClipboard | Compliance screenshot tool | Windows/macOS/Linux |
| BackupVerifier | Backup integrity testing | Windows/macOS/Linux |
| EncryptionChecker | Local encryption audit | Windows/macOS/Linux |
| PasswordAuditor | Password security auditor | Windows/macOS/Linux |
| AssetInventory | IT asset discovery | Windows/macOS/Linux |
| ComplianceSync | Background evidence sync | Windows/macOS/Linux |
```text
┌───────────────────────────────────────────────────────────────┐
│                 LowerPlane Compliance Toolkit                 │
└───────────────────────────────────────────────────────────────┘
                                │
                ┌───────────────┼───────────────┐
                │               │               │
        ┌───────▼───────┐ ┌─────▼──────┐ ┌──────▼──────┐
        │   CLI Tools   │ │Cloud Tools │ │Desktop Tools│
        │     (Go)      │ │(React/Node)│ │ (Electron)  │
        └───────┬───────┘ └─────┬──────┘ └──────┬──────┘
                │               │               │
        ┌───────▼───────────────▼───────────────▼───────┐
        │           Integration Layer (APIs)            │
        └───────────────────┬───────────────────────────┘
                            │
        ┌───────────────────▼───────────────────────────┐
        │   AWS │ GCP │ Azure │ Okta │ GitHub │ ...     │
        └───────────────────────────────────────────────┘
```
CLI Tools:
- Language: Go 1.21+
- Libraries: cobra, aws-sdk-go-v2, google-cloud-go
- Distribution: Homebrew, apt, yum, winget
Cloud Tools:
- Frontend: React 18, TypeScript, Tailwind CSS
- Backend: Node.js 18, Express, TypeScript
- Database: PostgreSQL 15
- Container: Docker, Docker Compose
Desktop Tools:
- Framework: Electron 28
- Backend: Go (for system access)
- Distribution: DMG (macOS), MSI (Windows), AppImage (Linux)
```bash
# Scan AWS infrastructure
soc2-check --provider aws --region us-east-1 --output report.html
# Example output:
# Compliance score 67/100
# - 2 Critical issues (Root MFA, CloudTrail)
# - 8 High issues (S3 encryption, IAM)
# - 10 Medium issues
```

```bash
# Check MFA across all services
mfa-status --all --output mfa-report.csv
# Example output:
# 96.8% coverage across 222 users
# - AWS: 89.4% (5 users missing MFA)
# - Okta: 98.7% (2 users missing MFA)
# - GitHub: 100%
```

```bash
# Find public S3/GCS/Azure buckets
public-bucket --provider all
# Example output:
# Found 5 public buckets
# - 1 Critical (public write access)
# - 2 High (public read with data)
# - 2 Medium (public read, empty)
```

The results above are illustrative; what a real run reports depends on the accounts scanned.

```yaml
# .github/workflows/compliance.yml
name: Compliance Check
on: [push, pull_request]
jobs:
  compliance:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install LowerPlane CLI
        run: |
          curl -sSL https://get.lowerplane.com/install | bash
      - name: Run Compliance Checks
        run: |
          compliance-ci --config .compliance.yml
      - name: Upload Results
        uses: actions/upload-artifact@v4
        with:
          name: compliance-report
          path: compliance-report.html
```

Two things to tighten before this workflow gates merges: the install step executes whatever https://get.lowerplane.com/install returns on every run, so prefer a pinned package from the repositories listed under installation, or download the script to a file and verify it before running it; and pin the third-party actions to a commit SHA rather than a moving major tag, so a compromised or re-pointed tag cannot change what runs in your pipeline.

```bash
# Start PolicyHub
cd tools/cloud/policy-hub
docker-compose up -d
# Access at http://localhost:3001
# Create policies, track versions, manage approvals
```

- Local Execution - No data leaves your environment
- Self-Hosted - Deploy on your own infrastructure
- Open Source - Audit the code yourself
- No Phone-Home - Zero telemetry by default
- SOC 2 Type I & II
- ISO 27001
- GDPR
- HIPAA
- PCI-DSS
- NIST CSF
- Custom frameworks
Cloud Providers: AWS, GCP, Azure, DigitalOcean, Linode
Identity: Okta, Azure AD, Google Workspace, Auth0, OneLogin
DevOps: GitHub, GitLab, BitBucket, Jenkins, CircleCI
Monitoring: CloudWatch, Stackdriver, DataDog, Splunk
More: Slack, Jira, PagerDuty, 1Password, and 50+ more
- Automated evidence collection
- Real-time monitoring
- Drift detection
- Scheduled scans
- Webhook notifications
- CLI Tools: Go 1.21+ (optional, pre-built binaries available)
- Cloud Tools: Docker 24.0+, Docker Compose 2.0+
- Desktop Tools: Node.js 18+ (for building from source)
```bash
# Add LowerPlane tap
brew tap lowerplane/tap
# Install CLI tools
brew install lowerplane-toolkit
# Install desktop apps
brew install --cask lowerplane-desktop
brew install --cask lowerplane-clipboard
```

```bash
# Linux/macOS
curl -sSL https://get.lowerplane.com/install | bash
# Windows (PowerShell)
iwr -useb https://get.lowerplane.com/install.ps1 | iex
```

Both one-liners run whatever the server returns, with your privileges. For anything beyond a throwaway machine, download the script first, read it, check it against a checksum or signature obtained out of band, and only then execute it; the package repositories below give you a signed channel instead.

```bash
# Debian/Ubuntu (apt-key is deprecated: keep the key in its own keyring and scope it to this repository)
curl -fsSL https://apt.lowerplane.com/gpg.key | sudo gpg --dearmor -o /usr/share/keyrings/lowerplane-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/lowerplane-archive-keyring.gpg] https://apt.lowerplane.com stable main" | sudo tee /etc/apt/sources.list.d/lowerplane.list
sudo apt update && sudo apt install lowerplane-toolkit

# RHEL/CentOS
sudo yum-config-manager --add-repo https://yum.lowerplane.com/lowerplane.repo
sudo yum install lowerplane-toolkit

# Windows
winget install LowerPlane.ComplianceToolkit
```

```bash
# Pull cloud tool images (pin a version tag or digest rather than relying on :latest)
docker pull lowerplane/policy-hub
docker pull lowerplane/access-review
docker pull lowerplane/vendor-risk

# Or use Docker Compose
git clone https://github.com/lowerplane/compliance-toolkit.git
cd compliance-toolkit
docker-compose up -d
```

```bash
# Clone repository
git clone https://github.com/lowerplane/compliance-toolkit.git
cd compliance-toolkit

# Build CLI tools
make build-cli

# Build cloud tools
make build-cloud

# Build desktop tools
make build-desktop

# Install locally
make install
```

Problem: You have a SOC 2 audit in 3 months and don't know where you stand.
Solution:

```bash
# Run comprehensive scan
soc2-check --provider aws,gcp --output pre-audit-report.html
# Review findings
open pre-audit-report.html
# Fix critical issues
public-bucket --auto-fix
mfa-status --all --enforce
# Track progress
compliance-score --framework soc2
```

`--auto-fix` and `--enforce` change live configuration. Run each tool without the flag first and read the list of buckets and users it would touch: a bucket that serves a public website is public on purpose, and enforcing MFA can lock out service identities that cannot complete a second factor. Run the fixing pass with credentials scoped to those changes, not an administrator role.

Problem: Your compliance drifts between annual audits.
Solution:

```bash
# Set up continuous monitoring
compliance-ci --continuous --interval 24h --webhook https://slack.com/...
# Automated evidence collection
evidence-cli --schedule daily --export lowerplane
# Real-time alerts
cloud-scanner --monitor --alert critical,high
```

The webhook URL is a bearer credential: anyone holding it can post to the channel. Prefer the `--config` file (with restrictive permissions) or a secret store over the command line, where the URL ends up in shell history and process listings, and rotate it if it ever lands in a log.

Problem: Quarterly access reviews take 40+ hours of manual work.
Solution:

```bash
# Deploy AccessReview tool
cd tools/cloud/access-review
docker-compose up -d
# Connect integrations (AWS, Google Workspace, Okta)
# Generate access reports automatically
# Email managers for review
# Track approvals and revocations
```

Problem: You need to vet 50+ vendors for security compliance.
Solution:

```bash
# Deploy VendorRisk tool
cd tools/cloud/vendor-risk
docker-compose up -d
# Send security questionnaires
# Collect SOC 2 reports
# Track certifications
# Generate risk scores
```

Problem: Security issues reach production.
Solution:

```yaml
# .github/workflows/security.yml
- name: Run Compliance Checks
  run: |
    compliance-ci --fail-on critical,high
    container-scan --image ${{ env.IMAGE }}
    api-key-scanner --path .
```

We love contributions! LowerPlane Compliance Toolkit is built by the community, for the community.
- Report Bugs - Open an issue
- Request Features - Start a discussion
- Improve Docs - Documentation PRs always welcome
- Submit PRs - See CONTRIBUTING.md
- Star the Repo - Help us reach more people
- Join Community - Slack | Discord

```bash
# Fork and clone
git clone https://github.com/YOUR_USERNAME/compliance-toolkit.git
cd compliance-toolkit
# Install dependencies
make deps
# Run tests
make test
# Build everything
make build
# Run locally
make dev
```

See CONTRIBUTING.md for detailed guidelines.
- v1.0.0 (Current) - Initial release with 50+ tools
- v1.1.0 (Q2 2025) - Additional integrations, improved UI
- v1.2.0 (Q3 2025) - Advanced reporting, AI-powered recommendations
- v2.0.0 (Q4 2025) - Multi-tenant support, compliance automation engine
- [x] CLI tools for AWS/GCP/Azure
- [x] Cloud tools (PolicyHub, AccessReview, VendorRisk)
- [x] Desktop applications
- [x] Docker deployment
- [ ] Kubernetes deployment
- [ ] Terraform modules
- [ ] Advanced reporting engine
- [ ] AI-powered risk assessment
- [ ] Mobile applications
- [ ] Slack/Teams bots
While we can't name all our users (NDAs!), our toolkit is used by:
- Startups - Getting SOC 2 compliant to close enterprise deals
- Scale-ups - Maintaining compliance as they grow
- Enterprises - Automating compliance across hundreds of systems
- Educational Institutions - Teaching compliance best practices
- Government Agencies - Meeting NIST and FedRAMP requirements
Compliance shouldn't be locked behind enterprise paywalls.
We believe that:
- Security is a right - Every company deserves good security
- Transparency builds trust - Open source = auditable
- Community drives innovation - Best ideas come from practitioners
- Knowledge should be shared - Help the next generation
- Website: https://lowerplane.com
- Documentation: https://docs.lowerplane.com
- Blog: https://lowerplane.com/blog
- Community: https://community.lowerplane.com
- Slack: https://lowerplane.com/slack
- Discord: https://lowerplane.com/discord
- Twitter: https://twitter.com/lowerplane
- LinkedIn: https://linkedin.com/company/lowerplane
LowerPlane Compliance Toolkit is open source software licensed under the MIT License.
MIT License
Copyright (c) 2025 LowerPlane, Inc.
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
Built with ❤️ by the LowerPlane team and contributors worldwide.
Special thanks to:
- Our amazing open source contributors
- The compliance and security community
- Companies who trusted us early
- Everyone who gave feedback and reported issues
Community support:
- Documentation
- Community Forum
- GitHub Discussions
- Issue Tracker

Enterprise support:
- Priority support
- Phone & video support
- Custom integrations
- Training & onboarding
- Security consulting

Contact: enterprise@lowerplane.com

If you find this project useful, please consider giving it a star!

Made with ❤️ by LowerPlane
Implemented:
- Project structure and folder organization
- All 33 CLI tools implemented in Go
- All 10 cloud tools with Express/TypeScript backends
- All 7 desktop applications with Electron
- PolicyHub React frontend
- Shared Go packages (logger, config, reporter, background)
- Docker Compose setup for all cloud tools
- Basic documentation for all tools
- .gitignore and development setup
- Makefile with build targets

Not yet implemented:
- Integration testing
- CI/CD pipelines
- Cloud tool React frontends (except PolicyHub)
- Homebrew tap setup
- Package distributions (deb, rpm, msi)
- Documentation website
- Example configurations
- Video tutorials
- Kubernetes deployment
- Real cloud provider integrations (AWS/GCP/Azure SDKs)

Note that the Homebrew, apt/yum and winget installation paths described above depend on items in the second list, and that until the provider SDK integrations land the CLI scanners cannot query live accounts, so treat the sample results shown earlier as illustrative.
```text
compliance-toolkit/
├── .github/
│   ├── workflows/
│   │   ├── ci.yml                 # CI/CD pipeline
│   │   ├── release.yml            # Release automation
│   │   ├── security.yml           # Security scanning
│   │   └── docs.yml               # Documentation deployment
│   ├── ISSUE_TEMPLATE/
│   │   ├── bug_report.md
│   │   ├── feature_request.md
│   │   └── question.md
│   ├── PULL_REQUEST_TEMPLATE.md
│   ├── CODEOWNERS
│   └── dependabot.yml
│
├── docs/
│   ├── assets/
│   │   ├── logo.png
│   │   ├── screenshots/
│   │   └── diagrams/
│   ├── frameworks/
│   │   ├── SOC2.md
│   │   ├── ISO27001.md
│   │   ├── GDPR.md
│   │   ├── HIPAA.md
│   │   └── NIST.md
│   ├── guides/
│   │   ├── getting-started.md
│   │   ├── deployment.md
│   │   ├── integrations.md
│   │   └── best-practices.md
│   ├── INSTALLATION.md
│   ├── QUICK_START.md
│   ├── CLI_TOOLS.md
│   ├── CLOUD_TOOLS.md
│   ├── DESKTOP_TOOLS.md
│   ├── ARCHITECTURE.md
│   ├── ARCHITECTURE_DEEP_DIVE.md
│   ├── API.md
│   ├── FAQ.md
│   ├── TROUBLESHOOTING.md
│   └── USERS.md
│
├── tools/
│   ├── cli/
│   │   ├── soc2-check/
│   │   │   ├── cmd/
│   │   │   │   └── soc2-check/
│   │   │   │       └── main.go
│   │   │   ├── pkg/
│   │   │   │   ├── scanner/
│   │   │   │   │   ├── aws.go
│   │   │   │   │   ├── gcp.go
│   │   │   │   │   └── azure.go
│   │   │   │   ├── checks/
│   │   │   │   │   ├── encryption.go
│   │   │   │   │   ├── access.go
│   │   │   │   │   └── logging.go
│   │   │   │   └── report/
│   │   │   │       └── report.go
│   │   │   ├── internal/
│   │   │   │   └── models/
│   │   │   ├── configs/
│   │   │   ├── go.mod
│   │   │   ├── go.sum
│   │   │   ├── README.md
│   │   │   ├── Makefile
│   │   │   └── Dockerfile
│   │   │
│   │   ├── mfa-status/
│   │   │   ├── cmd/
│   │   │   ├── pkg/
│   │   │   ├── internal/
│   │   │   ├── go.mod
│   │   │   ├── README.md
│   │   │   └── Makefile
│   │   │
│   │   ├── public-bucket/
│   │   │   ├── cmd/
│   │   │   ├── pkg/
│   │   │   ├── internal/
│   │   │   ├── go.mod
│   │   │   ├── README.md
│   │   │   └── Makefile
│   │   │
│   │   ├── compliance-ci/
│   │   ├── evidence-cli/
│   │   ├── password-policy/
│   │   ├── ssl-expiry/
│   │   ├── log-retention/
│   │   ├── training-status/
│   │   ├── email-security/
│   │   ├── access-last-used/
│   │   ├── admin-access/
│   │   ├── encrypt-check/
│   │   ├── backup-test/
│   │   ├── api-key-scanner/
│   │   ├── firewall-rules/
│   │   ├── patch-status/
│   │   ├── network-scan/
│   │   ├── gdpr-check/
│   │   ├── vendor-cert/
│   │   ├── policy-version/
│   │   ├── incident-time/
│   │   ├── db-encryption/
│   │   ├── container-scan/
│   │   ├── dns-security/
│   │   ├── session-timeout/
│   │   ├── data-classification/
│   │   ├── compliance-score/
│   │   ├── control-test/
│   │   ├── risk-calculator/
│   │   ├── audit-prep/
│   │   ├── evidence-hash/
│   │   └── audit-export/
│   │
│   ├── cloud/
│   │   ├── policy-hub/
│   │   │   ├── frontend/
│   │   │   │   ├── src/
│   │   │   │   │   ├── components/
│   │   │   │   │   ├── pages/
│   │   │   │   │   ├── hooks/
│   │   │   │   │   ├── utils/
│   │   │   │   │   ├── types/
│   │   │   │   │   ├── App.tsx
│   │   │   │   │   └── main.tsx
│   │   │   │   ├── public/
│   │   │   │   ├── package.json
│   │   │   │   ├── tsconfig.json
│   │   │   │   ├── vite.config.ts
│   │   │   │   └── tailwind.config.js
│   │   │   ├── backend/
│   │   │   │   ├── src/
│   │   │   │   │   ├── controllers/
│   │   │   │   │   ├── models/
│   │   │   │   │   ├── routes/
│   │   │   │   │   ├── middleware/
│   │   │   │   │   ├── services/
│   │   │   │   │   ├── utils/
│   │   │   │   │   └── server.ts
│   │   │   │   ├── migrations/
│   │   │   │   ├── seeds/
│   │   │   │   ├── package.json
│   │   │   │   ├── tsconfig.json
│   │   │   │   └── .env.example
│   │   │   ├── docker-compose.yml
│   │   │   ├── Dockerfile.frontend
│   │   │   ├── Dockerfile.backend
│   │   │   ├── README.md
│   │   │   └── Makefile
│   │   │
│   │   ├── access-review/
│   │   │   ├── frontend/
│   │   │   ├── backend/
│   │   │   ├── docker-compose.yml
│   │   │   └── README.md
│   │   │
│   │   ├── vendor-risk/
│   │   ├── cloud-scanner/
│   │   ├── framework-mapper/
│   │   ├── audit-trail/
│   │   ├── training-tracker/
│   │   ├── change-log/
│   │   ├── incident-response/
│   │   └── pentest-portal/
│   │
│   └── desktop/
│       ├── compliance-desktop/
│       │   ├── src/
│       │   │   ├── main/
│       │   │   │   ├── main.ts        # Electron main process
│       │   │   │   ├── preload.ts     # Preload scripts
│       │   │   │   └── ipc/           # IPC handlers
│       │   │   ├── renderer/
│       │   │   │   ├── components/
│       │   │   │   ├── pages/
│       │   │   │   ├── hooks/
│       │   │   │   ├── App.tsx
│       │   │   │   └── index.tsx
│       │   │   └── shared/
│       │   │       ├── types/
│       │   │       └── utils/
│       │   ├── assets/
│       │   ├── package.json
│       │   ├── electron-builder.yml
│       │   ├── tsconfig.json
│       │   └── README.md
│       │
│       ├── secure-clipboard/
│       ├── backup-verifier/
│       ├── encryption-checker/
│       ├── password-auditor/
│       ├── asset-inventory/
│       └── compliance-sync/
│
├── shared/
│   ├── go/
│   │   ├── auth/                  # Shared authentication
│   │   ├── config/                # Configuration management
│   │   ├── logger/                # Logging utilities
│   │   ├── errors/                # Error handling
│   │   └── utils/                 # Common utilities
│   ├── typescript/
│   │   ├── types/                 # Shared TypeScript types
│   │   ├── utils/                 # Shared utilities
│   │   ├── components/            # Shared React components
│   │   └── hooks/                 # Shared React hooks
│   └── docker/
│       ├── postgres/
│       ├── nginx/
│       └── redis/
│
├── scripts/
│   ├── install.sh                 # Installation script
│   ├── install.ps1                # Windows installation
│   ├── build-cli.sh               # Build all CLI tools
│   ├── build-cloud.sh             # Build cloud tools
│   ├── build-desktop.sh           # Build desktop tools
│   ├── test-all.sh                # Run all tests
│   ├── release.sh                 # Create release
│   └── setup-dev.sh               # Development setup
│
├── configs/
│   ├── soc2-controls.yaml         # SOC 2 control definitions
│   ├── iso27001-controls.yaml     # ISO 27001 controls
│   ├── gdpr-requirements.yaml     # GDPR requirements
│   └── integrations.yaml          # Integration configs
│
├── deployments/
│   ├── kubernetes/
│   │   ├── policy-hub/
│   │   ├── access-review/
│   │   └── vendor-risk/
│   ├── terraform/
│   │   ├── aws/
│   │   ├── gcp/
│   │   └── azure/
│   └── ansible/
│       └── playbooks/
│
├── tests/
│   ├── cli/
│   │   ├── soc2-check_test.go
│   │   ├── mfa-status_test.go
│   │   └── public-bucket_test.go
│   ├── cloud/
│   │   ├── policy-hub.test.ts
│   │   └── access-review.test.ts
│   ├── integration/
│   │   └── e2e/
│   └── fixtures/
│       ├── aws-mocks/
│       └── test-data/
│
├── homebrew/
│   └── Formula/
│       ├── lowerplane-toolkit.rb
│       ├── soc2-check.rb
│       └── mfa-status.rb
│
├── packages/
│   ├── deb/
│   │   └── control
│   ├── rpm/
│   │   └── spec
│   └── msi/
│       └── config.xml
│
├── .gitignore
├── .gitattributes
├── .editorconfig
├── .dockerignore
├── README.md
├── LICENSE
├── CONTRIBUTING.md
├── CODE_OF_CONDUCT.md
├── SECURITY.md
├── CHANGELOG.md
├── ROADMAP.md
├── Makefile
├── docker-compose.yml             # Start all cloud tools
├── docker-compose.dev.yml         # Development setup
└── go.work                        # Go workspace file
```
# Contributing to LowerPlane Compliance Toolkit
Thank you for your interest in contributing! This document provides guidelines and instructions.
## Code of Conduct
Please read and follow our [Code of Conduct](CODE_OF_CONDUCT.md).
## How to Contribute
### Reporting Bugs
- Use GitHub Issues
- Include reproduction steps
- Provide system information
### Feature Requests
- Start a GitHub Discussion
- Describe the use case
- Explain the value
### Pull Requests
1. Fork the repository
2. Create a feature branch
3. Make your changes
4. Add tests
5. Submit a PR
## Development Setup
See [DEVELOPMENT.md](docs/DEVELOPMENT.md)
## Coding Standards
- **Go**: Follow [Effective Go](https://golang.org/doc/effective_go)
- **TypeScript**: Use ESLint + Prettier
- **Commits**: Use [Conventional Commits](https://www.conventionalcommits.org/)
## License
By contributing, you agree that your contributions will be licensed under the MIT License.

# Security Policy
## Reporting a Vulnerability
**Please do not report security vulnerabilities through public GitHub issues.**
Instead, email: security@lowerplane.com
Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
## Response Timeline
- Acknowledgment: Within 24 hours
- Initial assessment: Within 72 hours
- Fix timeline: Depends on severity
## Supported Versions
| Version | Supported |
| ------- | ------------------ |
| 1.x.x | :white_check_mark: |
| < 1.0 | :x: |

# Contributor Covenant Code of Conduct
## Our Pledge
We pledge to make participation in our community a harassment-free experience for everyone.
## Our Standards
Examples of behavior that contributes to a positive environment:
- Using welcoming and inclusive language
- Being respectful of differing viewpoints
- Gracefully accepting constructive criticism
- Focusing on what is best for the community
## Enforcement
Instances of abusive behavior may be reported to conduct@lowerplane.com.

```makefile
.PHONY: help install build build-cli build-cloud build-desktop test clean deps dev release

help: ## Show this help
	@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'

deps: ## Install dependencies
	@echo "Installing Go dependencies..."
	@go mod download
	@echo "Installing Node.js dependencies..."
	@cd tools/cloud && npm install

build-cli: ## Build all CLI tools
	@echo "Building CLI tools..."
	@./scripts/build-cli.sh

build-cloud: ## Build cloud tools
	@echo "Building cloud tools..."
	@./scripts/build-cloud.sh

build-desktop: ## Build desktop tools
	@echo "Building desktop tools..."
	@./scripts/build-desktop.sh

build: build-cli build-cloud build-desktop ## Build everything

test: ## Run all tests
	@echo "Running tests..."
	@./scripts/test-all.sh

install: ## Install all tools locally
	@echo "Installing..."
	@./scripts/install.sh

clean: ## Clean build artifacts
	@echo "Cleaning..."
	@rm -rf dist/
	@rm -rf build/
	@go clean -cache

dev: ## Start development environment
	@docker-compose -f docker-compose.dev.yml up

release: ## Create a release
	@./scripts/release.sh
```