A compliance policy management platform for small and mid-size businesses. Write policies in Markdown, version them in Git, publish a branded static site, and generate audit-ready PDFs — all from a single GitHub Action.
PolicyPress is built on Zola and Pandoc. It is designed to be hosted by your customers in their own repositories; PolicyPress itself is the theme and toolchain, not the content.
"I run a small business. My employees need an acceptable use policy, a data handling policy, maybe an employee handbook - right now it's a Word doc someone emailed around and nobody knows which version is current. I want something that looks professional, is always current, and doesn't require SharePoint."
PolicyPress is for that person. If you are comfortable enough with GitHub to click a button and edit a text file, you can have a professional policy library with version-controlled PDFs in an afternoon. You do not need to know anything about web development, LaTeX, or compliance frameworks.
What you get:
- A policy website your employees can bookmark
- A PDF for every policy, named by title and version, ready to hand to an auditor or attach to a vendor questionnaire
- A full revision history: who approved what, and when
- Draft watermarks for policies under review
- Redaction tags for internal notes that should not appear in distributed copies

- Your policies live in a Git repository as Markdown files
- On every push, the `sc2in/policypress` GitHub Action builds the policy site and generates PDFs
- The site deploys to GitHub Pages; PDFs are uploaded as artifacts for download
The fastest path: use the policypress-template repository. Click Use this template → Create a new repository, edit config.toml with your organization name and brand color, replace the logo, enable GitHub Pages, and push.
If you need Azure DevOps or a custom setup, see the Installation guide.
Every policy file starts with a YAML metadata block:
```markdown
---
title: "Acceptable Use Policy"
description: "Policy governing acceptable use of company resources"
weight: 10
taxonomies:
  SCF:
    - HRS-05
  TSC2017:
    - CC2.1
extra:
  owner: Jane Smith
  last_reviewed: "2025-01-15"
  major_revisions:
    - date: "2025-01-15"
      description: Annual review.
      revised_by: Jane Smith
      approved_by: John Doe
      version: "1.2"
---
Policy content goes here.
{% redact() %}
Internal notes - stripped from redacted PDFs.
{% end %}
```

| Input | Default | Description |
|---|---|---|
| `config_path` | `config.toml` | Path to Zola config file |
| `output_dir` | `public` | Output directory for the build |
| `draft_mode` | `false` | Stamp PDFs with a DRAFT watermark |
| `redact_mode` | `false` | Strip content inside redaction tags |

| Output | Description |
|---|---|
| `pdf_path` | Directory containing generated PDFs |
| `site_path` | Directory containing built static site (`public/`) |
| `report_path` | Directory containing compliance reports |

PDFs are named `{Title}_-_v{version}.pdf`. With `redact_mode: true`, the name becomes `{Title}_(Redacted)_-_v{version}.pdf`. With `draft_mode: true`, it becomes `{Title}_(Draft)_-_v{version}.pdf`.
PDFs are generated using the Eisvogel Pandoc LaTeX template via XeLaTeX.
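
Because `redact_mode` depends on every `{% redact() %}` block being closed by `{% end %}`, a pre-build lint of the policy Markdown catches a tag mistake before a redacted PDF is distributed. The following is an added example, not PolicyPress's own code: `lint_redaction` is a hypothetical helper, and it assumes body shortcodes are never nested.

```python
import re

# Zola body shortcodes: an opener such as {% redact() %}, closed by {% end %}.
TAG = re.compile(r"\{%\s*(?:(end)|(\w+)\s*\([^)]*\))\s*%\}")

def lint_redaction(text):
    """Return (redacted_text, problems) for one policy Markdown file.
    Assumption (not from PolicyPress): body shortcodes are never nested.
    Text after an unclosed redact opener is dropped, so errors fail closed.
    """
    kept, problems = [], []
    current = None                      # (name, line) of the open shortcode
    pos = 0
    for m in TAG.finditer(text):
        line = text.count("\n", 0, m.start()) + 1
        in_redact = current is not None and current[0] == "redact"
        if not in_redact:
            kept.append(text[pos:m.start()])    # text outside redact blocks
        pos = m.end()
        if m.group(1):                          # {% end %}
            if current is None:
                problems.append(f"line {line}: end tag with no open shortcode")
            elif not in_redact:
                kept.append(m.group(0))         # closer of a non-redact shortcode
            current = None
        else:                                   # opener
            name = m.group(2)
            if current is not None:
                problems.append(f"line {line}: {name} opened inside "
                                f"{current[0]} from line {current[1]}")
            if not in_redact:
                if name != "redact":
                    kept.append(m.group(0))
                current = (name, line)
    if current is not None:
        problems.append(f"line {current[1]}: {current[0]} is never closed")
    if current is None or current[0] != "redact":
        kept.append(text[pos:])
    return "".join(kept), problems

# Constructed sample inputs, not taken from a real policy.
GOOD = "Public text.\n{% redact() %}\nInternal note.\n{% end %}\nMore public text.\n"
BAD = "Public text.\n{% redact() %}\nInternal note.\nMore public text.\n"

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("bad", BAD)):
        print(label, *lint_redaction(sample))
```

A non-empty `problems` list is a reason to fail the CI job before the redacted build runs.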
The site includes optional compliance coverage views. To enable them, add your control data files and configure the paths:
```toml
[extra.policypress]
scf_controls = "templates/opencontrols/standards/SCF.yml"
tsc2017_controls = "templates/opencontrols/standards/TSC-2017 (SOC2).yml"
scf_report_page = "@/reports/scf.md"
soc2_report_page = "@/reports/soc2.md"
```

Control data files are customer-supplied - PolicyPress does not ship them. The format matches the OpenControl standard.
Requires Nix. The devshell provides Zola, Pandoc, XeLaTeX, ImageMagick, mermaid-filter, and Zig.
```bash
nix develop github:sc2in/policypress
# Build the static site
zola build
# Generate PDFs
policypress -c config.toml -o public
# Generate redacted PDFs
policypress -c config.toml -o public/redacted --redact
# Verbose output (shows pandoc args)
policypress -v -c config.toml -o public
# CI-friendly JSON log output
policypress --json -c config.toml -o public
# Preview with live reload
zola serve
```

```bash
git clone https://github.com/sc2in/policypress
cd policypress
nix develop
zig build
zig build test
```

| Dependency | Purpose |
|---|---|
| Zola | Static site generator |
| Pandoc | PDF generation |
| Eisvogel | PDF template |
| zigmark | YAML/TOML frontmatter parsing |
| tomlz | TOML config parsing |
| clap | CLI argument parsing |
| mvzr | Regex for markdown transforms |
| zig-datetime | Date handling |
PolicyPress is developed and maintained by Star City Security Consulting, LLC (SC2).
Primary contributors:
- Ben Craton - architecture, implementation, security design
With assistance from:
- Perplexity.ai - research assistance
- GitHub Copilot - pair programming and code review
- Claude (Anthropic) - pair programming and code review
Built on:
- Zola - static site generator
- Eisvogel - PDF template by Pascal Wagler
- Secure Controls Framework (SCF) - control taxonomy
- AICPA Trust Services Criteria (TSC) - SOC 2 control framework
PolyForm Noncommercial License 1.0.0
Copyright © 2026 Star City Security Consulting, LLC (SC2) - sc2.in
Free for noncommercial use including personal projects, research, education, nonprofits, and government. For commercial licensing, contact sc2.in.