
CLI for Fides

Project description

Meet Fidesctl: Privacy Policies as Code


Join the waitlist to get started with our free, hosted version!

:zap: Overview

Fides (fee-dhez, Latin: Fidēs) is an open-source tool that allows you to easily declare your systems' privacy characteristics, track privacy-related changes to systems and data in version control, and enforce policies in both your source code and your runtime infrastructure.

:rocket: Quick Start

  1. Get running with Docker: First, ensure that you have make and docker installed locally, and clone the Fides repo. Then, from the fides directory, run make cli.

    This will spin up the entire project and open a shell within the fidesctl container. Once you see the fidesctl# prompt (takes ~3 minutes the first time), you know you're ready to go:

    ~/git/fides% make cli
    Build the images required in the docker-compose file...
    ...
    Building fidesapi
    ...
    Building fidesctl
    ...
    Building docs
    ...
    root@1a742083cedf:/fides/fidesctl#
    
    This builds the required images, spins up the database, and runs the initialization scripts.

    Run fidesctl init
    Initializing Fidesctl...
    ----------
    Created a './.fides' directory.
    ----------
    Created a fidesctl config file: ./.fides/fidesctl.toml
    To learn more about configuring fidesctl, see:
      https://ethyca.github.io/fides/installation/configuration/
    ----------
    For example policies and help getting started, see:
      https://ethyca.github.io/fides/guides/policies/
    ----------
    Fidesctl initialization complete.
    
  2. Use the evaluate command to see if this project's demo analytics and demo marketing systems are compliant with your privacy policy as code:

    Run fidesctl evaluate demo_resources/
    root@fa175a43c077:/fides/fidesctl# fidesctl evaluate demo_resources
    Loading resource manifests from: demo_resources
    Taxonomy successfully created.
    ----------
    Processing registry resources...
    CREATED 1 registry resources.
    UPDATED 0 registry resources.
    SKIPPED 0 registry resources.
    ----------
    Processing dataset resources...
    CREATED 1 dataset resources.
    UPDATED 0 dataset resources.
    SKIPPED 0 dataset resources.
    ----------
    Processing policy resources...
    CREATED 1 policy resources.
    UPDATED 0 policy resources.
    SKIPPED 0 policy resources.
    ----------
    Processing system resources...
    CREATED 2 system resources.
    UPDATED 0 system resources.
    SKIPPED 0 system resources.
    ----------
    Loading resource manifests from: demo_resources
    Taxonomy successfully created.
    Evaluating the following policies:
    demo_privacy_policy
    ----------
    Checking for missing resources...
    Executing evaluations...
    Sending the evaluation results to the server...
    Evaluation passed!
    

    Congratulations, you've successfully run your first fidesctl evaluate command!

  3. Now, take a closer look at demo_resources/demo_policy.yml which describes an organization's privacy policy as code. This policy just includes one rule: fail if any system uses contact information for marketing purposes.

    Run cat demo_resources/demo_policy.yml
    policy:
      - fides_key: demo_privacy_policy
        name: Demo Privacy Policy
        description: The main privacy policy for the organization.
        rules:
          - fides_key: reject_direct_marketing
            name: Reject Direct Marketing
            description: Disallow collecting any user contact info to use for marketing.
            data_categories:
              matches: ANY
              values:
                - user.provided.identifiable.contact
            data_uses:
              matches: ANY
              values:
                - advertising
            data_subjects:
              matches: ANY
              values:
                - customer
            data_qualifier: aggregated.anonymized.unlinked_pseudonymized.pseudonymized.identified
    
  4. Lastly, we're going to modify our annotations in a way that would fail the policy we just looked at:

    Edit demo_resources/demo_system.yml and uncomment the line that adds user.provided.identifiable.contact to the list of data_categories for the demo_marketing_system.

    Add User-provided contact info to the demo_marketing_system
         privacy_declarations:
           - name: Collect data for marketing
             data_categories:
    -          #- user.provided.identifiable.contact # uncomment to add this category to the system
    +          - user.provided.identifiable.contact # uncomment to add this category to the system
               - user.derived.identifiable.device.cookie_id
             data_uses: marketing_advertising_or_promotion
             data_subjects:
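
    Review bot: the context line data_uses: marketing_advertising_or_promotion does not use the value the reject_direct_marketing rule lists under data_uses (advertising), so confirm that both name the same data use in the taxonomy before relying on this declaration to trigger the rule. The added line also keeps the trailing comment "# uncomment to add this category to the system", which is stale once the entry is active; drop it or reword it.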
    
    Run fidesctl evaluate demo_resources/

    Running fidesctl evaluate demo_resources now causes an evaluation failure. The privacy policy's "Reject Direct Marketing" rule disallows collecting contact information for marketing purposes, so the evaluation flags the violating privacy_declaration.

    root@fa175a43c077:/fides/fidesctl# fidesctl evaluate demo_resources
    ...
    Executing evaluations...
    {
      "status": "FAIL",
      "details": [
        "Declaration (Collect data for marketing) of System (demo_marketing_system) failed Rule (Reject Direct Marketing) from Policy (demo_privacy_policy)"
      ],
      "message": null
    }
    

At this point, you've seen some of the core concepts in place: declaring systems, evaluating policies, and re-evaluating policies on every code change. But there's a lot more to discover, so we'd recommend following the tutorial to keep learning.
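
Because the evaluation is meant to be re-run on every code change, a pipeline step usually needs the result in structured form. The following is an added example, not part of fidesctl or the original README: it parses captured evaluate output like that shown above and fails closed on anything other than an explicit pass. The function names, the sample strings and the "PASS" status label are assumptions.

```python
import json
import re

# One "details" entry, in the shape printed by the failing run in the Quick Start.
DETAIL_RE = re.compile(
    r"Declaration \((?P<declaration>.+?)\) of System \((?P<system>.+?)\) "
    r"failed Rule \((?P<rule>.+?)\) from Policy \((?P<policy>.+?)\)$"
)

# Constructed samples modelled on the two runs shown in the Quick Start.
FAIL_OUTPUT = """Executing evaluations...
{
  "status": "FAIL",
  "details": [
    "Declaration (Collect data for marketing) of System (demo_marketing_system) failed Rule (Reject Direct Marketing) from Policy (demo_privacy_policy)"
  ],
  "message": null
}
"""
PASS_OUTPUT = "Executing evaluations...\nSending the evaluation results to the server...\nEvaluation passed!\n"

def parse_evaluation(output: str) -> dict:
    """Return status, structured violations and unrecognised detail lines."""
    start = output.find("{")
    if start == -1:
        # No JSON object: the passing run ends with a plain-text line instead.
        passed = "Evaluation passed!" in output
        return {"status": "PASS" if passed else "UNKNOWN", "violations": [], "unparsed": []}
    result, _ = json.JSONDecoder().raw_decode(output[start:])
    violations, unparsed = [], []
    for detail in result.get("details") or []:
        match = DETAIL_RE.match(detail)
        if match:
            violations.append(match.groupdict())
        else:
            unparsed.append(detail)  # keep it visible rather than dropping it
    return {"status": result.get("status", "UNKNOWN"), "violations": violations, "unparsed": unparsed}

def gate(output: str) -> int:
    """Exit code for a CI step: 0 only for a pass with no findings at all."""
    report = parse_evaluation(output)
    # "PASS" as the passing status label is an assumption; anything else fails.
    ok = report["status"] == "PASS" and not report["violations"] and not report["unparsed"]
    return 0 if ok else 1

if __name__ == "__main__":
    print(parse_evaluation(FAIL_OUTPUT)["violations"], gate(FAIL_OUTPUT), gate(PASS_OUTPUT))
```
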

:book: Learn More

The Fides core team is committed to providing a variety of documentation to help get you started using Fidesctl. As such, all interactions are governed by the Fides Code of Conduct.

Documentation

For more information on getting started with Fides, how to configure and set up Fides, and more about the Fides ecosystem of open source projects:

Support

Join the conversation on:

Contributing

We welcome and encourage all types of contributions and improvements! Please see our contribution guide to opening issues for bugs, new features, and security or experience enhancements.

Read about the Fides community or dive into the development guides for information about contributions, documentation, code style, testing and more. Ethyca is committed to fostering a safe and collaborative environment, such that all interactions are governed by the Fides Code of Conduct.

:balance_scale: License

The Fides ecosystem of tools (Fidesops and Fidesctl) are licensed under the Apache Software License Version 2.0. Fides tools are built on Fideslang, the Fides language specification, which is licensed under CC by 4.

Fides is created and sponsored by Ethyca: a developer tools company building the trust infrastructure of the internet. If you have questions or need assistance getting started, let us know at fides@ethyca.com!


Source distribution: fidesctl-1.6.0.tar.gz (107.2 kB)
