Fides (pronounced /fee-dhez/, from Latin: Fidēs) is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in your runtime environment, and the enforcement of privacy regulations in your code.
This repository provides a comprehensive example of a fictional ecommerce site for a CookieHouse, showcasing how Fides can be integrated into CI/CD pipelines to ensure privacy and regulatory compliance. The example consists of a turn-key solution, demonstrating the full process from building a database in CI to performing migrations against it. The CookieHouse example serves as a practical guide to understand how Fides can be applied in real-world scenarios.
The Fides platform is designed to help organizations manage and fulfill Data Mapping, Consent, and Data Privacy Requests while staying compliant with various privacy regulations. By using Fides in your CI/CD pipeline, you can ensure that your company remains compliant, reducing the risk of privacy breaches and potential fines.
.
├── .fides
│ ├── cookiehouse_core.yml
│ ├── fides.toml
│ └── policy.yml
├── .github
│ └── workflows
│ └── fides_ci.yml
├── README.md
├── database
│ └── migrations
│ └── postgres_sample.sql
├── db_migration.py
└── docker-compose.yml
The .fides
directory is generally required for privacy checks within each repo. While another directory may be specific, .fides
is the default expected path for Fides-related resources.
This folder acts as a place where all Fides and repo specific configurations live. This can include:
-
The Database Privacy Declarations known as a Dataset (
cookiehouse_core.yml
). This can be autocompleted using Fides's AI Classification tools or an empty skeleton can be generated using Fides Generate -
The initial Fides configurations (
fides.toml
) -
A codified version of your privacy policy (
policy.yml
)
The privacy declarations and privacy policy use FidesLang Taxonomy, the universal privacy language of the web!
This folder contains the CI job that will perform the sample database migration and perform the privacy checks.
The example CI job performs the following steps:
-
Checkout: Retrieves the source code for the repository using the actions/checkout action.
-
Set up Python: Sets up the Python environment using the actions/setup-python action, specifying Python version 3.10.
-
Install Fides: Installs the
ethyca-fides
library with version 2.20.1 using thepip install
command. -
Run Database Migrations: Executes a Python script (
db_migration.py
) responsible for running database migrations against our fictional database for CookieHouse. -
Scan Database and Validate that all fields are Accounted for: This is the first step to validate that you are in compliance. The
fides --local scan dataset db
command checks to see if any net-new fields were introduced into the database but weren't annotated incookiehouse_core.yml
. This outputs a report that shows what is missing and what your percent privacy coverage is. You can potentially use this for branch protections or keep this as a warning. An example report is below:
Loading resource manifests from: .fides/
Taxonomy successfully created.
Loaded the following dataset manifests:
cookiehouse_core
Successfully scanned the following datasets:
public
The following fields are missing data category annotations:
public.users.name
public.users.phone
public.orders.billingAddress
Annotation coverage: 82%
- Evaluation: Performs a Privacy Policy Evaluation using Fides. This step runs the command
fides --local evaluate
and the evaluation process uses thepolicy.yml
to validate that data annotated incookiehouse_core.yml
are compliant. An Example output with a violation onuser.demographic.date_of_birth
is shown below:
Loaded config from: .fides/fides.toml
Loading resource manifests from: .fides/
Taxonomy successfully created.
----------
Processing organization resource(s)...
WOULD CREATE 0 organization resource(s).
WOULD UPDATE 1 organization resource(s).
----------
Processing system resource(s)...
WOULD CREATE 0 system resource(s).
WOULD UPDATE 4 system resource(s).
----------
Processing policy resource(s)...
WOULD CREATE 0 policy resource(s).
WOULD UPDATE 1 policy resource(s).
----------
Processing dataset resource(s)...
WOULD CREATE 0 dataset resource(s).
WOULD UPDATE 5 dataset resource(s).
----------
Loading resource manifests from: .fides/
Taxonomy successfully created.
Evaluating the following policies:
- webapp_data_policy
----------
Checking for missing resources...
Executing Policy evaluation(s)...
{ 'fides_key': '54bfd260_1665_42aa_97a4_89fd3af395d8',
'message': None,
'status': <StatusEnum.FAIL: 'FAIL'>,
'violations': [ { 'detail': 'Declaration (Storing customer data) of system '
'(CookieHouse_Core) failed rule (Reject '
'Sensitive Data) from policy '
'(webapp_data_policy) for dataset field (DOB). '
'Violated usage of data categories '
'(user.demographic.date_of_birth) with qualifier '
'(aggregated.anonymized.unlinked_pseudonymized.pseudonymized.identified) '
'for data uses (functional) and subjects '
'(customer)',
'violating_attributes': { 'data_categories': [ 'user.demographic.date_of_birth'],
'data_qualifier': 'aggregated.anonymized.unlinked_pseudonymized.pseudonymized.identified',
'data_subjects': ['customer'],
'data_uses': [ 'functional']}}]}
A few things to note:
- You can customize this flow to match your organization's needs.
- Consider using some of these checks as branch protections to prevent PRs from being merged in that are not compliant with your privacy policy(ies).
For more information on getting started with Fides, how to configure and set up Fides, and more about the Fides ecosystem of open source projects:
- Documentation: https://docs.ethyca.com
- Taxonomy: https://ethyca.github.io/fideslang/explorer/
- Website: https://docs.ethyca.com/fides/overview
Join the conversation on:
We welcome and encourage all types of contributions and improvements! Please see our contribution guide to opening issues for bugs, new features, and security or experience enhancements.
Read about the Fides community or dive into the contributor guides for information about contributions, documentation, code style, testing and more. Ethyca is committed to fostering a safe and collaborative environment, such that all interactions are governed by the Fides Code of Conduct.
The Fides ecosystem of tools are licensed under the Apache Software License Version 2.0. Fides tools are built on Fideslang, the Fides language specification, which is licensed under CC by 4.
Fides is created and sponsored by Ethyca: a developer tools company building the trust infrastructure of the internet. If you have questions or need assistance getting started, let us know at fides@ethyca.com!