A lightweight policy analysis tool that transforms EPA Federal Register documents into queryable Neo4j knowledge graphs using natural language to Cypher conversion.
Phase 0 — repository bootstrap
This repository targets EPA items from the Federal Register, implementing natural language to Cypher conversion over a small Neo4j graph. No vector database is included in the MVP scope.
- README.md
- LICENSE
- NOTICE
- .gitignore
- CODEOWNERS
- CONTRIBUTING.md
- .editorconfig
PolicyGraph runs automated security scanning and tracks known vulnerabilities through a managed waiver process, so security and compliance requirements are enforced by the pipeline rather than checked by hand.
The project uses a multi-layered security approach with automated scanning on every commit, pull request, and weekly scheduled scans:
- Trivy Image Scanning: Container image vulnerability scanning with CVE database integration
- Trivy Filesystem Scanning: Codebase security analysis for configuration and secret detection
- pip-audit: Python dependency vulnerability scanning with Poetry integration
- Security Waiver System: Managed vulnerability acceptance with approval workflows
- Comprehensive Reporting: SARIF, JSON, and Markdown reports for GitHub Security tab integration
- Trivy: Container and filesystem security scanner
- pip-audit: Python dependency vulnerability scanner
- Bandit: Python security linter
- Safety: Python dependency security checker
- GitHub Security: Integrated vulnerability management
- .trivy.yaml: Trivy scanner configuration with custom policies
- .trivyignore: Exclude patterns for false positives
- infra/security/waivers.yml: Security vulnerability waivers
- infra/security/security-config.yml: Security policies and thresholds
```bash
# Run comprehensive security scan (requires sec/trivy-pip-audit branch)
# This will be triggered automatically on the security branch

# Run specific scan types via GitHub Actions
# Navigate to Actions > Security Scan > Run workflow
# Select scan type: all, trivy-image, trivy-fs, pip-audit, or waiver-check

# View security reports
# Check the Actions tab for scan results and artifacts
# Review GitHub Security tab for vulnerability details
```

Security waivers allow controlled acceptance of known vulnerabilities with proper documentation and approval:
- Waiver Request: Document vulnerability details and business justification
- Approval Process: Follow approval workflow based on severity level
- Documentation: Include remediation plan and expiration date
- Regular Review: Monthly review of active waivers
- Expiration: Automatic expiration with renewal process
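The waiver rules above (justification, remediation plan, expiration date, approval, zero-tolerance for critical and high severity) can be checked mechanically before a scan run honours a waiver. The following is an added example, not PolicyGraph's own code: the field names, the 90-day maximum and the reading of zero-tolerance as "critical and high cannot be waived" are assumptions, and the sample entries are constructed stand-ins for infra/security/waivers.yml.

```python
from datetime import date, timedelta

# Fields every entry must carry (assumed layout of infra/security/waivers.yml).
REQUIRED = ("id", "package", "severity", "justification",
            "remediation_plan", "expires", "approved_by")
# Severities that cannot be waived, following the README's zero-tolerance line.
ZERO_TOLERANCE = {"critical", "high"}
# Assumed maximum waiver length: every waiver meets a monthly review before lapsing.
MAX_WAIVER_DAYS = 90


def check_waiver(waiver, today):
    """Return the list of policy problems for one entry; empty means active."""
    problems = [f"missing field: {f}" for f in REQUIRED if not waiver.get(f)]
    if problems:
        return problems
    severity = waiver["severity"].lower()
    if severity in ZERO_TOLERANCE:
        problems.append(f"{severity} severity cannot be waived (zero-tolerance)")
    try:
        expires = date.fromisoformat(waiver["expires"])
    except ValueError:
        return problems + ["expires is not an ISO date (YYYY-MM-DD)"]
    if expires <= today:
        problems.append("waiver expired; renew it or remediate")
    elif expires - today > timedelta(days=MAX_WAIVER_DAYS):
        problems.append(f"expiry more than {MAX_WAIVER_DAYS} days out")
    return problems


def check_waivers(waivers, today):
    """Map each waiver id to its problems, so CI can fail on any non-empty list."""
    return {w.get("id", "<no id>"): check_waiver(w, today) for w in waivers}


# Constructed sample entries, standing in for waivers.yml loaded with PyYAML.
SAMPLE_WAIVERS = [
    {"id": "W-1", "package": "requests", "severity": "medium",
     "justification": "vulnerable code path not reachable from the CLI",
     "remediation_plan": "upgrade next sprint", "expires": "2025-03-01",
     "approved_by": "secops-lead"},
    {"id": "W-2", "package": "pyyaml", "severity": "critical", "approved_by": "secops-lead",
     "justification": "parser only sees trusted files", "remediation_plan": "upgrade",
     "expires": "2025-02-01"},
    {"id": "W-3", "package": "urllib3", "severity": "low", "approved_by": "secops-lead",
     "justification": "no TLS use", "remediation_plan": "upgrade", "expires": "2024-12-31"},
    {"id": "W-4", "package": "jinja2", "severity": "low", "approved_by": "secops-lead",
     "justification": "templates are static", "expires": "2025-02-15"},
]
TODAY = date(2025, 1, 15)  # constructed scan date for the sample above
```

Running `check_waivers(SAMPLE_WAIVERS, TODAY)` leaves W-1 active and reports the other three, which is the point at which the waiver-check scan type would fail the build.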
- OWASP Top 10: Web application security standards
- NIST Cybersecurity Framework: Risk management framework
- ISO 27001: Information security management
- Zero-tolerance: Critical and high severity vulnerabilities
For detailed security information, see Security Documentation.
- Python 3.9 or higher
- Poetry (Python dependency manager)
- Docker and Docker Compose (for Neo4j and services)
- Install Poetry (if not already installed):
  ```bash
  curl -sSL https://install.python-poetry.org | python3 -
  ```
- Clone the repository:
  ```bash
  git clone https://github.com/policygraph/policygraph.git
  cd policygraph
  ```
- Set up Poetry and install dependencies:
  ```bash
  # Run the setup script (recommended)
  ./scripts/setup-poetry.sh
  # Or manually:
  poetry install --with dev
  cd docs && poetry install && cd ..
  ```
- Start the development environment:
  ```bash
  make docker-up
  make quickstart
  ```
- make install - Install Python dependencies
- make install-dev - Install dependencies including development tools
- make test - Run tests
- make lint - Run linting checks
- make format - Format code
- make help - Show all available commands
The project uses three types of environment files to manage configuration and secrets securely:
- .env.example - Template file with all configuration options and example values
  - Status: Committed to version control
  - Purpose: Reference template for all environments
  - Content: All possible configuration keys with example/placeholder values
- .env.local - Local development environment file
  - Status: Git-ignored (never committed)
  - Purpose: Developer's local environment configuration
  - Content: Actual values for local development
- .env.production - Production environment template
  - Status: Committed to version control with commented keys only
  - Purpose: Production deployment reference template
  - Content: All keys commented out, no actual values
- Clone the repository (if not already done):
  ```bash
  git clone https://github.com/policygraph/policygraph.git
  cd policygraph
  ```
- Create your local environment file:
  ```bash
  cp .env.example .env.local
  ```
- Edit .env.local with your actual values:
  ```bash
  # Edit the file and replace placeholder values
  nano .env.local  # or code .env.local
  ```
- Verify .env.local is git-ignored:
  ```bash
  git status  # .env.local should not appear in tracked files
  ```
- NEO4J_URI - Your local Neo4j instance
- NEO4J_USER - Neo4j username
- NEO4J_PASSWORD - Your Neo4j password
- DEBUG - Set to true for development
- LOG_LEVEL - Set to INFO or DEBUG

- OPENAI_API_KEY - If using OpenAI services
- EPA_API_KEY - If testing EPA API integration
- SENTRY_DSN - If using Sentry for error tracking
- Never commit .env.local - It's automatically git-ignored
- Use strong, unique passwords - Don't reuse passwords from other projects
- Keep local secrets secure - Don't share your .env.local file
- For detailed guidance - See the Secrets Management Runbook
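The three-file convention above (every key in .env.example, real values only in .env.local, commented keys only in .env.production) is easy to drift from; a small check catches a placeholder left in .env.local or a live value that slipped into .env.production before it is committed. This is an added example, not a script from the project: the KEY=VALUE parsing and the placeholder patterns (changeme, your-..., <...>, empty) are assumptions, and the three sample files are constructed.

```python
import re

# One KEY=VALUE line, optionally commented out (as in .env.production).
ENV_LINE = re.compile(r"^\s*(?P<comment>#\s*)?(?P<key>[A-Z][A-Z0-9_]*)\s*=\s*(?P<value>.*?)\s*$")
# Assumed placeholder convention for .env.example values; not the project's own rule.
PLACEHOLDER = re.compile(r"changeme|your[-_]|<[^>]+>|^$", re.I)


def parse_env(text):
    """Return {KEY: (value, commented_out)} for every KEY=VALUE line in a .env file."""
    entries = {}
    for line in text.splitlines():
        m = ENV_LINE.match(line)
        if m:
            entries[m["key"]] = (m["value"].strip("\"'"), bool(m["comment"]))
    return entries


def check_local(example_text, local_text):
    """Compare .env.local with .env.example: keys not set, and example placeholders left in."""
    example, local = parse_env(example_text), parse_env(local_text)
    missing = sorted(k for k in example if k not in local or local[k][1])
    placeholders = sorted(k for k, (v, commented) in local.items()
                          if not commented and PLACEHOLDER.search(v))
    return {"missing": missing, "placeholders": placeholders}


def check_production(prod_text):
    """Return keys in .env.production that carry a live value (the file must hold none)."""
    return sorted(k for k, (v, commented) in parse_env(prod_text).items()
                  if not commented and v)


# Constructed sample files; the real ones live at the repository root.
EXAMPLE_ENV = """# Neo4j
NEO4J_URI=bolt://localhost:7687
NEO4J_USER=neo4j
NEO4J_PASSWORD=changeme
DEBUG=true
LOG_LEVEL=INFO
OPENAI_API_KEY=<your-openai-key>
"""
LOCAL_ENV = """NEO4J_URI=bolt://localhost:7687
NEO4J_USER=neo4j
NEO4J_PASSWORD=changeme
DEBUG=true
# LOG_LEVEL=DEBUG
"""
PRODUCTION_ENV = """# NEO4J_URI=
# NEO4J_PASSWORD=
SENTRY_DSN="https://example.invalid/1"
"""
```

On the samples, `check_local` reports LOG_LEVEL (commented out) and OPENAI_API_KEY as unset and NEO4J_PASSWORD as still the example placeholder, and `check_production` flags SENTRY_DSN as a live value that should not be committed.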
FastAPI backend with Neo4j integration and minimal React UI. Specific implementation details marked as TODO.
See CONTRIBUTING.md for contribution guidelines.
See LICENSE and NOTICE files for licensing and attribution information.
Not legal advice; verify against the Federal Register.
For security vulnerabilities, please open a private channel or contact via email (placeholder).
- Federal Register API
- Regulations.gov API
- Neo4j documentation
- AutoGen documentation