The company was heading for an IPO, which meant the auditors were coming. They wanted evidence that access, permissions, and roles across every system were being reviewed on a regular cadence. I had about a month to make that true, and I was doing it solo.
The naive version of this is a person with a spreadsheet, once a quarter, screenshotting IAM consoles and pasting GitHub team lists into a doc. It technically produces evidence. It also rots the moment it’s done, doesn’t scale, and quietly depends on one human remembering to do it.
So I built Memphis instead: a single Python binary that treats compliance evidence as a data pipeline. It connects to the systems that actually hold the truth (GitHub for org permissions, team memberships, and repo access; Bytebase for database change history; GCP for IAM roles and service-account permissions), pulls the current state, and produces reports organized by period: quarterly, half-yearly, annual. Everything lands in Google Drive, structured by year and quarter, so an auditor can pull any period on demand without asking a human to go fetch it.
A few decisions mattered more than the code:
- No static credentials. Memphis authenticates with API tokens and GCP service accounts, not keys baked into the binary. A compliance tool that itself holds long-lived secrets is its own audit finding.
- Pagination, everywhere. GitHub and Bytebase don’t hand you a large org in one response. Most of the unglamorous work was making sure “all the access” actually meant all of it, not the first page.
- It runs in the cluster, not on my laptop. Deployed as a Kubernetes job, so it’s reproducible and scheduled, not a thing I run when I remember.
But the part I didn’t see coming was the most important. The auditors didn’t only want the reports. They wanted proof the reporting itself had happened: when did Memphis run, what did it fetch, did it actually execute on the cadence we claimed? A report with no provenance is just a document. It could have been written by anyone, at any time.
So Memphis emits structured execution logs, shipped to the same observability stack as everything else: every run, every source it pulled, every timestamp. The evidence isn’t just “here are the permissions.” It’s “here is the machine that checked the permissions, and here is the log proving it checked, on schedule, unattended.”
That reframed how I think about compliance work. The report is the easy half. The hard and more valuable half is proving the process that produced it is real, repeatable, and running without anyone babysitting it. What I took from it was that the auditors weren’t really testing the spreadsheet. They were testing whether the process would keep running after they left.
Memphis shipped in the month it was assigned, and it’s still the thing that runs.