dpndncY
Signed Attestations
Every decision is a file
you can verify offline.

Firewall verdicts, scan results and runtime traces wrapped in DSSE over SLSA-style in-toto Statements, signed with your keypair. A standalone verifier ships with the platform — no vendor portal required.

Pillar · Sign

What it does

DSSE / in-toto

DSSE envelopes over SLSA-style in-toto v1 Statements, signed with the dpndncY keypair (Ed25519 / RS256).

DSSEin-toto v1

Offline verifier binary

dpndncy-verify — a single static Linux binary, no network calls, exits 0 on success. Auditors and downstream pipelines verify with the public key alone.

Static binaryNo network

SBOM + SARIF bundles

CycloneDX 1.5, SPDX and SARIF 2.1.0 with diff-from-last-known, bundled into signed evidence.

CycloneDX · SPDXSARIF

Sigstore keyless (optional)

When an OIDC token is available, an optional Sigstore-keyless mode issues a Fulcio certificate and Rekor log entry.

Sigstore optional
100%
offline-verifiable
0
vendor callbacks

One platform. On your infrastructure.
Every decision signed and verifiable.