Firewall verdicts, scan results and runtime traces wrapped in DSSE over SLSA-style in-toto Statements, signed with your keypair. A standalone verifier ships with the platform — no vendor portal required.
What it does
DSSE / in-toto
DSSE envelopes over SLSA-style in-toto v1 Statements, signed with the dpndncY keypair (Ed25519 / RS256).
Offline verifier binary
dpndncy-verify — a single static Linux binary, no network calls, exits 0 on success. Auditors and downstream pipelines verify with the public key alone.
SBOM + SARIF bundles
CycloneDX 1.5, SPDX and SARIF 2.1.0 with diff-from-last-known, bundled into signed evidence.
Sigstore keyless (optional)
When an OIDC token is available, an optional Sigstore-keyless mode issues a Fulcio certificate and Rekor log entry.
Four CO-RE eBPF programs hook connect, exec, file-open and DNS on your CI runners, correlate every event to the workflow step that caused it, and — in enforce mode — actively deny non-allowlisted egress.
SCA, SAST, IaC, secrets, containers and runtime findings unified into one prioritised view, with per-scan trend snapshots and portfolio risk over time — no data leaving your instance.
An OCI tarball parser walks every layer, builds a per-layer SBOM and correlates vulnerabilities across nine in-image ecosystems — with base-image upgrade guidance.