SLSA Level 3 Attestation Ready

Code Provenance & SBOM

Prove your software supply chain is secure.

Cryptographic attestation for builds, SBOMs, and dependencies — verifiable evidence for supply chain security compliance.

Trusted by security-conscious teams at

DevSecOps Inc, SecureBuild, CloudNative Co, SupplyGuard

The Supply Chain Security Crisis

Software supply chain attacks are exploding — and so are compliance requirements

SolarWinds-Scale Attacks

18,000+ organizations compromised through a single supply chain attack. Build systems are the new attack vector.

742% increase in attacks since 2019

Executive Order 14028

Federal agencies now require SBOM for all software purchases. SLSA attestation becoming mandatory for government contracts.

Affecting $100B+ in contracts

Enterprise Requirements

Fortune 500 companies now require supply chain attestation before deploying third-party software.

78% of enterprises mandate SBOM

Cryptographic Attestation for Every Build

Code Provenance creates an immutable, timestamped record of your software supply chain

1. Attest Your Builds

Record build metadata, artifact hashes, and builder identity. We create SLSA-compliant provenance attestations.

2. Generate SBOM

Automatically generate and certify SBOMs in SPDX or CycloneDX format. Track every dependency in your supply chain.

3. RFC 3161 Timestamp

Receive a legally binding timestamp certificate proving exactly when each build was created and attested.

4. Verify Artifacts

Anyone can verify artifact integrity against your attestations. Public verification with zero trust required.

build_attestation.json
{
  "attestation_id": "att_build_9k3m2x",
  "build": {
    "project": "my-service",
    "version": "2.1.0",
    "artifact_hash": "sha256:7d8a9b2c...",
    "builder": "github-actions",
    "builder_version": "2.0.0",
    "build_type": "container"
  },
  "source": {
    "repo": "github.com/acme/my-service",
    "commit": "abc123def456...",
    "branch": "main"
  },
  "slsa": {
    "level": 3,
    "builder_verified": true,
    "source_verified": true
  },
  "timestamp": {
    "rfc3161": true,
    "tsa": "DigiCert",
    "time": "2024-12-17T10:30:00Z",
    "signature": "MIIEpAIBAAKCAQ..."
  },
  "verification_url": "certnode.io/v/att_9k3m2x"
}
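As an added example (not the vendor's own verification tooling, which the page does not show), here is a consumer-side check of an attestation in the shape shown above: it validates the artifact_hash format, recomputes the artifact digest and compares it in constant time, and enforces a minimum SLSA level. The artifact bytes and the full digest are constructed for the example (the page truncates its hash); RFC 3161 signature and builder-identity verification are out of scope here.

```python
"""Local checks a consumer can run offline against a build attestation.

Added example, not the vendor's tooling. Covers digest format, digest match
and SLSA policy only; it does not validate the RFC 3161 timestamp signature.
"""
import hashlib
import hmac
import re

# Constructed sample artifact; in practice this is the file named in the
# workflow (dist/app.tar.gz). The attestation digest below is derived from it.
SAMPLE_ARTIFACT = b"constructed sample artifact bytes for my-service 2.1.0\n"

# Attestation in the page's shape; artifact_hash is the full (constructed)
# digest of SAMPLE_ARTIFACT, other values copied from the page.
SAMPLE_ATTESTATION = {
    "attestation_id": "att_build_9k3m2x",
    "build": {
        "project": "my-service",
        "version": "2.1.0",
        "artifact_hash": "sha256:" + hashlib.sha256(SAMPLE_ARTIFACT).hexdigest(),
        "builder": "github-actions",
    },
    "slsa": {"level": 3, "builder_verified": True, "source_verified": True},
}

_DIGEST_RE = re.compile(r"^sha256:([0-9a-f]{64})$")


def parse_artifact_hash(value: str) -> bytes:
    """Accept only an exact 'sha256:<64 lowercase hex>' digest; reject truncated ones."""
    m = _DIGEST_RE.match(value)
    if not m:
        raise ValueError(f"malformed artifact_hash: {value!r}")
    return bytes.fromhex(m.group(1))


def verify_artifact(attestation: dict, artifact: bytes, min_slsa_level: int = 3) -> list[str]:
    """Return the list of failed checks; an empty list means the artifact passes."""
    try:
        expected = parse_artifact_hash(attestation["build"]["artifact_hash"])
    except (KeyError, ValueError) as exc:
        return [f"attestation unusable: {exc}"]
    failures = []
    # Constant-time comparison so a hosted verifier leaks nothing via timing.
    if not hmac.compare_digest(expected, hashlib.sha256(artifact).digest()):
        failures.append("artifact digest does not match attestation")
    slsa = attestation.get("slsa", {})
    if slsa.get("level", 0) < min_slsa_level:
        failures.append(f"SLSA level {slsa.get('level')} below required {min_slsa_level}")
    if not (slsa.get("builder_verified") and slsa.get("source_verified")):
        failures.append("builder or source not marked verified")
    return failures
```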

Complete Supply Chain Security Suite

Everything you need to prove your software supply chain integrity

SLSA Attestation

Generate SLSA Level 1-3 attestations for your builds. Prove builder identity, source integrity, and build process security.

SBOM Generation

Auto-generate certified SBOMs in SPDX or CycloneDX format. Track every dependency, license, and version.

Dependency Tracking

Monitor dependency vulnerabilities and license compliance. Get alerts when CVEs affect your supply chain.

RFC 3161 Timestamps

RFC 3161 timestamps from accredited authorities. Verifiable proof of when each build was created.

Artifact Registry

Track artifact hashes across versions. Verify any artifact against its original attestation at any time.

Compliance Reports

One-click export for EO 14028, FedRAMP, and SOC2 audits. Ready for government and enterprise procurement.

CI/CD Native Integration

Integrate attestation directly into your build pipeline. One line to add cryptographic proof to every release.

GitHub Actions, GitLab CI, Jenkins plugins
CLI for any build system
Sigstore/Cosign compatible
OCI registry integration
.github/workflows/build.yml
name: Build & Attest
on: [push]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build
        run: npm run build

      - name: Generate SBOM
        uses: certnode/sbom-action@v1
        with:
          format: spdx

      - name: Attest Build
        uses: certnode/attest-action@v1
        with:
          api_key: ${{ secrets.CERTNODE_KEY }}
          artifact: dist/app.tar.gz
          slsa_level: 3

      # Output: att_build_9k3m2x
      # Verification: certnode.io/v/att_9k3m2x

Built for Security-Conscious Teams

From startups to enterprise, secure your software supply chain

Government Contractors

Meet EO 14028 and FedRAMP requirements. Provide attestation packages for government procurement.

  • SBOM generation for federal requirements
  • SLSA Level 3 attestation
  • Audit-ready documentation

Enterprise Software Vendors

Differentiate with provable supply chain security. Win enterprise deals with attestation-backed trust.

  • Customer-facing verification portal
  • SOC2 evidence packages
  • Sales enablement materials

Open Source Projects

Build trust with enterprise users. Prove releases are built from verified source code.

  • Free tier for open source
  • Sigstore integration
  • Community verification badges

DevSecOps Teams

Automate security compliance in your pipeline. Shift left with attestation-as-code.

  • CI/CD native integration
  • Policy-as-code support
  • Real-time vulnerability alerts

Simple, Transparent Pricing

Pay per attestation. No hidden fees.

Team

For development teams

$299/month
  • 500 build attestations/month
  • SBOM generation
  • RFC 3161 timestamps
  • CI/CD integrations

Business

For scaling organizations

$999/month
  • 5,000 build attestations/month
  • SLSA Level 3 attestation
  • Vulnerability monitoring
  • Priority support

Enterprise

For large-scale deployments

Custom
  • Unlimited attestations
  • On-premise deployment
  • FedRAMP support
  • Dedicated support

Secure Your Supply Chain Today

The next SolarWinds-scale attack is coming. Make sure your builds have cryptographic proof of integrity.