dpndncY
Engine demo · interactive
Watch the engine make a decision and sign it.

Pick a scenario. Watch the pipeline fire: scan → fusion → decision → enforcement → DSSE signature. Every node shows the actual signals that flowed through, the verdict, and the bytes of the signed evidence emitted at the end. Drag nodes, scroll the canvas, replay.

Advisory dropped at 03:00 UTC. The firewall starts rejecting installs immediately.

What you’re seeing

The same six stages run for every input — package, finding, runtime event.

Input. An install request, a SAST trace, a kernel event from the eBPF agent — all flow through the same downstream pipeline.

Scan engine. SCA, SAST, IaC, secrets, container, attack-path, AI-risk. Whichever engine produced the signal becomes the entry point.

Signal fusion. CISA KEV status, EPSS probability, ExploitDB presence, forecasted exploit window, reachability proof, attack-path score, license obligations. Multi-signal — never raw CVE count.

Decision. Policy engine outputs Patch Now (48h), Patch This Sprint (336h), Monitor (720h), or Accept Risk — with rationale per signal. Verdict colour tells you which path the edge takes next.

Enforcement. For an install request: Dependency Firewall denies the package. For a runtime event: cgroup-BPF blocks the egress. For a scan finding: auto-fix PR opens with breaking-change analysis.

DSSE sign. Runtime traces are wrapped in a DSSE envelope over a SLSA in-toto Statement and signed with your keypair today. DSSE-signed firewall and scan attestations are on the roadmap. The bytes shown at the end are the actual size of the signed evidence file.

Run the real engine on your infrastructure.

What you just watched is the actual pipeline. Same stages, same signals, same DSSE format. Hand the signed evidence to anyone — they verify with one binary and your public key.
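What checking a DSSE envelope over an in-toto Statement involves, as an added example that follows the public DSSE v1 and in-toto Statement v1 specifications (it is not dpndncY's verifier or code from this page). Assumptions: HMAC-SHA256 stands in for the public-key signature so the block runs on the standard library alone, and the key, key id, subject, `predicateType` and predicate are constructed placeholders.

```python
import base64, hashlib, hmac, json

PAYLOAD_TYPE = "application/vnd.in-toto+json"      # DSSE payloadType for in-toto
STATEMENT_TYPE = "https://in-toto.io/Statement/v1"

def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE v1 pre-authentication encoding: the exact bytes that get signed."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)

# Stand-in signer/verifier (assumption): HMAC-SHA256 instead of a real keypair.
def hmac_sign(key, msg): return hmac.new(key, msg, hashlib.sha256).digest()
def hmac_verify(key, msg, sig): return hmac.compare_digest(hmac_sign(key, msg), sig)

def make_envelope(statement: dict, key: bytes, keyid: str) -> dict:
    payload = json.dumps(statement, sort_keys=True).encode()
    sig = hmac_sign(key, pae(PAYLOAD_TYPE, payload))
    return {"payloadType": PAYLOAD_TYPE,
            "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}]}

def verify_envelope(env: dict, key: bytes, verify=hmac_verify) -> dict:
    """Return the Statement only if a signature verifies; raise ValueError otherwise."""
    if env.get("payloadType") != PAYLOAD_TYPE:
        raise ValueError("unexpected payloadType")
    try:
        payload = base64.b64decode(env["payload"], validate=True)
        sigs = [base64.b64decode(s["sig"], validate=True) for s in env["signatures"]]
    except (KeyError, TypeError, ValueError) as exc:
        raise ValueError("malformed envelope") from exc
    # The signature covers PAE(type, payload), so the type cannot be swapped.
    signed = pae(env["payloadType"], payload)
    if not any(verify(key, signed, s) for s in sigs):
        raise ValueError("no valid signature")
    statement = json.loads(payload)          # parse only after verification
    if statement.get("_type") != STATEMENT_TYPE:
        raise ValueError("not an in-toto Statement")
    return statement

# Constructed sample Statement; every value below is a placeholder.
SAMPLE_STATEMENT = {
    "_type": STATEMENT_TYPE,
    "subject": [{"name": "runtime-trace.json",
                 "digest": {"sha256": hashlib.sha256(b"constructed trace").hexdigest()}}],
    "predicateType": "https://example.com/runtime-trace/v1",
    "predicate": {"verdict": "Patch Now"},
}
```

With a real keypair, pass a `verify` callable that checks the signature against the public key; the PAE bytes and the order of checks stay the same.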