Skip to main content
Free with a TestifySec account

Turn your security process into compliance evidence.

Stop fielding questions from GRC teams — our AI agent uses your code and your testing as the answer key. Download CI/lock, connect your repos and pipelines, and sign in once from the CLI (the approve page creates your workspace if you don't have one). The platform is where it comes together: keyless Fulcio signing, hosted attestation storage with 7-day retention, and full attestation and policy verification, at no cost.

Signing in is the consent and the identity — there is no anonymous telemetry. Offline signing with your own keys stays free forever; the platform is optional, never required.

# 1. Download CI/lock
curl -fsSL https://cilock.dev/install.sh | bash

# 2. Sign in — defaults to https://platform.testifysec.com;
#    the approve page creates your workspace if you have none
cilock login

# 3. Your next build: signed with a keyless Fulcio cert +
#    RFC 3161 timestamp, stored in the hosted platform
cilock run --step build -- go build -o ./my-service .

# 4. Verify anywhere — point at the artifact; its sha256 subject
#    is computed for you, trust comes from the platform
cilock verify ./my-service

Start where you work.

Your security process is already producing the answers. CI/lock signs it into evidence wherever it happens — production or pipeline.

GRC engineer
Scan what's running

Stop chasing engineers for answers. Point CI/lock at production — CSPM, STIG, FIPS scans — and get signed evidence about what is, not what a spreadsheet says it should be.

# Wrap a production-side scan — signed evidence of what IS
cilock run --step cspm -- prowler aws
CI/CD developer
Instrument your pipelines

Your pipeline instrumentation is the audit trail. Wrap builds with cilock or cilock-action and every run emits signed provenance about how it's built.

# One step in your workflow — signed provenance per run
- uses: aflock-ai/cilock-action@v1
  with:
    command: go build ./...

Both lanes land in the same place: the platform brings your evidence together — storage, verification, and Security Essentials scans.

Prefer to start in the browser? Start for free → sign up, scan your code and docs from the platform, and bring CI/lock in when you're ready.

What you get, free.

The free tier is the real product, not a crippled trial. It is the same signing, storage, and verification the paid platform runs — scoped to 7-day retention and single-pass scans on the open-source 120B model.

Keyless signing (Fulcio)

Short-lived identity certificates minted from your OIDC login. No signing keys to generate, store, rotate, or leak — the platform runs the Fulcio CA and an RFC 3161 timestamp authority for you.

Hosted attestation storage — 7-day retention

Every DSSE + in-toto envelope you produce is stored, indexed, and queryable in hosted Archivista, retained for 7 days on the free tier. You do not run the store, the database, or the blob backend.

Attestation + policy verification

Verify any artifact against a signed policy. The platform holds the Fulcio and TSA trust roots, so `cilock verify` works without you distributing roots or pinning keys by hand.

Security Essentials scans

Single-pass Security Essentials scans over your evidence, run on the open-source 120B model — the same scan the paid tiers run with multiple passes and larger model classes.

Already using the OSS?

CI/lock and Witness produce the same DSSE + in-toto envelopes, and Archivista is the same evidence store the platform hosts. If you already sign with Witness or self-host Archivista, the free tier is what you get when you stop operating the trust infrastructure yourself — point the tool at the platform and sign in.

  • Witness users — point Witness's Archivista URL at the hosted platform and sign in; your envelopes verify unchanged.
  • Self-hosting Archivista — keep your own store, or push new evidence to the hosted one and drop the ops burden.
  • Air-gapped / your own keys — offline signing stays free forever; the platform never becomes a dependency.
Honest about the wall

Free floor, paid ceiling.

Signing, storage, and verification are free with an account. The paid TestifySec Platform adds longer retention, multi-pass scanning, the frontier and balanced model classes, the compliance frameworks, and multi-team operation.

Free with an account
  • Keyless Fulcio signing + RFC 3161 timestamps
  • Hosted attestation storage — 7-day retention
  • Attestation + signed-policy verification
  • Security Essentials scans — single-pass, on the open-source 120B model
Paid — TestifySec Platform
  • Longer / unlimited retention — your evidence history, kept
  • Multi-pass Union-of-3 scanning — three independent passes, unioned
  • Frontier + balanced model classes for higher-fidelity analysis
  • Full compliance frameworks — SSP generation and FedRAMP control mapping
  • Multi-tenant organizations — multiple teams, shared policy, and role-based access

Your next build can answer for itself.

Download CI/lock, sign in, and your next build is signed, stored, and verifiable — no keys, no infrastructure, no card.