Start where you work.
Your security process is already producing the answers. CI/lock signs it into evidence wherever it happens — production or pipeline.
Stop chasing engineers for answers. Point CI/lock at production — CSPM, STIG, FIPS scans — and get signed evidence about what is, not what a spreadsheet says it should be.
# Wrap a production-side scan — signed evidence of what IS
cilock run --step cspm -- prowler awsYour pipeline instrumentation is the audit trail. Wrap builds with cilock or cilock-action and every run emits signed provenance about how it's built.
# One step in your workflow — signed provenance per run
- uses: aflock-ai/cilock-action@v1
with:
command: go build ./...Both lanes land in the same place: the platform brings your evidence together — storage, verification, and Security Essentials scans.
Prefer to start in the browser? Start for free → sign up, scan your code and docs from the platform, and bring CI/lock in when you're ready.
What you get, free.
The free tier is the real product, not a crippled trial. It is the same signing, storage, and verification the paid platform runs — scoped to 7-day retention and single-pass scans on the open-source 120B model.
Short-lived identity certificates minted from your OIDC login. No signing keys to generate, store, rotate, or leak — the platform runs the Fulcio CA and an RFC 3161 timestamp authority for you.
Every DSSE + in-toto envelope you produce is stored, indexed, and queryable in hosted Archivista, retained for 7 days on the free tier. You do not run the store, the database, or the blob backend.
Verify any artifact against a signed policy. The platform holds the Fulcio and TSA trust roots, so `cilock verify` works without you distributing roots or pinning keys by hand.
Single-pass Security Essentials scans over your evidence, run on the open-source 120B model — the same scan the paid tiers run with multiple passes and larger model classes.
Already using the OSS?
CI/lock and Witness produce the same DSSE + in-toto envelopes, and Archivista is the same evidence store the platform hosts. If you already sign with Witness or self-host Archivista, the free tier is what you get when you stop operating the trust infrastructure yourself — point the tool at the platform and sign in.
- Witness users — point Witness's Archivista URL at the hosted platform and sign in; your envelopes verify unchanged.
- Self-hosting Archivista — keep your own store, or push new evidence to the hosted one and drop the ops burden.
- Air-gapped / your own keys — offline signing stays free forever; the platform never becomes a dependency.
Free floor, paid ceiling.
Signing, storage, and verification are free with an account. The paid TestifySec Platform adds longer retention, multi-pass scanning, the frontier and balanced model classes, the compliance frameworks, and multi-team operation.
- Keyless Fulcio signing + RFC 3161 timestamps
- Hosted attestation storage — 7-day retention
- Attestation + signed-policy verification
- Security Essentials scans — single-pass, on the open-source 120B model
- Longer / unlimited retention — your evidence history, kept
- Multi-pass Union-of-3 scanning — three independent passes, unioned
- Frontier + balanced model classes for higher-fidelity analysis
- Full compliance frameworks — SSP generation and FedRAMP control mapping
- Multi-tenant organizations — multiple teams, shared policy, and role-based access
Your next build can answer for itself.
Download CI/lock, sign in, and your next build is signed, stored, and verifiable — no keys, no infrastructure, no card.