Security Stack Logo
JUDGE logo

Supply Chain SecurityGovernance, Risk & Compliance

JUDGE

Turns CI/CD activity into signed, audit-ready evidence mapped to NIST, SOC 2, and FedRAMP.

Software Supply Chain Attestation

JUDGE Overview

What it does

JUDGE is TestifySec commercial software supply chain attestation and compliance platform built on two open-source CNCF in-toto projects: Witness (CLI pipeline observer) and Archivista (attestation storage manager). JUDGE automates collection, distribution, trust verification, and policy evaluation of artifact evidence throughout the SDLC, creating cryptographically signed evidence trails capturing secure hashes of materials, artifacts, and events during CI/CD processes. The platform includes an OPA Rego-based policy engine with pre-built rule templates covering most compliance controls, real-time risk assessment combining external threat intelligence with internal process data, and automated threat mitigation detecting tampering and process manipulation to prevent supply chain attacks like SolarWinds.

How it works

JUDGE enables compliance with SLSA Supply Chain Levels for Software Artifacts, NIST SP 800-218 Secure Software Development Framework attestation requirements, and Executive Order 14028 federal procurement standards through automated metadata collection, keyless signing with Sigstore and SPIFFE/SPIRE integration, RFC3161 timestamp authority support, and air-gap distribution capabilities for network-restricted environments. The platform integrates with major CI/CD tools including GitLab, GitHub Actions, Jenkins, and cloud platforms AWS, GCP, and Azure, while supporting SBOM generation and Protobom translation enabling format-neutral data exchange between SPDX and CycloneDX formats.

Credentials and traction

TestifySec was one of seven startups selected for the U.S. Department of Homeland Security Science and Technology Directorate's 2023 Silicon Valley Innovation Program cohort, co-developing Protobom, which CISA, DHS S&T, and the OpenSSF launched as an open-source project in April 2024. The company also secured a 2024 U.S. Air Force SBIR Phase I award. TestifySec lists Datadog, Best Buy, Autodesk, Adobe, GitLab, Lockheed Martin, GDIT, and Carahsoft among the organizations using its platform. It targets regulated and federal software producers.

Key Capabilities

mapped to solution categories
Software Supply Chain Attestation

Assembles signed pipeline evidence artifacts into auditor-ready compliance reports on demand, eliminating manual evidence gathering and reducing audit preparation time from weeks to minutes.

Automatically collects verifiable evidence from CI/CD pipeline steps (build logs, test results, scan outputs, code review approvals), without developer intervention, keeping the evidence trail current with every commit.

Signs pipeline step outputs (commits, builds, test runs, deployments) using the in-toto attestation specification, creating tamper-evident records of what produced each artifact, from what source, and under what conditions.

Maps cryptographic pipeline evidence to specific controls across SOC 2, NIST SSDF, FedRAMP, ISO 27001, and EO 14028, identifying which controls are satisfied by existing attestations and which have gaps requiring remediation.

Defines supply chain security requirements as versioned policy rules that are automatically evaluated against attestations at each pipeline stage; artifacts that fail policy checks are blocked before reaching production.

Evaluates CI/CD pipeline build processes against SLSA (Supply-chain Levels for Software Artifacts) level requirements, identifying gaps between current posture and the target level and reporting the achieved level per artifact.

Detects anomalies in pipeline attestation patterns (missing attestations, unexpected signing keys, modified source references, or broken provenance chains) that indicate potential supply chain compromise or build tampering.

Integrations

compatible tools
ArchivistaBuildkiteDrataGitHub ActionsGitLab CIJenkinsProtobomSecureframeSemgrepSnykTrivyVantaWitness CLI

Implementation & support

Deployment model
Air-GappedOn-PremisesSaaS
Pricing structure
Community EditionCustom / EnterpriseFree TrialPer SeatUsage-based
Support channels
Business Hours SupportCommunity ForumDocumentationEmail SupportTicketing Portal

Info last updated on May 28, 2026

Vendors

Is this your product?

Claim your profile to connect with the teams looking for your solutions.

Security Stack Logo

The curated research platform for enterprise cybersecurity solutions.

All product and company names, logos, and brands are property of their respective owners and are used on this website for identification purposes only. Security Stack does not endorse any vendor, product, or service listed, and makes no warranties, express or implied, as to the accuracy or completeness of this content, including any warranties of merchantability or fitness for a particular purpose.

© 2026 Security Stack. All rights reserved.