Rating
0.0 / 5.0
Pricing
Contact vendor
Deployment
SaaS / Cloud
Category
GRC
Product description
JUDGE is TestifySec's commercial software supply chain attestation and compliance platform, built on two open-source CNCF in-toto projects: Witness (CLI pipeline observer) and Archivista (attestation storage manager). JUDGE automates the collection, distribution, trust verification, and policy evaluation of artifact evidence throughout the SDLC, creating cryptographically signed evidence trails that capture secure hashes of materials, artifacts, and events during CI/CD processes. The platform includes an OPA Rego-based policy engine with pre-built rule templates covering most compliance controls, real-time risk assessment that combines external threat intelligence with internal process data, and automated threat mitigation that detects tampering and process manipulation to prevent supply chain attacks like SolarWinds.
JUDGE enables compliance with SLSA (Supply-chain Levels for Software Artifacts), the NIST SP 800-218 Secure Software Development Framework (SSDF) attestation requirements, and Executive Order 14028 federal procurement standards through automated metadata collection, keyless signing with Sigstore and SPIFFE/SPIRE integration, RFC 3161 timestamp authority support, and air-gap distribution capabilities for network-restricted environments. The platform integrates with major CI/CD tools, including GitLab, GitHub Actions, and Jenkins, and with the cloud platforms AWS, GCP, and Azure. It also supports SBOM generation and Protobom translation, which enables format-neutral data exchange between the SPDX and CycloneDX formats.
TestifySec was founded by Cole Kennedy (CEO) and Mikhail Swift (CTO) and is headquartered in Jasper, Alabama. The company participated in the 2023 CISA and DHS Science and Technology Directorate Silicon Valley Innovation Program (SVIP) cohort alongside Chainguard, Scribe Security, Manifest Cyber, and three other startups to co-develop Protobom. It secured $75,000 in SBIR Phase 1 funding from the Department of the Air Force in 2024 for development of FLiCK (Forensic License Compliance Knowledgebase) and launched JUDGE in AWS Marketplace in May 2024. Autodesk adopted the underlying Witness and Archivista open-source tools to achieve a FedRAMP Authority to Operate by meeting supply chain security compliance requirements.