
JUDGE
CI/CD attestation platform automating compliance evidence and supply chain integrity.
Vendor Information
JUDGE Overview
JUDGE is TestifySec's commercial software supply chain attestation and compliance platform. It is built on two open-source in-toto projects (in-toto is a CNCF project): Witness, a CLI that observes pipeline steps and records attestations, and Archivista, an attestation store. JUDGE automates the collection, distribution, trust verification, and policy evaluation of artifact evidence throughout the SDLC, producing cryptographically signed evidence trails that capture secure hashes of the materials, artifacts, and events of each CI/CD run. The platform includes an OPA Rego-based policy engine with pre-built rule templates that the vendor says cover most compliance controls, real-time risk assessment that combines external threat intelligence with internal process data, and automated mitigation that detects tampering and process manipulation in order to stop supply chain attacks of the SolarWinds kind.
JUDGE supports compliance with SLSA (Supply-chain Levels for Software Artifacts), the attestation requirements of the NIST SP 800-218 Secure Software Development Framework (SSDF), and the federal procurement standards of Executive Order 14028 through automated metadata collection, keyless signing via Sigstore and SPIFFE/SPIRE integration, RFC 3161 timestamp authority support, and air-gap distribution for network-restricted environments. The platform integrates with major CI/CD tools, including GitLab, GitHub Actions, and Jenkins, and with the AWS, GCP, and Azure cloud platforms. It also supports SBOM generation and Protobom translation, which allows format-neutral exchange between SPDX and CycloneDX.
Founded by CEO Cole Kennedy and CTO Mikhail Swift and headquartered in Jasper, Alabama, TestifySec took part in the 2023 cohort of the CISA and DHS Science and Technology Directorate Silicon Valley Innovation Program (SVIP), alongside Chainguard, Scribe Security, Manifest Cyber, and three other startups, to co-develop Protobom. The company secured $75,000 in SBIR Phase I funding from the Department of the Air Force in 2024 to develop FLiCK (Forensic License Compliance Knowledgebase), and launched JUDGE in AWS Marketplace in May 2024. Autodesk adopted the underlying Witness and Archivista open-source tools to meet the supply chain security requirements of its FedRAMP Authority to Operate.
Key Capabilities
Standardized capabilities mapped to this product's security niche
Assembles signed pipeline evidence artifacts into auditor-ready compliance reports on demand, eliminating manual evidence gathering and reducing audit preparation time from weeks to minutes.
Automatically collects verifiable evidence from CI/CD pipeline steps (build logs, test results, scan outputs, code review approvals), without developer intervention, keeping the evidence trail current with every commit.
Signs pipeline step outputs (commits, builds, test runs, deployments) using the in-toto attestation specification, creating tamper-evident records of what produced each artifact, from what source, and under what conditions.
Maps cryptographic pipeline evidence to specific controls across SOC 2, NIST SSDF, FedRAMP, ISO 27001, and EO 14028, identifying which controls are satisfied by existing attestations and which have gaps requiring remediation.
Defines supply chain security requirements as versioned policy rules that are automatically evaluated against attestations at each pipeline stage; artifacts that fail policy checks are blocked before reaching production.
Evaluates CI/CD pipeline build processes against SLSA (Supply-chain Levels for Software Artifacts) level requirements, identifying gaps between current posture and the target level and reporting the achieved level per artifact.
Detects anomalies in pipeline attestation patterns (missing attestations, unexpected signing keys, modified source references, or broken provenance chains) that indicate potential supply chain compromise or build tampering.
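The attestation signing, policy evaluation, and anomaly detection described in the capabilities above, as an added example that is not JUDGE, Witness, or Archivista code. It builds in-toto v1 Statements, wraps them in DSSE envelopes signed with a local Ed25519 key (standing in for the Sigstore keyless or SPIFFE-issued identities the platform uses), and then applies a hand-written policy check in place of Rego: every required predicate type must be present for the artifact digest and carry a signature from a key ID in the trusted set. The predicate-type URIs, the key ID "ci-signer", the artifact digest (SHA-256 of the string "test"), and the predicate body are all constructed for the demonstration. Demo also runs a forged attestation from an unknown key that claims the CI key ID; the verifier refuses it, which leaves a required attestation missing, the unexpected-signing-key case listed above.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Subject/Statement follow the in-toto Attestation Framework v1 layout; Signature/Envelope follow DSSE.
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}
type Statement struct {
	Type          string          `json:"_type"`
	Subject       []Subject       `json:"subject"`
	PredicateType string          `json:"predicateType"`
	Predicate     json.RawMessage `json:"predicate"`
}
type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}

const PayloadType = "application/vnd.in-toto+json"

// PAE is DSSE's pre-authentication encoding; signing it, not the raw payload, binds the payload type.
func PAE(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}

// Sign serialises a Statement into an Ed25519-signed DSSE envelope tagged with the signer's key ID.
func Sign(priv ed25519.PrivateKey, keyID string, st Statement) Envelope {
	body, _ := json.Marshal(st) // plain structs plus a well-formed RawMessage: cannot fail here
	sig := ed25519.Sign(priv, PAE(PayloadType, body))
	return Envelope{PayloadType, base64.StdEncoding.EncodeToString(body),
		[]Signature{{keyID, base64.StdEncoding.EncodeToString(sig)}}}
}

// Verify accepts an envelope only if a signature validates under a trusted key selected by key ID;
// an unknown key ID is skipped, never trusted on sight. Returns the Statement and the verifying key ID.
func Verify(env Envelope, trusted map[string]ed25519.PublicKey) (Statement, string, error) {
	var st Statement
	body, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return st, "", err
	}
	for _, s := range env.Signatures {
		pub, known := trusted[s.KeyID]
		sig, _ := base64.StdEncoding.DecodeString(s.Sig) // a malformed sig simply fails Verify below
		if !known || !ed25519.Verify(pub, PAE(env.PayloadType, body), sig) {
			continue
		}
		err = json.Unmarshal(body, &st)
		return st, s.KeyID, err
	}
	return st, "", fmt.Errorf("no signature from a trusted key")
}

// Evaluate returns the policy violations for one artifact digest (empty means pass): envelopes without a
// trusted signature, attestations about some other artifact, and required predicate types nobody supplied.
func Evaluate(required []string, trusted map[string]ed25519.PublicKey, sha256 string, envs []Envelope) []string {
	var out []string
	seen := map[string]bool{}
	for i, env := range envs {
		st, keyID, err := Verify(env, trusted)
		if err != nil {
			out = append(out, fmt.Sprintf("envelope %d: %v", i, err))
			continue
		}
		attests := false
		for _, sub := range st.Subject {
			attests = attests || sub.Digest["sha256"] == sha256
		}
		if !attests {
			out = append(out, fmt.Sprintf("%s from %s attests a different artifact", st.PredicateType, keyID))
			continue
		}
		seen[st.PredicateType] = true
	}
	for _, req := range required {
		if !seen[req] {
			out = append(out, "missing required attestation: "+req)
		}
	}
	return out
}

// Demo is a constructed scenario: build and test attestations for one artifact signed by the CI key,
// then the same artifact with the test attestation forged by an unknown key claiming the CI key ID.
func Demo() (clean, tampered []string) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, rogue, _ := ed25519.GenerateKey(rand.Reader)
	digest := "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" // constructed: sha256("test")
	stmt := func(pred string) Statement {
		return Statement{"https://in-toto.io/Statement/v1",
			[]Subject{{"app.tar.gz", map[string]string{"sha256": digest}}},
			pred, json.RawMessage(`{"runner":"ci-job-42"}`)}
	}
	required := []string{"https://example.com/build/v1", "https://example.com/test/v1"}
	trusted := map[string]ed25519.PublicKey{"ci-signer": pub}
	build := Sign(priv, "ci-signer", stmt(required[0]))
	test := Sign(priv, "ci-signer", stmt(required[1]))
	forged := Sign(rogue, "ci-signer", stmt(required[1]))
	return Evaluate(required, trusted, digest, []Envelope{build, test}),
		Evaluate(required, trusted, digest, []Envelope{build, forged})
}

func main() {
	clean, tampered := Demo()
	fmt.Println("clean pipeline:", clean)
	fmt.Println("tampered pipeline:", tampered)
}
```

Running the file prints an empty violation list for the clean pipeline and two violations for the tampered one: the forged envelope has no signature from a trusted key, so the test attestation counts as missing. A production verifier would also pin the DSSE payloadType to the in-toto media type, tie each attestation to an RFC 3161 timestamp, and version the policy itself; this sketch leaves those out.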