The free check tells you which cryptography breaks and when. It is unsigned — anyone can edit it. A receipt binds those findings to this exact manifest, at this exact moment, and your auditor can verify it against a public key without contacting us. Leave the access code blank to try it free.
Free — 3 per IP per dayRS256 + ML-DSA-65 SignedZero Manifest RetentionPublished Keyset
StatusSystem Idle
Manifest Verification
Generate Receipt
Upload the same manifest you just checked. You get the same findings back — signed, dated, and verifiable by someone who has no reason to trust you.
Verification Tier
Standard = signed proof of what your manifest declared, and when. Advanced = proof + vulnerability intelligence + time-aware re-evaluation.
Professional Plus subscribers: select Advanced to access intelligence features.
Free to Try — Rate-Limited
Free issuance is capped at 3 receipts per IP address per day. No account, no card — leave the access code blank. IP is hashed, never stored. Paid packs add vulnerability intelligence (OSV / NVD / GHSA) and higher volume.
Download this, then drag it into the upload box above to generate a receipt.
Data Handling & Verification Model
Submitted manifests are processed transiently for the sole purpose of issuing a signed receipt.
No uploaded data is stored, retained, indexed, or shared. Processing occurs in-memory within a serverless execution context and is discarded after computation.
Issued receipts are signed by the system and can be verified independently using the public verification key endpoint.
Verification does not require continued access to this platform or the original upload session.
No persistent storage · No manifest logging · No database retention of uploaded contents
Advanced tier: receipt drift detection and comparison
Embeddable verified badge for vendor portals and documentation
The receipt proves what your manifest declared, and when. It does not prove your cryptography is safe, do the migration for you, or substitute for a complete compliance program. It proves you looked, and it proves what you found.
Public verification key endpoint: /.netlify/functions/public-key
Verification Model
Proof of submitted manifest state at issuance time, with signed output and an independent validation path.
Scope & Limits
This system proves the submitted input and signs the resulting receipt. It does not claim full runtime truth or automatic legal compliance.
Output
Verification Result
No manifest verified yet
Upload a CycloneDX or SPDX JSON manifest above to generate a signed receipt.
Status
-
Format
-
Components
-
Timestamp
-
Signature
-
Provenance
-
Access Role
-
Tier
-
Tier Label
-
Scope
-
Manifest SHA-384
-
Merkle Root
-
Receipt ID
-
Advanced Risk Analysis
Risk Status
-
Confidence
-
Issue Count
0
Sources Used
-
Component-Level Findings
Upgrade Available
Advanced tier includes proof + intelligence + time-aware trust evaluation.
Multi-source vulnerability intelligence
Component-level issue detection
Confidence scoring
Source-backed analysis (NVD, OSV, Internal)
Time-aware re-evaluation of existing receipts
Signed Receipt (JWS)
-
Validation Notes
Detected Fields
Raw Receipt
Drift Detection
Compare Two Receipts
Advanced
Paste two signed receipts (JWS) to see exactly what changed between them — added components, removed dependencies, version upgrades, and risk delta. Requires Advanced tier receipts.
Receipt Comparison
System Interpretation
How This Works
Overview
The evidence half of the check
The free check grades every cryptographic asset in your manifest against EO 14412 deadlines. It is an unsigned report — useful to you, worthless to anyone who has to take your word for it. This page issues the signed version: the same findings, bound to the same manifest, dual-signed with RS256 and ML-DSA-65 (FIPS 204), and independently verifiable against a published key.
Flow
Verification process
Upload a CycloneDX or SPDX JSON manifest.
The system validates structure and extracts component entries.
A SHA-384 fingerprint and Merkle root are derived from the manifest data.
A signed receipt is issued with timestamp, manifest hash, and verification metadata.
Proof Scope
What the receipt proves
That this manifest was processed by the NextGenRails verification system.
That the output receipt was signed by the system's private signing key.
That the manifest fingerprint and Merkle root in the receipt are deterministic outputs of the submitted data.
That the receipt can be verified independently using the public verification key.
Boundaries
What it does not claim
It does not certify that software is vulnerability-free.
It does not guarantee legal compliance by itself.
It does not replace a full security audit or formal attestation framework.
It produces cryptographically signed verification evidence for submitted manifests.
Intended Use
Who This Is For
Operational Buyer Fit
This system is built for environments where software claims must be defensible, not just stated.
Defense
CMMC-bound contractors
Supply Chain
SBOM-submitting vendors
Security
Audit-preparation teams
Evidence
Post-delivery proof needs
Defense contractors subject to CMMC requirements
Vendors submitting SBOMs to government buyers
Security teams preparing for audit or certification
Organizations that must prove software state after delivery