EO 14412 CISA CBOM minimum elements due ~March 19, 2027 · PQC key establishment by Dec 31, 2030 · digital signatures by Dec 31, 2031

Turn the finding into evidence

The free check tells you which cryptography breaks and when. It is unsigned — anyone can edit it. A receipt binds those findings to this exact manifest, at this exact moment, and your auditor can verify it against a public key without contacting us. Leave the access code blank to try it free.

Free — 3 per IP per day RS256 + ML-DSA-65 Signed Zero Manifest Retention Published Keyset
StatusSystem Idle
Manifest Verification

Generate Receipt

Upload the same manifest you just checked. You get the same findings back — signed, dated, and verifiable by someone who has no reason to trust you.

Verification Tier

Standard = signed proof of what your manifest declared, and when. Advanced = proof + vulnerability intelligence + time-aware re-evaluation.

Professional Plus subscribers: select Advanced to access intelligence features.

Free to Try — Rate-Limited
Free issuance is capped at 3 receipts per IP address per day. No account, no card — leave the access code blank. IP is hashed, never stored. Paid packs add vulnerability intelligence (OSV / NVD / GHSA) and higher volume.

No code? Upload an SBOM and generate a real signed receipt for free (standard tier · 3 free per IP per day). Paid access codes unlock vulnerability intelligence (OSV / NVD / GHSA) and unlimited receipts.

Upload a CycloneDX or SPDX JSON manifest to generate a signed CBOM receipt.
Drop your manifest here or browse CycloneDX or SPDX JSON · .json files only

Data Handling & Verification Model

Submitted manifests are processed transiently for the sole purpose of issuing a signed receipt.

No uploaded data is stored, retained, indexed, or shared. Processing occurs in-memory within a serverless execution context and is discarded after computation.

Issued receipts are signed by the system and can be verified independently using the public verification key endpoint.

Verification does not require continued access to this platform or the original upload session.

No persistent storage · No manifest logging · No database retention of uploaded contents

Live Scope

System Status & Receipt Scope

Service
Checking…
Mode
Checking…
Timestamp
Checking…
Protocol
Checking…

Receipt Scope

  • Dual-signed receipt: RS256 + ML-DSA-65 (FIPS 204)
  • Manifest SHA-384 fingerprint
  • Merkle-root derivation result
  • Timestamped validation record
  • Public-key verification path
  • VS Code extension manifest scanning
  • AI model card provenance receipting
  • Advanced tier: NVD + OSV + GHSA vulnerability intelligence
  • Advanced tier: EPSS exploit probability scoring
  • Advanced tier: license risk flagging (AGPL, GPL, SSPL)
  • Advanced tier: receipt drift detection and comparison
  • Embeddable verified badge for vendor portals and documentation

The receipt proves what your manifest declared, and when. It does not prove your cryptography is safe, do the migration for you, or substitute for a complete compliance program. It proves you looked, and it proves what you found.

Public verification key endpoint: /.netlify/functions/public-key
Verification Model
Proof of submitted manifest state at issuance time, with signed output and an independent validation path.
Scope & Limits
This system proves the submitted input and signs the resulting receipt. It does not claim full runtime truth or automatic legal compliance.
Output

Verification Result

No manifest verified yet
Upload a CycloneDX or SPDX JSON manifest above to generate a signed receipt.
Drift Detection

Compare Two Receipts

Advanced

Paste two signed receipts (JWS) to see exactly what changed between them — added components, removed dependencies, version upgrades, and risk delta. Requires Advanced tier receipts.

Receipt Comparison
System Interpretation

How This Works

Intended Use

Who This Is For

Operational Buyer Fit

This system is built for environments where software claims must be defensible, not just stated.

Defense
CMMC-bound contractors
Supply Chain
SBOM-submitting vendors
Security
Audit-preparation teams
Evidence
Post-delivery proof needs