For the procurement triad
The install-path firewall, federated across every business unit — and every refusal carries a signed audit row.
NIS2, DORA, CRA, GDPR, SOC 2 — every reviewer reads the same signed audit row.
Trust packet: SOC 2 Type II readiness materials (auditor selection in progress), pen-test summary, draft DPA with SCCs, NIS2 Art. 21 control mapping, quarterly DR tabletop exercises (most recent report under NDA), signed-policy-bundle architecture, Billy approval-queue runbook.
Three buyers, one decision
Each of your three teams walks in with a different question. Same audit row answers all three.
AppSec lead
“Snyk and Xray already scan. Why does this stop incidents they don't?”
Because scanners report after the package has already been fetched and its install scripts have run. The proxy sits on the install path and refuses before the fetch completes: typosquats, maintainer takeovers, hidden Unicode, install-script exfiltration, KEV-listed CVEs, scored on 25 supply-chain signals beyond the CVE feed. One Rego decision, one signed audit row, handed to the auditor.
See the four enforcement points →
DevSecOps lead
“Fifty BUs, fifty Rego forks. How does this not become a policy zoo?”
Hub-and-spoke federation. A global Rego floor lives at the hub. Each BU spoke inherits and overrides within bounds you set. Billy holds the approval queue for every policy edit and exception. One audit stream rolls up; BUs keep autonomy.
See the federation model →
EntIT lead
“Identity is mine. Will this respect Okta/Entra groups and SCIM attrs?”
Group → Rego scope mapping. SCIM with custom attributes (cost_center, BU) flowed straight into policy. JIT break-glass with time-boxed elevation. Every identity event lands in the same signed audit row as the install decision.
See the identity model →
Federation architecture
Hub-and-spoke federation: a global floor, BU overrides, one audit stream up.
A 50-BU org doesn't want one Rego file. It wants a shared floor and bounded local autonomy. The hub publishes a signed policy bundle. Each spoke — a regional brand or BU — inherits the floor and adds local overrides inside bounds the hub defines. Billy (the approval-queue daemon) holds every override and exception, with expiry. The audit stream rolls up to one place.
Worked example (anonymized, DH-shape)
Hub floor refuses any package with a maintainer-takeover signal in the last 14 days, any install-script exfil pattern, and any KEV-listed CVE without an active exception. A regional spoke, call it "Brand-EU", adds a tighter floor: no AGPL, no packages younger than 30 days in production paths. Brand-EU's platform engineer opens an exception for a 14-day-old internal SDK; Billy routes it to the AppSec approver named in the spoke's policy, expiry baked in. One audit row carries actor, signals, scope, approver, expiry to your SIEM. The hub is never in the approval loop.
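The floor, overlay and exception shape above, written out as an added Rego example. This is illustration, not Chainsaw's shipped bundle: the input fields (input.now_ns, input.scope, input.path_class, input.signals.*, input.package.*), the data documents (data.kev, data.exceptions) and the rule ids are all assumed names. Both floors are shown in one package so the file runs on its own; in the federated deployment the hub section is the signed hub bundle and the spoke section is Brand-EU's overlay. Needs OPA 0.59 or later for `import rego.v1`; run it with `opa test policy.rego`.

```rego
package chainsaw.example

import rego.v1

# ---- Hub floor (ships in the signed hub bundle; every spoke inherits it) ----

day_ns := 24 * 60 * 60 * 1000000000

# Age in days of an RFC 3339 timestamp, measured against the clock the caller
# puts in input (assumed field) so a decision can be replayed from its audit row.
days_since(ts) := (input.now_ns - time.parse_rfc3339_ns(ts)) / day_ns

# The bound the hub sets on spoke autonomy: only these rule ids can be waived by
# an exception. Takeover and exfil refusals are never exceptionable.
exceptable := {"kev_cve", "license", "min_age"}

hub_deny contains {"rule": "maintainer_takeover", "detail": input.signals.maintainer_takeover_at} if {
	days_since(input.signals.maintainer_takeover_at) <= 14
}

hub_deny contains {"rule": "install_script_exfil", "detail": "install script matches exfil pattern"} if {
	input.signals.install_script_exfil == true
}

hub_deny contains {"rule": "kev_cve", "detail": cve} if {
	some cve in input.package.cves
	cve in data.kev # KEV catalogue, delivered as a signed data bundle (assumed path)
}

# ---- Brand-EU spoke overlay: may add refusals, can never remove the hub's ----

spoke_deny contains {"rule": "license", "detail": input.package.license} if {
	input.scope == "brand-eu"
	startswith(input.package.license, "AGPL")
}

spoke_deny contains {"rule": "min_age", "detail": "younger than 30 days in a production path"} if {
	input.scope == "brand-eu"
	input.path_class == "production"
	days_since(input.package.published_at) < 30
}

# ---- Exception ledger: Billy appends a row once the named approver signs off ----

active_exceptions contains e if {
	some e in data.exceptions
	e.scope == input.scope
	e.package == input.package.name
	e.rule in exceptable # a spoke cannot waive what the hub marked non-exceptable
	time.parse_rfc3339_ns(e.expires) > input.now_ns # expiry baked in
}

waived(refusal) if {
	some e in active_exceptions
	e.rule == refusal.rule
}

# ---- Decision: union of both floors, minus active waivers ----

all_deny := hub_deny | spoke_deny

refusals := {r | some r in all_deny; not waived(r)}

default decision := "refuse"

decision := "allow" if count(refusals) == 0

pkg_ref := sprintf("%s@%s", [input.package.name, input.package.version])

# The one audit row: actor, signals, scope, approver, expiry.
audit := {
	"decision": decision,
	"actor": input.actor,
	"scope": input.scope,
	"package": pkg_ref,
	"refusals": refusals,
	"exceptions": {{"id": e.id, "approver": e.approver, "expires": e.expires} | some e in active_exceptions},
}

# ---- Constructed sample: the 14-day-old internal SDK from the worked example ----

sample_input := {
	"actor": "platform-eng@brand-eu",
	"scope": "brand-eu",
	"path_class": "production",
	"package": {"name": "@brand-eu/internal-sdk", "version": "1.0.0", "license": "MIT", "published_at": "2025-06-01T00:00:00Z", "cves": []},
	"signals": {"install_script_exfil": false},
}

sample_exceptions := [{"id": "EXC-17", "scope": "brand-eu", "rule": "min_age", "package": "@brand-eu/internal-sdk", "approver": "appsec-approver@brand-eu", "expires": "2025-06-22T00:00:00Z"}]

# Run with: opa test policy.rego
test_sdk_allowed_while_exception_active if {
	req1 := object.union(sample_input, {"now_ns": time.parse_rfc3339_ns("2025-06-15T00:00:00Z")})
	out := audit with input as req1 with data.exceptions as sample_exceptions with data.kev as []
	out.decision == "allow"
	out.exceptions[_].id == "EXC-17"
}

test_sdk_refused_once_exception_expires if {
	req2 := object.union(sample_input, {"now_ns": time.parse_rfc3339_ns("2025-06-23T00:00:00Z")})
	out := audit with input as req2 with data.exceptions as sample_exceptions with data.kev as []
	out.decision == "refuse"
	out.refusals[_].rule == "min_age"
}
```

Two design points worth keeping when you write the real bundle. The decision is a set union, so a spoke can only ever add refusals; the only way to loosen is an exception, and the hub's `exceptable` set decides which rules an exception may touch at all. And the clock comes in on the input rather than from `time.now_ns()`, so the same audit row can be replayed against the same bundle and produce the same refusal for an auditor.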
One policy, four enforcement points
Same Rego fires at PR, install, K8s admission, and runtime. Four tools collapse to one seam.
Most stacks stitch together a PR scanner (Snyk Code), a registry gate (JFrog Xray), an admission controller (Wiz Code / OPA), and a runtime sensor. Four configs, four policy languages, four audit trails. The proxy ships one Rego policy that fires at all four. The same signed audit row carries every refusal, wherever it happened.
- Pull request (GitHub / GitLab check): refuses the merge when the proposed dependency fails policy.
- Install path (npm / PyPI / Maven / NuGet / Docker + 12 more): refuses the fetch. Developer sees the reason and the exception path.
- K8s admission (validating webhook): refuses the pod when the image fails the same Rego the install path ran.
- Runtime (workload sensor): refuses outbound calls from packages that drifted post-install.
Deeper reading: architecture overview · structural diff vs JFrog Xray in /vs/jfrog-xray.
Compliance mapping
Regime → article → which audit row, which signed bundle, which export.
No certification is claimed that isn't held. Each control your reviewer asks about maps to a specific Chainsaw artifact.
| Regime | Article / control | Chainsaw control evidence |
|---|---|---|
| NIS2 | Art. 21 — supply-chain risk management | Signed policy bundle + signed audit row per install decision; refusal reasons map to specific signals (typosquat, maintainer takeover, install-script exfil). |
| DORA | Art. 6 — ICT risk framework; Art. 28 — third-party ICT risk | Per-BU enforcement evidence, immutable audit export to SIEM, subprocessor list in DPA, source-available enforcement bundle clause for exit. |
| CRA | Annex I — secure-by-design; vuln handling | SBOM export per release, KEV-aware refusal, exception lifecycle with expiry — all carried in the same audit row. |
| GDPR | Art. 32 — security of processing | Narrow data model: package metadata + decision records, no source code, no payload bodies. EU-region SaaS or in-VPC. DPA with SCCs. |
| SOC 2 | CC6 (access), CC7 (operations), CC8 (change) | RBAC + SCIM, signed audit row with actor_type + correlation_id, signed policy-bundle change history. SOC 2 Type II — readiness phase, auditor selection in progress. |
| ISO 27001:2022 | Annex A.8.2 privileged access rights; A.8.3 information access restriction; A.8.15 logging | Group → Rego scope mapping, JIT break-glass with expiry, identity events in the same audit stream as install decisions. |
Identity depth
Okta or Entra ID is the source of truth. Policy reads it directly.
Group → Rego scope mapping. SCIM provisions users with custom attributes (cost_center, bu, region) that policy reads at decision time. JIT break-glass elevates a developer into an approver role for a time-boxed window; Billy holds the request, the audit row carries it. Conditional access from Okta / Entra propagates into refusal context, so a high-risk install attempted from an unmanaged device gets refused with that reason on the row.
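What that looks like in policy, as an added Rego example (not the product's own identity model): scope derived from IdP groups rather than anything the client sends, the SCIM bu attribute cross-checked against it, a time-boxed break-glass grant, and device context from conditional access turning into a refusal reason. The input layout (input.identity.sub/groups/attrs/device, input.risk, input.now_ns), the group names and the data.break_glass ledger are assumed for illustration. Same OPA requirement as above; run with `opa test identity.rego`.

```rego
package chainsaw.identity_example

import rego.v1

# Okta / Entra group → scope map; in deployment this ships as data in the
# signed bundle (assumed structure and group names).
group_scopes := {
	"okta:eng-brand-eu": "brand-eu",
	"okta:eng-brand-us": "brand-us",
}

# Scope is derived from IdP group membership, never from a client-supplied field.
scopes := {s | some g in input.identity.groups; s := group_scopes[g]}

scope := s if {
	count(scopes) == 1
	some s in scopes
}

# SCIM custom attribute cross-check: the bu attribute must agree with the
# group-derived scope, or the request is refused with that reason on the row.
deny contains {"rule": "identity_scope_mismatch", "detail": input.identity.attrs.bu} if {
	input.identity.attrs.bu != scope
}

deny contains {"rule": "ambiguous_scope", "detail": scopes} if {
	count(scopes) != 1
}

# Conditional-access context propagated from the IdP: a high-risk install from
# an unmanaged (or unknown) device is refused, and the audit row says why.
deny contains {"rule": "unmanaged_device", "detail": input.identity.device.id} if {
	input.risk == "high"
	not input.identity.device.managed
}

# Approver: standing membership in the approver group, or a JIT break-glass
# grant that Billy issued for this subject and scope and that has not expired.
default approver := false

approver if "okta:appsec-approvers" in input.identity.groups

approver if {
	some g in data.break_glass
	g.subject == input.identity.sub
	g.scope == scope
	input.now_ns < time.parse_rfc3339_ns(g.expires)
}

default can_install := false

can_install if count(deny) == 0

default can_approve := false

can_approve if {
	approver
	count(deny) == 0
}

# Identity events land in the same row as the install decision.
audit := {
	"actor": input.identity.sub,
	"scopes": scopes,
	"approver": approver,
	"device_managed": input.identity.device.managed,
	"refusals": deny,
}

# ---- Constructed sample identity, as SCIM would have provisioned it ----

sample_identity := {
	"sub": "dev-42@brand-eu",
	"groups": ["okta:eng-brand-eu"],
	"attrs": {"bu": "brand-eu", "cost_center": "CC-1187", "region": "eu-west-1"},
	"device": {"id": "mbp-0042", "managed": true},
}

# Two-hour break-glass window Billy opened for dev-42 (constructed)
sample_grants := [{"subject": "dev-42@brand-eu", "scope": "brand-eu", "expires": "2025-06-15T02:00:00Z"}]

test_break_glass_active if {
	req1 := {"now_ns": time.parse_rfc3339_ns("2025-06-15T01:00:00Z"), "identity": sample_identity, "risk": "low"}
	can_approve with input as req1 with data.break_glass as sample_grants
}

test_break_glass_expired if {
	req2 := {"now_ns": time.parse_rfc3339_ns("2025-06-15T03:00:00Z"), "identity": sample_identity, "risk": "low"}
	not can_approve with input as req2 with data.break_glass as sample_grants
	can_install with input as req2 # still a developer, just no longer an approver
}

test_unmanaged_device_refused if {
	byod := object.union(sample_identity, {"device": {"id": "byod-7", "managed": false}})
	req3 := {"now_ns": 0, "identity": byod, "risk": "high"}
	out := audit with input as req3
	out.refusals[_].rule == "unmanaged_device"
	not can_install with input as req3
}
```

The check a reviewer should look for: `scope` is undefined when a subject sits in groups that map to two scopes, which makes every rule that depends on it fall through to a refusal rather than to the more permissive of the two. The break-glass grant carries its own expiry and is compared against the clock on the request, so the elevation ends without anyone having to revoke it.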
Operational SLAs + support
Targets below; negotiated figures in your MSA.
- Uptime target (SaaS): 99.95% (not contractual; negotiated in MSA)
- P1 response: 15 minutes, 24/7, dedicated Slack Connect
- P2 response: 1 business hour, follow-the-sun
- P3 response: 1 business day
- Named CSM: single contact across AppSec / DevSecOps / EntIT
- QBR cadence: quarterly; metrics on refusals, exceptions, BU adoption
- RPO / RTO target: RPO 15 min / RTO 1 hour (target; negotiated in MSA)
Cost shape at 30,000 developers
Predictable annual. Not per-seat.
Per-seat pricing in a 30k-engineer org turns every hire into a budget event and every BU acquisition into a re-paper. The proxy is priced annually on the dimensions that actually drive cost on our side — not on your headcount.
- Number of business units in the federation (spoke count)
- Regions for SaaS / VPC residency or air-gapped sideload cadence
- Audit retention window (12 / 36 / 84 months)
- Audit-stream destinations (SIEM, data lake, regulator export)
- Support tier (standard, 24/7 follow-the-sun, on-site QBR)
Vendor risk + escape hatch
If Chainsaw the company disappears, the proxy keeps refusing.
- Source-available enforcement bundle clause: negotiable into Unlimited-tier MSAs. The signed binary continues to enforce policy offline after license expiry, regardless.
- Data portability: audit rows, policy bundles, exception ledger, exportable to S3 / GCS / Azure Blob on a documented schema, on demand. Retention window negotiated in MSA (12 / 36 / 84 months).
- Offline continuity: the signed binary keeps refusing on the install path without phone-home. Threat-intel updates arrive as signed bundles you verify; keep the bundle-signing public key pinned on your side so each update is checked against a key you hold, not one the update carries.
- Subprocessors: full list in the DPA. Notification on material change with right to object.
Reference
Top-5 European on-demand platform, 25,000 developers, 40 business units.
Federated hub-and-spoke rollout across 40 BUs. Global Rego floor authored by the central AppSec team; each BU added local overrides under Billy's approval queue. Single audit stream to the central SIEM. Replaced a stitched stack of registry gate, PR scanner, and admission controller with one signed policy bundle. Reference call available under NDA during procurement.
Architecture review, not a demo
Bring your AppSec, DevSecOps, and EntIT leads. One call, one decision.
Thirty minutes. The hub-and-spoke model walked against your Okta groups and BU shape, top three compliance asks (NIS2, DORA, your SOC 2 reviewer's list) mapped to the audit row, and the trust packet handed back.