For DevSecOps & Compliance

Every install leaves evidence. Compliance stops being a spreadsheet project.

Every install produces a structured verdict with the rule, the reason, the repo, the CI job, and the user. That log is your audit trail. CycloneDX SBOMs export in one click. The same license, version, and provenance rules run in CI, on a laptop, and in Dockerfiles. When the auditor asks how you enforce it, the answer is a query, not a quarter of collection work.

The pain

  • Policy is written down but not enforced consistently across teams and pipelines.
  • License violations show up in audits, not at PR time.
  • Compliance evidence is a manual spreadsheet at the end of the quarter.
  • Frameworks keep changing — SOC 2 CC 8.1, NIST 800-161, SLSA — and your controls inventory lags behind.

What changes

Enforce on the request path

License, version, and provenance rules run on every install. Consistent whether the install happens in CI, on a laptop, or inside a Dockerfile.

SBOM and audit on demand

Export CycloneDX SBOMs and structured audit logs straight from the dashboard or API. Stream to Splunk HEC, Microsoft Sentinel, or IBM QRadar on Unlimited.

Monitor first, block later

Roll out policy without breaking builds. Capture what would have been blocked, then flip to enforce rule by rule when you're confident.

Framework alignment

Controls that map cleanly to the frameworks your auditor reads

Chainsaw doesn't certify you compliant. It produces the evidence your auditor asks for. Below is how the install-path firewall lines up against the frameworks we see most often.

SOC 2 Type II

CC 7.1 change management, CC 8.1 system changes, CC 6.6 logical access

Install-path audit log demonstrates approval boundaries. Exception expiry and RBAC-scoped API keys satisfy the access-change controls.

NIST 800-161r1 C-SCRM

SR-3, SR-4, SR-11 supply-chain controls

Supply-chain attack signals, SBOM export, and maintainer-change detection map directly to the supply-chain risk controls introduced in r1.

ISO 27001 / ISO 27002

A.8.9 configuration management, A.8.22 segregation of networks, A.5.19 supplier relationships

Centralised policy and tenant-scoped rules satisfy the segregation controls. Supplier controls land on the provenance and attack-signal rules.

SLSA v1.0

Provenance L2–L3, Source L2+, Build L3

Chainsaw ingests Sigstore attestations, npm provenance, and Go sumdb to enforce the provenance levels your consumers require.

HIPAA Security Rule

§164.308 administrative safeguards

Audit log retention and structured export give PHI-handling teams the evidence they need without a custom collector.

Compliance, without chasing

From draft policy to audit-ready in three steps

  1. Model your policy once

    Allow-list licenses, block versions below a floor, require signed provenance. Single declarative surface; same YAML runs everywhere.

  2. Watch monitor-mode traffic

    Every install produces a verdict in the audit log even in monitor mode. You see what enforcement would do without breaking anyone's build.

  3. Export evidence on demand

    One-click CycloneDX SBOMs per repo. Audit trails stream to Splunk HEC, Microsoft Sentinel, or IBM QRadar on Unlimited. No spreadsheet assembly at quarter-end.
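One way to model the three steps above in code, as an added example that is not Chainsaw's own code: a hypothetical policy in which each rule carries its own monitor/enforce mode, evaluated against a constructed install request to produce the verdict fields described on this page (rule, reason, repo, CI job, user). The policy layout, field names and sample data are all assumptions.

```python
"""Hypothetical install-path policy evaluator (added example, not Chainsaw's code)."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed policy. Each rule carries its own mode so it can be flipped
# from "monitor" to "enforce" independently (step 2 -> step 3 of the flow).
POLICY = {
    "license-allowlist": {"mode": "enforce", "allow": {"MIT", "Apache-2.0", "BSD-3-Clause"}},
    "version-floor": {"mode": "monitor", "floors": {"lodash": (4, 17, 21)}},
    "signed-provenance": {"mode": "monitor"},
}

@dataclass
class Verdict:
    action: str                     # "allow" or "block"
    repo: str
    ci_job: str
    user: str
    rule: Optional[str] = None      # first enforced rule that fired, if any
    reason: Optional[str] = None
    would_block: list = field(default_factory=list)  # monitor-mode hits, for the audit log

def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))

def violations(req: dict):
    """Yield (rule, reason) for every rule the install request violates."""
    if req["license"] not in POLICY["license-allowlist"]["allow"]:
        yield "license-allowlist", f"license {req['license']} not on allow-list"
    floor = POLICY["version-floor"]["floors"].get(req["name"])
    if floor and parse_version(req["version"]) < floor:
        yield "version-floor", f"{req['name']}@{req['version']} below floor {'.'.join(map(str, floor))}"
    if not req.get("signed_provenance"):
        yield "signed-provenance", "no signed provenance attestation"

def evaluate(req: dict) -> Verdict:
    """Enforced hits block; monitor hits are only recorded, so builds keep passing."""
    v = Verdict("allow", req["repo"], req["ci_job"], req["user"])
    for rule, reason in violations(req):
        if POLICY[rule]["mode"] == "enforce":
            if v.action == "allow":            # first enforced hit decides the action
                v.action, v.rule, v.reason = "block", rule, reason
        else:
            v.would_block.append(rule)
    return v

# Constructed sample request: copyleft license, old version, unsigned, from a CI job.
SAMPLE = {"name": "lodash", "version": "4.17.20", "license": "GPL-3.0",
          "signed_provenance": False, "repo": "acme/api", "ci_job": "build-42", "user": "ci-bot"}
```

`evaluate(SAMPLE)` blocks on the enforced license rule while still recording the two monitor-mode hits, which is exactly the "what would have been blocked" picture step 2 relies on before flipping a rule to enforce.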

Audit season around the corner?

Turn on Chainsaw in monitor mode

Get a picture of where you'd land on SOC 2 / ISO / NIST today — without changing enforcement. Export the audit log when you're ready.