Software provenance for regulated engineering teams

Trust what
ships

Prove where every release came from. Create a traceable scan record for repositories and archives today. Join early access for AI-origin evidence, dependency lineage, policy decisions, and audit-ready exports as each capability becomes available.

Example
Provenance scan — github.com/acme/payments-service @ main

Provenance confidence

87/ 100

87%

Source provenance

Illustrative — rolling out
Human 62%AI-assisted 28%AI-generated 10%

Top evidence signals

  • Dependency manifest resolved (npm)94%
  • Known vulnerability match (OSV.dev)91%
  • Repository metadata + commit history88%
  • AI-origin stylometric signal (47-signal)Illustrative — rolling out72%

Dependency lineage

Available now

47 dependencies traced across npm + PyPI

3 known vulnerabilities matched (OSV.dev) · 1 high · 2 medium

Policy decision

Pass0 policy violations

Block critical-severity dependencies on release branches

Illustrative — rolling out

Signed evidence ID

EV-2026-07-11-A1B2C3

2026-07-11T14:32:00Z

Availability

  • Scan intakeAvailable now
  • AI-origin scoringRolling out
  • Dependency lineageRolling out
  • Policy enginePlanned
  • Compliance reportsPlanned

SOC 2 Ready

Built to SOC 2 controls — Type II certification in progress

AES-256

Encryption at rest

TLS 1.3

In transit

Everything you need to prove code provenance

One platform for the four questions every security, legal, and engineering team needs answered before shipping.

AI-Origin Detection

Scan intake is live now. AI-origin scoring, stylometric evidence, and explainable confidence reports are being rolled out behind the queued analysis workflow.

Policy Engine

Define provenance rules for review today, with automated log, warn, block, and require-review actions planned for the worker-backed policy phase.

Dependency Lineage

Track repository and archive scan requests now. Transitive npm, PyPI, and Maven lineage graphs are scheduled for the analysis-worker phase.

Compliance Reports

Prepare evidence intake now. SOC 2, EU AI Act, GDPR, and HIPAA report generation will unlock once scan results are produced.

Workflow

How ProvenanceOS works

From signed-in upload intake to queued analysis workflow, with generated results rolling out in phases.

  1. 01

    Start scan intake

    Upload a small archive or submit a repository URL from the authenticated app. ProvenanceOS creates a durable queued scan job.

  2. 02

    Track job status

    View your scan request, source metadata, and queued status while the static-analysis worker rollout continues.

  3. 03

    Unlock generated results

    AI-origin evidence, dependency lineage, policy evaluation, and compliance exports arrive as the worker-backed phases ship.

See how ProvenanceOS traces code provenance from intake to audit

Be the first to know when each phase ships

ProvenanceOS is rolling out in phases. Get launch updates as AI-origin scoring, lineage, policy, and compliance reports come online.

We value your privacy

We use cookies to enhance your browsing experience, serve personalized content, and analyze our traffic. By clicking "Accept All", you consent to our use of cookies. Learn more