PR-Level Release Decision Intelligence

Should this change ship?

Veridion is the release decision system for increasingly autonomous engineering teams. It determines whether a software change can ship safely, explains why, and prescribes what happens next.

veridion — PR #247 — feat/add-payments-endpoint CONDITIONAL GO
Ingests

What changed?

Application code, dependencies, Dockerfiles, Terraform, Kubernetes, Helm, GitHub Actions, IAM policy, network exposure, and database migrations — all classified directly from the diff.

What risk was introduced?

Veridion isolates risk introduced in this PR from pre-existing backlog. Teams reason about the current change, not the entire historical scanner backlog.

What should happen next?

A scored decision, confidence level, explicit approvals, and required next steps. A release decision memo posted to the PR, not a raw finding dump.

AI increases software velocity.
Veridion governs operational trust.

The acceleration

  • AI-generated code at higher volume and velocity
  • Autonomous dependency upgrades and remediation
  • Infrastructure changes from non-infrastructure engineers
  • Deploy frequency outpacing manual review capacity

The control problem

  • What exactly changed and what does it touch?
  • What new risk did this PR actually introduce?
  • What is the blast radius if this goes wrong?
  • Should this ship, and who needs to approve it?

  1. Scan on every PR

    Semgrep, Trivy, Grype, and Syft run against both head and baseline. One bootstrap command generates the workflow with policy, trust inputs, and accepted-risk support.

  2. Normalize, deduplicate, attribute

    Scanner output is unified into one schema. Cross-scanner duplicates collapse. Each finding is attributed as introduced or pre-existing against the baseline.

  3. Score against your policy

    Change surface, blast radius, operational context, accepted risk, and policy are weighed to produce a deterministic 0-100 score and release verdict.

  4. Decision posted to the PR

    GO, CONDITIONAL GO, or NO GO — with primary drivers, required approvals, and next steps. A decision memo, not a raw scanner log.
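A toy end-to-end pass over the four steps above, written for this page as an added example. It is not Veridion's code and does not reproduce its scoring: the simplified Semgrep/Trivy/Grype record shapes, the (rule, path) fingerprint used for cross-scanner deduplication, the accepted-risk format (reason plus ISO expiry, applied as a visible one-level downgrade rather than a removal), the penalty weights, the path-based domain inference and the verdict thresholds are all constructed assumptions, and the CVE ids are placeholders.

```python
"""Introduced-only release decisioning: normalize, dedupe, attribute, score.
Added example, not Veridion's code; every shape, weight and threshold is hypothetical."""
from dataclasses import dataclass, replace
from datetime import date

SEVERITY = ["LOW", "MEDIUM", "HIGH", "CRITICAL"]
SEMGREP_LEVELS = {"ERROR": "HIGH", "WARNING": "MEDIUM", "INFO": "LOW"}  # assumed mapping
PENALTY = {"LOW": 2, "MEDIUM": 8, "HIGH": 15, "CRITICAL": 40}           # hypothetical policy
DOMAIN_PENALTY = {"infra": 10, "dependency": 5, "code": 0}             # hypothetical policy


@dataclass(frozen=True)
class Finding:
    rule: str            # tool-neutral id: CVE id or short rule name
    path: str
    severity: str
    sources: tuple       # scanners that reported it
    accepted: str = ""   # exception reason when an unexpired accepted risk applies

    @property
    def fingerprint(self):
        return (self.rule.upper(), self.path)


def normalize(tool, record):
    """Map one scanner record onto the shared schema (record shapes simplified)."""
    if tool == "semgrep":
        return Finding(record["check_id"].rsplit(".", 1)[-1], record["path"],
                       SEMGREP_LEVELS[record["extra"]["severity"]], (tool,))
    if tool == "trivy":
        return Finding(record["VulnerabilityID"], record["Target"],
                       record["Severity"].upper(), (tool,))
    if tool == "grype":
        return Finding(record["vulnerability"]["id"],
                       record["artifact"]["locations"][0]["path"],
                       record["vulnerability"]["severity"].upper(), (tool,))
    raise ValueError(f"unknown scanner: {tool}")


def dedupe(findings):
    """Collapse cross-scanner duplicates by fingerprint; keep the worst severity."""
    merged = {}
    for f in findings:
        prev = merged.get(f.fingerprint)
        if prev is None:
            merged[f.fingerprint] = f
            continue
        worst = max(prev.severity, f.severity, key=SEVERITY.index)
        merged[f.fingerprint] = replace(
            prev, severity=worst, sources=tuple(sorted(set(prev.sources + f.sources))))
    return merged


def attribute(head, baseline):
    """Introduced = in head only; pre-existing = in both. Sorted so output is deterministic."""
    key = lambda f: f.fingerprint
    introduced = sorted((f for fp, f in head.items() if fp not in baseline), key=key)
    preexisting = sorted((f for fp, f in head.items() if fp in baseline), key=key)
    return introduced, preexisting


def apply_accepted_risk(findings, exceptions, today):
    """An unexpired exception downgrades one level and records its reason; nothing is dropped."""
    out = []
    for f in findings:
        exc = exceptions.get(f.rule.upper())
        if exc and date.fromisoformat(exc["expires"]) >= today:
            lower = SEVERITY[max(0, SEVERITY.index(f.severity) - 1)]
            f = replace(f, severity=lower, accepted=exc["reason"])
        out.append(f)
    return out


def domain(path):
    """Crude change-surface inference from the file path (illustrative only)."""
    if path.endswith(".tf") or "/iam/" in path or "ingress" in path:
        return "infra"
    if path.endswith(("requirements.txt", "package-lock.json", "go.sum", ".lock")):
        return "dependency"
    return "code"


def decide(introduced):
    """Deterministic 0-100 score from introduced findings only, then a verdict."""
    score = max(0, 100 - sum(PENALTY[f.severity] + DOMAIN_PENALTY[domain(f.path)]
                             for f in introduced))
    verdict = "GO" if score >= 85 else "CONDITIONAL GO" if score >= 60 else "NO GO"
    return score, verdict


def run(head_raw, baseline_raw, exceptions, today):
    """Full pipeline over raw per-tool records; today is an ISO date string."""
    norm = lambda raw: dedupe(normalize(t, r) for t, recs in raw.items() for r in recs)
    introduced, preexisting = attribute(norm(head_raw), norm(baseline_raw))
    introduced = apply_accepted_risk(introduced, exceptions, date.fromisoformat(today))
    score, verdict = decide(introduced)
    return {"score": score, "verdict": verdict,
            "introduced": introduced, "preexisting": preexisting}


# Constructed scanner output for baseline (main) and head (the PR); placeholder ids.
BASELINE = {
    "semgrep": [{"check_id": "example.subprocess-shell-true", "path": "app/util.py",
                 "extra": {"severity": "WARNING"}}],
    "trivy": [{"VulnerabilityID": "CVE-0000-0001", "Target": "requirements.txt",
               "Severity": "HIGH"}],
}
HEAD = {
    "semgrep": BASELINE["semgrep"] + [{"check_id": "example.sql-injection",
                                       "path": "app/payments.py", "extra": {"severity": "ERROR"}}],
    "trivy": BASELINE["trivy"] + [{"VulnerabilityID": "CVE-0000-0002",
                                   "Target": "requirements.txt", "Severity": "CRITICAL"}],
    "grype": [{"vulnerability": {"id": "CVE-0000-0002", "severity": "Critical"},
               "artifact": {"locations": [{"path": "requirements.txt"}]}}],
}
EXCEPTIONS = {"CVE-0000-0002": {"reason": "upstream fix pending", "expires": "2099-01-01"}}

if __name__ == "__main__":
    result = run(HEAD, BASELINE, EXCEPTIONS, "2030-01-01")
    print(result["verdict"], result["score"])
    for f in result["introduced"]:
        print(f"  introduced {f.rule} {f.path} {f.severity} via {','.join(f.sources)}"
              + (f" [accepted: {f.accepted}]" if f.accepted else ""))
```

Run as written, the two baseline findings are attributed as pre-existing and excluded from the score; the Trivy and Grype reports of the same placeholder CVE collapse into one introduced finding with both sources attached, the unexpired exception downgrades it from CRITICAL to HIGH while keeping the reason on the record, and the verdict is CONDITIONAL GO at 65. Pass a date after the expiry and the same input drops to NO GO at 40, which is the point of expiry governance: a suppression stops helping the moment it lapses, but it never hides the finding.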

GO 94

Docs-only change

No introduced findings. Low-friction approval path. High-confidence release decision.

CONDITIONAL GO 74

Code risk introduced

Introduced code risk pushes the change into a controlled release path instead of an automatic block.

NO GO 38

Dependency + IAM + ingress

Critical dependency risk plus IAM and ingress exposure. Release blocked pending remediation and review.

CONDITIONAL GO 81

Accepted-risk suppression

Known risk accepted temporarily with reason and expiry. Visibility stays intact and the release posture remains cautious.

Introduced-only intelligence

Multi-scanner normalization, deduplication, baseline comparison, and deterministic release decisioning. Legacy debt stays separate from current change risk.

Blast-radius and policy intelligence

Change-surface inference across multiple risk domains. Configurable approvals, score adjustments, and accepted-risk exception handling with expiry governance.

Portable integration contract

GitHub Actions is the current wedge. The engine already accepts a versioned operational-context artifact designed for future CI systems, deployment pipelines, and autonomous delivery paths.

Output should feel like a decision memo

Primary drivers, contextual risk, required approvals, and next steps should be scannable without opening a single raw scanner log.

Accepted risk should stay visible

A suppression should never erase the truth. It should downgrade cleanly, stay visible in the PR comment, and preserve accountability with an expiry date.

Start with evaluation.
Move to live install when it earns it.

Read the evaluation guide if you want to test the wedge with real PR scenarios. Use the bootstrap command when you are ready to run Veridion in a live repository and see how it governs deployment trust end to end.

veridion-bootstrap --preset application-team