Declare producers
Each adapter declares the evidence types and statuses it can emit. Internal platforms, test systems, scanners, and runtime tools all speak through the same vocabulary.
Veridion normalizes evidence from tests, scanners, runtime systems, approvals, and custom infrastructure into a governed release decision contract. Start with introduced dependency risk. Expand into the release decision OS.
Each adapter declares the evidence types and statuses it can emit. Internal platforms, test systems, scanners, and runtime tools all speak through the same vocabulary.
Raw outputs become native Veridion evidence. Translators can be first-party or owned by your platform team in whatever language fits the source system.
Validated evidence flows into policy and produces GO, CONDITIONAL GO, or NO GO with required approvals, next steps, and a machine-readable decision contract.
Every company has different gates.
Veridion gives them consistent meaning.
The test failed. The check is pending. The scanner found a CVE. The incident is active. The approval is stale.
Does this evidence block, condition, or allow this specific release under the organization’s policy?
The acceleration
The control problem
Canonical statuses and evidence types keep every adapter aligned. Failed, missing, degraded, stale, and unsatisfied mean the same thing across producers.
Producer manifests describe who emits a signal, which evidence types are possible, which statuses can appear, and which subject identifiers attach to the release.
Raw outputs from JUnit, GitHub checks, scanners, runtime systems, and custom tools are translated, validated, and checked against the producer manifest.
Policy evaluates the normalized evidence and emits a stable contract for PR comments, deployment gates, approval routing, audit, and downstream automation.
Docs-only change
No introduced findings. Low-friction approval path. High-confidence release decision.
Required load test missing
The producer declared the load test as required, but no fresh evidence was emitted for this commit. Release requires review.
Critical dependency + failed e2e
Introduced dependency risk and required validation failure both block release until remediation or approved exception.
Accepted-risk suppression
Known risk accepted temporarily with reason and expiry. Visibility stays intact and the release posture remains cautious.
The first install path stays focused: Syft, Grype, Trivy, baseline comparison, accepted-risk metadata, and deterministic release decisioning for PRs.
Native evidence JSON, producer manifests, catalog validation, conformance checks, and local translators let teams bring their own release signals without custom product work.
Every run emits `veridion-decision.json`, a stable contract for workflow gates, approval routing, accepted-risk review, audit, and internal platform automation.
Adapter authors should be able to declare a producer, ingest raw output, validate native evidence, and prove conformance before the decision engine sees it.
Dependency risk, test evidence, baseline quality, accepted risk, approvals, confidence, and next steps should be scannable without opening raw tool logs.
Use the quickstart for the first PR gate. Use the Evidence Gateway when your platform team is ready to connect tests, checks, runtime metrics, approvals, and internal validation systems.
veridion-bootstrap --preset dependency-risk-v1