Last month I posted ESP, a compliance engine where policy is data, not code [1]. This is the CI/CD implementation.
The problem: security tools in CI (Semgrep, Syft, etc.) produce findings, but not evidence. When your auditor asks "prove you're scanning for vulnerabilities", you're back to screenshots and log exports, neither of which ties a specific policy to a specific tool run and its results.
This runner wraps your security tools and produces signed attestations:
Policy (hash) → Tool execution → Findings (hash) → Sigstore signature
What makes it different from just running Semgrep:

- Constrained execution: tools run through whitelisted executors (fixed argv), not through a shell
- Contract-based: policy declares WHAT to check, contracts define HOW
- Signed output: keyless Sigstore in CI, local keys for dev
- SSDF mapping: attestations reference specific NIST SSDF practices (PW.7.2, PS.3.2)
Example attestation:

```json
{
  "policy": { "id": "sast-no-critical", "hash": "sha256:..." },
  "execution": { "ctn_types": ["sast_scan"], "duration_ms": 5462 },
  "outcome": "pass",
  "findings_hash": "sha256:...",
  "signature": { "algorithm": "sigstore-oidc", "key_id": "github-actions" }
}
```
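To make the pipeline concrete (policy hash, allowlisted executor, findings hash, signature over the whole record), here is an added, self-contained toy version. It is not ESP's code: the executor allowlist, the `canonical_hash` / `attest` / `verify` helpers, the policy `rule` field and the stand-in SAST tool (a `python -c` one-liner that prints constructed findings) are all assumptions made for this example, and an HMAC-SHA256 "local dev" key stands in for the Sigstore keyless signature, which needs an OIDC identity and network access and cannot be reproduced offline.

```python
"""Toy attestation pipeline: policy (hash) -> constrained tool run -> findings (hash) -> signature.
Added example, not ESP's code. Stdlib only; HMAC-SHA256 stands in for the Sigstore signature."""
import hashlib
import hmac
import json
import subprocess
import sys
import time


def canonical_json(obj) -> bytes:
    """Canonical JSON (sorted keys, no whitespace) so equal content always hashes the same."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def canonical_hash(obj) -> str:
    return "sha256:" + hashlib.sha256(canonical_json(obj)).hexdigest()


# Constructed stand-in for a SAST tool: prints one finding whose severity is taken from argv[1].
# A real executor entry would point at semgrep/syft with a fixed argv template.
FAKE_SAST = (
    "import json,sys;"
    "json.dump([{'rule':'py.sqli','severity':sys.argv[1]}], sys.stdout)"
)

# Executor allowlist: ctn_type -> fixed argv. Caller arguments are appended as list items and the
# process is started without a shell, so no metacharacter in an argument can change the command.
EXECUTORS = {
    "sast_scan": [sys.executable, "-c", FAKE_SAST],
}


def run_executor(ctn_type: str, args: list) -> list:
    """Run an allowlisted executor (shell=False) and parse its JSON findings from stdout."""
    if ctn_type not in EXECUTORS:
        raise PermissionError(f"executor not allowlisted: {ctn_type}")
    proc = subprocess.run(EXECUTORS[ctn_type] + list(args), capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


# Hypothetical policy: which executors to run and which severities fail the check.
POLICY = {
    "id": "sast-no-critical",
    "ctn_types": ["sast_scan"],
    "rule": {"deny_severity": ["critical"]},
}


def evaluate(policy: dict, findings: list) -> str:
    denied = set(policy["rule"]["deny_severity"])
    return "fail" if any(f["severity"] in denied for f in findings) else "pass"


def attest(policy: dict, executor_args: list, signing_key: bytes) -> dict:
    """Run the policy's executors and return a signed attestation record."""
    start = time.monotonic()
    findings = []
    for ctn_type in policy["ctn_types"]:
        findings += run_executor(ctn_type, executor_args)
    duration_ms = int((time.monotonic() - start) * 1000)
    body = {
        "policy": {"id": policy["id"], "hash": canonical_hash(policy)},
        "execution": {"ctn_types": policy["ctn_types"], "duration_ms": duration_ms},
        "outcome": evaluate(policy, findings),
        "findings_hash": canonical_hash(findings),
    }
    # Signature covers every field above, so outcome/hashes cannot be edited after the fact.
    sig = hmac.new(signing_key, canonical_json(body), hashlib.sha256).hexdigest()
    body["signature"] = {"algorithm": "hmac-sha256 (local dev stand-in)", "key_id": "local-dev", "value": sig}
    return body


def verify(attestation: dict, signing_key: bytes) -> bool:
    """Recompute the signature over everything except the signature block itself."""
    body = {k: v for k, v in attestation.items() if k != "signature"}
    expected = hmac.new(signing_key, canonical_json(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, attestation["signature"]["value"])


if __name__ == "__main__":
    key = b"dev-only-key"
    record = attest(POLICY, ["high"], key)
    print(json.dumps(record, indent=2))
    print("verified:", verify(record, key))
```

An auditor replays the check by recomputing the policy hash from the policy document they were given, recomputing the findings hash from the archived findings, and verifying the signature; any mismatch means the record does not describe that policy, those findings, or that signer. In CI the HMAC step would be replaced by a Sigstore keyless signature and the `key_id` by the OIDC identity of the workflow.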