Now Available in AWS Marketplace
JUDGE in AWS Marketplace
Observe, manage, and act on supply chain telemetry and attestations for verifiable SSDF compliance with JUDGE on Amazon Web Services (AWS).
JUDGE enables a unified developer and cybersecurity governance experience to mitigate the risk of software supply chain attacks by integrating zero trust principles of observability and verification into software build pipelines. JUDGE contains a configurable package, including:
Build Pipeline Observer
Automate the collection of trusted telemetry across input, environment, action, and output, and cryptographically verify that supply chain metadata (telemetry) by signing it with a self-managed key, a key from a KMS, or an identity.
Certificate Authority
Enable identity-based signing: the client authenticates, generates a short-lived key, and obtains a short-lived certificate for it (valid for only 10 minutes); that certificate and key then sign the data, removing the entire burden of key management, key rotation, and similar operational tasks.
Time Stamping Authority
Provide cryptographic proof that your data was signed while the certificate was valid, and verify provenance without relying on an external service, enabling artifact verification across disconnected (air-gapped) environments.
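As an added illustration of the Certificate Authority and Time Stamping Authority items above (example code written for this page, not JUDGE's own implementation): a constructed Go model in which a short-lived certificate binds a signing key to a 10-minute window, a stand-in TSA signs the attestation signature together with the time it saw it, and an offline verifier accepts the attestation only if the stamped time falls inside that window. Cert, Token, issueShortLived, stamp and verify are hypothetical names, and the certificate is modelled as a plain struct rather than a full X.509 document.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"time"
)
// Cert models the short-lived certificate the page's CA issues: a public key bound to a 10-minute window.
type Cert struct {
	Pub                 ed25519.PublicKey
	NotBefore, NotAfter time.Time
}
// Token is a simplified timestamp token: the TSA signs sha256(signature) || RFC 3339 time.
type Token struct {
	At  time.Time
	Sig []byte
}

// tokenMsg is what the TSA signs; it binds the stamped time to exactly one signature.
func tokenMsg(sig []byte, at time.Time) []byte {
	h := sha256.Sum256(sig)
	return append(h[:], at.UTC().Format(time.RFC3339)...)
}

// issueShortLived stands in for the CA: a fresh key pair and a certificate valid for 10 minutes from now.
func issueShortLived(now time.Time) (Cert, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return Cert{Pub: pub, NotBefore: now, NotAfter: now.Add(10 * time.Minute)}, priv, err
}

// stamp is the TSA side: it signs the attestation signature together with the time it was seen.
func stamp(tsaKey ed25519.PrivateKey, sig []byte, at time.Time) Token {
	return Token{At: at, Sig: ed25519.Sign(tsaKey, tokenMsg(sig, at))}
}

// verify runs offline: signature valid under the cert key, token valid under the TSA key, stamped time inside the window.
func verify(cert Cert, tsaPub ed25519.PublicKey, payload, sig []byte, tok Token) error {
	if !ed25519.Verify(cert.Pub, payload, sig) {
		return errors.New("attestation signature invalid")
	}
	if !ed25519.Verify(tsaPub, tokenMsg(sig, tok.At), tok.Sig) {
		return errors.New("timestamp token invalid or not for this signature")
	}
	if tok.At.Before(cert.NotBefore) || tok.At.After(cert.NotAfter) {
		return errors.New("signed outside certificate validity window")
	}
	return nil
}
```

The verifier needs only the certificate, the TSA public key and the token, so the check works with no network access, which is the property the air-gapped case relies on.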
GraphQL Data Store
Manage storage, retrieval, and retention of software build pipeline attestations and trusted telemetry via a GraphQL API, supporting either ad hoc or deploy-time compliance verification from developer commit to production deployment.
Policy as Code
Trusted telemetry is securely stored and accessible via a GraphQL API for custom integrations. If all policies are verified, one or more evidence-based software supply chain attestations are generated, encompassing the entire SDLC from developer commit to production deployment. Create software deployment policies, distribute them, digitally sign them to prevent tampering, and define specific responses to the different types of policy violations when they are detected.
Continuous Monitoring
Continuous monitoring of software build pipeline trusted telemetry lowers the residual risk of a software supply chain attack by verifying provenance, and meets multiple NIST SP 800-53r5 security controls.