Product of Octave-X
Compliance at the merge gate.
Certus is the Octave-X product for governed delivery. It scans pull requests, signs the evidence, and posts the certus/compliance merge-gate status that GitHub branch protection can require before code ships.
<48 h target per compliance PR
<2% target 14-day revert risk
Per-PR signed evidence
Ticket to evidence
A merge-gate workflow, not a post-audit dashboard
Ticket
A tracked issue or PR request starts the run
PR
GitHub App evaluates the pull request
Checks
Tests, SAST, SBOM, secrets, and policy gates
Evidence
Signed pack for reviewers and evidence export
review export -> PR comment -> merge decision
What the product does
Certus is the release-control layer for teams that need engineering, security, and audit evidence on the same path. Every pull request is scanned, mapped to controls, graded for audit posture, and evaluated against a merge-gate policy that GitHub can enforce through required status checks.
Framework coverage
SOC 2, HIPAA, PCI DSS, ISO 27001, NIST, FedRAMP, CMMC, GDPR, and related control sets.
Blueprint library
Auth hardening, security headers, audit logs, secrets rotation, CI/CD, runtime shielding.
Scanner pipeline
Tests, SAST, SBOM, IaC, and secrets scanning feed the signed evidence path.
CLI and dashboard
One package for local operation, one review surface for merge approval and evidence access.
What reviewers receive
PR comments and status checks attached directly to the pull request
Required certus/compliance status for protected branches
Policy gates before merge approval
Signed evidence with control-to-code mapping
Reviewer-facing proof for security and audit
Exportable artifacts for downstream assurance workflows
Product surface
Web application
Login, review flow, evidence viewer, and organization settings
CLI package
Local scans, verification, export, policy explain, and signed evidence tools
Automation engine
Webhook intake, runner orchestration, checks, and artifact signing
GitHub control plane
Check runs, PR comments, merge gating, and branch protection handoff
Evidence storage
Signed packs, reviewer exports, retention policy, and audit retrieval
Data and network posture
Hosted deployments keep the Certus control plane managed by Octave-X with encrypted artifacts, signed evidence, and configurable retention.
Enterprise deployments can run in a customer VPC or on-prem environment so repositories, runners, keys, and evidence stay inside the network boundary you operate.
Operational boundary
Certus manages merge-gate evaluation, evidence integrity, and review surfaces. Customers manage repository permissions, runner placement, dependency policy, approval rules, and GitHub branch protection requiring certus/compliance.
Live now
What pilots can test today.
CLI scans with tests, SAST, SBOM, IaC, and secrets inputs
Signed evidence packs with hash verification and optional JWS signing
GitHub PR comments, commit status, and check-run output where permissions allow
Dry-run remediation plans and selected repository hygiene fixes
In progress
What is still expanding.
Deeper authored control coverage across every framework family
Ticket-driven remediation automation beyond the current evidence workflow
Broader GitHub App check-run write coverage without PAT fallback
More authoritative framework-specific gates as scanner trust coverage expands
Deployment options
Hosted SaaS
Fastest start; pre-audit teams
Signed evidence, 30-day artifacts
VPC Helm
Regulated data; strict compliance
Customer keys, SIEM export, custom retention
On-prem
No egress environments
Private registry and offline bundle
Pilot lane
Start narrow and prove the merge gate on one repo.
Certus pilots are designed to protect a single active pull request lane first. That keeps setup, reviewer feedback, and evidence review concrete enough to decide rollout quickly.
Day 1
Connect one repository and set the merge gate policy.
Week 1
Run real PRs through reviewer evidence and failing-pass scenarios.
Week 2
Decide rollout based on blocked PRs, evidence quality, and reviewer fit.
First-run path
1. Connect repository
Use the dashboard repository surface to connect the first GitHub repo.
2. Set policy and merge gate
Pick the first framework priorities and configure the PR blocking threshold.
3. Review evidence on live PRs
Inspect the signed pack, PR comment, and reviewer export before widening rollout.
Product by Octave-X
A product surface for governed delivery, not another post-audit dashboard.
Certus is a product of Octave-X Inc. built to keep engineering, security, and audit review aligned from request intake through merge approval.