Platform architecture

Four layers — CLI, API, Engine, and Dashboard — connected by signed evidence packs and org-scoped data isolation.

CLI / Scanner Layer

The Certus CLI runs locally or in CI. It orchestrates 5 parallel scanners (test coverage, SAST, SBOM, IaC, secrets), computes a composite grade, signs the evidence pack, and optionally syncs results to the platform API.

  • Commander.js CLI with 30 commands
  • 5 scanners running in parallel via Promise.allSettled
  • SHA-256 HMAC evidence signing
  • Local history + optional API sync via POST /api/scans

API Layer

Next.js API routes handle authentication, scan ingestion, evidence storage, and dashboard data queries. Dual auth: session-based (Auth0) for dashboard users, API key (SHA-256 hashed) for CLI/CI.

  • POST /api/scans — CLI scan ingestion
  • GET /api/evidence — Evidence pack retrieval
  • Auth0 session + API key dual authentication
  • Drizzle ORM with SQLite (production: Turso)

Engine Layer

The compliance engine maps scanner findings to framework controls, runs blueprint evaluations, computes grades, and produces signed evidence packs.

  • Control mapper: 50+ controls across 6 frameworks
  • Grading engine: A-F letter grade + 0-100 numeric score
  • Blueprint evaluator: 18 pre-built compliance blueprints
  • Evidence signer: SHA-256 + optional HMAC-SHA256 JWS

Dashboard Layer

Next.js App Router dashboard with real-time compliance views, evidence explorer, findings management, and team analytics. Auth0 SSO with org-scoped data isolation.

  • 14 dashboard pages with keyboard navigation
  • Framer Motion transitions, Recharts visualizations
  • Linear-style findings panel with slide-in detail view
  • Command palette (CMD+K) for rapid navigation

Scan-to-dashboard data flow

1. Scan: CLI runs 5 scanners in parallel against the local repository
2. Grade: Engine computes composite score from scanner results and control mappings
3. Sign: Evidence pack is hashed (SHA-256) and signed (HMAC-SHA256)
4. Sync: CLI POSTs signed results to /api/scans with branch and commit context
5. Store: API validates, stores evidence pack, updates compliance scores
6. View: Dashboard queries org-scoped data for real-time compliance visibility

Framework coverage

The control mapper automatically maps scanner findings to controls across these compliance frameworks.

Framework      Scope                    Controls
SOC 2          CC-1 through CC-9        18
HIPAA          164.308 – 164.312        12
PCI-DSS        Req 1-12                 10
ISO 27001      A.5 – A.18               8
NIST 800-53    AC, AU, CM, SA, SI       14
GDPR           Art. 25, 30, 32, 35      6