Documentation

Enterprise-grade compliance automation

Comprehensive technical documentation for deploying, configuring, and operating Certus at scale. Everything you need from installation to production.

Pilot intake

24 frameworks

Control mappings

SOC-2, ISO, HIPAA, PCI, FedRAMP, custom

11 days

Median rollout

Time from install to enforced gates

6 formats

Evidence exports

JSON, PDF, SBOM, attestation, SIEM, webhooks

Blueprint DAGsEvidence fabricRuntime gatesCI/CD orchestrationExports & APIs

Framework coverage

SOC 2ISO 27001PCI-DSSHIPAAFedRAMP ModerateGDPRNIST 800-53

Platform health

99.98% uptime

Active-active control plane across us-east-1 and eu-west-1.

Explore

Security envelope

Hardware-backed attestations

Customer-managed KMS or HSM-backed keys sign every bundle.

Explore

Data residency

US / EU / GovCloud

Dedicated shards, private ingress, and zero egress options.

Support velocity

15m median Sev-1

PagerDuty, Slack Connect, and executive governance reviews.

Explore

Documentation operating system

Built for enterprise rollouts

Map every implementation track – policy, operations, and assurance – with responsive guidance for teams from platform engineering to audit. Each pillar flexes across breakpoints so mobile readers can triage just as fast as your desktop command center.

Foundation & policy

Tier 1

Enterprise

Author, validate, and publish deterministic blueprints across workspaces.

Policy compiler with drift detection and preview sandboxes
Workspace isolation, delegated admins, and scoped RBAC
Blueprint simulations with live telemetry variance alerts

480+

Policy bundles

< 90s

Compile time

Operational orchestration

Tier 2

Enterprise

Connect runners, scanners, and evidence brokers with adaptive guardrails.

Lane concurrency with workload-aware auto-scaling
Native GitHub, GitLab, Bitbucket, Jenkins, and custom runner support
Streaming exports for Snowflake, Splunk, Datadog, and SIEMs

16 max

Parallel lanes

BYO or managed

Runner pools

Assurance & reporting

Tier 3

Enterprise

Deliver auditor-ready packs, attestations, and APIs for regulators.

24 frameworks pre-mapped with control overrides
Signed SBOM + SLSA provenance bundles with tamper-evident logs
One-click exports to Vanta, Drata, Tugboat, Archer, and ServiceNow

Evidence formats

120+

Audit packs

GitHub Cloud

Install the Certus GitHub App, scope repositories, and inherit checks via branch protection.

Install app
Create service token
Add CLI step to workflow

Self-hosted / VPC

Deploy the runner sidecar, point it at your KMS, and tunnel events through your broker.

Deploy agent
Exchange KMS keys
Sync policy bundles

Evidence-only

Keep your existing CI. Certus ingests artifacts, notarises them, and publishes immutable packs.

Send signed webhooks
Map controls
Stream exports

Release feed

Enterprise operating cadence

Stay ahead of roadmap drops across policy, orchestration, and assurance. We highlight the enterprise-only features landing each month so your rollout plans stay responsive.

Nov 2025
blueprintslanes
Blueprint Orchestrator v5
Predictive lane scheduling with workload-aware QoS and deterministic rollback hooks.
Oct 2025
evidenceintegrations
Attestation Mesh GA
Bidirectional evidence streaming for Splunk, Panther, Snowflake, and ServiceNow.
Sep 2025
residencygov
GovCloud & air-gapped readiness
FedRAMP High control plane with offline evidence export packages.

Concierge & governance

Response teams on call globally

Enterprise plans pair you with dedicated operators who shadow deployments, run tabletop exercises, and keep documentation living.

Customer success
Dedicated TAM, weekly ops reviews, and rollout clinics
Escalations
PagerDuty + Slack Connect with 24/7 follow-the-sun coverage
Change advisory
Architecture reviews, migration planning, and executive updates

Book architecture review

Data residency

Regions & controlled environments

us-east-1

Primary shard · SOC 2 + HIPAA boundary

eu-west-1

GDPR + Schrems II controls · EU data residency

AWS GovCloud

FedRAMP High, ITAR workloads, and private evidence export

Private ingress: AWS PrivateLink · GCP PSC · Azure Private Endpoint

Browse sections

Complete guide to installing and configuring Certus for your organization.

1 · Getting Started

Overview

Certus is an evidence-native compliance automation platform that attaches deterministic verification and cryptographic proof to every pull request. It integrates with your existing CI/CD pipelines, GRC tools, and security infrastructure to provide real-time compliance monitoring and automated evidence generation.

Prerequisites

GitHub org admin or GitLab group maintainer access
Branch protection or merge request approval rules enabled
Access to your org secrets manager (AWS Secrets Manager, Vault, etc.)
Kubernetes cluster (for self-hosted deployment) or CI/CD runner access
KMS access for signing operations (AWS KMS, Google Cloud KMS, or Azure Key Vault)

System Requirements

Linux-based CI runners (Ubuntu 20.04+, Debian 11+, or RHEL 8+)
Outbound HTTPS access to api.certus.ai and evidence.certus.ai
Optional: VPC peering via AWS PrivateLink or GCP Private Service Connect
Minimum 2 GB RAM and 2 vCPU per runner node
Docker 20.10+ or containerd 1.6+ (for containerized deployments)

Compliance & Security Posture

Certus is SOC-2 Type II compliant (audit scheduled Feb 2026), ISO 27001 aligned, and HIPAA-ready with BAAs available. All evidence data is encrypted at rest using AES-256 and in transit using TLS 1.3. Data residency options include US (us-east-1) and EU (eu-west-1) regions. We support air-gapped deployments and can run entirely within your VPC with no data egress.

Quick Install

The fastest way to get started is using our CLI installer. This will set up the Certus agent, configure your first blueprint, and run a test verification.

bash

# Download and install the Certus CLI
curl -sSL https://downloads.certus.ai/cli/install.sh | bash

# Verify installation
certus --version

# Initialize your workspace
certus init --org your-org-name

# Authenticate with your service token
certus auth login

# Run your first verification
certus verify --local

Understanding the Certus platform architecture and core components.

2 · Architecture Overview

Platform Architecture

Certus follows a distributed, event-driven architecture designed for enterprise scale. The platform consists of four primary layers: the Control Plane, Execution Layer, Evidence Layer, and Integration Layer.

Control Plane

Policy engine and rule orchestration
Blueprint compilation and DAG generation
Workflow state management
Access control and RBAC

Execution Layer

CI/CD runner integration
Parallel lane execution
Scanner orchestration (SAST, SBOM, IaC)
Test harness and coverage analysis

Evidence Layer

Cryptographic signing with Cosign
QLDB immutable ledger storage
SLSA provenance generation
Attestation bundling and packaging

Integration Layer

GRC platform connectors (Vanta, Drata)
SIEM streaming (Splunk, Panther)
Webhook delivery system
GraphQL API gateway

Data Flow

When a pull request is opened, Certus receives a webhook from your VCS (GitHub, GitLab, Bitbucket). The Control Plane compiles a deterministic blueprint based on the PR metadata, repository policy, and risk classification. This blueprint spawns parallel execution lanes (dev, QA, SecOps, audit) that run concurrently without conflicts. Each lane executes its checks, generates evidence artifacts, signs them with your KMS, and streams results to the Evidence Layer. Once all lanes complete, the platform bundles the evidence, maps it to compliance frameworks, and distributes it to configured destinations.

yaml

# Example workflow sequence
1. PR opened → Webhook received
2. Blueprint compiled → DAG generated
3. Lanes spawned → Parallel execution
   ├── Dev: Unit tests, linting, type checking
   ├── QA: Integration tests, E2E, coverage
   ├── SecOps: SAST, SBOM, IaC policy, secrets scan
   └── Audit: Evidence collection, live monitoring
4. Evidence signed → KMS attestation
5. Results aggregated → Framework mapping
6. Distribution → GRC platforms, SIEM, webhooks
7. PR status updated → Merge decision

Scalability & Performance

100k+

PRs/month

Tested at enterprise scale

< 5min

P90 gate time

Including all checks

99.9%

SLA uptime

Control plane availability

Step-by-step installation for all supported platforms and environments.

3 · Installation & Configuration

GitHub Cloud Installation

For GitHub.com hosted repositories, install the Certus GitHub App to get started quickly.

1. Install GitHub App
Visit github.com/apps/certus-ai and install the app to your organization. Grant permissions for Checks (Read & Write), Pull Requests (Read & Write), and Contents (Read-only).
2. Configure Repository Access
Select specific repositories or grant access to all repositories. We recommend starting with a pilot repository before rolling out org-wide.
3. Create Service Token
In the Certus Console, navigate to Settings → API Tokens and create a new token with checks:write and evidence:read scopes. Store this token in GitHub Secrets as CERTUS_TOKEN.
4. Add Workflow Step
Add the Certus CLI to your GitHub Actions workflow:

yaml

name: Certus Verification
on:
  pull_request:
    types: [opened, synchronize, reopened]

jobs:
  certus-verify:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
      checks: write

    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0  # Full history for diff analysis

      - name: Install Certus CLI
        run: |
          curl -sSL https://downloads.certus.ai/cli/install.sh | bash
          certus --version

      - name: Run Certus Verification
        env:
          CERTUS_TOKEN: ${{ secrets.CERTUS_TOKEN }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          certus verify \
            --pr ${{ github.event.pull_request.number }} \
            --repo ${{ github.repository }} \
            --commit ${{ github.event.pull_request.head.sha }} \
            --format json \
            --output evidence/bundle.json

      - name: Upload Evidence Bundle
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: certus-evidence
          path: evidence/
          retention-days: 90

Self-Hosted / VPC Deployment

For organizations requiring full data residency control or air-gapped environments, deploy Certus within your own infrastructure using Kubernetes.

bash

# Add Certus Helm repository
helm repo add certus https://charts.certus.ai
helm repo update

# Create namespace
kubectl create namespace certus-system

# Install CRDs
kubectl apply -f https://downloads.certus.ai/k8s/crds.yaml

# Create secrets for API tokens and KMS
kubectl create secret generic certus-config \
  --from-literal=api-token=${CERTUS_API_TOKEN} \
  --from-literal=kms-key-id=${AWS_KMS_KEY_ID} \
  --from-literal=kms-region=us-east-1 \
  -n certus-system

# Install Certus with custom values
helm install certus certus/certus-agent \
  --namespace certus-system \
  --values values.yaml \
  --wait

values.yaml Configuration

yaml

# Certus Agent Configuration
replicaCount: 3

image:
  repository: certus.ai/agent
  tag: "2.4.1"
  pullPolicy: IfNotPresent

service:
  type: ClusterIP
  port: 8443

ingress:
  enabled: true
  className: nginx
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
  hosts:
    - host: certus-agent.yourcompany.com
      paths:
        - path: /
          pathType: Prefix
  tls:
    - secretName: certus-agent-tls
      hosts:
        - certus-agent.yourcompany.com

# KMS Configuration
kms:
  provider: aws  # Options: aws, gcp, azure, vault
  region: us-east-1
  keyId: "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"

# Evidence Storage
evidence:
  backend: s3  # Options: s3, gcs, azure-blob, local
  bucket: certus-evidence-prod
  region: us-east-1
  retention: 2555  # 7 years
  encryption: AES256

# Policy Configuration
policy:
  syncInterval: 300  # 5 minutes
  enforcementMode: strict  # Options: strict, warn, permissive

# Network Configuration
network:
  privateLink:
    enabled: true
    vpcEndpointId: vpce-1234567890abcdef0
  egress:
    allowedDomains:
      - api.certus.ai
      - evidence.certus.ai
      - kms.us-east-1.amazonaws.com

# Resource Limits
resources:
  requests:
    memory: "2Gi"
    cpu: "1000m"
  limits:
    memory: "4Gi"
    cpu: "2000m"

# High Availability
autoscaling:
  enabled: true
  minReplicas: 3
  maxReplicas: 10
  targetCPUUtilizationPercentage: 70
  targetMemoryUtilizationPercentage: 80

# Monitoring
monitoring:
  prometheus:
    enabled: true
    path: /metrics
  logging:
    level: info
    format: json

GitLab Integration

yaml

# .gitlab-ci.yml
certus-verify:
  stage: test
  image: ubuntu:22.04

  variables:
    CERTUS_VERSION: "2.4.1"

  before_script:
    - apt-get update && apt-get install -y curl
    - curl -sSL https://downloads.certus.ai/cli/install.sh | bash

  script:
    - |
      certus verify \
        --mr ${CI_MERGE_REQUEST_IID} \
        --project ${CI_PROJECT_PATH} \
        --commit ${CI_COMMIT_SHA} \
        --gitlab

  artifacts:
    reports:
      certus: evidence/report.json
    paths:
      - evidence/
    expire_in: 90 days

  only:
    - merge_requests

Jenkins Pipeline

groovy

pipeline {
    agent any

    environment {
        CERTUS_TOKEN = credentials('certus-api-token')
    }

    stages {
        stage('Setup') {
            steps {
                sh 'curl -sSL https://downloads.certus.ai/cli/install.sh | bash'
            }
        }

        stage('Certus Verification') {
            steps {
                sh """
                    certus verify \
                        --commit ${GIT_COMMIT} \
                        --branch ${BRANCH_NAME} \
                        --output evidence/bundle.json
                """
            }
        }

        stage('Archive Evidence') {
            steps {
                archiveArtifacts artifacts: 'evidence/**', fingerprint: true
            }
        }
    }

    post {
        always {
            publishHTML([
                allowMissing: false,
                alwaysLinkToLastBuild: true,
                keepAll: true,
                reportDir: 'evidence',
                reportFiles: 'report.html',
                reportName: 'Certus Evidence Report'
            ])
        }
    }
}

Complete command-line interface reference and usage examples.

4 · CLI Reference

Core Commands

The Certus CLI provides comprehensive tools for verification, policy management, and evidence handling.

certus verify

Run verification checks on a pull request or commit

Usage: certus verify [OPTIONS]

--pr NUMBERPull request number to verify

--commit SHACommit SHA to verify

--repo OWNER/NAMERepository in owner/name format

--localRun verification on local uncommitted changes

--format json|yaml|textOutput format (default: text)

--output PATHWrite results to file instead of stdout

--fail-on-errorExit with code 1 if any check fails

--parallel NMax parallel scanners (default: 4)

bash

certus verify \
  --pr 123 \
  --repo acme/api-service \
  --format json \
  --output evidence.json

certus policy

Manage compliance policies and blueprints

Usage: certus policy <subcommand>

listList all policies in the workspace

show POLICY_IDDisplay policy details

validate PATHValidate policy syntax

apply PATHApply policy to workspace

diff OLD NEWCompare two policies

export POLICY_IDExport policy to YAML

bash

# List all policies
certus policy list

# Validate before applying
certus policy validate policy.yaml

# Apply to workspace
certus policy apply policy.yaml

certus evidence

Retrieve and manage evidence bundles

Usage: certus evidence <subcommand>

listList evidence bundles

get BUNDLE_IDDownload specific bundle

verify BUNDLE_IDVerify bundle signatures

export BUNDLE_ID --format pdf|jsonExport in different formats

query --pr NUMBERFind bundles for specific PR

bash

# Get evidence for PR
certus evidence query --pr 456

# Download and verify
certus evidence get bundle-abc123 --verify

certus blueprint

Generate and inspect workflow blueprints

Usage: certus blueprint <subcommand>

generateGenerate blueprint for current repo

preview --pr NUMBERPreview blueprint for PR

diff BASE HEADCompare blueprints between refs

exportExport blueprint to file

bash

# Preview what will run
certus blueprint preview --pr 789

Environment Variables

CERTUS_TOKENAPI authentication token (required)

CERTUS_API_URLOverride default API endpoint

CERTUS_WORKSPACEWorkspace ID (auto-detected from git)

CERTUS_LOG_LEVELLogging verbosity: debug|info|warn|error

CERTUS_CACHE_DIRCache directory (default: ~/.certus/cache)

CERTUS_NO_COLORDisable colored output

CERTUS_TIMEOUTRequest timeout in seconds (default: 300)

Configuration File

Create a .certus.yml in your repository root to configure default behavior.

yaml

# .certus.yml
version: 2

# Workspace configuration
workspace:
  name: api-service
  tier: production  # production, staging, development

# Verification settings
verify:
  parallel: 6
  timeout: 600
  fail_on:
    - critical_vulnerabilities
    - missing_tests
    - policy_violations

# Scanner configuration
scanners:
  sast:
    enabled: true
    tools:
      - semgrep
      - snyk
    severity_threshold: medium

  sbom:
    enabled: true
    format: spdx
    include_dev_dependencies: false

  iac:
    enabled: true
    tools:
      - tfsec
      - checkov
    scan_paths:
      - terraform/
      - .github/workflows/

  secrets:
    enabled: true
    tools:
      - gitleaks
      - trufflehog

# Evidence configuration
evidence:
  formats:
    - json
    - pdf
  retention_days: 2555  # 7 years
  sign: true
  attestations:
    - slsa_provenance
    - sbom
    - test_results

# Export destinations
exports:
  - type: vanta
    enabled: true
    sync_interval: 300

  - type: slack
    enabled: true
    channel: "#compliance-alerts"
    webhook_url_secret: SLACK_WEBHOOK_URL

  - type: s3
    enabled: true
    bucket: compliance-evidence
    prefix: certus/

# Notifications
notifications:
  on_failure:
    - slack
    - pagerduty
  on_success:
    - slack

# Custom metadata
metadata:
  owner: platform-team
  cost_center: engineering
  data_classification: internal

REST API and GraphQL endpoints for programmatic access.

5 · API Reference

Authentication

All API requests require authentication using Bearer tokens. Generate tokens from the Certus Console under Settings → API Tokens.

bash

# Authentication header
curl -H "Authorization: Bearer ${CERTUS_TOKEN}" \
     https://api.certus.ai/v1/workspaces

# Response
HTTP/1.1 200 OK
Content-Type: application/json

{
  "workspaces": [
    {
      "id": "ws_abc123",
      "name": "acme-engineering",
      "created_at": "2024-01-15T10:30:00Z"
    }
  ]
}

Core Endpoints

POST

/v1/verify

Trigger verification for a pull request

Parameters

repository- string (required) - Repo in owner/name format

pr_number- integer (required) - Pull request number

commit_sha- string (optional) - Specific commit to verify

force- boolean (optional) - Force re-run if already verified

Response

json

{
  "verification_id": "ver_xyz789",
  "status": "pending",
  "created_at": "2024-11-14T15:23:00Z",
  "estimated_completion": "2024-11-14T15:28:00Z"
}

GET

/v1/verifications/:id

Get verification status and results

Response

json

{
  "id": "ver_xyz789",
  "status": "completed",
  "result": "passed",
  "checks": {
    "sast": "passed",
    "tests": "passed",
    "coverage": "passed",
    "policy": "passed"
  },
  "evidence_bundle_id": "bundle_abc123",
  "completed_at": "2024-11-14T15:26:32Z"
}

GET

/v1/evidence/:bundle_id

Download evidence bundle

Parameters

format- string (optional) - json|pdf|spdx (default: json)

Response

json

{
  "bundle_id": "bundle_abc123",
  "repository": "acme/api-service",
  "pr_number": 456,
  "commit_sha": "a1b2c3d4",
  "framework_mappings": {
    "soc2": ["CC-1.2", "CC-7.1"],
    "iso27001": ["A.12.6.1", "A.14.2.9"]
  },
  "attestations": [...],
  "signed": true,
  "signature_verified": true
}

POST

/v1/policies

Create or update policy

Parameters

name- string (required) - Policy name

rules- object (required) - Policy rules definition

enforcement- string (optional) - strict|warn|permissive

Response

json

{
  "policy_id": "pol_def456",
  "name": "production-policy",
  "version": 2,
  "created_at": "2024-11-14T15:30:00Z"
}

GraphQL API

For complex queries and real-time updates, use the GraphQL endpoint at https://api.certus.ai/graphql

graphql

# Query verification with nested evidence
query GetVerification($id: ID!) {
  verification(id: $id) {
    id
    status
    result
    repository {
      owner
      name
    }
    pullRequest {
      number
      title
      author
    }
    checks {
      name
      status
      duration
      findings {
        severity
        message
        location
      }
    }
    evidenceBundle {
      id
      formats
      signed
      signatureVerified
      frameworkMappings {
        framework
        controls
      }
    }
  }
}

# Subscribe to verification updates
subscription VerificationUpdates($repo: String!) {
  verificationUpdated(repository: $repo) {
    id
    status
    result
    timestamp
  }
}

Webhooks

Configure webhooks to receive real-time notifications about verification events.

json

// Webhook payload structure
{
  "event": "verification.completed",
  "timestamp": "2024-11-14T15:26:32Z",
  "workspace_id": "ws_abc123",
  "data": {
    "verification_id": "ver_xyz789",
    "repository": "acme/api-service",
    "pr_number": 456,
    "status": "completed",
    "result": "passed",
    "evidence_bundle_id": "bundle_abc123",
    "framework_mappings": {
      "soc2": ["CC-1.2", "CC-7.1", "CC-8.1"],
      "iso27001": ["A.9.2.1", "A.12.6.1"]
    }
  },
  "signature": "sha256=a1b2c3d4..."
}

Verify webhook authenticity by checking the HMAC-SHA256 signature in the X-Certus-Signature header against your webhook secret.

python

import hmac
import hashlib

def verify_webhook(payload, signature, secret):
    expected = hmac.new(
        secret.encode(),
        payload.encode(),
        hashlib.sha256
    ).hexdigest()

    return hmac.compare_digest(f"sha256={expected}", signature)

Rate Limits

Free

Rate: 100 requests/hour

Burst: 10 requests/minute

Pro

Rate: 1,000 requests/hour

Burst: 50 requests/minute

Enterprise

Rate: 10,000 requests/hour

Burst: 200 requests/minute

Common issues, debugging guide, and how to get help.

6 · Troubleshooting & Support

Common Issues

Verification Timeout

Symptoms: Verification runs for > 10 minutes and times out

Solutions:

Check scanner parallelism: increase --parallel flag or parallel setting in .certus.yml
Review scanner logs for hanging processes: certus logs --verification-id <ID>
Ensure CI runner has sufficient resources (2GB RAM minimum)
Check network connectivity to api.certus.ai
Consider splitting large monorepos into separate policies

Authentication Failed

Symptoms: 401 Unauthorized or invalid token errors

Solutions:

Verify CERTUS_TOKEN environment variable is set correctly
Confirm the token remains valid in Console → Settings → API Tokens
Ensure token has required scopes (checks:write, evidence:read)
For self-hosted: verify firewall rules allow outbound HTTPS
Regenerate token if compromised

Evidence Bundle Not Generated

Symptoms: Verification passes but no evidence bundle created

Solutions:

Check .certus.yml has evidence.formats configured
Verify KMS permissions for signing operations
Review S3/storage bucket permissions for evidence backend
Check disk space on runner (minimum 1GB free required)
Enable debug logging: CERTUS_LOG_LEVEL=debug

Policy Not Applied

Symptoms: New policy changes not reflected in verifications

Solutions:

Wait for policy sync interval (default 5 minutes)
Force immediate sync: certus policy sync
Validate policy syntax: certus policy validate policy.yaml
Check policy version: certus policy show <ID>
Review policy application scope (workspace vs repository level)

Debug Mode

Enable detailed logging to diagnose issues:

bash

# Enable debug logging
export CERTUS_LOG_LEVEL=debug

# Run verification with debug output
certus verify --pr 123 --debug

# View historical logs
certus logs --verification-id ver_xyz789 --format json

# Stream live logs (for long-running verifications)
certus logs --follow --verification-id ver_xyz789

Diagnostic Commands

bash

# Check CLI version and installation
certus --version
certus doctor

# Test API connectivity
certus ping

# Verify workspace configuration
certus config show

# Validate .certus.yml syntax
certus config validate

# Export diagnostic bundle (safe to share with support)
certus diagnostics export --output diagnostics.zip

Support Channels

Dedicated Slack Connect workspace
Email: support@octave-x.com
PagerDuty escalation (Enterprise)
Weekly governance reviews
Status page: status.certus.ai

SLAs

Sev-1 response< 1 hour
Sev-2 response< 4 hours
Sev-3 response< 24 hours
Platform uptime99.9%
Evidence export latency< 12 minutes P95

Need custom compliance frameworks or bespoke blueprints? Email pilot@octave-x.com with your control library and we'll assemble a tailored solution.