Beyond “Trust Me, We Ran the Security Scan”: Cryptographic Evidence for Compliance

By Cole Kennedy · December 2025

“Trust me, we ran the security scan” isn't a compliance strategy.

The challenge with traditional security scans isn't the scanning itself—it's proving what was actually scanned and when. CI logs are mutable, screenshots can be doctored, and “trust me” doesn't satisfy auditors who need concrete evidence of security controls.

The Problem with Current Evidence

Current Approaches Fall Short

Most organizations rely on evidence that won't stand up to serious scrutiny:

  • CI logs: Not cryptographically signed, can be modified after the fact
  • Screenshots: Easily manipulated and don't prove what code was tested
  • Manual reports: Time-consuming and prone to human error

The Auditor's Dilemma

When an auditor asks “Can you prove this security scan ran on this specific artifact?”, the answer is usually a shrug and a spreadsheet.

Without cryptographic proof, compliance teams are left scrambling to piece together evidence from unreliable sources.

Transforming Scans into Attestations

The solution is transforming your existing security tools into sources of cryptographic evidence. Using the TestifySec AI Compliance Platform, we can wrap your current security scanners to create attestation-based evidence.

Here's what gets captured:

  • Source code hash: Cryptographic proof of what was tested
  • Report hash: Immutable fingerprint of the scan results
  • Scanner identity: Who or what performed the scan
  • Environment metadata: Where and when the scan occurred

Example: SAST Scanning with Witness

Instead of just running snyk test --json, you can create cryptographic evidence:

witness run --step sast-scan -- snyk test --json

This command wraps your existing Snyk scan and generates a cryptographically signed attestation containing all the evidence an auditor needs.

Meeting NIST 800-53 Control SA-11

This approach directly addresses NIST 800-53 Control SA-11 (Developer Security Testing and Evaluation) by providing:

  • Proof that security testing was performed on specific artifacts
  • Evidence of actual flaw remediation with before/after hashes
  • Automatic mapping of attestations to control requirements

Deployment Enforcement

The real power comes from enforcement: deployments that lack the required attestations can be blocked automatically. No more “we'll add security later”—the pipeline simply won't proceed without cryptographic proof of compliance.
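The example below is added here to make the two preceding sections concrete: the "Example: SAST Scanning with Witness" step (wrap a scanner run, bind the source hash, report hash, scanner identity and environment metadata into a signed attestation) and the deployment gate (refuse to deploy unless a valid attestation for this exact artifact exists). It is constructed for this article and is not Witness or TestifySec code; it uses only the Python standard library. The in-toto Statement layout and the DSSE pre-authentication encoding (PAE) are the real formats, but HMAC-SHA256 under a shared key stands in for the asymmetric (for example Ed25519) signature a real attestation framework would use, and the predicate type, key, sample source tree, fake scanner commands and environment values are all assumptions made for the demo.

```python
"""Constructed demo: turn a scanner run into a signed attestation, then gate
deployment on it. Not Witness's code; HMAC is a stand-in for a real signature."""
import base64, hashlib, hmac, json, platform, subprocess, sys
from datetime import datetime, timezone

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
PREDICATE_TYPE = "https://example.com/sast-scan/v1"   # assumed predicate type for the demo
PAYLOAD_TYPE = "application/vnd.in-toto+json"
KEY = b"constructed-demo-signing-key"                  # stand-in for a real private key
SIGNER_ID = "ci-runner-01 (constructed)"               # scanner identity recorded in the attestation
ENV = {"host": platform.node(), "python": sys.version.split()[0],
       "timestamp": datetime.now(timezone.utc).isoformat()}   # where and when the scan ran
SAMPLE_SOURCE = {"app.py": b"print('hello')\n", "requirements.txt": b"requests==2.32.0\n"}
# Fake scanners so the demo runs offline; a real run would invoke e.g. `snyk test --json`.
CLEAN_SCANNER = [sys.executable, "-c", "print('{\"vulnerabilities\": []}')"]
FAILING_SCANNER = [sys.executable, "-c",
                   "print('{\"vulnerabilities\": [\"constructed-finding\"]}'); raise SystemExit(1)"]

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def source_digest(files: dict) -> str:
    """Digest of a source tree: hash of sorted (path, content hash) pairs, so the
    same files give the same digest regardless of the order they are listed in."""
    h = hashlib.sha256()
    for path in sorted(files):
        h.update(path.encode() + b"\0" + sha256_hex(files[path]).encode() + b"\n")
    return h.hexdigest()

def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the bytes that actually get signed."""
    return b"DSSEv1 %d %s %d %s" % (len(payload_type), payload_type.encode(), len(payload), payload)

def run_scan(step: str, files: dict, scanner_cmd: list, key: bytes) -> dict:
    """Run the scanner, capture its report, and bind source hash, report hash,
    scanner identity and environment into a signed DSSE envelope."""
    proc = subprocess.run(scanner_cmd, capture_output=True)
    report = proc.stdout
    statement = {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": "source", "digest": {"sha256": source_digest(files)}}],
        "predicateType": PREDICATE_TYPE,
        "predicate": {"step": step, "command": scanner_cmd, "exitCode": proc.returncode,
                      "report": {"sha256": sha256_hex(report), "bytes": len(report)},
                      "scanner": SIGNER_ID, "environment": ENV},
    }
    payload = json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {"payloadType": PAYLOAD_TYPE, "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": SIGNER_ID, "sig": base64.b64encode(sig).decode()}]}

def tamper(envelope: dict, **changes) -> dict:
    """Edit the predicate after the fact without re-signing (what a mutable CI log allows)."""
    st = json.loads(base64.b64decode(envelope["payload"]))
    st["predicate"].update(changes)
    payload = json.dumps(st, sort_keys=True, separators=(",", ":")).encode()
    return {**envelope, "payload": base64.b64encode(payload).decode()}

def verify_for_deploy(envelope: dict, artifact_digest: str, required_step: str, key: bytes) -> tuple:
    """Policy gate: signature must verify, the statement must be about the artifact
    being deployed, the required step must be present, and the scan must have passed."""
    payload = base64.b64decode(envelope["payload"])
    sig = base64.b64decode(envelope["signatures"][0]["sig"])
    expected = hmac.new(key, pae(envelope["payloadType"], payload), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "signature invalid: attestation altered or not from a trusted signer"
    st = json.loads(payload)
    if st["subject"][0]["digest"]["sha256"] != artifact_digest:
        return False, "attestation is about a different source tree"
    if st["predicate"]["step"] != required_step:
        return False, f"required step {required_step!r} not attested"
    if st["predicate"]["exitCode"] != 0:
        return False, "scanner reported findings (non-zero exit)"
    return True, "deploy allowed"

def demo() -> dict:
    """Clean scan, failing scan, a failing scan 'fixed' by editing the log, and two mismatches."""
    digest = source_digest(SAMPLE_SOURCE)
    good = run_scan("sast-scan", SAMPLE_SOURCE, CLEAN_SCANNER, KEY)
    failed = run_scan("sast-scan", SAMPLE_SOURCE, FAILING_SCANNER, KEY)
    forged = tamper(failed, exitCode=0)
    return {"clean": verify_for_deploy(good, digest, "sast-scan", KEY),
            "findings": verify_for_deploy(failed, digest, "sast-scan", KEY),
            "forged": verify_for_deploy(forged, digest, "sast-scan", KEY),
            "wrong_tree": verify_for_deploy(good, source_digest({"app.py": b"x"}), "sast-scan", KEY),
            "wrong_step": verify_for_deploy(good, digest, "dast-scan", KEY)}

if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:11s} -> {'ALLOW' if allowed else 'BLOCK'}: {reason}")
```

The "forged" case is the one that matters for the auditor's question: editing the exit code in an unsigned log is invisible, but editing it inside the attestation breaks the signature over the PAE-encoded payload, so the gate blocks the deploy and the reason is recorded. Swapping the HMAC for a real key pair (and publishing the public key or using a transparency log) is what turns this from an integrity check into evidence a third party can verify.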

From Mutable Logs to Immutable Proof

Instead of asking auditors to trust mutable logs and manual processes, we provide them with immutable, cryptographic proof that security controls were actually executed. The result? Compliance without spreadsheets, evidence without doubt.

Originally published on LinkedIn