Modern CI/CD pipelines run multiple security scanners.
They detect vulnerabilities, produce reports, and sometimes block builds.
However, the final security decision — the decision that allows a release to proceed — is usually derived from tool outputs and pipeline logic that are difficult to verify later.
In most environments, the decision is effectively trusted rather than independently verifiable.
Nono-Gate explores a different architectural approach.
Instead of treating scan results as the final artifact, Nono-Gate treats the security decision itself as a verifiable artifact.
The system introduces a deterministic verification layer for CI security decisions.
It consumes security signals (for example SARIF outputs from scanners), applies a deterministic policy evaluation process, and produces a structured decision artifact backed by verifiable evidence.
This allows the decision to be replayed and verified later, even outside the original CI environment.
Core capabilities
Deterministic decision generation
Given the same inputs and policy rules, Nono-Gate produces the same security decision every time.
Because the evaluation is deterministic, anyone holding the same inputs and policy can re-run it and compare the result, which is what makes independent verification possible.
Evidence root generation
Each decision produces an Evidence Root, derived from the underlying security signals and evaluation process.
This root acts as a compact fingerprint representing the decision context.
Transparency ledger
Decisions are recorded in an append-only transparency log.
This ledger makes it possible to track decision history and verify integrity over time.
Replay verification
Any decision artifact can be re-executed and verified later using the same inputs.
If the replay produces the same evidence root and decision, the integrity of the original decision is confirmed.
Replay establishes that the recorded decision follows from the recorded inputs and policy; it does not by itself show that the scanner examined the right code, so the inputs still need their own provenance.
Tool-agnostic integration
Nono-Gate does not replace existing security scanners.
Instead, it operates as a verification layer that consumes their outputs.
This means it can work alongside existing tools used in CI/CD pipelines.
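To make the four capabilities above concrete, here is a small added example in Python. It is not Nono-Gate's own code and does not use its API; the SARIF document, the policy format, the hashing scheme and every function name are assumptions made for illustration. It reduces a SARIF-shaped scan output to sorted signals, evaluates a policy as a pure function, computes an evidence root over the signals, policy and decision, appends the root to a hash-chained ledger, and replays the decision to check it.

```python
"""Added example (not the Nono-Gate project's code). Shows a deterministic
decision over SARIF-like input, an evidence root, an append-only hash chain
and replay verification. All inputs below are constructed for illustration."""
import hashlib
import json

# Constructed SARIF-shaped sample: one blocking finding and one informational note.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner", "version": "1.0"}},
        "results": [
            {"ruleId": "CWE-89", "level": "error",
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/db.py"}}}]},
            {"ruleId": "STYLE-1", "level": "note",
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/util.py"}}}]},
        ],
    }],
}
# Same findings, reversed order: a scanner may emit results in any order.
SAMPLE_SARIF_REORDERED = {**SAMPLE_SARIF, "runs": [
    {**SAMPLE_SARIF["runs"][0], "results": list(reversed(SAMPLE_SARIF["runs"][0]["results"]))}]}
# Constructed policy (hypothetical format): block on these levels, tolerate N warnings.
SAMPLE_POLICY = {"block_levels": ["error"], "max_warnings": 0}


def canonical(obj) -> bytes:
    """Deterministic JSON: sorted keys, fixed separators, ASCII only, no NaN."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=True, allow_nan=False).encode()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def extract_signals(sarif: dict) -> list:
    """Reduce SARIF results to minimal records and sort them, so scanner output order
    cannot influence the decision or the evidence root."""
    signals = []
    for run in sarif.get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name", "unknown")
        for r in run.get("results", []):
            loc = (r.get("locations") or [{}])[0]
            uri = loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri", "")
            # SARIF's default result level is "warning" when the field is absent.
            signals.append({"tool": tool, "ruleId": r.get("ruleId", ""),
                            "level": r.get("level", "warning"), "uri": uri})
    return sorted(signals, key=lambda s: (s["tool"], s["ruleId"], s["uri"], s["level"]))


def evaluate(signals: list, policy: dict) -> dict:
    """Pure function: identical signals and policy always yield an identical decision."""
    blocking = [s for s in signals if s["level"] in policy["block_levels"]]
    warnings = sum(1 for s in signals if s["level"] == "warning")
    allowed = not blocking and warnings <= policy["max_warnings"]
    return {"allowed": allowed, "blocking": blocking, "warning_count": warnings}


def decide(sarif: dict, policy: dict) -> dict:
    """Build the decision artifact. The evidence root commits to the normalized
    signals, the policy and the decision; input_hash records the raw file separately."""
    signals = extract_signals(sarif)
    decision = evaluate(signals, policy)
    policy_hash = sha256_hex(canonical(policy))
    signals_hash = sha256_hex(canonical(signals))
    root = sha256_hex(canonical({"policy": policy_hash, "signals": signals_hash,
                                 "decision": decision}))
    return {"input_hash": sha256_hex(canonical(sarif)), "policy_hash": policy_hash,
            "decision": decision, "evidence_root": root}


class Ledger:
    """Append-only hash chain: every entry commits to the previous entry's hash."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def append(self, artifact: dict) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        body = {"index": len(self.entries), "prev": prev, "evidence_root": artifact["evidence_root"]}
        entry = dict(body, entry_hash=sha256_hex(canonical(body)))
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """Recompute every entry hash from the recorded fields and the prior link."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            body = {"index": i, "prev": prev, "evidence_root": e["evidence_root"]}
            if e["index"] != i or e["prev"] != prev or e["entry_hash"] != sha256_hex(canonical(body)):
                return False
            prev = e["entry_hash"]
        return True


def replay_verify(artifact: dict, sarif: dict, policy: dict, ledger: Ledger) -> bool:
    """Re-run the decision from the same inputs; the root and decision must match
    the artifact, and the root must appear in an intact ledger."""
    fresh = decide(sarif, policy)
    if fresh["evidence_root"] != artifact["evidence_root"] or fresh["decision"] != artifact["decision"]:
        return False
    return ledger.verify_chain() and any(e["evidence_root"] == artifact["evidence_root"]
                                         for e in ledger.entries)


if __name__ == "__main__":
    artifact = decide(SAMPLE_SARIF, SAMPLE_POLICY)
    ledger = Ledger()
    ledger.append(artifact)
    print("allowed:", artifact["decision"]["allowed"], "root:", artifact["evidence_root"][:16])
    print("replay ok:", replay_verify(artifact, SAMPLE_SARIF, SAMPLE_POLICY, ledger))
```

The design choice worth noting is what the root commits to: hashing the normalized, sorted signals rather than the raw SARIF bytes means two scanner runs that differ only in result order produce the same root, while the raw input hash is still recorded for provenance. Flipping `allowed` in a stored artifact, or editing a ledger entry, makes replay fail because the recomputed root or chain hash no longer matches.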
Architectural idea
The architecture can be summarized as:
Security Scanners → Security Signals → Deterministic Decision Engine → Verifiable Evidence → Transparency Ledger
This shifts the focus from:
“Did the scanner run?”
to:
“Can the final security decision be independently verified?”
Repository
The project repository and prototype implementation:
https://github.com/88nonog-dev/nono-gate
Question for practitioners
How does your CI/CD pipeline verify the security decision itself, not just the scan results?
Tags
devsecops
security
cicd
opensource
appsec