I built a system that verifies if security decisions were tampered with (offline)

88nonog-dev — Sat, 28 Mar 2026 10:52:40 +0000

I built a system that verifies whether a security decision was altered or not.

The idea is simple:
given a decision file and its evidence bundle, the system can independently verify its integrity.

It produces:

VERIFIED (intact)
or TAMPERED (modified)

Key characteristics:

works fully offline (no cloud, no API)
deterministic (same input always gives the same result)
no need to trust the original system

Why this matters:
teams can run security scans, but often cannot prove why a decision was made after the fact.

This focuses only on verification and proof.

I created a simple demo:

run verify
modify one value
see it fail

I’m interested to know:
would something like this be useful in audits, compliance, or incident investigations?

If relevant, feel free to reach out:
mohammed.devsec@gmail.com

Deterministic Verification for CI Security Decisions (Introducing Nono-Gate)

88nonog-dev — Mon, 16 Mar 2026 17:48:53 +0000

Modern CI/CD pipelines run multiple security scanners.

They detect vulnerabilities, produce reports, and sometimes block builds.
However, the final security decision — the decision that allows a release to proceed — is usually derived from tool outputs and pipeline logic that are difficult to verify later.

In most environments, the decision is effectively trusted rather than independently verifiable.

Nono-Gate explores a different architectural approach.

Instead of treating scan results as the final artifact, Nono-Gate treats the security decision itself as a verifiable artifact.

The system introduces a deterministic verification layer for CI security decisions.

It consumes security signals (for example SARIF outputs from scanners), applies a deterministic policy evaluation process, and produces a structured decision artifact backed by verifiable evidence.

This allows the decision to be replayed and verified later, even outside the original CI environment.

Core capabilities
Deterministic decision generation

Given the same inputs and policy rules, Nono-Gate produces the same security decision every time.
This deterministic behavior allows the decision to be replayed and independently verified.

Evidence root generation

Each decision produces an Evidence Root, derived from the underlying security signals and evaluation process.
This root acts as a compact fingerprint representing the decision context.

Transparency ledger

Decisions are recorded in an append-only transparency log.
This ledger makes it possible to track decision history and verify integrity over time.

Replay verification

Any decision artifact can be re-executed and verified later using the same inputs.
If the replay produces the same evidence root and decision, the integrity of the original decision is confirmed.

Tool-agnostic integration

Nono-Gate does not replace existing security scanners.
Instead, it operates as a verification layer that consumes their outputs.

This means it can work alongside existing tools used in CI/CD pipelines.

Architectural idea

The architecture can be summarized as:

Security Scanners → Security Signals → Deterministic Decision Engine → Verifiable Evidence → Transparency Ledger

This shifts the focus from:

“Did the scanner run?”

to:

“Can the final security decision be independently verified?”

Repository

The project repository and prototype implementation:

https://github.com/88nonog-dev/nono-gate

Question for practitioners

How does your CI/CD pipeline verify the security decision itself, not just the scan results?

DEV Community: 88nonog-dev

I built a system that verifies if security decisions were tampered with (offline)

Deterministic Verification for CI Security Decisions (Introducing Nono-Gate)