Yesterday I got an email about one of our Homebrew packages. A company called Altermenta had scanned it with their "Nucleus Verify" service and wanted me to check the results.
The verification link was dead. So I dug deeper.
What I Found
Altermenta is a 6-day-old UK company charging $20-50/seat/month for code verification. Their product wraps two open-source tools — Semgrep (3,800+ rules, free) and OSV (250K+ CVEs, free) — behind a proprietary API.
They claim certificates are "independently verifiable." But you literally cannot verify anything without their closed-source engine. Their sample certificate returns a 404.
Their GitHub org has zero stars, zero users, and was created less than a week ago.
What We Built Instead
BCOS v2 (Beacon Certified Open Source) — a free, MIT-licensed code verification engine with on-chain attestation.
The Stack
pip install clawrtc
clawrtc bcos scan .
That is it. No accounts. No subscriptions. No cloud API.
7 Checks, Transparent Scoring
| Check | Max Points | How |
|---|---|---|
| License Compliance | 20 | SPDX headers + OSI-compatible deps |
| Vulnerability Scan | 25 | pip-audit/OSV (250K+ CVEs) |
| Static Analysis | 20 | Semgrep (3,800+ rules) |
| SBOM Completeness | 10 | CycloneDX generation |
| Dependency Freshness | 5 | % at latest version |
| Test Evidence | 10 | Test infrastructure + CI |
| Review Attestation | 10 | L0(auto)/L1(agent)/L2(human) |
Every point in the score has a documented formula. No opaque "trust score."
On-Chain Attestation
When you certify a repo, the BLAKE2b-256 commitment hash gets anchored to the RustChain blockchain. Anyone can verify:
clawrtc bcos verify BCOS-e9aae86d
Certificate: BCOS-e9aae86d
Status: VERIFIED
Repository: Scottcjn/Rustchain
Trust Score: 30/100
Commitment: Valid
The score is 30/100 because Semgrep found 153 real issues and pip-audit found 45 CVEs in system packages. The system is honest about what it finds. That is the point.
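What "anyone can verify" means mechanically, as an added example rather than BCOS's own code: the page states that a BLAKE2b-256 commitment hash over the repository is anchored on-chain, but not how the commitment is constructed, so the sorted, domain-separated layout below (`commit_tree`, `verify_commitment`) is an assumption. The sample file tree is constructed, and the `ANCHORED` value stands in for what a verifier would read back from the chain.

```python
"""Recomputing and checking a BLAKE2b-256 content commitment.

Added example, not the BCOS engine's code. The page says the commitment is a
BLAKE2b-256 hash anchored on RustChain; the construction here (one leaf per
file, leaves sorted by path, domain-separated prefixes) is an assumption
that makes the commitment deterministic and independent of walk order.
"""
import hashlib
import hmac
from pathlib import Path
from typing import Dict


def _h(data: bytes) -> bytes:
    # BLAKE2b with a 32-byte digest is what "BLAKE2b-256" refers to.
    return hashlib.blake2b(data, digest_size=32).digest()


def commit_tree(files: Dict[str, bytes]) -> str:
    """Deterministic BLAKE2b-256 commitment over a {path: content} mapping.

    Each file contributes H(0x00 || path || 0x00 || content), so moving the
    same bytes to another path changes the commitment. Leaves are sorted by
    path and combined under a distinct 0x01 prefix.
    """
    leaves = [
        _h(b"\x00" + path.encode("utf-8") + b"\x00" + content)
        for path, content in sorted(files.items())
    ]
    return _h(b"\x01" + b"".join(leaves)).hex()


def commit_directory(root: Path, skip=(".git",)) -> str:
    """Commitment over a real checkout, with paths normalised to POSIX form."""
    files: Dict[str, bytes] = {}
    for p in root.rglob("*"):
        if p.is_file() and not any(part in skip for part in p.relative_to(root).parts):
            files[p.relative_to(root).as_posix()] = p.read_bytes()
    return commit_tree(files)


def verify_commitment(files: Dict[str, bytes], expected_hex: str) -> bool:
    """Recompute the commitment locally and compare it to the anchored value."""
    # compare_digest avoids timing differences; harmless here but a good habit.
    return hmac.compare_digest(commit_tree(files), expected_hex.lower())


# Constructed sample repository (not a real project).
SAMPLE_REPO: Dict[str, bytes] = {
    "src/main.py": b"# SPDX-License-Identifier: MIT\nprint('hello')\n",
    "LICENSE": b"MIT License\n",
    "pyproject.toml": b"[project]\nname = 'sample'\n",
}

# Stand-in for the value a verifier would read back from the chain.
ANCHORED = commit_tree(SAMPLE_REPO)


def tamper_detected() -> bool:
    """A one-line edit after certification must make verification fail."""
    modified = dict(SAMPLE_REPO)
    modified["src/main.py"] = SAMPLE_REPO["src/main.py"] + b"# changed after certification\n"
    return not verify_commitment(modified, ANCHORED)


def rename_detected() -> bool:
    """Same bytes under a different path must also fail, since paths are committed."""
    moved = {("app.py" if k == "src/main.py" else k): v for k, v in SAMPLE_REPO.items()}
    return not verify_commitment(moved, ANCHORED)


if __name__ == "__main__":
    print("Commitment:", ANCHORED)
    print("Valid:", verify_commitment(SAMPLE_REPO, ANCHORED))
    print("Tamper detected:", tamper_detected())
```

Because the whole computation is local and uses only the standard library, the "independently verifiable" claim reduces to: check out the commit, recompute the hash with the published construction, and compare it with the value anchored on the chain. The proprietary alternative described earlier offers no such recomputation path.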
PDF Certificates
Every certification generates a downloadable PDF with the score breakdown, BLAKE2b commitment, and verification URL.
What Does NOT Get Verified
We explicitly state what BCOS does not cover:
- Semantic correctness of business logic
- Runtime performance
- Complete absence of all vulnerabilities
- Compliance certification (GDPR, HIPAA, etc.)
Honest scope disclosure builds more trust than inflated claims.
The Comparison
| Feature | BCOS v2 | Nucleus Verify |
|---|---|---|
| Price | Free (MIT) | $20-50/mo |
| Source | Open | Proprietary |
| On-chain proof | RustChain BLAKE2b | None |
| Offline scanning | Full local engine | Cloud API only |
| Human review | L2 Ed25519 sigs | Automated only |
| Trust score | Transparent formula | Opaque |
| CLI | clawrtc bcos scan . | Web only |
| Independent verification | Anyone can run the engine | Requires their API |
8 Repos Already Certified
We scanned our own repos with the full tooling (Semgrep + pip-audit + SBOM). The scores are honest — they reflect real findings, not marketing numbers.
Verify any certificate at rustchain.org/bcos/
Try It
pip install clawrtc
clawrtc bcos scan /path/to/your/repo
The engine is ~400 lines of Python. The scoring formula is documented. The attestations live on a real blockchain. Everything is MIT licensed.
Open source verification should be open source.
Elyan Labs builds open-source tools for AI agents. RustChain is our Proof of Antiquity blockchain. BCOS is our code certification engine. BoTTube is our AI video platform.