CertiSigma Census CLI

How It Works #

Step 1

Scan

SHA-256 hash every file

→

Step 2

Attest

Three-layer proof (T0/T1/T2)

→

Step 3

Compare

Detect exfiltration

Census computes SHA-256 hashes of files, sends only hashes to the CertiSigma API, and receives three layers of cryptographic proof:

T0 — ECDSA Signature — Immediate, server signs the hash with P-256
T1 — TSA Timestamp — Minutes, Merkle tree + RFC 3161 Time Stamping Authority
T2 — Bitcoin Anchor — Hours, Merkle root anchored via OpenTimestamps

Zero knowledge: Original file content never leaves the client. Only 64-character hex hashes are transmitted.

SBOM attestation: Parse SPDX 2.x and CycloneDX JSON SBOMs and attest every component hash with the same three-layer proof chain used for files. Supports compliance workflows for EU CRA, NIS2, and US EO 14028.

SLSA provenance: Generate SLSA v1.0 provenance statements in the in-toto Statement v1 format. Auto-detects CI environments (GitHub Actions, GitLab CI, Jenkins), links SBOM components, and anchors provenance with CertiSigma three-layer proof — stronger than ephemeral Sigstore certificates.

Forensic timeline: Build a queryable SQLite timeline from the tamper-evident audit log. Export to standard DFIR formats — TSK body file (Autopsy), Plaso l2tcsv, CASE/UCO JSON-LD (AXIOM, X-Ways) — for direct import into forensic workstations.

SIEM event correlation: Correlation rules over forensic timeline with CEF/ECS output for SOC/SIEM integration.

String attestation: Attest serial numbers, license keys, batch codes, and URNs — extending Census beyond files to any string identifier. Manifest schema v4 tracks entry_type (file | string).

Multi-manifest federation: Aggregate manifests from multiple sites, teams, or CI pipelines with configurable conflict resolution strategies (latest_mtime, latest_source, first, skip).

Installation #

Python 3.10+. TOML config support on 3.10 uses tomli (auto-installed).

bash

# Base install
pip install certisigma-census

# With watch mode (filesystem monitoring)
pip install certisigma-census[watch]

# With PDF report generation
pip install certisigma-census[report]

# Everything
pip install "certisigma-census[watch,report]"

Quick Start #

Inventory scan

bash

export CERTISIGMA_API_KEY=cs_...

# Scan and attest all file hashes
census scan /path/to/sensitive-files --source inventory-hr

# Dry run (hash only, no attestation)
census scan /path/to/files --dry-run

Breach comparison

bash

# Compare suspect files against the registry
census compare /path/to/suspect-files --manifest inventory.db

# Exit 0 = no matches, 1 = exfiltration detected

Integrity check

bash

# Check files against manifest baseline (100% local)
census integrity manifest.db

# Differential: only new findings since last run
census integrity manifest.db --since auto --write-state auto

# Atomic update: detect + accept changes in one step
census integrity manifest.db --auto-update

GitHub Action #

Composite action with zero Docker overhead. SARIF auto-upload to GitHub Security tab.

yaml

# Breach detection with SARIF upload
- uses: certisigma/census-action@v1
  with:
    command: compare
    target: ./artifacts
    manifest: ./inventory.db
  env:
    CERTISIGMA_API_KEY: ${{ secrets.CERTISIGMA_API_KEY }}

# Integrity check (no API key needed)
- uses: certisigma/census-action@v1
  with:
    command: integrity
    manifest: ./inventory.db

Input	Required	Default	Description
`command`	Yes	—	scan, integrity, compare, bulk-scan
`target`	No	`.`	Directory to scan or check
`manifest`	No	`.census-manifest.db`	Manifest file path
`api-key`	No	—	API key (or set env var)
`format`	No	auto	text, json, jsonl, sarif (sarif only for compare)
`upload-sarif`	No	`true`	Auto-upload SARIF to Security tab
`source`	No	`github-ci`	Audit label for the scan
`exit-zero`	No	`false`	Report-only mode (compare/bulk-scan)
`version`	No	latest	Pin certisigma-census version
`extra-args`	No	—	Additional CLI flags
`python-version`	No	`3.12`	Python version for setup-python

Commands #

Census provides 40+ commands. Expand each for options and examples.

census scan <dir>

Walk directory, compute SHA-256 hashes, attest in batch, save manifest.

Option	Description
`--source LABEL`	Source label for attestations
`--manifest PATH`	Manifest output path
`--dry-run`	Hash only, no attestation
`--resume`	Resume interrupted scan
`--workers N`	Parallel hashing (1–8)
`--attest-manifest`	Attest manifest’s own hash
`--include/--exclude`	Glob patterns for filtering
`--min-size/--max-size`	Size filters (e.g. 1K, 100M)
`--json`	Machine-readable output

census compare <dir>

Hash suspect files and verify against the CertiSigma registry.

Option	Description
`--manifest PATH`	Local manifest for cross-reference
`--format text\|json\|sarif\|jsonl`	Output format
`--detailed`	Enriched results (source, T0/T1/T2 level)
`--exit-zero`	Report-only mode (always exit 0)
`--summary`	Counts only, no match details
`--on-match CMD`	Execute CMD on matches (JSON on stdin)

census integrity <manifest>

Tamper detection against manifest baseline. 100% local, no API calls.

Option	Description
`--strict`	Exit 1 on any discrepancy
`--since PATH`	Differential mode (auto = sidecar)
`--write-state PATH`	Save state for next run
`--auto-update`	Atomically accept changes into baseline (AIDE parity). Creates `.bak` backup.
`--format text\|json\|jsonl`	Output format

census diff <base> <target>

Compare two manifests. AIDE-style bitmask exit codes (1=added, 2=removed, 4=modified).

census bulk-scan <dir>

Bulk leak detection via /scan endpoint. Up to 50K hashes per call with auto-chunking.

Option	Description
`--dry-run`	Hash only, no API call
`--exit-zero`	Report-only mode
`--summary`	Counts only
`--source LABEL`	Incident tracking label

census verify <hash|--file>

Verify a hash or file against the registry. Full T0/T1/T2 evidence chain. No API key required.

census verify-manifest <manifest>

Full-chain verification: all manifest hashes against the registry.

census update <manifest>

AIDE-style baseline update: detect → review → accept. New entries are unattested.

census report <manifest> -o <file>

Forensic reports: HTML (zero deps), PDF (fpdf2), evidence bundles (ZIP with OTS proofs). Chain of custody metadata adds examiner, case ID, organization, and signature lines.

Option	Description
`-o / --output PATH`	Output file (.html, .pdf, or .json)
`--evidence`	Include full T0/T1/T2 evidence chain
`--bundle`	ZIP evidence bundle (report + OTS proofs + SHA256SUMS + chain_of_custody.json)
`--attest`	Attest the report hash for tamper-evidence
`--integrity`	Include integrity check results
`--examiner TEXT`	Forensic examiner name (chain of custody)
`--case-id TEXT`	Case identifier (chain of custody)
`--organization TEXT`	Organization name (chain of custody)
`--notes TEXT`	Free-text notes (chain of custody)

census watch <dir>

Continuous filesystem monitoring via native OS events (inotify/FSEvents). Batched attestation with debouncing. Requires [watch] extra.

Option	Description
`--on-change CMD`	Shell command on file change (JSON on stdin)
`--on-attest CMD`	Shell command after attestation (JSON on stdin)
`--on-t1 CMD`	Shell command on T1 (TSA) webhook event
`--on-t2 CMD`	Shell command on T2 (Bitcoin) webhook event
`--webhook-secret-file PATH`	Signing secret for embedded webhook receiver
`--webhook-port N`	Webhook receiver port (default: 9514)
`--alert-threshold N`	Velocity alert: file changes per window
`--alert-window SEC`	Velocity alert: rolling window (default: 60s)
`--alert-cooldown SEC`	Velocity alert: cooldown between alerts (default: 300s)
`--on-alert CMD`	Shell command on velocity alert (JSON on stdin)
`--webhook-bind ADDR`	Webhook bind address (default: 127.0.0.1)
`--debounce SEC`	Debounce interval (default: 2)
`--scan-on-start / --no-scan-on-start`	Full scan at startup
`--include/--exclude`	Glob patterns for filtering
`--alert-threshold N`	Fire velocity alert when events exceed N in window
`--alert-window SEC`	Rolling window for velocity alerting (default: 300)
`--alert-cooldown SEC`	Min seconds between alerts (default: 600)
`--on-alert CMD`	Shell command on velocity alert (JSON on stdin)

Velocity alerting: --alert-threshold enables rolling-window event counting that detects exfiltration, ransomware, or bulk operations. Alerts fire via --on-alert hook with full forensic payload. See velocity-alerting.md.

Full T1/T2 lifecycle: Combine --on-t1 / --on-t2 with --webhook-secret-file to start an embedded webhook receiver alongside the watcher. See Webhooks section.

census seal / verify-seal

HMAC-SHA256 tamper-evidence seal for manifests (Tripwire/AIDE pattern).

census track <attestation_id>

Track attestation status and T0/T1/T2 progression. Poll until a target proof level is reached.

Option	Description
`--poll`	Poll until target level is reached
`--level T1\|T2`	Target proof level (default: T2). Use T1 for faster TSA-only.
`--poll-interval SEC`	Seconds between polls (default: 60)
`--timeout SEC`	Max seconds to poll (default: 3600)
`--json`	Machine-readable output

census archive <manifest>

Create a forensic evidence preservation package (ZIP) from a manifest. Includes manifest, inventory, chain of custody metadata, and SHA256SUMS integrity file.

Option	Description
`-o, --output PATH`	Output ZIP path (default: evidence-YYYY-MM-DD.census.zip)
`--examiner TEXT`	Examiner name (chain of custody)
`--case-id TEXT`	Case identifier (chain of custody)
`--organization TEXT`	Organization name (chain of custody)
`--notes TEXT`	Free-text notes (chain of custody)
`--no-compress`	Store files without compression
`--no-seal`	Exclude manifest seal even if present
`--json`	Machine-readable JSON output

census verify-archive <archive>

Verify the integrity of a forensic archive package using the embedded SHA256SUMS file.

Webhook management for T1/T2 lifecycle push notifications. See Webhooks section for full documentation.

census export / hash / stats

Manifest export (CSV/JSON/sha256sum), standalone hashing, org statistics.

census merge <manifest1> <manifest2> ... -o <output>

Merge multiple manifests into one. Same-hash entries preserve attestation state; same-path conflicts keep the latest mtime.

Option	Description
`-o, --output PATH`	Output manifest path (required)
`--json`	Machine-readable JSON summary

census compliance-report <manifest>

Generate compliance reports mapping Census data to NIS2, DORA, or ISO 27001 requirements. 100% local — no API calls.

bash

census compliance-report manifest.db -o report.html
census compliance-report manifest.db --template dora -o report.html
census compliance-report manifest.db --template iso27001 --json
census compliance-report manifest.db --integrity -o report.html

Option	Description
`--template nis2\|dora\|iso27001`	Compliance framework (default: nis2)
`-o, --output PATH`	Output file (.html or .json)
`--integrity / --no-integrity`	Run integrity check and include results
`--json`	Machine-readable JSON output

census ai-policy init | apply | report

AI governance: classify inventoried assets for ML/AI training compliance.

census ai-policy init                           # generate .census-ai-policy.toml template
census ai-policy apply manifest.db --dry-run    # classify only, no API calls
census ai-policy apply manifest.db              # classify and tag attestations
census ai-policy report manifest.db -o ai.html  # HTML compliance report
census ai-policy report manifest.db --json      # JSON output

Option	Description
`-p, --policy PATH`	TOML policy file (default: .census-ai-policy.toml)
`--dry-run`	Classify only, do not tag attestations
`-o, --output PATH`	Save report to file (.html or .json)
`--json`	Machine-readable JSON output

Policy files use TOML with [policy] section and [[rules]] array. Rules support glob patterns (*.md, docs/*.txt), size filters (min_size, max_size), and regulatory framework mapping (eu-ai-act, iso42001, c2pa). Safety-first: default_action = "exclude". Most-restrictive-wins on shared attestation IDs.

census sbom attest | verify | summary

SBOM attestation: parse SPDX 2.x / CycloneDX JSON, extract SHA-256 component hashes, batch-attest or verify via the CertiSigma API.

census sbom attest sbom.spdx.json --source "ci-pipeline"
census sbom attest bom.cdx.json --dry-run --json
census sbom verify sbom.spdx.json --json
census sbom verify bom.cdx.json --exit-zero --detailed
census sbom summary sbom.spdx.json --json

Option	Description
`--format auto\|spdx\|cyclonedx`	Force SBOM format (auto-detected by default)
`--source LABEL`	Source label for attestations (attest only)
`--manifest PATH`	Save attested hashes to manifest (attest only)
`--dry-run`	Parse only, do not call the API (attest only)
`--detailed`	Include attestation level, source, timestamps (verify only)
`--exit-zero`	Always exit 0, report-only mode for CI (verify only)
`--json`	Machine-readable JSON output

Supports SPDX 2.2/2.3 and CycloneDX 1.4/1.5/1.6 JSON. File size limit: 100 MB. No external SBOM libraries required. Hashes are normalised to lowercase hex and deduplicated before submission. Supports EU CRA, NIS2, and US EO 14028 compliance.

census status <manifest>

Show manifest summary: total entries, attested/pending counts, files/strings breakdown, root directory, schema version, and federation metadata (if present).

census doctor / config / completion

Self-diagnostic (--manifest, --json), TOML configuration (config init, config show, config paths), shell completions (bash/zsh/fish).

census git-hook install | uninstall | status | run

Git integration: automatic attestation on commit. Post-commit hook hashes changed files, records in manifest, and batch-attests with commit SHA provenance.

Option	Description
`--repo DIR`	Git repository root (default: auto-detect)
`--manifest PATH`	Manifest path relative to repo
`--source LABEL`	Source label for attestations
`--dry-run`	Hash only, no attestation
`--json`	Machine-readable JSON output

census provenance generate | verify

SLSA v1.0 provenance generation and verification. Creates in-toto Statement v1 envelopes with SLSA provenance predicates that document what was scanned, when, and by whom — anchored by CertiSigma three-layer proof.

census provenance generate manifest.db --source "release-v2.1"
census provenance generate manifest.db --commit abc123 --attest
census provenance generate manifest.db --sbom bom.json --embed-materials
census provenance generate manifest.db --format intoto-jsonl
census provenance verify manifest.db.provenance.json --strict --json

Option	Description
`--source TEXT`	Source label for the scan
`--commit TEXT`	Git commit SHA
`--builder-id TEXT`	Builder identity URI
`--sbom PATH`	Link SBOM components as resolvedDependencies
`--embed-materials`	Include individual file digests (max 10K)
`--format json\|intoto-jsonl`	Output format
`--attest`	Attest provenance hash via CertiSigma API
`--strict`	Exit 1 if any subject is unverified

Auto-detects CI environments: GitHub Actions, GitLab CI, Jenkins. Builder metadata (repo URL, commit SHA, workflow, run ID) is populated automatically.

census timeline build | query | stats

Forensic timeline — queryable SQLite index over the tamper-evident audit log. Supports time-range, action, path, and hash filters. Export to standard DFIR formats for direct import into Autopsy, AXIOM, X-Ways, and Plaso.

census timeline build --manifest .census-manifest.db
census timeline query --action scan --start -7d
census timeline query --format bodyfile --output timeline.bodyfile
census timeline query --format case-json --output case.json --case-name "Investigation-2026"
census timeline query --format l2tcsv --output timeline.csv
census timeline query --format html --output timeline.html
census timeline stats --window 1h --json

Option	Description
`--format bodyfile\|l2tcsv\|case-json\|html\|json\|jsonl\|csv`	DFIR export format
`--action TEXT`	Filter by action prefix (repeatable)
`--start / --end`	Time range (ISO-8601 or relative: -1h, -7d)
`--around TIMESTAMP`	Anchor for relative window query
`--window INT`	Window size in seconds (with --around, default 300)
`--attested / --unattested`	Filter by attestation status
`--case-name / --examiner`	Metadata for CASE/UCO and HTML exports

Timeline DB is always rebuildable from the audit log — it is a derived index, never the authoritative record.

census correlate run | list-rules | validate | init

SIEM-native event correlation — evaluate rules against the forensic timeline index. Output as text, JSON, JSONL, ArcSight CEF, or Elastic ECS for SOC/SIEM pipelines.

census correlate run

census correlate run --rules census-correlate.toml
census correlate run --format jsonl --timeline-dir ./timeline-db
census correlate run --format cef -o alerts.cef --start -24h
census correlate run --format ecs -o alerts.ndjson --hostname prod-host-01

Option	Description
`--rules PATH`	Custom rules file (TOML or YAML, repeatable)
`--no-builtin`	Disable built-in rules
`--format text\|json\|jsonl\|cef\|ecs`	Output format
`-o / --output PATH`	Write output to file (required for CEF/ECS file export)
`--severity info\|low\|medium\|high\|critical`	Minimum severity to report
`--timeline-dir PATH`	Timeline DB directory (repeatable for multi-manifest)
`--start / --end`	Time window (ISO 8601 or relative, e.g. `-24h`)
`--hostname TEXT`	Override hostname for ECS output
`--dry-run`	Count matching events per rule without correlation
`--json`	Shorthand for `--format json`
`-q / --quiet`	Suppress informational output
`-v / --verbose`	Verbose logging

census correlate list-rules

Option	Description
`--rules PATH`	Include custom rules file (repeatable)
`--no-builtin`	Omit built-in rules from the listing
`--json`	Machine-readable JSON output

census correlate validate RULES_FILE

Argument / option	Description
`RULES_FILE`	Rules file path to validate
`--json`	Machine-readable JSON output

census correlate init

Option	Description
`-o / --output PATH`	Output path (default: `census-correlate.toml`)

census attest --string | --strings-file

Cryptographic attestation of string identifiers (serial numbers, license keys, URNs). Hashes identifiers via SHA-256, attests in batch, and saves to the manifest with entry_type=string.

census attest --string "SN-2026-0042" --source "production-batch-Q1"
census attest --strings-file serial-numbers.txt --source "batch-registry" --json
census attest --strings-file ids.txt --source "inventory" --dry-run

Option	Description
`--string VALUE`	Attest a single string identifier
`--strings-file PATH`	Attest identifiers from file (one per line, `#` comments)
`--source LABEL`	Source label (mandatory — PII protection)
`--manifest PATH`	Manifest path (default: `.census-strings-manifest.db`)
`--dry-run`	Hash only, no attestation
`--json`	Machine-readable JSON output

census federate <m1> <m2> ... -o <output>

Aggregate manifests from multiple sites, teams, or CI pipelines into a single federated manifest. Four conflict resolution strategies handle entries with the same path but different hashes.

census federate site-a.db site-b.db -o global.db
census federate *.db -o combined.db --strategy skip --show-conflicts
census federate prod.db staging.db -o merged.db --label production --label staging --json

Option	Description
`MANIFESTS`	Two or more manifest paths (positional)
`-o / --output PATH`	Output manifest path (required)
`--strategy`	`latest_mtime` (default), `latest_source`, `first`, `skip`
`--label`	Source label per manifest (repeatable)
`--show-conflicts`	Show conflict details in output
`--encryption-key HEX`	Encrypt the output manifest
`--json`	Machine-readable JSON output

census audit-log / snapshot

Tamper-evident JSONL audit log (audit-log show, verify, clear). Named snapshots for compliance baselines (snapshot create, list, diff, delete).

census share / tag / derived-list / annotate / metadata / key-rotate / key-gen

Forensic cooperation: share tokens, structured tagging, HMAC-derived lists, annotations, key rotation.

Output Formats #

Format	Flag	Use case
Text	(default)	Human-readable terminal output
JSON	`--json` or `--format json`	CI/CD automation, machine parsing
JSONL	`--format jsonl`	SIEM/ELK streaming, log pipelines
SARIF	`--format sarif`	GitHub Security tab, VS Code, Defect Dojo
CSV	`--output report.csv`	Spreadsheets, compliance reporting
sha256sum	`--format sha256sum`	GNU coreutils compatible (`sha256sum -c`)
HTML/PDF	`-o report.html`, `-o report.pdf`	Forensic reports (census report, compliance-report)
ZIP	`--bundle`	Evidence bundle (report + OTS proofs + SHA256SUMS)

All JSON output includes census_version and elapsed_seconds for forensic traceability. JSONL streams end with a _summary trailer.

Forensic Features #

Evidence chain — census verify with T0/T1/T2 details, OTS proof export
Forensic reports — HTML, PDF, evidence bundles (ZIP with OTS proofs + SHA256SUMS + chain of custody)
Chain of custody — --examiner, --case-id, --organization, --notes — forensic provenance metadata with signature lines (PDF) and manifest SHA-256 binding. Aligned with NIST SP 800-86 and ISO/IEC 27037.
Audit log — Tamper-evident JSONL with SHA-256 hash chain (census audit-log verify)
Named snapshots — Compliance baselines with diff comparison
Manifest seal — HMAC-SHA256 tamper-evidence (Tripwire/AIDE pattern)
Differential integrity — --since auto --write-state auto for new-findings-only mode
Baseline update — AIDE-style detect → review → accept workflow
Atomic integrity update — --auto-update combines detection and baseline acceptance in a single atomic operation with backup. No TOCTOU window.
Forensic annotation — Case IDs, notes, tags with AES-256-GCM zero-knowledge encryption
Forensic archive — census archive packages manifest, inventory, chain of custody, and SHA256SUMS into a verifiable ZIP. census verify-archive checks integrity.
Webhook evidence — census webhook verify-payload cryptographically verifies a saved webhook delivery against its HMAC-SHA256 signature, proving authenticity in the evidence chain.
File attribution — Owner, group, and permissions captured during scan (schema v3), available in reports and archives.
Attested reports — census report --attest attests the report’s own hash for tamper-evidence. census verify-report verifies it.
Git commit attestation — census git-hook install attests changed files on every commit, creating commit-level cryptographic provenance.

Cooperation #

Share forensic data with third parties without exposing original content.

Derived lists — HMAC-SHA256 opaque hash lists for third-party breach detection. The third party can match suspects without seeing your inventory.
Share tokens — Time-limited, use-limited tokens for chain of custody.
Structured tagging — Key-value classification with encrypted tags and cursor-paginated query.
Annotations — Add forensic notes, case IDs, and metadata to attestations.

bash

# Create an opaque derived list from your manifest
census derived-list create --manifest ./inventory.db --label "Q1 2026"

# Third party matches their suspects
census derived-list match <list_id> --list-key <hex64> --hashes-file suspects.txt

CI/CD Integration #

Census is designed for automation. Exit codes, report-only mode, and SARIF output integrate with any CI/CD pipeline.

Feature	Description
`--exit-zero`	Report-only: always exit 0 (upload SARIF without gating)
`--summary`	Counts only, no match details (concise CI logs)
`--format sarif`	SARIF v2.1.0 for GitHub Security tab upload
`--on-match CMD`	Execute command with results on stdin when matches > 0
`--format jsonl`	Streaming output for SIEM/ELK log pipelines
`--no-color`	Disable colored output (also respects `NO_COLOR` env var)
`-q / --quiet`	Suppress info output (errors and JSON always shown)
`sbom verify --exit-zero`	Verify SBOM components against the registry without gating the build
`sbom attest --source ci`	Attest SBOM component hashes as part of the build pipeline
`provenance generate --attest`	Generate SLSA v1.0 provenance and attest provenance hash
`provenance verify --strict`	Verify provenance subjects are attested (gate pipeline on failure)

GitHub Action: Use certisigma/census-action@v1 for seamless CI/CD integration. See GitHub Action section.

Exit Codes

Code	Context	Meaning
`0`	All commands	Success (or `--exit-zero` report-only mode)
`1`	All commands	General error (API, I/O, config, or matches found)
`2`	All commands	Usage error (invalid arguments)
`1`	`integrity --strict`	Violations detected
bitmask	`diff`	`1`=added, `2`=removed, `4`=modified (OR'd together)

Webhooks #

Push-based T1/T2 lifecycle notifications. Instead of polling for attestation completion, register a webhook and receive server-side callbacks when proofs are ready.

T0

Attest

ECDSA signature (instant)

→

Webhook

T1 Complete

TSA timestamp (minutes)

→

Webhook

T2 Complete

Bitcoin anchor (hours)

Register a webhook

bash

# Register and save the signing secret
census webhook register \
  --url https://hooks.example.com/certisigma \
  --events t1_complete,t2_complete \
  --label prod-monitor \
  --save-secret .census-webhook-secret

One-time secret: The signing secret is returned once at registration. Use --save-secret to persist it with 0o600 permissions, or copy it immediately. It cannot be retrieved later.

Manage webhooks

bash

# List registered webhooks
census webhook list --json

# Show delivery history
census webhook deliveries wh_abc123

# Delete a webhook
census webhook delete wh_abc123

Receive webhooks

Start a lightweight HTTP receiver with HMAC-SHA256 verification, anti-replay guard, and hook dispatch:

bash

# Standalone receiver with shell hooks
census webhook serve \
  --secret-file .census-webhook-secret \
  --on-t1 'notify-send "T1 certified"' \
  --on-t2 'curl -X POST https://slack/hook -d @-'

# Or embed in watch mode for full lifecycle
census watch /data \
  --on-change 'echo "changed"' \
  --on-t1 'echo "T1 done"' \
  --on-t2 'echo "T2 anchored"' \
  --webhook-secret-file .census-webhook-secret

Option	Description
`--secret-file PATH`	Signing secret file (from `register --save-secret`)
`--on-t1 CMD`	Shell command on T1 (TSA) event (JSON payload on stdin)
`--on-t2 CMD`	Shell command on T2 (Bitcoin) event (JSON payload on stdin)
`--port N`	Listen port (default: 9514)
`--bind ADDR`	Bind address (default: 127.0.0.1 — loopback only)
`--tls-cert / --tls-key`	PEM files for built-in TLS (reverse proxy recommended)
`--replay-window SEC`	Anti-replay window in seconds (default: 300)

Forensic verification

Verify a saved webhook delivery is authentic and unmodified:

bash

census webhook verify-payload delivery.json \
  --signature "sha256=abc..." \
  --secret-file .census-webhook-secret

Security properties

HMAC-SHA256 on every delivery — Signature verified before JSON parsing. Invalid signatures are rejected (401).
Anti-replay guard — Bounded delivery ID deduplication (10K entries, FIFO) + timestamp window (300s). Prevents replay attacks.
Secret file permissions — --save-secret writes with 0o600 (owner-only). Load strips comments and whitespace.
Loopback by default — Binds to 127.0.0.1. For public exposure, use --bind 0.0.0.0 behind a reverse proxy with TLS termination.
Optional built-in TLS — --tls-cert / --tls-key for environments without a reverse proxy. Minimum TLS 1.2.
Payload size limit — 1 MB maximum. Requests exceeding this are rejected before reading the body.
Graceful shutdown — SIGINT/SIGTERM cleanly stops the receiver.

Configuration #

Census reads configuration from TOML files with user/project precedence:

CLI flags (highest priority)
Environment variables (CERTISIGMA_API_KEY, CERTISIGMA_BASE_URL)
Project config (.census.toml in current directory)
User config (~/.config/census/config.toml)

bash

# Create a project config template
census config init --project

# View effective configuration
census config show

# Shell completions
eval "$(census completion bash)"

Security Model #

Content never leaves the client — Only SHA-256 hashes are transmitted to the API. The original file content stays on your infrastructure.
Zero-knowledge metadata — Annotations and tag values can be encrypted client-side with AES-256-GCM before sending to the API. The server stores ciphertext only.
HMAC-derived lists — Third-party breach detection uses HMAC-SHA256 derivation. The third party sees opaque derived hashes, not your original inventory.
Manifest is local — The hash-to-filepath mapping lives on your filesystem. CertiSigma never sees file paths or directory structure.
Manifest encryption at rest — Manifests can be encrypted with AES-256-GCM using --encryption-key or CENSUS_ENCRYPTION_KEY env var. Encrypted files use a compact binary format with 96-bit random nonce and authenticated encryption. Auto-detected on load.
API key scoping — RBAC scoped keys allow read-only access for analysts with full audit trail.
Webhook HMAC-SHA256 — Every webhook delivery is signed with a per-webhook secret. The receiver verifies signatures before processing. Anti-replay guard prevents stored replay attacks.
Secret file management — Webhook secrets are written with 0o600 permissions (owner-only). Never logged, never committed. Display-once semantics at registration.

Important: API keys and webhook secrets should never be committed to source control. Use environment variables or a secrets manager. Census masks keys in config show and doctor output.

Compliance Mapping #

Census provides cryptographic evidence chains that map to regulatory requirements:

Requirement	Framework	Census capability
Asset inventory	NIS2 Art.21, ISO 27001 A.8.1	`census scan` + manifest
Change detection	NIS2 Art.21, DORA Art.9	`census integrity` + differential
Incident response evidence	NIS2 Art.23, DORA Art.17	`census compare` + forensic reports
Data integrity verification	DORA Art.11, ISO 27001 A.14	`census verify-manifest`
Audit trail	NIS2 Art.21, ISO 27001 A.12.4	`census audit-log` (tamper-evident)
Third-party risk	NIS2 Art.21, DORA Art.28	Derived lists + share tokens
Data classification	ISO 27001 A.8.2	Structured tagging + encryption
Cryptographic controls	ISO 27001 A.10, DORA Art.9	T0/T1/T2 proof chain, AES-256-GCM
Supply chain integrity	NIS2 Art.21(2d)	`census seal` + `verify-seal`
Supply chain provenance	SLSA v1.0, EO 14028	`census provenance generate` + `verify`
Forensic timeline	ISO 27037, NIST SP 800-86	`census timeline build` + `query --format bodyfile\|l2tcsv\|case-json`
SIEM event correlation	NIST SP 800-92 Log Management, ISO 27001 A.12.4 Logging	`census correlate run` + `--format cef\|ecs\|jsonl`
Asset identifier census	ISO 27001 A.8.1 Asset Inventory	`census attest --string` + `--strings-file`
Multi-site federation	NIS2 Art.21(2a) Risk Analysis	`census federate` + `--strategy latest_mtime\|skip`
Continuous monitoring	DORA Art.9(2)	`census watch` + webhooks + systemd
Evidence preservation	ISO 27001 A.16.1.7	`census archive` + `verify-archive`

Architecture #

Census is a client of the CertiSigma API. It uses the published Python SDK and treats it as a black box.

Component	Description
CLI	Click-based, 40+ commands, global flags (`-v`, `-q`, `--no-color`)
Manifest	SQLite (WAL mode), schema v3, auto-migration from JSON
Scanner	Streamed SHA-256, parallel hashing (`ProcessPoolExecutor`), glob filters
Watcher	`watchdog` + producer/consumer, debounce, batch attestation, velocity alerting
Retry	Exponential backoff on 429/5xx with `Retry-After` header
Reports	HTML (zero deps), PDF (`fpdf2`), ZIP bundles with OTS proofs
Audit	JSONL with SHA-256 hash chain, tail-read for last hash
Webhooks	Lightweight HTTP receiver, HMAC-SHA256 verification, anti-replay guard, TLS optional
Archive	Forensic evidence ZIP packages with SHA256SUMS integrity

SDK integration: Census consumes certisigma from PyPI. For API-level integration details, see the SDK documentation.

Global Options #

Option	Description
`-v / --verbose`	Enable debug logging
`-q / --quiet`	Suppress informational output
`--log-format text\|json`	Log output format
`--no-color`	Disable colored output (also `NO_COLOR` env)
`--encryption-key HEX64`	AES-256-GCM key for manifest encryption at rest (or `CENSUS_ENCRYPTION_KEY` env)
`--version`	Show version