How It Works #

Step 1
Scan
SHA-256 hash every file
Step 2
Attest
Three-layer proof (T0/T1/T2)
Step 3
Compare
Match inventory

Census computes SHA-256 hashes locally. API-backed attestation and lookup operations transmit those digests plus explicitly supplied operational metadata, and receive three layers of cryptographic proof:

  1. T0 — ECDSA Signature — Immediate, server signs the hash with P-256
  2. T1 — TSA Timestamp — Minutes, Merkle tree + RFC 3161 Time Stamping Authority
  3. T2 — Bitcoin Anchor — Hours, Merkle root anchored via OpenTimestamps
Content stays local: Census never uploads file or inspected string bytes to CertiSigma. API-backed attestation and lookup operations transmit SHA-256 digests plus explicitly supplied operational metadata such as source labels; metadata, tagging, sharing and webhook commands transmit the fields explicitly required by the selected operation. Commands documented as local-only make no CertiSigma API calls.
Duplicate analysis: census duplicates PATH and duplicates --manifest inventory.db group local file locations by SHA-256 and report duplicate counts and wasted bytes without API calls or destructive cleanup.
Container analysis: census container inspect, report, duplicates, diff and drift inventory ZIP/TAR/GZIP-family artifacts locally, hash the outer artifact and members, and report unsafe archive changes without extraction or member attestation. container report --attest-container can explicitly attest only the outer artifact hash.
Assurance score and policy gates: census assurance score --manifest inventory.db produces a local evidence-readiness score, while census policy init/check turns that score into deterministic CI gates with JSON/SARIF output. No API calls and no legal compliance verdict.
Release evidence: census release pack builds a local ZIP with artifact digests, selected SBOM/provenance/policy evidence, SHA256SUMS, VERIFY.md and a public receipt. Artifact bytes are excluded unless --include-artifacts is explicit.
Git ref/tag drift: census git ref-snapshot and tag-drift capture read-only local branch/tag/remote evidence, detect moved release refs and emit JSON/SARIF without fetching remotes or calling the API.
Trust surface evidence: census tls snapshot, census dns snapshot, census web snapshot and census snapshot diff --snapshot-files capture or compare passive snapshot evidence for one explicit endpoint, domain or URL: TLS certificate metadata, DNS records, SPF/DMARC evidence, explicit DKIM selector evidence, HTTP status/header evidence, bounded content digests, optional SEO/GEO publication artifacts and local drift evidence. No crawling, zone transfer, enumeration, sitemap URL fetching, browser runtime, active vulnerability test or API call.
Append-only log evidence: census log seal and log verify create and verify local SHA-256/Merkle sidecars for append-only logs. Sidecars contain hashes, Merkle roots and aggregate metadata, not raw log lines. No log shipping, monitoring, API call, automatic attestation or compliance verdict.
SBOM assurance: Validate local SBOM evidence readiness, compare SBOM drift, create evidence bundles, generate CI reference workflows, match explicit local vulnerability feeds, summarize VEX/CSAF status evidence, evaluate supplier intake policy results, parse SPDX 2.x/3.0.1 and CycloneDX JSON SBOMs, and attest component or exact-document hashes with the same three-layer proof chain used for files.
SLSA provenance: Generate SLSA v1.0 provenance statements in the in-toto Statement v1 format. Auto-detects CI environments (GitHub Actions, GitLab CI, Jenkins) and links SBOM components. CertiSigma and Sigstore provide complementary trust models: CertiSigma adds T0/T1/T2 evidence and public anchoring, while Sigstore emphasizes identity-bound ephemeral signing and transparency-log verification.
Forensic timeline: Build a queryable SQLite timeline from the tamper-evident audit log. Export to standard DFIR formats — TSK body file (Autopsy), Plaso l2tcsv, CASE/UCO JSON-LD (AXIOM, X-Ways) — for direct import into forensic workstations.
SIEM event correlation: Correlation rules over forensic timeline with CEF/ECS output for SOC/SIEM integration.
String attestation: Attest serial numbers, license keys, batch codes, and URNs — extending Census beyond files to any string identifier. Manifest schema v5 tracks entry_type on content objects and locations.
Multi-manifest federation: Aggregate manifests from multiple sites, teams, or CI pipelines with configurable conflict resolution strategies (latest_mtime, latest_source, first, skip).

Installation #

Python 3.10+. TOML config support on 3.10 uses tomli (auto-installed).

bash
# Base install
pip install certisigma-census

# With watch mode (filesystem monitoring)
pip install certisigma-census[watch]

# With PDF report generation
pip install certisigma-census[report]

# All optional features
pip install "certisigma-census[watch,report,correlate]"

Quick Start #

Inventory scan

bash
export CERTISIGMA_API_KEY=cs_...

# Scan and attest all file hashes
census scan /path/to/sensitive-files --source inventory-hr

# Dry run (hash only, no attestation)
census scan /path/to/files --dry-run

Inventory comparison

bash
# Compare suspect files against the registry
census compare /path/to/suspect-files --manifest inventory.db

# Exit 0 = no matches, 1 = matches require review

Integrity check

bash
# Check files against manifest baseline (100% local)
census integrity manifest.db

# Differential: only new findings since last run
census integrity manifest.db --since auto --write-state auto

# Atomic update: detect + accept changes in one step
census integrity manifest.db --auto-update

GitHub Actions #

Use the published PyPI package directly in GitHub Actions. The repository-local composite template is not currently distributed under a public reusable reference; Marketplace publication remains gated on public-repository and release-governance work.

yaml
name: Census evidence
on: [push, pull_request]

permissions:
  contents: read
  security-events: write

jobs:
  compare:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Install Census
        run: pip install certisigma-census
      - name: Compare inventory
        id: census
        continue-on-error: true
        env:
          CERTISIGMA_API_KEY: ${{ secrets.CERTISIGMA_API_KEY }}
        run: census compare ./artifacts --manifest ./inventory.db --format sarif --output census-results.sarif
      - name: Upload SARIF
        if: always() && hashFiles('census-results.sarif') != ''
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: census-results.sarif
          category: certisigma-census
      - name: Enforce Census result
        if: steps.census.outcome == 'failure'
        run: exit 1
SARIF prerequisite: security-events: write is required. GitHub also requires Code Security to be enabled before SARIF can be uploaded for private or internal repositories; public repositories can use code scanning under GitHub's applicable product terms. See the GitHub SARIF documentation.

Pin certisigma-census to an approved release in production workflows for reproducibility. For a local-only integrity gate, run census integrity inventory.db --strict; it requires no API key or SARIF upload.

Commands #

Census provides 40+ commands. Expand each for options and examples.

census scan <dir>

Walk directory, compute SHA-256 hashes, attest in batch, save manifest.

OptionDescription
--source LABELSource label for attestations
--manifest PATHManifest output path
--dry-runHash only, no attestation
--resumeResume interrupted scan
--workers NParallel hashing (1–8)
--attest-manifestAttest manifest’s own hash
--include/--excludeGlob patterns for filtering
--min-size/--max-sizeSize filters (e.g. 1K, 100M)
--jsonMachine-readable output
census compare <dir>

Hash suspect files and verify against the CertiSigma registry.

OptionDescription
--manifest PATHLocal manifest for cross-reference
--format text|json|sarif|jsonlOutput format
--detailedEnriched results (source, T0/T1/T2 level)
--exit-zeroReport-only mode (always exit 0)
--summaryCounts only, no match details
--on-match CMDExecute CMD on matches (JSON on stdin)
census integrity <manifest>

Tamper detection against manifest baseline. 100% local, no API calls.

OptionDescription
--strictExit 1 on any discrepancy
--since PATHDifferential mode (auto = sidecar)
--write-state PATHSave state for next run
--auto-updateAtomically accept changes into baseline (AIDE parity). Creates .bak backup.
--format text|json|jsonlOutput format
census diff <base> <target>

Compare two manifests. AIDE-style bitmask exit codes (1=added, 2=removed, 4=modified).

census duplicates <dir> | --manifest <manifest>

Local-only duplicate listing by SHA-256. Live mode scans a directory; manifest mode reuses preserved schema v5 locations without rescanning. Reports duplicate groups, duplicate file observations and wasted bytes without API calls, manifest mutation or destructive cleanup.

OptionDescription
--manifest PATHRead duplicate locations from an existing manifest without rescanning
--include/--excludeGlob patterns for filtering
--min-size/--max-sizeSize filters (e.g. 1K, 100M)
--workers NParallel hashing (1–8)
--format text|json|csv|htmlOutput format
--output PATHSave report to file
--jsonMachine-readable output
census assurance score --manifest <manifest>

Local-only evidence-readiness score for a Census manifest. Reports a 0-100 score, grade, aggregate signals and explainable findings without contacting the CertiSigma API or making legal compliance claims.

OptionDescription
--manifest PATHCensus manifest to score
--format text|jsonOutput format
--jsonMachine-readable output
--seal-key KEYOptional HMAC key for local manifest seal verification

Container-member-only observations are treated as local analysis evidence; the score checks outer artifact backing rather than expecting internal member attestation.

census policy init | check

Local assurance policy-as-code gates over census assurance score. Designed for CI and release review: reads the policy TOML, manifest database and optional local seal sidecar, then returns deterministic pass/fail output without API calls or legal compliance claims.

bash
census policy init --output census-policy.toml
census policy init --profile strict --output census-policy.toml
census policy check --policy census-policy.toml --manifest inventory.db
census policy check --policy census-policy.toml --manifest inventory.db --format sarif
OptionDescription
--output PATHPolicy template path for init; result file for check
--profile baseline|strictTemplate profile for init
--forceAllow init to overwrite an existing policy file
--jsonMachine-readable output for init or shorthand for check --format json
--policy PATHCensus assurance policy TOML file for check
--manifest PATHCensus manifest to evaluate
--format text|json|sarifOutput format for policy results
--seal-key KEYOptional HMAC key for local manifest seal verification
--exit-zeroRender the result but always exit 0

Exit codes: 0 passed, 1 policy failed, 2 usage or invalid policy. Future gates for T2, SBOM, provenance, drift, KEV, secrets and certificate expiry are disabled placeholders that fail closed if explicitly enabled before their evidence inputs exist.

census release pack | receipt generate | receipt verify

Local release evidence packaging and public receipts. Creates a ZIP with release-evidence.json, receipt.json, VERIFY.md and SHA256SUMS. No API calls, no pack attestation and no legal compliance verdict.

bash
census release pack 1.28.2 --artifact dist/pkg.whl --manifest inventory.db --policy census-policy.toml --output release-evidence.zip
census receipt generate --release-evidence release-evidence.zip --output receipt.json
census receipt verify receipt.json --release-evidence release-evidence.zip
OptionDescription
--artifact PATHRelease artifact to hash; repeatable and required
--manifest PATHOptional Census manifest for embedded assurance score
--policy PATHOptional Census policy TOML; requires --manifest
--sbom PATH / --provenance PATHSelected evidence files for the pack
--git-ref-snapshot PATH / --git-drift-report PATHOptional Git release-ref evidence files for the pack
--include-artifactsCopy artifact bytes into the ZIP; default is digest-only artifacts
--path-policy basename|relative|fullPath labels stored in evidence; default is basename
--release-evidence PATHZIP pack or release-evidence.json used by receipt commands

Receipt verification is offline: it checks receipt/evidence consistency and ZIP SHA256SUMS. Exit codes: 0 valid, 1 mismatch, 2 usage or invalid input.

census git ref-snapshot | tag-drift

Read-only local Git release evidence. Captures branch/tag/HEAD/remote state, redacts remote credentials and compares the current repository against a prior snapshot. No fetch, push, ref repair, API call or proof-of-compromise claim.

bash
census git ref-snapshot --repo . --output git-refs.json
census git tag-drift --baseline git-refs.json --repo . --release-ref v1.28.2 --format json --output git-drift.json
OptionDescription
--repo PATHGit repository path; default current directory
--baseline PATHBaseline ref snapshot JSON for drift comparison
--release-ref REFOptional tag/branch/ref expected to match current HEAD
--format text|json|sarifDrift report format
--output PATHWrite snapshot or drift report
--exit-zeroRender drift report but always exit 0

Exit codes: 0 no high/medium drift, 1 drift detected, 2 usage or invalid input. Commit messages, authors, file paths and diffs are not captured.

census tls snapshot <domain>

Passive TLS trust surface snapshot evidence for one explicit endpoint. Captures certificate metadata, SANs, issuer, expiry, algorithms, fingerprints and a canonical snapshot hash. No crawling, active vulnerability test, HTTP fetch, port scan, API call, legal conclusion or policy result.

bash
census tls snapshot example.com
census tls snapshot example.com --format json --output tls-snapshot.json
OptionDescription
--port NTLS port; default 443
--timeout SECONDSSocket timeout, max 10 seconds
--server-name NAMEOptional SNI/hostname override
--format text|jsonOutput format
--jsonMachine-readable JSON output
--output PATHWrite snapshot evidence to file
census dns snapshot <domain>

Passive DNS trust surface snapshot evidence for one explicit domain. Queries bounded DNS records against the system resolver or an explicit resolver, records SPF/DMARC evidence, explicit DKIM selector evidence, DNSSEC-related DS/DNSKEY records when available and a canonical snapshot hash. No zone transfer, zone walking, subdomain enumeration, DKIM selector guessing, active vulnerability test, API call, legal conclusion or policy result.

bash
census dns snapshot example.com
census dns snapshot example.com --record MX --record TXT --dkim-selector default
census dns snapshot example.com --format json --output dns-snapshot.json
OptionDescription
--resolver IPExplicit DNS resolver IP; default is the first system resolver
--timeout SECONDSUDP query timeout, max 10 seconds
--record A|AAAA|MX|TXT|CAA|NS|DS|DNSKEYDNS record type to query; can be repeated
--dkim-selector SELECTORQuery only the explicit DKIM selector; can be repeated
--format text|jsonOutput format
--jsonMachine-readable JSON output
--output PATHWrite snapshot evidence to file
census web snapshot <url>

Passive web/header trust surface snapshot evidence for one explicit HTTP(S) URL. Captures status, redirects, sanitized headers, common web header evidence, canonical URL evidence from the final URL or HTTP Link header, bounded content digest and a canonical snapshot hash. With --seo-geo, it adds bounded same-origin robots.txt, sitemap.xml, llms.txt, HTML canonical/hreflang and schema.org/JSON-LD evidence. Response bodies and artifact bodies are not stored; query strings and sensitive headers are redacted in rendered evidence. No crawling, sitemap URL fetching, form submission, JavaScript execution, browser/headless runtime, active vulnerability test, API call, legal conclusion or policy result.

bash
census web snapshot https://example.com/
census web snapshot https://example.com/ --seo-geo --json
census web snapshot https://example.com/ --method HEAD
census web snapshot https://example.com/ --timeout 3 --max-redirects 3 --max-bytes 1M --format json --output web-snapshot.json
OptionDescription
--method GET|HEADHTTP method; default GET
--timeout SECONDSHTTP timeout, max 10 seconds
--max-redirects NRedirect hops to follow, max 10
--max-bytes SIZEResponse body bytes to hash, max 5M
--user-agent TEXTOptional declared User-Agent
--seo-geoAdd bounded same-origin robots/sitemap/llms and HTML SEO/GEO evidence
--format text|jsonOutput format
--jsonMachine-readable JSON output
--output PATHWrite snapshot evidence to file
census snapshot diff --snapshot-files <old.json> <new.json>

Local trust surface snapshot diff evidence for saved TLS/DNS/web snapshot JSON files. Compares files of the same snapshot kind, ignores runtime-only metadata such as generation timestamps and wrapper timing, emits deterministic findings and a canonical diff hash. It does not capture new evidence, crawl, probe, attest, call the API, or make legal or policy conclusions.

bash
census snapshot diff --snapshot-files old-tls.json new-tls.json
census snapshot diff --snapshot-files old-dns.json new-dns.json --json
census snapshot diff --snapshot-files old-web.json new-web.json --format json --output snapshot-diff.json --exit-zero
OptionDescription
--snapshot-filesInterpret the two diff arguments as trust surface snapshot JSON files
--format text|jsonOutput format
--jsonMachine-readable JSON output
--output PATHWrite snapshot diff evidence to file
--exit-zeroReturn zero while still rendering drift evidence
census container inspect <artifact.zip>

Local-only ZIP/TAR/GZIP-family container inventory. Reports outer artifact hash, member hashes, sizes, compression methods, CRCs and safety findings without extracting members or attesting internal files.

OptionDescription
--format text|json|htmlOutput format
--output PATHSave report to file
--jsonMachine-readable output
--max-members NMaximum entries to analyze
--max-member-size SIZEPer-member uncompressed size limit
--max-total-size SIZETotal uncompressed size limit
--max-ratio NMaximum expansion ratio

census zip inspect is an alias. archive inspect is deferred to preserve the existing census archive MANIFEST command.

census container report <artifact.zip>

Reviewable HTML/JSON/text report and optional local evidence bundle. --attest-container attests only the outer artifact SHA-256; --attest-report attests only the rendered report SHA-256. Internal members remain local analysis evidence.

OptionDescription
--format html|json|textOutput format
--output PATHSave report to file
--evidence-bundle PATHZIP bundle with inspect JSON, rendered report, metadata and SHA256SUMS
--attest-containerExplicitly attest the outer artifact hash only
--attest-reportExplicitly attest the rendered report hash only
census container duplicates / diff / drift

Local-only review commands built on container inspect. They report duplicate member hashes, duplicate ZIP names, added/removed/modified members, metadata drift and safety-finding drift without extraction, remediation or member attestation.

CommandPurpose
container duplicates ARTIFACTDuplicate member content and repeated member names
container diff OLD NEWAdded, removed, modified and metadata-drifted members
container drift ARTIFACT --baseline analysis.jsonCompare against a prior inspect JSON baseline

Outputs are text or JSON. Baseline JSON is size-limited and schema-validated before drift analysis.

census bulk-scan <dir>

Bulk inventory matching via /scan endpoint. Up to 50K hashes per call with auto-chunking.

OptionDescription
--dry-runHash only, no API call
--exit-zeroReport-only mode
--summaryCounts only
--source LABELIncident tracking label
census verify <hash|--file>

Verify a hash or file against the registry. Full T0/T1/T2 evidence chain. No API key required.

census verify-manifest <manifest>

Full-chain verification: all manifest hashes against the registry.

census update <manifest>

AIDE-style baseline update: detect → review → accept. New entries are unattested.

census report <manifest> -o <file>

Forensic reports: HTML (zero deps), PDF (fpdf2), evidence bundles (ZIP with OTS proofs). Chain of custody metadata adds examiner, case ID, organization, and signature lines.

OptionDescription
-o / --output PATHOutput file (.html, .pdf, or .json)
--evidenceInclude full T0/T1/T2 evidence chain
--bundleZIP evidence bundle (report + OTS proofs + SHA256SUMS + chain_of_custody.json)
--attestAttest the report hash for tamper-evidence
--integrityInclude integrity check results
--examiner TEXTForensic examiner name (chain of custody)
--case-id TEXTCase identifier (chain of custody)
--organization TEXTOrganization name (chain of custody)
--notes TEXTFree-text notes (chain of custody)
census watch <dir>

Continuous filesystem monitoring via native OS events (inotify/FSEvents). Batched attestation with debouncing. Requires [watch] extra.

OptionDescription
--on-change CMDShell command on file change (JSON on stdin)
--on-attest CMDShell command after attestation (JSON on stdin)
--on-t1 CMDShell command on T1 (TSA) webhook event
--on-t2 CMDShell command on T2 (Bitcoin) webhook event
--webhook-secret-file PATHSigning secret for embedded webhook receiver
--webhook-port NWebhook receiver port (default: 9514)
--webhook-bind ADDRWebhook bind address (default: 127.0.0.1)
--debounce SECDebounce interval (default: 2)
--scan-on-start / --no-scan-on-startFull scan at startup
--include/--excludeGlob patterns for filtering
--alert-threshold NFire velocity alert when events exceed N in window
--alert-window SECRolling window for velocity alerting (default: 300 seconds)
--alert-cooldown SECMinimum time between alerts (default: 600 seconds)
--on-alert CMDShell command on velocity alert (JSON on stdin)
Velocity alerting: --alert-threshold enables rolling-window event counting that flags unusual bulk activity, including scenarios that may warrant investigation for suspected exfiltration or ransomware. Alerts fire via --on-alert hook with full forensic payload. See velocity-alerting.md.
Full T1/T2 lifecycle: Combine --on-t1 / --on-t2 with --webhook-secret-file to start an embedded webhook receiver alongside the watcher. See Webhooks section.
census seal / verify-seal

HMAC-SHA256 tamper-evidence seal for manifests (Tripwire/AIDE pattern).

census log seal | verify

Local append-only log evidence sidecars. log seal streams one explicit local log file, creates SHA-256/Merkle windows and writes a JSON .logseal sidecar without raw log lines. log verify recomputes the same evidence and reports findings without shipping logs, monitoring, calling the API, attesting automatically or making legal/security/compliance conclusions.

bash
census log seal audit.jsonl --window 1h
census log seal audit.jsonl --window 15m --output audit.jsonl.logseal --json
census log verify audit.jsonl.logseal
census log verify audit.jsonl.logseal --log audit.jsonl --json
OptionDescription
--window DURATIONEvidence window such as 30s, 15m, 1h or 1d
--output PATHWrite sidecar path for log seal
--log PATHExplicit log path for log verify
--format text|jsonOutput format
--jsonMachine-readable JSON output
--exit-zeroReturn zero while still rendering verification findings
census track <attestation_id>

Track attestation status and T0/T1/T2 progression. Poll until a target proof level is reached.

OptionDescription
--pollPoll until target level is reached
--level T1|T2Target proof level (default: T2). Use T1 for faster TSA-only.
--poll-interval SECSeconds between polls (default: 60)
--timeout SECMax seconds to poll (default: 3600)
--jsonMachine-readable output
census archive <manifest>

Create a forensic evidence preservation package (ZIP) from a manifest. Includes manifest, inventory, chain of custody metadata, and SHA256SUMS integrity file.

OptionDescription
-o, --output PATHOutput ZIP path (default: evidence-YYYY-MM-DD.census.zip)
--examiner TEXTExaminer name (chain of custody)
--case-id TEXTCase identifier (chain of custody)
--organization TEXTOrganization name (chain of custody)
--notes TEXTFree-text notes (chain of custody)
--no-compressStore files without compression
--no-sealExclude manifest seal even if present
--jsonMachine-readable JSON output
census verify-archive <archive>

Verify the integrity of a forensic archive package using the embedded SHA256SUMS file.

census webhook register | list | delete | deliveries | verify-payload | serve

Webhook management for T1/T2 lifecycle push notifications. See Webhooks section for full documentation.

census export / hash / stats

Manifest export (CSV/JSON/sha256sum), standalone hashing, org statistics.

census merge <manifest1> <manifest2> ... -o <output>

Merge multiple manifests into one. Same-hash entries preserve attestation state; same-path conflicts keep the latest mtime.

OptionDescription
-o, --output PATHOutput manifest path (required)
--jsonMachine-readable JSON summary
census compliance-report <manifest>

Generate local evidence cross-reference reports using the legacy compliance-report command name. Profiles summarize manifest and integrity signals against NIS2, DORA or ISO/IEC 27001 evidence objectives; they do not determine applicability or conformity. No API calls.

bash
census compliance-report manifest.db -o report.html
census compliance-report manifest.db --template dora -o report.html
census compliance-report manifest.db --template iso27001 --json
census compliance-report manifest.db --integrity -o report.html
OptionDescription
--template nis2|dora|iso27001Evidence cross-reference profile (default: nis2)
-o, --output PATHOutput file (.html or .json)
--integrity / --no-integrityRun integrity check and include results
--jsonMachine-readable JSON output
census ai-policy init | apply | report

AI governance: classify inventoried assets for ML/AI training compliance.

census ai-policy init                           # generate .census-ai-policy.toml template
census ai-policy apply manifest.db --dry-run    # classify only, no API calls
census ai-policy apply manifest.db              # classify and tag attestations
census ai-policy report manifest.db -o ai.html  # HTML compliance report
census ai-policy report manifest.db --json      # JSON output
OptionDescription
-p, --policy PATHTOML policy file (default: .census-ai-policy.toml)
--dry-runClassify only, do not tag attestations
-o, --output PATHSave report to file (.html or .json)
--jsonMachine-readable JSON output

Policy files use TOML with [policy] section and [[rules]] array. Rules support glob patterns (*.md, docs/*.txt), size filters (min_size, max_size), and regulatory framework mapping (eu-ai-act, iso42001, c2pa). Safety-first: default_action = "exclude". Most-restrictive-wins on shared attestation IDs.

census sbom validate | diff | bundle | pipeline | vuln | vex | intake | attest | verify | summary

SBOM assurance: validate local evidence readiness, compare release-to-release drift, create local evidence bundles, generate CI reference workflows, match explicit local vulnerability feeds, summarize VEX/CSAF status evidence, evaluate supplier intake policy results, parse SPDX 2.x / 3.0.1 and CycloneDX JSON, extract SHA-256 component hashes, and batch-attest or verify hashes via the CertiSigma API.

census sbom validate bom.cdx.json --profile bsi --json
census sbom validate bom.cdx.json --profile enterprise --report-format sarif
census sbom diff old-bom.cdx.json new-bom.cdx.json --json
census sbom bundle bom.cdx.json --output sbom-evidence.zip
census sbom pipeline init --generator syft --profile bsi
census sbom vuln cache --feed osv.json --source osv --cache-dir .census/sbom-vuln
census sbom vuln match bom.cdx.json --cache-dir .census/sbom-vuln --report-format sarif
census sbom vex summarize supplier-vex.json --json
census sbom intake supplier-bom.cdx.json --policy supplier-policy.toml --json
census sbom attest sbom.spdx.json --source "ci-pipeline"
census sbom attest sbom.spdx.json --attest-document --source "ci-pipeline"
census sbom attest bom.cdx.json --dry-run --json
census sbom verify sbom.spdx.json --json
census sbom verify bom.cdx.json --exit-zero --detailed
census sbom summary sbom.spdx.json --json
OptionDescription
--format auto|spdx|cyclonedxForce SBOM format (auto-detected by default)
--profile cra-minimal|bsi|enterpriseLocal evidence-readiness profile (validate only)
--report-format text|json|sarifValidation or diff report format
--output PATHSave validation/diff report or SBOM evidence ZIP
--validation-report PATHInclude validation evidence in an SBOM bundle
--diff-report PATHInclude diff evidence in an SBOM bundle
--include-sbomCopy the original SBOM body into the bundle (bundle only)
--generator syft|cyclonedx-pyExternal SBOM generator family to reference (pipeline init only)
--baseline-sbom PATHAdd a generated sbom diff step (pipeline init only)
--attestAdd generated attestation step using CI secret CERTISIGMA_API_KEY (pipeline init only)
--feed PATHExplicit local vulnerability feed to ingest (vuln cache only)
--source osv|nvd|ghsa|kev|epss|censusLocal vulnerability feed source format (vuln cache only)
--cache-dir PATHLocal vulnerability cache directory (vuln only)
--vex PATHApply or include local VEX/CSAF evidence (vuln match / intake)
--policy PATHSupplier intake TOML policy (intake only)
--vulnerability-report PATHLocal Census vulnerability evidence report (intake only)
--source LABELSource label for attestations (attest only)
--manifest PATHSave attested hashes to manifest (attest only)
--dry-runParse only, do not call the API (attest only)
--attest-documentAlso attest the exact SBOM document SHA-256 (attest only)
--detailedInclude attestation level, source, timestamps (verify only)
--exit-zeroAlways exit 0, report-only mode for CI (validate/diff/verify/vuln/intake)
--jsonMachine-readable JSON output

Supports SPDX 2.2/2.3 JSON, SPDX 3.0.1 JSON-LD and CycloneDX 1.4/1.5/1.6 JSON. File size limit: 100 MB. No external SBOM libraries required for parsing. Hashes are normalised to lowercase hex and deduplicated before submission. Document attestation sends only the exact SBOM SHA-256 digest. Validation, diff, bundle, pipeline generation, vulnerability matching, VEX/CSAF summary and intake are local-only; pipeline init writes a template and does not install external generators. Bundles exclude the original SBOM body unless --include-sbom is explicit. Reports describe evidence readiness, vulnerability evidence and policy result, not legal compliance verdicts.

census status <manifest>

Show manifest summary: content objects, preserved locations, attested/pending counts, files/strings breakdown, root directory, schema version, and federation metadata (if present).

census doctor / config / completion

Self-diagnostic (--manifest, --json), TOML configuration (config init, config show, config paths), shell completions (bash/zsh/fish).

census git-hook install | uninstall | status | run

Git integration: automatic attestation on commit. Post-commit hook hashes changed files, records in manifest, and batch-attests with commit SHA provenance.

OptionDescription
--repo DIRGit repository root (default: auto-detect)
--manifest PATHManifest path relative to repo
--source LABELSource label for attestations
--dry-runHash only, no attestation
--jsonMachine-readable JSON output
census provenance generate | verify

SLSA v1.0 provenance generation and verification. Creates in-toto Statement v1 envelopes with SLSA provenance predicates that document what was scanned, when, and by whom — anchored by CertiSigma three-layer proof.

census provenance generate manifest.db --source "release-v2.1"
census provenance generate manifest.db --commit abc123 --attest
census provenance generate manifest.db --sbom bom.json --embed-materials
census provenance generate manifest.db --format intoto-jsonl
census provenance verify manifest.db.provenance.json --strict --json
OptionDescription
--source TEXTSource label for the scan
--commit TEXTGit commit SHA
--builder-id TEXTBuilder identity URI
--sbom PATHLink SBOM components as resolvedDependencies
--embed-materialsInclude individual file digests (max 10K)
--format json|intoto-jsonlOutput format
--attestAttest provenance hash via CertiSigma API
--strictExit 1 if any subject is unverified

Auto-detects CI environments: GitHub Actions, GitLab CI, Jenkins. Builder metadata (repo URL, commit SHA, workflow, run ID) is populated automatically.

census timeline build | query | stats

Forensic timeline — queryable SQLite index over the tamper-evident audit log. Supports time-range, action, path, and hash filters. Export to standard DFIR formats for direct import into Autopsy, AXIOM, X-Ways, and Plaso.

census timeline build --manifest .census-manifest.db
census timeline query --action scan --start -7d
census timeline query --format bodyfile --output timeline.bodyfile
census timeline query --format case-json --output case.json --case-name "Investigation-2026"
census timeline query --format l2tcsv --output timeline.csv
census timeline query --format html --output timeline.html
census timeline stats --window 1h --json
OptionDescription
--format bodyfile|l2tcsv|case-json|html|json|jsonl|csvDFIR export format
--action TEXTFilter by action prefix (repeatable)
--start / --endTime range (ISO-8601 or relative: -1h, -7d)
--around TIMESTAMPAnchor for relative window query
--window INTWindow size in seconds (with --around, default 300)
--attested / --unattestedFilter by attestation status
--case-name / --examinerMetadata for CASE/UCO and HTML exports

Timeline DB is always rebuildable from the audit log — it is a derived index, never the authoritative record.

census correlate run | list-rules | validate | init

SIEM-native event correlation — evaluate rules against the forensic timeline index. Output as text, JSON, JSONL, ArcSight CEF, or Elastic ECS for SOC/SIEM pipelines.

census correlate run

census correlate run --rules census-correlate.toml
census correlate run --format jsonl --timeline-dir ./timeline-db
census correlate run --format cef -o alerts.cef --start -24h
census correlate run --format ecs -o alerts.ndjson --hostname prod-host-01
OptionDescription
--rules PATHCustom rules file (TOML or YAML, repeatable)
--no-builtinDisable built-in rules
--format text|json|jsonl|cef|ecsOutput format
-o / --output PATHWrite output to file (required for CEF/ECS file export)
--severity info|low|medium|high|criticalMinimum severity to report
--timeline-dir PATHTimeline DB directory (repeatable for multi-manifest)
--start / --endTime window (ISO 8601 or relative, e.g. -24h)
--hostname TEXTOverride hostname for ECS output
--dry-runCount matching events per rule without correlation
--jsonShorthand for --format json
-q / --quietSuppress informational output
-v / --verboseVerbose logging

census correlate list-rules

OptionDescription
--rules PATHInclude custom rules file (repeatable)
--no-builtinOmit built-in rules from the listing
--jsonMachine-readable JSON output

census correlate validate RULES_FILE

Argument / optionDescription
RULES_FILERules file path to validate
--jsonMachine-readable JSON output

census correlate init

OptionDescription
-o / --output PATHOutput path (default: census-correlate.toml)
census attest --string | --strings-file

Cryptographic attestation of string identifiers (serial numbers, license keys, URNs). Hashes identifiers via SHA-256, attests in batch, and saves to the manifest with entry_type=string.

census attest --string "SN-2026-0042" --source "production-batch-Q1"
census attest --strings-file serial-numbers.txt --source "batch-registry" --json
census attest --strings-file ids.txt --source "inventory" --dry-run
OptionDescription
--string VALUEAttest a single string identifier
--strings-file PATHAttest identifiers from file (one per line, # comments)
--source LABELSource label (mandatory — PII protection)
--manifest PATHManifest path (default: .census-strings-manifest.db)
--dry-runHash only, no attestation
--jsonMachine-readable JSON output
census federate <m1> <m2> ... -o <output>

Aggregate manifests from multiple sites, teams, or CI pipelines into a single federated manifest. Four conflict resolution strategies handle entries with the same path but different hashes.

census federate site-a.db site-b.db -o global.db
census federate *.db -o combined.db --strategy skip --show-conflicts
census federate prod.db staging.db -o merged.db --label production --label staging --json
OptionDescription
MANIFESTSTwo or more manifest paths (positional)
-o / --output PATHOutput manifest path (required)
--strategylatest_mtime (default), latest_source, first, skip
--labelSource label per manifest (repeatable)
--show-conflictsShow conflict details in output
--encryption-key HEXEncrypt the output manifest
--jsonMachine-readable JSON output
census audit-log / snapshot

Tamper-evident JSONL audit log (audit-log show, verify, clear). Named snapshots for compliance baselines (snapshot create, list, diff, delete).

census share / tag / derived-list / annotate / metadata / key-rotate / key-gen

Forensic cooperation: share tokens, structured tagging, HMAC-derived lists, annotations, key rotation.

Output Formats #

FormatFlagUse case
Text(default)Human-readable terminal output
JSON--json or --format jsonCI/CD automation, machine parsing
JSONL--format jsonlSIEM/ELK streaming, log pipelines
SARIF--format sarifGitHub Security tab, VS Code, Defect Dojo
CSV--output report.csvSpreadsheets, compliance reporting
sha256sum--format sha256sumGNU coreutils compatible (sha256sum -c)
HTML/PDF-o report.html, -o report.pdfForensic reports (census report, compliance-report)
ZIP--bundleEvidence bundle (report + OTS proofs + SHA256SUMS)

All JSON output includes census_version and elapsed_seconds for forensic traceability. JSONL streams end with a _summary trailer.

Forensic Features #

  • Evidence chaincensus verify with T0/T1/T2 details, OTS proof export
  • Forensic reports — HTML, PDF, evidence bundles (ZIP with OTS proofs + SHA256SUMS + chain of custody)
  • Chain of custody--examiner, --case-id, --organization, --notes — forensic provenance metadata with signature lines (PDF) and manifest SHA-256 binding. Aligned with NIST SP 800-86 and ISO/IEC 27037.
  • Audit log — Tamper-evident JSONL with SHA-256 hash chain (census audit-log verify)
  • Append-only log seal — Local SHA-256/Merkle sidecars for retained logs (census log seal, census log verify)
  • Named snapshots — Compliance baselines with diff comparison
  • Manifest seal — HMAC-SHA256 tamper-evidence (Tripwire/AIDE pattern)
  • Differential integrity--since auto --write-state auto for new-findings-only mode
  • Baseline update — AIDE-style detect → review → accept workflow
  • Atomic integrity update--auto-update combines detection and baseline acceptance in a single atomic operation with backup. No TOCTOU window.
  • Forensic annotation — Case IDs, notes, tags with AES-256-GCM client-side encryption
  • Forensic archivecensus archive packages manifest, inventory, chain of custody, and SHA256SUMS into a verifiable ZIP. census verify-archive checks integrity.
  • Webhook evidencecensus webhook verify-payload cryptographically verifies a saved webhook delivery against its HMAC-SHA256 signature, proving authenticity in the evidence chain.
  • File attribution — Owner, group, and permissions captured during scan (schema v3), available in reports and archives.
  • Attested reportscensus report --attest attests the report’s own hash for tamper-evidence. census verify-report verifies it.
  • Git commit attestationcensus git-hook install attests changed files on every commit, creating commit-level cryptographic provenance.

Cooperation #

Share forensic data with third parties without exposing original content.

  • Derived lists — HMAC-SHA256 opaque hash lists for third-party inventory matching. The third party can match suspects without seeing your inventory.
  • Share tokens — Time-limited, use-limited tokens for chain of custody.
  • Structured tagging — Key-value classification with encrypted tags and cursor-paginated query.
  • Annotations — Add forensic notes, case IDs, and metadata to attestations.
bash
# Create an opaque derived list from your manifest
census derived-list create --manifest ./inventory.db --label "Q1 2026"

# Third party matches their suspects
census derived-list match <list_id> --list-key <hex64> --hashes-file suspects.txt

CI/CD Integration #

Census is designed for automation. Exit codes, report-only mode, and SARIF output integrate with any CI/CD pipeline.

FeatureDescription
--exit-zeroReport-only: always exit 0 (upload SARIF without gating)
--summaryCounts only, no match details (concise CI logs)
--format sarifSARIF v2.1.0 for GitHub Security tab upload
--on-match CMDExecute command with results on stdin when matches > 0
--format jsonlStreaming output for SIEM/ELK log pipelines
--no-colorDisable colored output (also respects NO_COLOR env var)
-q / --quietSuppress info output (errors and JSON always shown)
sbom verify --exit-zeroVerify SBOM components against the registry without gating the build
sbom diff --report-format sarifReport SBOM release drift in CI without uploading SBOM content
sbom bundle --output evidence.zipPackage local SBOM evidence with SHA256SUMS and verification notes
sbom pipeline initGenerate a reference GitHub Actions SBOM evidence workflow
sbom attest --source ciAttest SBOM component hashes as part of the build pipeline
provenance generate --attestGenerate SLSA v1.0 provenance and attest provenance hash
provenance verify --strictVerify provenance subjects are attested (gate pipeline on failure)
GitHub Actions: Install Census from PyPI and invoke the CLI directly. See the GitHub Actions section for a runnable SARIF workflow and required permissions.

Exit Codes

CodeContextMeaning
0All commandsSuccess (or --exit-zero report-only mode)
1All commandsGeneral error (API, I/O, config, or matches found)
2All commandsUsage error (invalid arguments)
1integrity --strictViolations detected
bitmaskdiff1=added, 2=removed, 4=modified (OR'd together)

Webhooks #

Push-based T1/T2 lifecycle notifications. Instead of polling for attestation completion, register a webhook and receive server-side callbacks when proofs are ready.

T0
Attest
ECDSA signature (instant)
Webhook
T1 Complete
TSA timestamp (minutes)
Webhook
T2 Complete
Bitcoin anchor (hours)

Register a webhook

bash
# Register and save the signing secret
census webhook register \
  --url https://hooks.example.com/certisigma \
  --events t1_complete,t2_complete \
  --label prod-monitor \
  --save-secret .census-webhook-secret
One-time secret: The signing secret is returned once at registration. Use --save-secret to persist it with 0o600 permissions, or copy it immediately. It cannot be retrieved later.

Manage webhooks

bash
# List registered webhooks
census webhook list --json

# Show delivery history
census webhook deliveries wh_abc123

# Delete a webhook
census webhook delete wh_abc123

Receive webhooks

Start a lightweight HTTP receiver with HMAC-SHA256 verification, anti-replay guard, and hook dispatch:

bash
# Standalone receiver with shell hooks
census webhook serve \
  --secret-file .census-webhook-secret \
  --on-t1 'notify-send "T1 certified"' \
  --on-t2 'curl -X POST https://slack/hook -d @-'

# Or embed in watch mode for full lifecycle
census watch /data \
  --on-change 'echo "changed"' \
  --on-t1 'echo "T1 done"' \
  --on-t2 'echo "T2 anchored"' \
  --webhook-secret-file .census-webhook-secret
OptionDescription
--secret-file PATHSigning secret file (from register --save-secret)
--on-t1 CMDShell command on T1 (TSA) event (JSON payload on stdin)
--on-t2 CMDShell command on T2 (Bitcoin) event (JSON payload on stdin)
--port NListen port (default: 9514)
--bind ADDRBind address (default: 127.0.0.1 — loopback only)
--tls-cert / --tls-keyPEM files for built-in TLS (reverse proxy recommended)
--replay-window SECAnti-replay window in seconds (default: 300)

Forensic verification

Verify a saved webhook delivery is authentic and unmodified:

bash
census webhook verify-payload delivery.json \
  --signature "sha256=abc..." \
  --secret-file .census-webhook-secret

Security properties

  • HMAC-SHA256 on every delivery — Signature verified before JSON parsing. Invalid signatures are rejected (401).
  • Anti-replay guard — Bounded delivery ID deduplication (10K entries, FIFO) + timestamp window (300s). Prevents replay attacks.
  • Secret file permissions--save-secret writes with 0o600 (owner-only). Load strips comments and whitespace.
  • Loopback by default — Binds to 127.0.0.1. For public exposure, use --bind 0.0.0.0 behind a reverse proxy with TLS termination.
  • Optional built-in TLS--tls-cert / --tls-key for environments without a reverse proxy. Minimum TLS 1.2.
  • Payload size limit — 1 MB maximum. Requests exceeding this are rejected before reading the body.
  • Graceful shutdown — SIGINT/SIGTERM cleanly stops the receiver.

Configuration #

Census reads configuration from TOML files with user/project precedence:

  1. CLI flags (highest priority)
  2. Environment variables (CERTISIGMA_API_KEY, CERTISIGMA_BASE_URL)
  3. Project config (.census.toml in current directory)
  4. User config (~/.config/census/config.toml)
bash
# Create a project config template
census config init --project

# View effective configuration
census config show

# Shell completions
eval "$(census completion bash)"

Security Model #

  • Content bytes stay local — Census never uploads original file or inspected string bytes to CertiSigma. API-backed attestation and lookup operations transmit SHA-256 digests plus explicitly supplied operational metadata; metadata-oriented commands transmit only the fields required by the selected operation.
  • Duplicate maps stay localcensus duplicates emits path lists only to local stdout/files; the audit log records aggregate counts only.
  • Container member maps stay localcensus container analysis emits member names and hashes only to local stdout/files; audit entries contain aggregate counts only.
  • Opaque encrypted metadata — Annotations and tag values can be encrypted client-side with AES-256-GCM before sending to the API. The server stores ciphertext only.
  • HMAC-derived lists — Third-party inventory matching uses HMAC-SHA256 derivation. The third party sees opaque derived hashes, not your original inventory.
  • Manifest is local — The content/location mapping lives on your filesystem. CertiSigma never sees file paths, duplicate maps or directory structure.
  • Manifest encryption at rest — Manifests can be encrypted with AES-256-GCM using --encryption-key or CENSUS_ENCRYPTION_KEY env var. Encrypted files use a compact binary format with 96-bit random nonce and authenticated encryption. Auto-detected on load.
  • API key scoping — RBAC scoped keys allow read-only access for analysts with full audit trail.
  • Webhook HMAC-SHA256 — Every webhook delivery is signed with a per-webhook secret. The receiver verifies signatures before processing. Anti-replay guard prevents stored replay attacks.
  • Secret file management — Webhook secrets are written with 0o600 permissions (owner-only). Never logged, never committed. Display-once semantics at registration.
Important: API keys and webhook secrets should never be committed to source control. Use environment variables or a secrets manager. Census masks keys in config show and doctor output.

Evidence Mapping #

Census produces technical evidence that may support the objectives below. References are indicative, edition-specific cross-references: Census does not determine applicability or conformity, and this table is not legal advice or a certification statement. ISO references use ISO/IEC 27001:2022 Annex A.

Evidence objectiveIndicative referenceCensus evidence
Asset inventoryNIS2 Art.21(2)(a); ISO/IEC 27001:2022 A.5.9census scan + manifest
Duplicate location reviewISO/IEC 27001:2022 A.5.9; DORA Art.9census duplicates or duplicates --manifest local evidence report
Archive/package reviewNIS2 Art.21(2)(a), Art.21(2)(d); DORA Art.9census container local inspect/diff/drift evidence
Evidence readiness reviewInternal assurance, supplier reviewcensus assurance score + census policy check local score and CI gate with explainable findings; not a compliance verdict
Release handover evidenceSupplier review, procurement, internal auditcensus release pack + receipt verify local evidence ZIP and receipt; not a compliance verdict
Release ref drift reviewSupplier review, CI/CD assurancecensus git ref-snapshot + tag-drift read-only local Git evidence; no remote fetch or compliance verdict
TLS/DNS/web trust surface evidenceNIS2 Art.21(2)(a), Art.21(2)(e); DORA Art.9; supplier reviewcensus tls snapshot, census dns snapshot, census web snapshot and snapshot diff --snapshot-files passive snapshot and local drift evidence with no crawling, zone transfer, browser runtime, active testing, legal conclusion or policy result
Change detectionNIS2 Art.21(2)(a), Art.21(2)(f); DORA Art.9; ISO/IEC 27001:2022 A.8.9census integrity + differential
Incident response evidenceNIS2 Art.23, DORA Art.17census compare + forensic reports
Data integrity verificationDORA Art.11; ISO/IEC 27001:2022 A.8.9, A.8.32census verify-manifest
Audit trailNIS2 Art.21(2); ISO/IEC 27001:2022 A.8.15, A.8.16census audit-log plus census log seal/verify local append-only log evidence
Third-party riskNIS2 Art.21(2)(d); DORA Art.28Derived lists + share tokens
Data classificationISO/IEC 27001:2022 A.5.12Structured tagging + encryption
Cryptographic controlsISO/IEC 27001:2022 A.8.24; DORA Art.9T0/T1/T2 proof chain, AES-256-GCM
Supply chain integrityNIS2 Art.21(2d)census seal + verify-seal
Supply chain provenanceSLSA v1.0, EO 14028census provenance generate + verify
Forensic timelineISO 27037, NIST SP 800-86census timeline build + query --format bodyfile|l2tcsv|case-json
SIEM event correlationNIST SP 800-92; ISO/IEC 27001:2022 A.8.15, A.8.16census correlate run + --format cef|ecs|jsonl
Asset identifier censusISO/IEC 27001:2022 A.5.9census attest --string + --strings-file
Multi-site federationNIS2 Art.21(2)(a)census federate + --strategy latest_mtime|skip
Continuous monitoringDORA Art.9(2)census watch + webhooks + systemd
Evidence preservationISO/IEC 27001:2022 A.5.28census archive + verify-archive

Architecture #

Census is a client of the CertiSigma API. It uses the published Python SDK and treats it as a black box.

ComponentDescription
CLIClick-based, 40+ commands, global flags (-v, -q, --no-color)
ManifestSQLite (WAL mode), schema v5 objects/locations, auto-migration from JSON and SQLite v2-v4
ScannerStreamed SHA-256, parallel hashing (ProcessPoolExecutor), glob filters
DuplicatesLive or manifest-backed SHA-256 duplicate grouping with text, JSON, CSV and HTML output
ContainerLocal ZIP-family member inventory, duplicate analysis, diff/drift and JSON reports
Watcherwatchdog + producer/consumer, debounce, batch attestation, velocity alerting
RetryExponential backoff on 429/5xx with Retry-After header
ReportsHTML (zero deps), PDF (fpdf2), ZIP bundles with OTS proofs
AuditJSONL with SHA-256 hash chain, tail-read for last hash
WebhooksLightweight HTTP receiver, HMAC-SHA256 verification, anti-replay guard, TLS optional
ArchiveForensic evidence ZIP packages with SHA256SUMS integrity
SDK integration: Census consumes certisigma from PyPI. For API-level integration details, see the SDK documentation.

Global Options #

OptionDescription
-v / --verboseEnable debug logging
-q / --quietSuppress informational output
--log-format text|jsonLog output format
--no-colorDisable colored output (also NO_COLOR env)
--encryption-key HEX64AES-256-GCM key for manifest encryption at rest (or CENSUS_ENCRYPTION_KEY env)
--versionShow version