How It Works #
Census computes SHA-256 hashes locally. API-backed attestation and lookup operations transmit those digests plus explicitly supplied operational metadata, and receive three layers of cryptographic proof:
- T0 — ECDSA Signature — Immediate, server signs the hash with P-256
- T1 — TSA Timestamp — Minutes, Merkle tree + RFC 3161 Time Stamping Authority
- T2 — Bitcoin Anchor — Hours, Merkle root anchored via OpenTimestamps
census duplicates PATH and duplicates --manifest inventory.db group local file locations by SHA-256 and report duplicate counts and wasted bytes without API calls or destructive cleanup.census container inspect, report, duplicates, diff and drift inventory ZIP/TAR/GZIP-family artifacts locally, hash the outer artifact and members, and report unsafe archive changes without extraction or member attestation. container report --attest-container can explicitly attest only the outer artifact hash.census assurance score --manifest inventory.db produces a local evidence-readiness score, while census policy init/check turns that score into deterministic CI gates with JSON/SARIF output. No API calls and no legal compliance verdict.census release pack builds a local ZIP with artifact digests, selected SBOM/provenance/policy evidence, SHA256SUMS, VERIFY.md and a public receipt. Artifact bytes are excluded unless --include-artifacts is explicit.census git ref-snapshot and tag-drift capture read-only local branch/tag/remote evidence, detect moved release refs and emit JSON/SARIF without fetching remotes or calling the API.census tls snapshot, census dns snapshot, census web snapshot and census snapshot diff --snapshot-files capture or compare passive snapshot evidence for one explicit endpoint, domain or URL: TLS certificate metadata, DNS records, SPF/DMARC evidence, explicit DKIM selector evidence, HTTP status/header evidence, bounded content digests, optional SEO/GEO publication artifacts and local drift evidence. No crawling, zone transfer, enumeration, sitemap URL fetching, browser runtime, active vulnerability test or API call.census log seal and log verify create and verify local SHA-256/Merkle sidecars for append-only logs. Sidecars contain hashes, Merkle roots and aggregate metadata, not raw log lines. No log shipping, monitoring, API call, automatic attestation or compliance verdict.entry_type on content objects and locations.latest_mtime, latest_source, first, skip).Installation #
Python 3.10+. TOML config support on 3.10 uses tomli (auto-installed).
# Base install
pip install certisigma-census
# With watch mode (filesystem monitoring)
pip install certisigma-census[watch]
# With PDF report generation
pip install certisigma-census[report]
# All optional features
pip install "certisigma-census[watch,report,correlate]"
Quick Start #
Inventory scan
export CERTISIGMA_API_KEY=cs_...
# Scan and attest all file hashes
census scan /path/to/sensitive-files --source inventory-hr
# Dry run (hash only, no attestation)
census scan /path/to/files --dry-run
Inventory comparison
# Compare suspect files against the registry
census compare /path/to/suspect-files --manifest inventory.db
# Exit 0 = no matches, 1 = matches require review
Integrity check
# Check files against manifest baseline (100% local)
census integrity manifest.db
# Differential: only new findings since last run
census integrity manifest.db --since auto --write-state auto
# Atomic update: detect + accept changes in one step
census integrity manifest.db --auto-update
GitHub Actions #
Use the published PyPI package directly in GitHub Actions. The repository-local composite template is not currently distributed under a public reusable reference; Marketplace publication remains gated on public-repository and release-governance work.
name: Census evidence
on: [push, pull_request]
permissions:
contents: read
security-events: write
jobs:
compare:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: "3.12"
- name: Install Census
run: pip install certisigma-census
- name: Compare inventory
id: census
continue-on-error: true
env:
CERTISIGMA_API_KEY: ${{ secrets.CERTISIGMA_API_KEY }}
run: census compare ./artifacts --manifest ./inventory.db --format sarif --output census-results.sarif
- name: Upload SARIF
if: always() && hashFiles('census-results.sarif') != ''
uses: github/codeql-action/upload-sarif@v4
with:
sarif_file: census-results.sarif
category: certisigma-census
- name: Enforce Census result
if: steps.census.outcome == 'failure'
run: exit 1
security-events: write is required. GitHub also requires Code Security to be enabled before SARIF can be uploaded for private or internal repositories; public repositories can use code scanning under GitHub's applicable product terms. See the GitHub SARIF documentation.Pin certisigma-census to an approved release in production workflows for reproducibility. For a local-only integrity gate, run census integrity inventory.db --strict; it requires no API key or SARIF upload.
Commands #
Census provides 40+ commands. Expand each for options and examples.
census scan <dir>
Walk directory, compute SHA-256 hashes, attest in batch, save manifest.
| Option | Description |
|---|---|
--source LABEL | Source label for attestations |
--manifest PATH | Manifest output path |
--dry-run | Hash only, no attestation |
--resume | Resume interrupted scan |
--workers N | Parallel hashing (1–8) |
--attest-manifest | Attest manifest’s own hash |
--include/--exclude | Glob patterns for filtering |
--min-size/--max-size | Size filters (e.g. 1K, 100M) |
--json | Machine-readable output |
census compare <dir>
Hash suspect files and verify against the CertiSigma registry.
| Option | Description |
|---|---|
--manifest PATH | Local manifest for cross-reference |
--format text|json|sarif|jsonl | Output format |
--detailed | Enriched results (source, T0/T1/T2 level) |
--exit-zero | Report-only mode (always exit 0) |
--summary | Counts only, no match details |
--on-match CMD | Execute CMD on matches (JSON on stdin) |
census integrity <manifest>
Tamper detection against manifest baseline. 100% local, no API calls.
| Option | Description |
|---|---|
--strict | Exit 1 on any discrepancy |
--since PATH | Differential mode (auto = sidecar) |
--write-state PATH | Save state for next run |
--auto-update | Atomically accept changes into baseline (AIDE parity). Creates .bak backup. |
--format text|json|jsonl | Output format |
census diff <base> <target>
Compare two manifests. AIDE-style bitmask exit codes (1=added, 2=removed, 4=modified).
census duplicates <dir> | --manifest <manifest>
Local-only duplicate listing by SHA-256. Live mode scans a directory; manifest mode reuses preserved schema v5 locations without rescanning. Reports duplicate groups, duplicate file observations and wasted bytes without API calls, manifest mutation or destructive cleanup.
| Option | Description |
|---|---|
--manifest PATH | Read duplicate locations from an existing manifest without rescanning |
--include/--exclude | Glob patterns for filtering |
--min-size/--max-size | Size filters (e.g. 1K, 100M) |
--workers N | Parallel hashing (1–8) |
--format text|json|csv|html | Output format |
--output PATH | Save report to file |
--json | Machine-readable output |
census assurance score --manifest <manifest>
Local-only evidence-readiness score for a Census manifest. Reports a 0-100 score, grade, aggregate signals and explainable findings without contacting the CertiSigma API or making legal compliance claims.
| Option | Description |
|---|---|
--manifest PATH | Census manifest to score |
--format text|json | Output format |
--json | Machine-readable output |
--seal-key KEY | Optional HMAC key for local manifest seal verification |
Container-member-only observations are treated as local analysis evidence; the score checks outer artifact backing rather than expecting internal member attestation.
census policy init | check
Local assurance policy-as-code gates over census assurance score. Designed for CI and release review: reads the policy TOML, manifest database and optional local seal sidecar, then returns deterministic pass/fail output without API calls or legal compliance claims.
census policy init --output census-policy.toml
census policy init --profile strict --output census-policy.toml
census policy check --policy census-policy.toml --manifest inventory.db
census policy check --policy census-policy.toml --manifest inventory.db --format sarif| Option | Description |
|---|---|
--output PATH | Policy template path for init; result file for check |
--profile baseline|strict | Template profile for init |
--force | Allow init to overwrite an existing policy file |
--json | Machine-readable output for init or shorthand for check --format json |
--policy PATH | Census assurance policy TOML file for check |
--manifest PATH | Census manifest to evaluate |
--format text|json|sarif | Output format for policy results |
--seal-key KEY | Optional HMAC key for local manifest seal verification |
--exit-zero | Render the result but always exit 0 |
Exit codes: 0 passed, 1 policy failed, 2 usage or invalid policy. Future gates for T2, SBOM, provenance, drift, KEV, secrets and certificate expiry are disabled placeholders that fail closed if explicitly enabled before their evidence inputs exist.
census release pack | receipt generate | receipt verify
Local release evidence packaging and public receipts. Creates a ZIP with release-evidence.json, receipt.json, VERIFY.md and SHA256SUMS. No API calls, no pack attestation and no legal compliance verdict.
census release pack 1.28.2 --artifact dist/pkg.whl --manifest inventory.db --policy census-policy.toml --output release-evidence.zip
census receipt generate --release-evidence release-evidence.zip --output receipt.json
census receipt verify receipt.json --release-evidence release-evidence.zip| Option | Description |
|---|---|
--artifact PATH | Release artifact to hash; repeatable and required |
--manifest PATH | Optional Census manifest for embedded assurance score |
--policy PATH | Optional Census policy TOML; requires --manifest |
--sbom PATH / --provenance PATH | Selected evidence files for the pack |
--git-ref-snapshot PATH / --git-drift-report PATH | Optional Git release-ref evidence files for the pack |
--include-artifacts | Copy artifact bytes into the ZIP; default is digest-only artifacts |
--path-policy basename|relative|full | Path labels stored in evidence; default is basename |
--release-evidence PATH | ZIP pack or release-evidence.json used by receipt commands |
Receipt verification is offline: it checks receipt/evidence consistency and ZIP SHA256SUMS. Exit codes: 0 valid, 1 mismatch, 2 usage or invalid input.
census git ref-snapshot | tag-drift
Read-only local Git release evidence. Captures branch/tag/HEAD/remote state, redacts remote credentials and compares the current repository against a prior snapshot. No fetch, push, ref repair, API call or proof-of-compromise claim.
census git ref-snapshot --repo . --output git-refs.json
census git tag-drift --baseline git-refs.json --repo . --release-ref v1.28.2 --format json --output git-drift.json| Option | Description |
|---|---|
--repo PATH | Git repository path; default current directory |
--baseline PATH | Baseline ref snapshot JSON for drift comparison |
--release-ref REF | Optional tag/branch/ref expected to match current HEAD |
--format text|json|sarif | Drift report format |
--output PATH | Write snapshot or drift report |
--exit-zero | Render drift report but always exit 0 |
Exit codes: 0 no high/medium drift, 1 drift detected, 2 usage or invalid input. Commit messages, authors, file paths and diffs are not captured.
census tls snapshot <domain>
Passive TLS trust surface snapshot evidence for one explicit endpoint. Captures certificate metadata, SANs, issuer, expiry, algorithms, fingerprints and a canonical snapshot hash. No crawling, active vulnerability test, HTTP fetch, port scan, API call, legal conclusion or policy result.
census tls snapshot example.com
census tls snapshot example.com --format json --output tls-snapshot.json| Option | Description |
|---|---|
--port N | TLS port; default 443 |
--timeout SECONDS | Socket timeout, max 10 seconds |
--server-name NAME | Optional SNI/hostname override |
--format text|json | Output format |
--json | Machine-readable JSON output |
--output PATH | Write snapshot evidence to file |
census dns snapshot <domain>
Passive DNS trust surface snapshot evidence for one explicit domain. Queries bounded DNS records against the system resolver or an explicit resolver, records SPF/DMARC evidence, explicit DKIM selector evidence, DNSSEC-related DS/DNSKEY records when available and a canonical snapshot hash. No zone transfer, zone walking, subdomain enumeration, DKIM selector guessing, active vulnerability test, API call, legal conclusion or policy result.
census dns snapshot example.com
census dns snapshot example.com --record MX --record TXT --dkim-selector default
census dns snapshot example.com --format json --output dns-snapshot.json| Option | Description |
|---|---|
--resolver IP | Explicit DNS resolver IP; default is the first system resolver |
--timeout SECONDS | UDP query timeout, max 10 seconds |
--record A|AAAA|MX|TXT|CAA|NS|DS|DNSKEY | DNS record type to query; can be repeated |
--dkim-selector SELECTOR | Query only the explicit DKIM selector; can be repeated |
--format text|json | Output format |
--json | Machine-readable JSON output |
--output PATH | Write snapshot evidence to file |
census web snapshot <url>
Passive web/header trust surface snapshot evidence for one explicit HTTP(S) URL. Captures status, redirects, sanitized headers, common web header evidence, canonical URL evidence from the final URL or HTTP Link header, bounded content digest and a canonical snapshot hash. With --seo-geo, it adds bounded same-origin robots.txt, sitemap.xml, llms.txt, HTML canonical/hreflang and schema.org/JSON-LD evidence. Response bodies and artifact bodies are not stored; query strings and sensitive headers are redacted in rendered evidence. No crawling, sitemap URL fetching, form submission, JavaScript execution, browser/headless runtime, active vulnerability test, API call, legal conclusion or policy result.
census web snapshot https://example.com/
census web snapshot https://example.com/ --seo-geo --json
census web snapshot https://example.com/ --method HEAD
census web snapshot https://example.com/ --timeout 3 --max-redirects 3 --max-bytes 1M --format json --output web-snapshot.json| Option | Description |
|---|---|
--method GET|HEAD | HTTP method; default GET |
--timeout SECONDS | HTTP timeout, max 10 seconds |
--max-redirects N | Redirect hops to follow, max 10 |
--max-bytes SIZE | Response body bytes to hash, max 5M |
--user-agent TEXT | Optional declared User-Agent |
--seo-geo | Add bounded same-origin robots/sitemap/llms and HTML SEO/GEO evidence |
--format text|json | Output format |
--json | Machine-readable JSON output |
--output PATH | Write snapshot evidence to file |
census snapshot diff --snapshot-files <old.json> <new.json>
Local trust surface snapshot diff evidence for saved TLS/DNS/web snapshot JSON files. Compares files of the same snapshot kind, ignores runtime-only metadata such as generation timestamps and wrapper timing, emits deterministic findings and a canonical diff hash. It does not capture new evidence, crawl, probe, attest, call the API, or make legal or policy conclusions.
census snapshot diff --snapshot-files old-tls.json new-tls.json
census snapshot diff --snapshot-files old-dns.json new-dns.json --json
census snapshot diff --snapshot-files old-web.json new-web.json --format json --output snapshot-diff.json --exit-zero| Option | Description |
|---|---|
--snapshot-files | Interpret the two diff arguments as trust surface snapshot JSON files |
--format text|json | Output format |
--json | Machine-readable JSON output |
--output PATH | Write snapshot diff evidence to file |
--exit-zero | Return zero while still rendering drift evidence |
census container inspect <artifact.zip>
Local-only ZIP/TAR/GZIP-family container inventory. Reports outer artifact hash, member hashes, sizes, compression methods, CRCs and safety findings without extracting members or attesting internal files.
| Option | Description |
|---|---|
--format text|json|html | Output format |
--output PATH | Save report to file |
--json | Machine-readable output |
--max-members N | Maximum entries to analyze |
--max-member-size SIZE | Per-member uncompressed size limit |
--max-total-size SIZE | Total uncompressed size limit |
--max-ratio N | Maximum expansion ratio |
census zip inspect is an alias. archive inspect is deferred to preserve the existing census archive MANIFEST command.
census container report <artifact.zip>
Reviewable HTML/JSON/text report and optional local evidence bundle. --attest-container attests only the outer artifact SHA-256; --attest-report attests only the rendered report SHA-256. Internal members remain local analysis evidence.
| Option | Description |
|---|---|
--format html|json|text | Output format |
--output PATH | Save report to file |
--evidence-bundle PATH | ZIP bundle with inspect JSON, rendered report, metadata and SHA256SUMS |
--attest-container | Explicitly attest the outer artifact hash only |
--attest-report | Explicitly attest the rendered report hash only |
census container duplicates / diff / drift
Local-only review commands built on container inspect. They report duplicate member hashes, duplicate ZIP names, added/removed/modified members, metadata drift and safety-finding drift without extraction, remediation or member attestation.
| Command | Purpose |
|---|---|
container duplicates ARTIFACT | Duplicate member content and repeated member names |
container diff OLD NEW | Added, removed, modified and metadata-drifted members |
container drift ARTIFACT --baseline analysis.json | Compare against a prior inspect JSON baseline |
Outputs are text or JSON. Baseline JSON is size-limited and schema-validated before drift analysis.
census bulk-scan <dir>
Bulk inventory matching via /scan endpoint. Up to 50K hashes per call with auto-chunking.
| Option | Description |
|---|---|
--dry-run | Hash only, no API call |
--exit-zero | Report-only mode |
--summary | Counts only |
--source LABEL | Incident tracking label |
census verify <hash|--file>
Verify a hash or file against the registry. Full T0/T1/T2 evidence chain. No API key required.
census verify-manifest <manifest>
Full-chain verification: all manifest hashes against the registry.
census update <manifest>
AIDE-style baseline update: detect → review → accept. New entries are unattested.
census report <manifest> -o <file>
Forensic reports: HTML (zero deps), PDF (fpdf2), evidence bundles (ZIP with OTS proofs). Chain of custody metadata adds examiner, case ID, organization, and signature lines.
| Option | Description |
|---|---|
-o / --output PATH | Output file (.html, .pdf, or .json) |
--evidence | Include full T0/T1/T2 evidence chain |
--bundle | ZIP evidence bundle (report + OTS proofs + SHA256SUMS + chain_of_custody.json) |
--attest | Attest the report hash for tamper-evidence |
--integrity | Include integrity check results |
--examiner TEXT | Forensic examiner name (chain of custody) |
--case-id TEXT | Case identifier (chain of custody) |
--organization TEXT | Organization name (chain of custody) |
--notes TEXT | Free-text notes (chain of custody) |
census watch <dir>
Continuous filesystem monitoring via native OS events (inotify/FSEvents). Batched attestation with debouncing. Requires [watch] extra.
| Option | Description |
|---|---|
--on-change CMD | Shell command on file change (JSON on stdin) |
--on-attest CMD | Shell command after attestation (JSON on stdin) |
--on-t1 CMD | Shell command on T1 (TSA) webhook event |
--on-t2 CMD | Shell command on T2 (Bitcoin) webhook event |
--webhook-secret-file PATH | Signing secret for embedded webhook receiver |
--webhook-port N | Webhook receiver port (default: 9514) |
--webhook-bind ADDR | Webhook bind address (default: 127.0.0.1) |
--debounce SEC | Debounce interval (default: 2) |
--scan-on-start / --no-scan-on-start | Full scan at startup |
--include/--exclude | Glob patterns for filtering |
--alert-threshold N | Fire velocity alert when events exceed N in window |
--alert-window SEC | Rolling window for velocity alerting (default: 300 seconds) |
--alert-cooldown SEC | Minimum time between alerts (default: 600 seconds) |
--on-alert CMD | Shell command on velocity alert (JSON on stdin) |
--alert-threshold enables rolling-window event counting that flags unusual bulk activity, including scenarios that may warrant investigation for suspected exfiltration or ransomware. Alerts fire via --on-alert hook with full forensic payload. See velocity-alerting.md.--on-t1 / --on-t2 with --webhook-secret-file to start an embedded webhook receiver alongside the watcher. See Webhooks section.census seal / verify-seal
HMAC-SHA256 tamper-evidence seal for manifests (Tripwire/AIDE pattern).
census log seal | verify
Local append-only log evidence sidecars. log seal streams one explicit local log file, creates SHA-256/Merkle windows and writes a JSON .logseal sidecar without raw log lines. log verify recomputes the same evidence and reports findings without shipping logs, monitoring, calling the API, attesting automatically or making legal/security/compliance conclusions.
census log seal audit.jsonl --window 1h
census log seal audit.jsonl --window 15m --output audit.jsonl.logseal --json
census log verify audit.jsonl.logseal
census log verify audit.jsonl.logseal --log audit.jsonl --json| Option | Description |
|---|---|
--window DURATION | Evidence window such as 30s, 15m, 1h or 1d |
--output PATH | Write sidecar path for log seal |
--log PATH | Explicit log path for log verify |
--format text|json | Output format |
--json | Machine-readable JSON output |
--exit-zero | Return zero while still rendering verification findings |
census track <attestation_id>
Track attestation status and T0/T1/T2 progression. Poll until a target proof level is reached.
| Option | Description |
|---|---|
--poll | Poll until target level is reached |
--level T1|T2 | Target proof level (default: T2). Use T1 for faster TSA-only. |
--poll-interval SEC | Seconds between polls (default: 60) |
--timeout SEC | Max seconds to poll (default: 3600) |
--json | Machine-readable output |
census archive <manifest>
Create a forensic evidence preservation package (ZIP) from a manifest. Includes manifest, inventory, chain of custody metadata, and SHA256SUMS integrity file.
| Option | Description |
|---|---|
-o, --output PATH | Output ZIP path (default: evidence-YYYY-MM-DD.census.zip) |
--examiner TEXT | Examiner name (chain of custody) |
--case-id TEXT | Case identifier (chain of custody) |
--organization TEXT | Organization name (chain of custody) |
--notes TEXT | Free-text notes (chain of custody) |
--no-compress | Store files without compression |
--no-seal | Exclude manifest seal even if present |
--json | Machine-readable JSON output |
census verify-archive <archive>
Verify the integrity of a forensic archive package using the embedded SHA256SUMS file.
census webhook register | list | delete | deliveries | verify-payload | serve
Webhook management for T1/T2 lifecycle push notifications. See Webhooks section for full documentation.
census export / hash / stats
Manifest export (CSV/JSON/sha256sum), standalone hashing, org statistics.
census merge <manifest1> <manifest2> ... -o <output>
Merge multiple manifests into one. Same-hash entries preserve attestation state; same-path conflicts keep the latest mtime.
| Option | Description |
|---|---|
-o, --output PATH | Output manifest path (required) |
--json | Machine-readable JSON summary |
census compliance-report <manifest>
Generate local evidence cross-reference reports using the legacy compliance-report command name. Profiles summarize manifest and integrity signals against NIS2, DORA or ISO/IEC 27001 evidence objectives; they do not determine applicability or conformity. No API calls.
census compliance-report manifest.db -o report.html
census compliance-report manifest.db --template dora -o report.html
census compliance-report manifest.db --template iso27001 --json
census compliance-report manifest.db --integrity -o report.html| Option | Description |
|---|---|
--template nis2|dora|iso27001 | Evidence cross-reference profile (default: nis2) |
-o, --output PATH | Output file (.html or .json) |
--integrity / --no-integrity | Run integrity check and include results |
--json | Machine-readable JSON output |
census ai-policy init | apply | report
AI governance: classify inventoried assets for ML/AI training compliance.
census ai-policy init # generate .census-ai-policy.toml template
census ai-policy apply manifest.db --dry-run # classify only, no API calls
census ai-policy apply manifest.db # classify and tag attestations
census ai-policy report manifest.db -o ai.html # HTML compliance report
census ai-policy report manifest.db --json # JSON output| Option | Description |
|---|---|
-p, --policy PATH | TOML policy file (default: .census-ai-policy.toml) |
--dry-run | Classify only, do not tag attestations |
-o, --output PATH | Save report to file (.html or .json) |
--json | Machine-readable JSON output |
Policy files use TOML with [policy] section and [[rules]] array. Rules support glob patterns (*.md, docs/*.txt), size filters (min_size, max_size), and regulatory framework mapping (eu-ai-act, iso42001, c2pa). Safety-first: default_action = "exclude". Most-restrictive-wins on shared attestation IDs.
census sbom validate | diff | bundle | pipeline | vuln | vex | intake | attest | verify | summary
SBOM assurance: validate local evidence readiness, compare release-to-release drift, create local evidence bundles, generate CI reference workflows, match explicit local vulnerability feeds, summarize VEX/CSAF status evidence, evaluate supplier intake policy results, parse SPDX 2.x / 3.0.1 and CycloneDX JSON, extract SHA-256 component hashes, and batch-attest or verify hashes via the CertiSigma API.
census sbom validate bom.cdx.json --profile bsi --json
census sbom validate bom.cdx.json --profile enterprise --report-format sarif
census sbom diff old-bom.cdx.json new-bom.cdx.json --json
census sbom bundle bom.cdx.json --output sbom-evidence.zip
census sbom pipeline init --generator syft --profile bsi
census sbom vuln cache --feed osv.json --source osv --cache-dir .census/sbom-vuln
census sbom vuln match bom.cdx.json --cache-dir .census/sbom-vuln --report-format sarif
census sbom vex summarize supplier-vex.json --json
census sbom intake supplier-bom.cdx.json --policy supplier-policy.toml --json
census sbom attest sbom.spdx.json --source "ci-pipeline"
census sbom attest sbom.spdx.json --attest-document --source "ci-pipeline"
census sbom attest bom.cdx.json --dry-run --json
census sbom verify sbom.spdx.json --json
census sbom verify bom.cdx.json --exit-zero --detailed
census sbom summary sbom.spdx.json --json| Option | Description |
|---|---|
--format auto|spdx|cyclonedx | Force SBOM format (auto-detected by default) |
--profile cra-minimal|bsi|enterprise | Local evidence-readiness profile (validate only) |
--report-format text|json|sarif | Validation or diff report format |
--output PATH | Save validation/diff report or SBOM evidence ZIP |
--validation-report PATH | Include validation evidence in an SBOM bundle |
--diff-report PATH | Include diff evidence in an SBOM bundle |
--include-sbom | Copy the original SBOM body into the bundle (bundle only) |
--generator syft|cyclonedx-py | External SBOM generator family to reference (pipeline init only) |
--baseline-sbom PATH | Add a generated sbom diff step (pipeline init only) |
--attest | Add generated attestation step using CI secret CERTISIGMA_API_KEY (pipeline init only) |
--feed PATH | Explicit local vulnerability feed to ingest (vuln cache only) |
--source osv|nvd|ghsa|kev|epss|census | Local vulnerability feed source format (vuln cache only) |
--cache-dir PATH | Local vulnerability cache directory (vuln only) |
--vex PATH | Apply or include local VEX/CSAF evidence (vuln match / intake) |
--policy PATH | Supplier intake TOML policy (intake only) |
--vulnerability-report PATH | Local Census vulnerability evidence report (intake only) |
--source LABEL | Source label for attestations (attest only) |
--manifest PATH | Save attested hashes to manifest (attest only) |
--dry-run | Parse only, do not call the API (attest only) |
--attest-document | Also attest the exact SBOM document SHA-256 (attest only) |
--detailed | Include attestation level, source, timestamps (verify only) |
--exit-zero | Always exit 0, report-only mode for CI (validate/diff/verify/vuln/intake) |
--json | Machine-readable JSON output |
Supports SPDX 2.2/2.3 JSON, SPDX 3.0.1 JSON-LD and CycloneDX 1.4/1.5/1.6 JSON. File size limit: 100 MB. No external SBOM libraries required for parsing. Hashes are normalised to lowercase hex and deduplicated before submission. Document attestation sends only the exact SBOM SHA-256 digest. Validation, diff, bundle, pipeline generation, vulnerability matching, VEX/CSAF summary and intake are local-only; pipeline init writes a template and does not install external generators. Bundles exclude the original SBOM body unless --include-sbom is explicit. Reports describe evidence readiness, vulnerability evidence and policy result, not legal compliance verdicts.
census status <manifest>
Show manifest summary: content objects, preserved locations, attested/pending counts, files/strings breakdown, root directory, schema version, and federation metadata (if present).
census doctor / config / completion
Self-diagnostic (--manifest, --json), TOML configuration (config init, config show, config paths), shell completions (bash/zsh/fish).
census git-hook install | uninstall | status | run
Git integration: automatic attestation on commit. Post-commit hook hashes changed files, records in manifest, and batch-attests with commit SHA provenance.
| Option | Description |
|---|---|
--repo DIR | Git repository root (default: auto-detect) |
--manifest PATH | Manifest path relative to repo |
--source LABEL | Source label for attestations |
--dry-run | Hash only, no attestation |
--json | Machine-readable JSON output |
census provenance generate | verify
SLSA v1.0 provenance generation and verification. Creates in-toto Statement v1 envelopes with SLSA provenance predicates that document what was scanned, when, and by whom — anchored by CertiSigma three-layer proof.
census provenance generate manifest.db --source "release-v2.1"
census provenance generate manifest.db --commit abc123 --attest
census provenance generate manifest.db --sbom bom.json --embed-materials
census provenance generate manifest.db --format intoto-jsonl
census provenance verify manifest.db.provenance.json --strict --json| Option | Description |
|---|---|
--source TEXT | Source label for the scan |
--commit TEXT | Git commit SHA |
--builder-id TEXT | Builder identity URI |
--sbom PATH | Link SBOM components as resolvedDependencies |
--embed-materials | Include individual file digests (max 10K) |
--format json|intoto-jsonl | Output format |
--attest | Attest provenance hash via CertiSigma API |
--strict | Exit 1 if any subject is unverified |
Auto-detects CI environments: GitHub Actions, GitLab CI, Jenkins. Builder metadata (repo URL, commit SHA, workflow, run ID) is populated automatically.
census timeline build | query | stats
Forensic timeline — queryable SQLite index over the tamper-evident audit log. Supports time-range, action, path, and hash filters. Export to standard DFIR formats for direct import into Autopsy, AXIOM, X-Ways, and Plaso.
census timeline build --manifest .census-manifest.db
census timeline query --action scan --start -7d
census timeline query --format bodyfile --output timeline.bodyfile
census timeline query --format case-json --output case.json --case-name "Investigation-2026"
census timeline query --format l2tcsv --output timeline.csv
census timeline query --format html --output timeline.html
census timeline stats --window 1h --json| Option | Description |
|---|---|
--format bodyfile|l2tcsv|case-json|html|json|jsonl|csv | DFIR export format |
--action TEXT | Filter by action prefix (repeatable) |
--start / --end | Time range (ISO-8601 or relative: -1h, -7d) |
--around TIMESTAMP | Anchor for relative window query |
--window INT | Window size in seconds (with --around, default 300) |
--attested / --unattested | Filter by attestation status |
--case-name / --examiner | Metadata for CASE/UCO and HTML exports |
Timeline DB is always rebuildable from the audit log — it is a derived index, never the authoritative record.
census correlate run | list-rules | validate | init
SIEM-native event correlation — evaluate rules against the forensic timeline index. Output as text, JSON, JSONL, ArcSight CEF, or Elastic ECS for SOC/SIEM pipelines.
census correlate run
census correlate run --rules census-correlate.toml
census correlate run --format jsonl --timeline-dir ./timeline-db
census correlate run --format cef -o alerts.cef --start -24h
census correlate run --format ecs -o alerts.ndjson --hostname prod-host-01| Option | Description |
|---|---|
--rules PATH | Custom rules file (TOML or YAML, repeatable) |
--no-builtin | Disable built-in rules |
--format text|json|jsonl|cef|ecs | Output format |
-o / --output PATH | Write output to file (required for CEF/ECS file export) |
--severity info|low|medium|high|critical | Minimum severity to report |
--timeline-dir PATH | Timeline DB directory (repeatable for multi-manifest) |
--start / --end | Time window (ISO 8601 or relative, e.g. -24h) |
--hostname TEXT | Override hostname for ECS output |
--dry-run | Count matching events per rule without correlation |
--json | Shorthand for --format json |
-q / --quiet | Suppress informational output |
-v / --verbose | Verbose logging |
census correlate list-rules
| Option | Description |
|---|---|
--rules PATH | Include custom rules file (repeatable) |
--no-builtin | Omit built-in rules from the listing |
--json | Machine-readable JSON output |
census correlate validate RULES_FILE
| Argument / option | Description |
|---|---|
RULES_FILE | Rules file path to validate |
--json | Machine-readable JSON output |
census correlate init
| Option | Description |
|---|---|
-o / --output PATH | Output path (default: census-correlate.toml) |
census attest --string | --strings-file
Cryptographic attestation of string identifiers (serial numbers, license keys, URNs). Hashes identifiers via SHA-256, attests in batch, and saves to the manifest with entry_type=string.
census attest --string "SN-2026-0042" --source "production-batch-Q1"
census attest --strings-file serial-numbers.txt --source "batch-registry" --json
census attest --strings-file ids.txt --source "inventory" --dry-run| Option | Description |
|---|---|
--string VALUE | Attest a single string identifier |
--strings-file PATH | Attest identifiers from file (one per line, # comments) |
--source LABEL | Source label (mandatory — PII protection) |
--manifest PATH | Manifest path (default: .census-strings-manifest.db) |
--dry-run | Hash only, no attestation |
--json | Machine-readable JSON output |
census federate <m1> <m2> ... -o <output>
Aggregate manifests from multiple sites, teams, or CI pipelines into a single federated manifest. Four conflict resolution strategies handle entries with the same path but different hashes.
census federate site-a.db site-b.db -o global.db
census federate *.db -o combined.db --strategy skip --show-conflicts
census federate prod.db staging.db -o merged.db --label production --label staging --json| Option | Description |
|---|---|
MANIFESTS | Two or more manifest paths (positional) |
-o / --output PATH | Output manifest path (required) |
--strategy | latest_mtime (default), latest_source, first, skip |
--label | Source label per manifest (repeatable) |
--show-conflicts | Show conflict details in output |
--encryption-key HEX | Encrypt the output manifest |
--json | Machine-readable JSON output |
census audit-log / snapshot
Tamper-evident JSONL audit log (audit-log show, verify, clear). Named snapshots for compliance baselines (snapshot create, list, diff, delete).
census share / tag / derived-list / annotate / metadata / key-rotate / key-gen
Forensic cooperation: share tokens, structured tagging, HMAC-derived lists, annotations, key rotation.
Output Formats #
| Format | Flag | Use case |
|---|---|---|
| Text | (default) | Human-readable terminal output |
| JSON | --json or --format json | CI/CD automation, machine parsing |
| JSONL | --format jsonl | SIEM/ELK streaming, log pipelines |
| SARIF | --format sarif | GitHub Security tab, VS Code, Defect Dojo |
| CSV | --output report.csv | Spreadsheets, compliance reporting |
| sha256sum | --format sha256sum | GNU coreutils compatible (sha256sum -c) |
| HTML/PDF | -o report.html, -o report.pdf | Forensic reports (census report, compliance-report) |
| ZIP | --bundle | Evidence bundle (report + OTS proofs + SHA256SUMS) |
All JSON output includes census_version and elapsed_seconds for forensic traceability. JSONL streams end with a _summary trailer.
Forensic Features #
- Evidence chain —
census verifywith T0/T1/T2 details, OTS proof export - Forensic reports — HTML, PDF, evidence bundles (ZIP with OTS proofs + SHA256SUMS + chain of custody)
- Chain of custody —
--examiner,--case-id,--organization,--notes— forensic provenance metadata with signature lines (PDF) and manifest SHA-256 binding. Aligned with NIST SP 800-86 and ISO/IEC 27037. - Audit log — Tamper-evident JSONL with SHA-256 hash chain (
census audit-log verify) - Append-only log seal — Local SHA-256/Merkle sidecars for retained logs (
census log seal,census log verify) - Named snapshots — Compliance baselines with diff comparison
- Manifest seal — HMAC-SHA256 tamper-evidence (Tripwire/AIDE pattern)
- Differential integrity —
--since auto --write-state autofor new-findings-only mode - Baseline update — AIDE-style detect → review → accept workflow
- Atomic integrity update —
--auto-updatecombines detection and baseline acceptance in a single atomic operation with backup. No TOCTOU window. - Forensic annotation — Case IDs, notes, tags with AES-256-GCM client-side encryption
- Forensic archive —
census archivepackages manifest, inventory, chain of custody, and SHA256SUMS into a verifiable ZIP.census verify-archivechecks integrity. - Webhook evidence —
census webhook verify-payloadcryptographically verifies a saved webhook delivery against its HMAC-SHA256 signature, proving authenticity in the evidence chain. - File attribution — Owner, group, and permissions captured during scan (schema v3), available in reports and archives.
- Attested reports —
census report --attestattests the report’s own hash for tamper-evidence.census verify-reportverifies it. - Git commit attestation —
census git-hook installattests changed files on every commit, creating commit-level cryptographic provenance.
Cooperation #
Share forensic data with third parties without exposing original content.
- Derived lists — HMAC-SHA256 opaque hash lists for third-party inventory matching. The third party can match suspects without seeing your inventory.
- Share tokens — Time-limited, use-limited tokens for chain of custody.
- Structured tagging — Key-value classification with encrypted tags and cursor-paginated query.
- Annotations — Add forensic notes, case IDs, and metadata to attestations.
# Create an opaque derived list from your manifest
census derived-list create --manifest ./inventory.db --label "Q1 2026"
# Third party matches their suspects
census derived-list match <list_id> --list-key <hex64> --hashes-file suspects.txt
CI/CD Integration #
Census is designed for automation. Exit codes, report-only mode, and SARIF output integrate with any CI/CD pipeline.
| Feature | Description |
|---|---|
--exit-zero | Report-only: always exit 0 (upload SARIF without gating) |
--summary | Counts only, no match details (concise CI logs) |
--format sarif | SARIF v2.1.0 for GitHub Security tab upload |
--on-match CMD | Execute command with results on stdin when matches > 0 |
--format jsonl | Streaming output for SIEM/ELK log pipelines |
--no-color | Disable colored output (also respects NO_COLOR env var) |
-q / --quiet | Suppress info output (errors and JSON always shown) |
sbom verify --exit-zero | Verify SBOM components against the registry without gating the build |
sbom diff --report-format sarif | Report SBOM release drift in CI without uploading SBOM content |
sbom bundle --output evidence.zip | Package local SBOM evidence with SHA256SUMS and verification notes |
sbom pipeline init | Generate a reference GitHub Actions SBOM evidence workflow |
sbom attest --source ci | Attest SBOM component hashes as part of the build pipeline |
provenance generate --attest | Generate SLSA v1.0 provenance and attest provenance hash |
provenance verify --strict | Verify provenance subjects are attested (gate pipeline on failure) |
Exit Codes
| Code | Context | Meaning |
|---|---|---|
0 | All commands | Success (or --exit-zero report-only mode) |
1 | All commands | General error (API, I/O, config, or matches found) |
2 | All commands | Usage error (invalid arguments) |
1 | integrity --strict | Violations detected |
| bitmask | diff | 1=added, 2=removed, 4=modified (OR'd together) |
Webhooks #
Push-based T1/T2 lifecycle notifications. Instead of polling for attestation completion, register a webhook and receive server-side callbacks when proofs are ready.
Register a webhook
# Register and save the signing secret
census webhook register \
--url https://hooks.example.com/certisigma \
--events t1_complete,t2_complete \
--label prod-monitor \
--save-secret .census-webhook-secret
--save-secret to persist it with 0o600 permissions, or copy it immediately. It cannot be retrieved later.Manage webhooks
# List registered webhooks
census webhook list --json
# Show delivery history
census webhook deliveries wh_abc123
# Delete a webhook
census webhook delete wh_abc123
Receive webhooks
Start a lightweight HTTP receiver with HMAC-SHA256 verification, anti-replay guard, and hook dispatch:
# Standalone receiver with shell hooks
census webhook serve \
--secret-file .census-webhook-secret \
--on-t1 'notify-send "T1 certified"' \
--on-t2 'curl -X POST https://slack/hook -d @-'
# Or embed in watch mode for full lifecycle
census watch /data \
--on-change 'echo "changed"' \
--on-t1 'echo "T1 done"' \
--on-t2 'echo "T2 anchored"' \
--webhook-secret-file .census-webhook-secret
| Option | Description |
|---|---|
--secret-file PATH | Signing secret file (from register --save-secret) |
--on-t1 CMD | Shell command on T1 (TSA) event (JSON payload on stdin) |
--on-t2 CMD | Shell command on T2 (Bitcoin) event (JSON payload on stdin) |
--port N | Listen port (default: 9514) |
--bind ADDR | Bind address (default: 127.0.0.1 — loopback only) |
--tls-cert / --tls-key | PEM files for built-in TLS (reverse proxy recommended) |
--replay-window SEC | Anti-replay window in seconds (default: 300) |
Forensic verification
Verify a saved webhook delivery is authentic and unmodified:
census webhook verify-payload delivery.json \
--signature "sha256=abc..." \
--secret-file .census-webhook-secret
Security properties
- HMAC-SHA256 on every delivery — Signature verified before JSON parsing. Invalid signatures are rejected (401).
- Anti-replay guard — Bounded delivery ID deduplication (10K entries, FIFO) + timestamp window (300s). Prevents replay attacks.
- Secret file permissions —
--save-secretwrites with 0o600 (owner-only). Load strips comments and whitespace. - Loopback by default — Binds to
127.0.0.1. For public exposure, use--bind 0.0.0.0behind a reverse proxy with TLS termination. - Optional built-in TLS —
--tls-cert/--tls-keyfor environments without a reverse proxy. Minimum TLS 1.2. - Payload size limit — 1 MB maximum. Requests exceeding this are rejected before reading the body.
- Graceful shutdown — SIGINT/SIGTERM cleanly stops the receiver.
Configuration #
Census reads configuration from TOML files with user/project precedence:
- CLI flags (highest priority)
- Environment variables (
CERTISIGMA_API_KEY,CERTISIGMA_BASE_URL) - Project config (
.census.tomlin current directory) - User config (
~/.config/census/config.toml)
# Create a project config template
census config init --project
# View effective configuration
census config show
# Shell completions
eval "$(census completion bash)"
Security Model #
- Content bytes stay local — Census never uploads original file or inspected string bytes to CertiSigma. API-backed attestation and lookup operations transmit SHA-256 digests plus explicitly supplied operational metadata; metadata-oriented commands transmit only the fields required by the selected operation.
- Duplicate maps stay local —
census duplicatesemits path lists only to local stdout/files; the audit log records aggregate counts only. - Container member maps stay local —
census containeranalysis emits member names and hashes only to local stdout/files; audit entries contain aggregate counts only. - Opaque encrypted metadata — Annotations and tag values can be encrypted client-side with AES-256-GCM before sending to the API. The server stores ciphertext only.
- HMAC-derived lists — Third-party inventory matching uses HMAC-SHA256 derivation. The third party sees opaque derived hashes, not your original inventory.
- Manifest is local — The content/location mapping lives on your filesystem. CertiSigma never sees file paths, duplicate maps or directory structure.
- Manifest encryption at rest — Manifests can be encrypted with AES-256-GCM using
--encryption-keyorCENSUS_ENCRYPTION_KEYenv var. Encrypted files use a compact binary format with 96-bit random nonce and authenticated encryption. Auto-detected on load. - API key scoping — RBAC scoped keys allow read-only access for analysts with full audit trail.
- Webhook HMAC-SHA256 — Every webhook delivery is signed with a per-webhook secret. The receiver verifies signatures before processing. Anti-replay guard prevents stored replay attacks.
- Secret file management — Webhook secrets are written with 0o600 permissions (owner-only). Never logged, never committed. Display-once semantics at registration.
config show and doctor output.Evidence Mapping #
Census produces technical evidence that may support the objectives below. References are indicative, edition-specific cross-references: Census does not determine applicability or conformity, and this table is not legal advice or a certification statement. ISO references use ISO/IEC 27001:2022 Annex A.
| Evidence objective | Indicative reference | Census evidence |
|---|---|---|
| Asset inventory | NIS2 Art.21(2)(a); ISO/IEC 27001:2022 A.5.9 | census scan + manifest |
| Duplicate location review | ISO/IEC 27001:2022 A.5.9; DORA Art.9 | census duplicates or duplicates --manifest local evidence report |
| Archive/package review | NIS2 Art.21(2)(a), Art.21(2)(d); DORA Art.9 | census container local inspect/diff/drift evidence |
| Evidence readiness review | Internal assurance, supplier review | census assurance score + census policy check local score and CI gate with explainable findings; not a compliance verdict |
| Release handover evidence | Supplier review, procurement, internal audit | census release pack + receipt verify local evidence ZIP and receipt; not a compliance verdict |
| Release ref drift review | Supplier review, CI/CD assurance | census git ref-snapshot + tag-drift read-only local Git evidence; no remote fetch or compliance verdict |
| TLS/DNS/web trust surface evidence | NIS2 Art.21(2)(a), Art.21(2)(e); DORA Art.9; supplier review | census tls snapshot, census dns snapshot, census web snapshot and snapshot diff --snapshot-files passive snapshot and local drift evidence with no crawling, zone transfer, browser runtime, active testing, legal conclusion or policy result |
| Change detection | NIS2 Art.21(2)(a), Art.21(2)(f); DORA Art.9; ISO/IEC 27001:2022 A.8.9 | census integrity + differential |
| Incident response evidence | NIS2 Art.23, DORA Art.17 | census compare + forensic reports |
| Data integrity verification | DORA Art.11; ISO/IEC 27001:2022 A.8.9, A.8.32 | census verify-manifest |
| Audit trail | NIS2 Art.21(2); ISO/IEC 27001:2022 A.8.15, A.8.16 | census audit-log plus census log seal/verify local append-only log evidence |
| Third-party risk | NIS2 Art.21(2)(d); DORA Art.28 | Derived lists + share tokens |
| Data classification | ISO/IEC 27001:2022 A.5.12 | Structured tagging + encryption |
| Cryptographic controls | ISO/IEC 27001:2022 A.8.24; DORA Art.9 | T0/T1/T2 proof chain, AES-256-GCM |
| Supply chain integrity | NIS2 Art.21(2d) | census seal + verify-seal |
| Supply chain provenance | SLSA v1.0, EO 14028 | census provenance generate + verify |
| Forensic timeline | ISO 27037, NIST SP 800-86 | census timeline build + query --format bodyfile|l2tcsv|case-json |
| SIEM event correlation | NIST SP 800-92; ISO/IEC 27001:2022 A.8.15, A.8.16 | census correlate run + --format cef|ecs|jsonl |
| Asset identifier census | ISO/IEC 27001:2022 A.5.9 | census attest --string + --strings-file |
| Multi-site federation | NIS2 Art.21(2)(a) | census federate + --strategy latest_mtime|skip |
| Continuous monitoring | DORA Art.9(2) | census watch + webhooks + systemd |
| Evidence preservation | ISO/IEC 27001:2022 A.5.28 | census archive + verify-archive |
Architecture #
Census is a client of the CertiSigma API. It uses the published Python SDK and treats it as a black box.
| Component | Description |
|---|---|
| CLI | Click-based, 40+ commands, global flags (-v, -q, --no-color) |
| Manifest | SQLite (WAL mode), schema v5 objects/locations, auto-migration from JSON and SQLite v2-v4 |
| Scanner | Streamed SHA-256, parallel hashing (ProcessPoolExecutor), glob filters |
| Duplicates | Live or manifest-backed SHA-256 duplicate grouping with text, JSON, CSV and HTML output |
| Container | Local ZIP-family member inventory, duplicate analysis, diff/drift and JSON reports |
| Watcher | watchdog + producer/consumer, debounce, batch attestation, velocity alerting |
| Retry | Exponential backoff on 429/5xx with Retry-After header |
| Reports | HTML (zero deps), PDF (fpdf2), ZIP bundles with OTS proofs |
| Audit | JSONL with SHA-256 hash chain, tail-read for last hash |
| Webhooks | Lightweight HTTP receiver, HMAC-SHA256 verification, anti-replay guard, TLS optional |
| Archive | Forensic evidence ZIP packages with SHA256SUMS integrity |
Global Options #
| Option | Description |
|---|---|
-v / --verbose | Enable debug logging |
-q / --quiet | Suppress informational output |
--log-format text|json | Log output format |
--no-color | Disable colored output (also NO_COLOR env) |
--encryption-key HEX64 | AES-256-GCM key for manifest encryption at rest (or CENSUS_ENCRYPTION_KEY env) |
--version | Show version |