Certus logoCertusby Octave-X

Product of Octave-X

Compliance at the merge gate.

Certus is the Octave-X product for governed delivery. It scans pull requests, signs the evidence, and posts the certus/compliance merge-gate status that GitHub branch protection can require before code ships.

<48 h target per compliance PR

<2% target 14-day revert risk

Per-PR signed evidence

Ticket to evidence

A merge-gate workflow, not a post-audit dashboard

1Linear logo

Ticket

A tracked issue or PR request starts the run

2GitHub logo

PR

GitHub App evaluates the pull request

3GitHub Actions logo

Checks

Tests, SAST, SBOM, secrets, and policy gates

4Notion logo

Evidence

Signed pack for reviewers and evidence export

certus scan -> policy gate -> signed evidence
review export -> PR comment -> merge decision

What the product does

Certus is the release-control layer for teams that need engineering, security, and audit evidence on the same path. Every pull request is scanned, mapped to controls, graded for audit posture, and evaluated against a merge-gate policy that GitHub can enforce through required status checks.

Framework coverage

SOC 2, HIPAA, PCI DSS, ISO 27001, NIST, FedRAMP, CMMC, GDPR, and related control sets.

Blueprint library

Auth hardening, security headers, audit logs, secrets rotation, CI/CD, runtime shielding.

Scanner pipeline

Tests, SAST, SBOM, IaC, and secrets scanning feed the signed evidence path.

CLI and dashboard

One package for local operation, one review surface for merge approval and evidence access.

What reviewers receive

PR comments and status checks attached directly to the pull request

Required certus/compliance status for protected branches

Policy gates before merge approval

Signed evidence with control-to-code mapping

Reviewer-facing proof for security and audit

Exportable artifacts for downstream assurance workflows

Product surface

Web application

Login, review flow, evidence viewer, and organization settings

CLI package

Local scans, verification, export, policy explain, and signed evidence tools

Automation engine

Webhook intake, runner orchestration, checks, and artifact signing

GitHub control plane

Check runs, PR comments, merge gating, and branch protection handoff

Evidence storage

Signed packs, reviewer exports, retention policy, and audit retrieval

Data and network posture

Hosted deployments keep the Certus control plane managed by Octave-X with encrypted artifacts, signed evidence, and configurable retention.

Enterprise deployments can run in a customer VPC or on-prem environment so repositories, runners, keys, and evidence stay inside the network boundary you operate.

Operational boundary

Certus manages merge-gate evaluation, evidence integrity, and review surfaces. Customers manage repository permissions, runner placement, dependency policy, approval rules, and GitHub branch protection requiring certus/compliance.

Live now

What pilots can test today.

CLI scans with tests, SAST, SBOM, IaC, and secrets inputs

Signed evidence packs with hash verification and optional JWS signing

GitHub PR comments, commit status, and check-run output where permissions allow

Dry-run remediation plans and selected repository hygiene fixes

In progress

What is still expanding.

Deeper authored control coverage across every framework family

Ticket-driven remediation automation beyond the current evidence workflow

Broader GitHub App check-run write coverage without PAT fallback

More authoritative framework-specific gates as scanner trust coverage expands

Deployment options

Hosted SaaS

Fastest start; pre-audit teams

Signed evidence, 30-day artifacts

VPC Helm

Regulated data; strict compliance

Customer keys, SIEM export, custom retention

On-prem

No egress environments

Private registry and offline bundle

Pilot lane

Start narrow and prove the merge gate on one repo.

Certus pilots are designed to protect a single active pull request lane first. That keeps setup, reviewer feedback, and evidence review concrete enough to decide rollout quickly.

Day 1

Connect one repository and set the merge gate policy.

Week 1

Run real PRs through reviewer evidence and failing-pass scenarios.

Week 2

Decide rollout based on blocked PRs, evidence quality, and reviewer fit.

First-run path

1. Connect repository

Use the dashboard repository surface to connect the first GitHub repo.

2. Set policy and merge gate

Pick the first framework priorities and configure the PR blocking threshold.

3. Review evidence on live PRs

Inspect the signed pack, PR comment, and reviewer export before widening rollout.

Product by Octave-X

A product surface for governed delivery, not another post-audit dashboard.

Certus is a product of Octave-X Inc. built to keep engineering, security, and audit review aligned from request intake through merge approval.