Docs // honest partial coverage
SLSA mapping
Scroll Gate provides governance-as-a-service aligned with SLSA Source/Build Level 1–2 concepts for commit provenance. We do not claim full SLSA Build Level 3 or platform certification.
SLSA mapping
Ed25519
commit envelopes
offline-verifiable proof
local-only
CLI & HOOKS
repo never uploaded
Scroll Gate
PR enforcement
signed vs unsigned
SSX360
control plane
identity · billing · audit
When hosted verify passes for a PR range, each commit has a cryptographically valid envelope (or warn-mode policy allows documented gaps). Verification is logged on ssx360.com for Team+ audit export. This maps to commit provenance, not full build-artifact SLSA.
Version control
- SLSA
- Source L1 — versioned changes
- SSX360 today
- Git + signed commit envelopes on governed commits
- Gap
- Scroll desktop client still rolling out
Retained history
- SLSA
- Source L1 — immutable history
- SSX360 today
- Git objects + hosted envelope storage (Team+)
- Gap
- Community tier: local / git-notes only
Authenticated source
- SLSA
- Source L2 — authenticated commits
- SSX360 today
- Ed25519 envelopes bind actor, tool, scope
- Gap
- Default emulated keys; SE050 hardware is pilot
Hosted build
- SLSA
- Build L2 — hosted build platform
- SSX360 today
- Partial — ci_step action envelopes + hosted verify API
- Gap
- Not a replacement for GitHub Actions / Cloud Build
Non-falsifiable provenance
- SLSA
- Build L3+
- SSX360 today
- Not claimed
- Gap
- Requires hardware signing + builder attestations (Layer 4)
What hosted verify proves
- Each commit in range has a valid Ed25519 envelope (or policy documents exceptions).
- Signatures verify against trusted keys / team policy when configured.
- Verification events are retained for Team+ audit export (metered on Community).