The official CLI and Go SDK for working with Evidence Packs. Create packs from artifacts, sign with Sigstore, push to registries, and compare over time.
Open source. Apache 2.0 licensed.
brew install locktivity/tap/epack
A ZIP archive with a manifest, your evidence artifacts, and optional signatures.
evidence.epack/
├── manifest.json                  # Metadata, digests, sources
├── artifacts/                     # Your evidence files
│   ├── soc2-report.pdf
│   ├── pentest-summary.pdf
│   └── github-posture.json
└── attestations/                  # Optional signatures
    └── manifest.json.sigstore.json
Lists every file with its SHA-256 fingerprint. This is what makes packs verifiable and diffable.
The actual evidence: audit reports, pentest summaries, compliance docs, configuration exports.
Sigstore signatures from tools or humans. Proves who created or verified the pack.
Try it in 30 seconds.
epack new my-project && cd my-project
Creates a project with a sample pack and a managed .gitignore that keeps .epack/hooks/ tracked for repo-owned customization.
epack inspect sample.epack
epack verify sample.epack

# Build a pack from your files
epack build evidence.epack ./reports/*.pdf --stream myorg/security

# Sign with Sigstore (opens browser)
epack sign evidence.epack
Stop assembling packs by hand. Collectors pull evidence from your systems, tools analyze what you've gathered, utilities help you work with packs, and remotes push them to registries.
Pull posture data from GitHub, AWS, Okta, Jira, Slack, and other systems.
Run on a schedule or trigger from CI.
Run policy checks, framework crosswalks, timeline analysis, and risk assessments.
Compliance analysis workflows.
View packs interactively, query with AI, diff periods, and export to auditor formats.
Helper tools for GRC workflows.
Push packs to registries with one command. Versioning and access control built-in.
Configure once, push anywhere.
Browse available components
Collectors for GitHub, AWS, Okta, Jira, and Slack. Tools for policy checks and risk assessment. Utilities for viewing and exporting packs. Add them to your epack.yaml and run epack collect.
Everything you need to work with Evidence Packs.
Install the CLI and build your first pack in under a minute.
Step-by-step tutorials for common workflows and use cases.
CLI commands, Go SDK, configuration, and error codes.
Understand trust levels, profiles, and continuous assurance.
Looking for the Evidence Pack specification?
The format spec, governance model, and narrative documentation live at evidencepack.org.
brew install locktivity/tap/epack. Alternatively, if you have Go installed, run go install -tags components github.com/locktivity/epack/cmd/epack@v0.1.31. You can also download pre-built binaries from the GitHub releases page.
Run epack sign and authenticate via your identity provider (GitHub, Google, Microsoft). Every signature is recorded in a public transparency log, so verification works offline.
In GitHub Actions, grant the workflow the id-token: write permission and run epack sign. In other CI/CD systems, pass EPACK_OIDC_TOKEN explicitly. The Sigstore certificate embeds the commit SHA, repository, and workflow path, so the signature proves exactly which code generated the evidence.
The pack, pack/builder, pack/verify, and sign packages are available for programmatic use. See the Go SDK reference for details.
Run epack diff old.epack new.epack. The output shows added, removed, and modified artifacts. Use --json for machine-readable output.
Initiated by Locktivity
We built Evidence Packs in the open because portable, verifiable assurance is a problem bigger than any one vendor.