Product · DevSecOps Platform

Tamper-proof build evidence, on autopilot.

Security Compliance Management captures every software build, generates SBOM & Pipeline BOM, maps live vulnerabilities, detects security drift, and exports SEBI CSCRF-ready audit packs — turning manual compliance into a single command.

security-compliance — capture · build #2841
$ scm capture --stack java --ci github
• Build identity locked · runner-7f3a · vishal@re
→ Resolving dependency tree (Maven)...
✓ 247 components · full transitive graph
✓ SHA-256 hashed every component + artifact
✓ Encryption libs: AES-256, RSA-2048
⚠ 3 known vulnerabilities mapped (OSV / GHSA)
→ Signing metadata with OIDC (GitHub)...
✓ Build attested & sealed · tamper-proof
$ scm export --sebi-cscrf
✓ Audit pack (.docx) · Annexure-X ✓
$
  • <5min · Signup to first build
  • 100% · CSCRF fields covered
  • <5% · Build-time overhead
  • SHA-256 · Integrity on every build
01 / Capture Agent

One CLI command. Every build, captured.

A single statically-linked Go binary intercepts your build commands, runner identity, and environment — zero dependencies, zero config drift. From signup to your first captured build in under five minutes.

  • Generated curl install script tailored to your stack & OS
  • Records Build Identity — Runner ID, timestamp, and user
  • Java (Maven / Ant) and Node.js pipeline support
  • Runs in GitHub Actions & Azure DevOps with < 5% overhead
  • Statically-linked — nothing to install, nothing to break
02 / SBOM & Drift

A complete SBOM — and the drift between builds.

PipeLock parses your full transitive dependency tree into a CSCRF-grade SBOM, maps every component against OSV and the GitHub Advisory database, then diffs against your previous release to surface new risk the moment it appears.

  • Supplier, component, version & PURL for every package
  • SHA-256 integrity hash on each component and the final artifact
  • Real-time CVE lookup across OSV & GitHub Advisory
  • Visual build-to-build “diff” for dependency & environment drift
  • Flags “Known Unknowns” — legacy or unidentifiable libraries
app.mountsmy.com/sbom · SBOM · build #2841 · 247 components
COMPONENT · VERSION · PURL / SUPPLIER · SHA-256 · CRYPTO
spring-core · 5.3.27 · pkg:maven/org.springframework · a3f9b1… · none
jackson-databind · 2.13.4 · pkg:maven/com.fasterxml · 7c21de… · none
bcprov-jdk18on · 1.76 · pkg:maven/org.bouncycastle · e80a44… · AES/RSA
log4j-core · 2.17.1 · pkg:maven/org.apache.logging · f1029c… · none
legacy-utils · 0.4.2 · pkg:maven/internal · unknown · b55e7a… · unknown
node-forge · 1.3.1 · pkg:npm/node-forge · 9d3b08… · AES/RSA
express · 4.18.2 · pkg:npm/express · 2ab7f0… · none

app.mountsmy.com/security-drift · Security Drift · #2840 → #2841 · 2 NEW CRITICAL · 1 HIGH
+ CVE-2024-1597 · log4j-core 2.17.1 → RCE risk · CRITICAL
+ CVE-2024-2044 · jackson-databind · deserialization · CRITICAL
+ CVE-2023-9981 · express 4.18.2 · ReDoS · HIGH
~ spring-core 5.3.26 → 5.3.27 · version drift
− CVE-2023-4412 resolved · bcprov upgraded
~ ENV · OS image ubuntu-22.04 → ubuntu-24.04
Verdict ⚠ Build blocked — 2 new critical findings require sign-off
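The build-to-build diff described in section 02, as an added illustration rather than PipeLock's own code: two constructed SBOM snapshots are compared by PURL for added or removed components, version drift, a hash change with an unchanged version, and vulnerabilities that are new or resolved, and any new CRITICAL finding blocks the build. All component names, hashes and vulnerability ids below are constructed sample values, not real advisories.

```python
# Added example, not PipeLock code: SBOM drift check between two builds.
# Components, truncated hashes and vulnerability ids are constructed placeholders.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Component:
    purl: str          # package URL without the version qualifier
    version: str
    sha256: str        # integrity hash of the resolved artifact (truncated here)
    vulns: frozenset = field(default_factory=frozenset)  # {(id, severity)}

def drift(prev, curr):
    """Diff two SBOM snapshots (iterables of Component) keyed by PURL."""
    p, q = {c.purl: c for c in prev}, {c.purl: c for c in curr}
    r = {k: [] for k in "added removed version_drift hash_mismatch new_vulns resolved_vulns".split()}
    for purl in sorted(p.keys() | q.keys()):
        a, b = p.get(purl), q.get(purl)
        if a is None:
            r["added"].append(purl)
        elif b is None:
            r["removed"].append(purl)
        elif a.version != b.version:
            r["version_drift"].append((purl, a.version, b.version))
        elif a.sha256 != b.sha256:
            # same declared version, different bytes: only the hash reveals it
            r["hash_mismatch"].append(purl)
        old, new = (a.vulns if a else frozenset()), (b.vulns if b else frozenset())
        r["new_vulns"] += [(purl,) + v for v in sorted(new - old)]
        r["resolved_vulns"] += [(purl,) + v for v in sorted(old - new)]
    return r

def verdict(report):
    # Block on any new CRITICAL finding or on an unexplained artifact hash change.
    if report["hash_mismatch"] or any(sev == "CRITICAL" for _, _, sev in report["new_vulns"]):
        return "BLOCKED"
    return "PASS"

# Constructed snapshots for build #2840 (previous) and #2841 (current).
BUILD_2840 = [
    Component("pkg:maven/org.springframework/spring-core", "5.3.26", "aa11"),
    Component("pkg:maven/org.bouncycastle/bcprov-jdk18on", "1.75", "bb22",
              frozenset({("VULN-EXAMPLE-1", "HIGH")})),
    Component("pkg:npm/express", "4.18.2", "cc33"),
]
BUILD_2841 = [
    Component("pkg:maven/org.springframework/spring-core", "5.3.27", "aa12"),
    Component("pkg:maven/org.bouncycastle/bcprov-jdk18on", "1.76", "bb23"),
    Component("pkg:npm/express", "4.18.2", "cc34"),  # same version, new bytes
    Component("pkg:maven/org.apache.logging/log4j-core", "2.17.1", "dd44",
              frozenset({("VULN-EXAMPLE-2", "CRITICAL")})),
]
```

Running `drift(BUILD_2840, BUILD_2841)` reports the bcprov upgrade with its resolved finding, the spring-core version drift, the express hash mismatch and the newly added log4j-core with a critical finding, so `verdict` returns "BLOCKED".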
03 / SEBI CSCRF

Compliance evidence, in one click.

Toggle “SEBI CSCRF Mode” and PipeLock enforces every mandatory data field, then exports a professional .docx audit pack — cover page, vulnerability summary, the full Annexure-X table, and an OIDC-verified attestation log.

  • One-click .docx “Audit Pack” export
  • Cover page with project, build ID & compliance status
  • Summary table — Critical / High / Medium counts
  • Annexure-X table with all 10+ mandatory SEBI fields
  • Attestation log with digital signature & OIDC proof
app.mountsmy.com/audit-pack · CSCRF Audit Pack · build #2841 · Jan 09, 2026 · COMPLIANT
ANNEXURE-X · MANDATORY FIELDS
Supplier Name · org.springframework
Component Identity + PURL · 247 mapped
Cryptographic Hash (SHA-256) · verified ✓
Encryption Status · AES-256 / RSA-2048
Dependency Relationship · graph attached
Known Unknowns · 1 flagged
OIDC Attestation · GitHub ✓
⬇ Export complete · PipeLock_AuditPack_2841.docx
Under the hood

Built on tools you already trust

Open standards and battle-tested data sources — no black boxes.

  • Go · CLI Agent
  • CycloneDX · SBOM Format
  • Google OSV · Vuln DB
  • GitHub Advisory · Vuln DB
  • OIDC · Signing
  • SHA-256 · Integrity
  • Maven / Ant · Java Builds
  • Node.js · npm Builds
  • GitHub Actions · CI
  • Azure DevOps · CI
  • .docx Export · Audit Pack
  • SEBI CSCRF · Framework
How it works

From install to audit pack — 4 steps

No agents to babysit, no spreadsheets to maintain — Security Compliance Management runs inside your pipeline and produces evidence automatically.

Step 01 · Onboard: Pick your stack, build tool and OS in a web form — Security Compliance Management generates a one-line install script tailored to you.

Step 02 · Capture: The CLI agent records build identity, the full dependency tree, and SHA-256 hashes — then signs it all with OIDC.

Step 03 · Analyse: Vulnerabilities are mapped against OSV & GHSA and diffed against your last build to flag any security drift.

Step 04 · Export: One click produces a SEBI CSCRF-ready .docx audit pack — Annexure-X, vulnerability summary and attestation log.
Live · DevSecOps Platform

Ready to automate your build evidence?

Book a 30-minute walkthrough. Bring your CI pipeline — we'll show you a captured build, a live SBOM, and a SEBI-ready audit pack end to end.

  • 100% · CSCRF coverage
  • <5min · To first build
  • Onboarding new teams now