attestations

what they contain, how to verify them, how they expire.
what is an attestation
a signed statement that a specific scan, with a specific engine and rule pack, ran over a specific input at a specific time and produced specific results. it does not certify that the code is secure. it proves that the scan happened before deploy and that the findings recorded are the ones the scanner produced. zero findings means the rules found nothing, not that there is nothing to find.
contents

input_hash       SHA-256 of the canonical file manifest
rule_pack_hash   version hash of the rule pack used
engine_version   scanner version that ran
findings         rule IDs, severities, file paths, line numbers
score / grade    numeric score and letter grade
timestamp        when the attestation was signed
signature        server key signature over the full envelope (every field above; changing any of them invalidates it)
chain_anchor     transaction hash on Base mainnet
lifecycle states

VALID        active, within TTL, no superseding scan
EXPIRED      TTL passed. re-scan required.
SUPERSEDED   a newer scan of the same input exists; verify that one instead
REVOKED      withdrawn because an engine bug invalidated its results
DISPUTED     flagged for review by a third party

only VALID is a passing state for a deploy check.
verification
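The verification procedure itself is not spelled out on this page. What follows is an added example, not Crest Deployment Systems' code, of the checks a deploy gate would run over the fields listed under contents: the signature over the full envelope, input_hash against a manifest recomputed from the files actually being deployed, and the TTL against the timestamp. The signature scheme (Ed25519), the JSON canonicalisation and field order, the manifest layout, the 24-hour TTL, the clock-skew allowance, and every sample value are assumptions. chain_anchor is carried inside the signed envelope, but checking it against Base mainnet needs an RPC query and is not done here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
	"time"
)

// Assumed, not from the page: Ed25519 server key; signature is hex over the JSON
// of Envelope in this field order; manifest is sorted "path\x00sha256(content)\n".
type Finding struct {
	RuleID   string `json:"rule_id"`
	Severity string `json:"severity"`
	Path     string `json:"path"`
	Line     int    `json:"line"`
}
type Envelope struct { // every field the signature covers
	InputHash     string    `json:"input_hash"`
	RulePackHash  string    `json:"rule_pack_hash"`
	EngineVersion string    `json:"engine_version"`
	Findings      []Finding `json:"findings"`
	Score         int       `json:"score"`
	Grade         string    `json:"grade"`
	Timestamp     time.Time `json:"timestamp"`
	ChainAnchor   string    `json:"chain_anchor"` // checking it needs a Base RPC; skipped offline
}
type Attestation struct {
	Envelope
	Signature string `json:"signature"`
}

var (
	ErrBadSignature  = errors.New("signature does not verify over the envelope")
	ErrInputMismatch = errors.New("input_hash does not match the files being deployed")
	ErrExpired       = errors.New("outside TTL: re-scan required")
)
const clockSkew = 5 * time.Minute // assumed tolerance for verifier/server clock drift

// ManifestHash recomputes the canonical manifest hash from the files being deployed.
func ManifestHash(files map[string][]byte) string {
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	h := sha256.New()
	for _, p := range paths {
		sum := sha256.Sum256(files[p])
		fmt.Fprintf(h, "%s\x00%x\n", p, sum[:])
	}
	return hex.EncodeToString(h.Sum(nil))
}

// Sign is the server side of the assumed scheme, included so the example runs offline.
func Sign(priv ed25519.PrivateKey, e Envelope) Attestation {
	msg, _ := json.Marshal(e) // cannot fail for these plain field types
	return Attestation{Envelope: e, Signature: hex.EncodeToString(ed25519.Sign(priv, msg))}
}

// Verify checks the signature first (no envelope field is trusted before that),
// then binds input_hash to the files actually being deployed, then applies the TTL.
func Verify(pub ed25519.PublicKey, a Attestation, files map[string][]byte, now time.Time, ttl time.Duration) error {
	msg, err := json.Marshal(a.Envelope)
	if err != nil {
		return err
	}
	sig, err := hex.DecodeString(a.Signature)
	if err != nil || !ed25519.Verify(pub, msg, sig) {
		return ErrBadSignature
	}
	if subtle.ConstantTimeCompare([]byte(ManifestHash(files)), []byte(a.InputHash)) != 1 {
		return ErrInputMismatch
	}
	// A timestamp ahead of the clock (beyond skew) is rejected too, so a forward-dated stamp cannot stretch the TTL.
	if age := now.Sub(a.Timestamp); age < -clockSkew || age > ttl {
		return ErrExpired
	}
	return nil
}

// SampleAttestation signs a constructed scan result over files; every value is a placeholder.
func SampleAttestation(priv ed25519.PrivateKey, files map[string][]byte, signedAt time.Time) Attestation {
	return Sign(priv, Envelope{
		InputHash: ManifestHash(files), RulePackHash: "placeholder-rule-pack-hash", EngineVersion: "0.0.0-example",
		Findings: []Finding{{RuleID: "EXAMPLE-001", Severity: "high", Path: "src/app.py", Line: 2}},
		Score: 62, Grade: "C", Timestamp: signedAt, ChainAnchor: "0x" + hex.EncodeToString(make([]byte, 32)),
	})
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	files := map[string][]byte{"src/app.py": []byte("import os\nos.system(cmd)\n")} // constructed deploy
	signedAt := time.Date(2024, 5, 1, 12, 0, 0, 0, time.UTC)
	a := SampleAttestation(priv, files, signedAt)
	fmt.Println("1h later:", Verify(pub, a, files, signedAt.Add(time.Hour), 24*time.Hour))
	fmt.Println("25h later:", Verify(pub, a, files, signedAt.Add(25*time.Hour), 24*time.Hour))
}
```

The order of the checks is the point: the signature is verified before any envelope field is used, the manifest is recomputed from the deploy's own files rather than read from the attestation, and only then is the TTL applied. SUPERSEDED, REVOKED and DISPUTED are states the attestation service holds, so an offline check like this one cannot distinguish them from VALID; a deploy gate still has to ask the service for the current state of the attestation it just verified.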
Crest Deployment Systems LLC