epack is a CLI for creating, signing, and verifying Evidence Packs: cryptographically sealed bundles of compliance evidence. It collects security posture from cloud providers, identity systems, and SaaS tools, signs the result with Sigstore, and lets you share verifiable evidence with auditors and customers.
| Problem | epack Solution |
|---|---|
| Evidence scattered across tools | Bundle everything into one portable pack |
| "Trust me" screenshots | Cryptographic signatures prove who collected what, when |
| Manual evidence collection | Automated collectors gather evidence from APIs |
| Comparing audit periods | epack diff shows exactly what changed |
| Sharing evidence securely | Push to registries, pull with verification |
```bash
# Homebrew (macOS/Linux)
brew install locktivity/tap/epack

# Go
go install -tags components github.com/locktivity/epack/cmd/epack@latest

# Binary releases (with SLSA Level 3 provenance)
# → github.com/locktivity/epack/releases
```

Option A: Build from files you already have

```bash
epack build evidence.pack ./reports/*.json --stream myorg/security
epack sign evidence.pack
epack verify evidence.pack
```

Option B: Automated collection pipeline
```bash
epack new my-pipeline && cd my-pipeline
# Edit epack.yaml to add collectors (GitHub, AWS, Okta, etc.)
export GITHUB_TOKEN=ghp_...
epack collect   # Lock deps → sync binaries → run collectors → build pack
epack sign *.pack
```

| Command | What it does |
|---|---|
| `epack build` | Create a pack from files |
| `epack sign` | Sign with Sigstore (keyless or key-based) |
| `epack verify` | Verify integrity and signatures |
| `epack inspect` | Show pack contents and metadata |
| `epack diff` | Compare two packs (what changed?) |
| `epack collect` | Run collectors and build a pack |
```text
evidence.pack/
├── manifest.json                  # Metadata + SHA-256 digests
├── artifacts/                     # Your evidence files
│   ├── github-posture.json
│   ├── aws-config.json
│   └── soc2-report.pdf
└── attestations/                  # Sigstore signatures
    └── manifest.json.sigstore.json
```
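The layout above is what `epack verify` checks: the manifest carries a SHA-256 digest per artifact, and the Sigstore bundle in `attestations/` signs the manifest. As an added example (not epack's own code, and using a made-up, minimal manifest schema rather than the one in the epack specification), the Go program below rebuilds such a manifest from `artifacts/` and then verifies a pack the way a careful verifier should: every listed artifact must exist with the recorded digest, manifest paths are treated as untrusted input and may not escape `artifacts/`, and any file under `artifacts/` that the manifest does not cover is rejected. It deliberately stops short of Sigstore: a digest match only proves the pack was not altered after the manifest was written; the signature over `manifest.json` is what proves who wrote it.

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Manifest is a hypothetical, minimal manifest used only for this example; the
// real epack manifest.json schema is defined by the project's specification.
type Manifest struct {
	Stream    string            `json:"stream"`
	Artifacts map[string]string `json:"artifacts"` // pack-relative path -> hex SHA-256
}

func sha256File(path string) (string, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%x", sha256.Sum256(data)), nil
}

// walkArtifacts calls fn with the slash-separated pack-relative path and the
// filesystem path of every regular file under root/artifacts.
func walkArtifacts(root string, fn func(rel, abs string) error) error {
	return filepath.WalkDir(filepath.Join(root, "artifacts"), func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		rel, err := filepath.Rel(root, p)
		if err != nil {
			return err
		}
		return fn(filepath.ToSlash(rel), p)
	})
}

// BuildManifest digests every artifact and writes root/manifest.json.
func BuildManifest(root, stream string) (*Manifest, error) {
	m := &Manifest{Stream: stream, Artifacts: map[string]string{}}
	err := walkArtifacts(root, func(rel, abs string) error {
		sum, err := sha256File(abs)
		m.Artifacts[rel] = sum
		return err
	})
	if err != nil {
		return nil, err
	}
	data, _ := json.Marshal(m)
	return m, os.WriteFile(filepath.Join(root, "manifest.json"), data, 0o644)
}

// VerifyIntegrity checks that every manifest entry names a file inside
// artifacts/ with the recorded digest and that artifacts/ holds nothing the
// manifest omits. It does not check the Sigstore attestation, so a pass proves
// the pack is unmodified, not who produced it.
func VerifyIntegrity(root string) error {
	data, err := os.ReadFile(filepath.Join(root, "manifest.json"))
	if err != nil {
		return err
	}
	var m Manifest
	if err := json.Unmarshal(data, &m); err != nil {
		return err
	}
	for rel, want := range m.Artifacts {
		// Manifest entries are untrusted input: refuse paths that escape artifacts/.
		if !strings.HasPrefix(rel, "artifacts/") || strings.Contains(rel, "..") {
			return fmt.Errorf("manifest entry %q is outside artifacts/", rel)
		}
		got, err := sha256File(filepath.Join(root, filepath.FromSlash(rel)))
		if err != nil {
			return fmt.Errorf("artifact %s unreadable: %w", rel, err)
		}
		if got != want {
			return fmt.Errorf("artifact %s: digest mismatch", rel)
		}
	}
	return walkArtifacts(root, func(rel, _ string) error {
		if _, ok := m.Artifacts[rel]; !ok {
			return fmt.Errorf("artifact %s is not covered by the manifest", rel)
		}
		return nil
	})
}

func main() {
	// Constructed sample pack in a temp dir; the artifact content is made up.
	root, _ := os.MkdirTemp("", "epack-demo")
	art := filepath.Join(root, "artifacts", "aws-config.json")
	os.MkdirAll(filepath.Dir(art), 0o755)
	os.WriteFile(art, []byte(`{"root_mfa":true}`), 0o644)
	BuildManifest(root, "myorg/security")
	fmt.Println("fresh pack:", VerifyIntegrity(root))
	os.WriteFile(art, []byte(`{"root_mfa":false}`), 0o644) // tamper after sealing
	fmt.Println("tampered pack:", VerifyIntegrity(root))
}
```

Running `main` builds a constructed pack in a temporary directory, verifies it, then edits one artifact in place and shows the digest mismatch. Files outside `artifacts/` (the manifest itself and the `attestations/` bundle) are intentionally not treated as artifacts, so a signature added after building does not trip the "not covered by the manifest" check.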
epack is extensible through a component system:
| Component | Purpose | Scope | Example |
|---|---|---|---|
| Collectors | Gather evidence from APIs | Project | epack-collector-github |
| Tools | Analyze pack contents | Project | epack-tool-policy |
| Remotes | Push/pull to registries | Project | epack-remote-s3 |
| Utilities | Standalone helper apps | User | epack-util-viewer |
```bash
# Search the catalog
epack catalog search github

# Install a collector (project-scoped)
epack install collector github

# Install a utility (user-scoped, global)
epack utility install viewer

# Run an installed utility
epack utility viewer evidence.pack
```

Good fit:
- Multi-source evidence collection (GitHub + AWS + Okta + ...)
- Audit trails requiring cryptographic proof
- Sharing evidence between organizations
- Comparing security posture over time
- CI/CD evidence pipelines
Consider alternatives if:
- Simple file archiving (use tar/zip)
- Real-time monitoring (use observability tools)
- Single-file attestations (use cosign directly)
| Variant | Use Case |
|---|---|
| `epack` | Full features: collectors, tools, remotes, utilities |
| `epack-core` | Pack operations only (no subprocess execution) |
Use epack-core for verification-only workflows (CI, auditors) where you don't need component orchestration.
```go
package main

import (
	"log"

	"github.com/locktivity/epack/pack"
	"github.com/locktivity/epack/pack/builder"
)

func main() {
	// Build
	b := builder.New("myorg/stream")
	b.AddFile("./config.json")
	b.Write("evidence.pack")

	// Read and verify. A verification whose result is discarded proves nothing,
	// so the errors from Open and VerifyIntegrity are checked rather than ignored
	// (that VerifyIntegrity reports failure through an error return is assumed).
	p, err := pack.Open("evidence.pack")
	if err != nil {
		log.Fatal(err)
	}
	defer p.Close()
	if err := p.VerifyIntegrity(); err != nil {
		log.Fatal(err)
	}
}
```

```bash
git clone https://github.com/locktivity/epack.git
cd epack
make test-all
```

See CONTRIBUTING.md for development setup and guidelines.
Apache License 2.0
Built by Locktivity
Locktivity builds tools for third-party security. We're developing epack in the open because portable, verifiable security evidence is a problem bigger than any one vendor.


