SignedOff is an autonomous compliance officer for Python software supply chains. Given a requirements.txt, it resolves the full dependency tree, evaluates every package's license against your declared use case, identifies known CVEs, generates contextualized risk scores, and routes findings through a policy-driven decision gate with human-in-the-loop review.

What makes SignedOff different from existing scanners (Snyk, FOSSA, Black Duck, Dependabot):

1. Hash-chained, tamper-evident audit trail. Every decision — automatic or human — is sealed with SHA-256 into a verifiable chain. Tampering with any past entry invalidates all subsequent hashes. Built for SOC 2, FedRAMP, CMMC, and HIPAA audits where "show me your evidence" is the question that matters.

2. Use-case-aware risk contextualization. The same Django CVE has different urgency in a public-facing SaaS deployment versus internal tooling versus a distributed binary. SignedOff's LLM contextualizes severity against your declared deployment model — not generic CVSS scores.

3. Citation integrity guarantees. LLMs interpret evidence; they never generate citation URLs or identifiers. Every finding is backed by an OSV.dev record, GHSA advisory, or SPDX license entry — never hallucinated. The "citation integrity guardrail" forces human review when evidence is weak, regardless of severity.

4. Two-dimensional risk. License risk and security risk shown as parallel dimensions, never fused. Legal and security teams read the same dashboard and get their own answers.

5. Policy-as-code. POLICY.yml declares organizational risk tolerance in version-controlled YAML. Per-use-case license rules, severity thresholds, citation requirements. Applied uniformly across every reviewer.

Built solo over 8 days with LangGraph, FastAPI, Anthropic API, OSV.dev. Open data sources only — no vendor lock-in.

Try it: https://signedoff.onrender.com
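To make point 1 concrete, here is an added example of how a SHA-256 hash-chained audit log gives the tamper-evidence described above. This is illustrative code written for this page, not SignedOff's own implementation: the entry layout, the all-zero genesis anchor, and the sample decisions (package names, reviewer address, ticket id) are all constructed assumptions. Each entry's digest covers the previous entry's digest plus a canonical serialisation of the decision, so editing any past entry either breaks that entry's own hash or breaks the link from the entry after it.

```python
"""Minimal hash-chained, tamper-evident audit log (added example, not SignedOff code)."""
import hashlib
import json
from dataclasses import dataclass
from typing import Any

# Constructed anchor: the first entry links to 64 zero hex digits.
GENESIS = "0" * 64


def canonical(payload: dict[str, Any]) -> bytes:
    # Deterministic serialisation (fixed key order and separators) so the
    # same decision always produces the same bytes, hence the same digest.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_hash: str, payload: dict[str, Any]) -> str:
    # The digest binds this decision to the digest of the entry before it.
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(canonical(payload))
    return h.hexdigest()


@dataclass
class Entry:
    index: int
    prev_hash: str
    payload: dict[str, Any]
    hash: str


class AuditChain:
    def __init__(self) -> None:
        self.entries: list[Entry] = []

    def append(self, payload: dict[str, Any]) -> Entry:
        prev = self.entries[-1].hash if self.entries else GENESIS
        entry = Entry(len(self.entries), prev, payload, entry_hash(prev, payload))
        self.entries.append(entry)
        return entry

    def verify(self) -> int:
        """Return -1 if the chain is intact, otherwise the index of the first
        entry whose stored hash or prev_hash link no longer checks out."""
        expected_prev = GENESIS
        for entry in self.entries:
            if entry.prev_hash != expected_prev:
                return entry.index  # link to the previous entry is broken
            if entry_hash(entry.prev_hash, entry.payload) != entry.hash:
                return entry.index  # the entry's own content was altered
            expected_prev = entry.hash
        return -1


def build_sample_chain() -> AuditChain:
    # Constructed sample decisions, not real scan output.
    chain = AuditChain()
    chain.append({"actor": "policy-gate", "package": "examplepkg",
                  "decision": "block", "reason": "license not allowed for SaaS use case"})
    chain.append({"actor": "reviewer@example.com", "package": "examplepkg",
                  "decision": "override-approve", "ticket": "PLACEHOLDER-123"})
    chain.append({"actor": "policy-gate", "package": "otherpkg", "decision": "approve"})
    return chain


def tamper_demo() -> tuple[int, int]:
    """Edit a past decision in place without touching its hash:
    verification fails at that entry (index 1)."""
    chain = build_sample_chain()
    before = chain.verify()
    chain.entries[1].payload["decision"] = "approve"
    after = chain.verify()
    return before, after


def tamper_and_rehash_demo() -> int:
    """Even if the edited entry's own hash is recomputed, the next entry's
    prev_hash still points at the old digest, so verification fails at index 2."""
    chain = build_sample_chain()
    entry = chain.entries[1]
    entry.payload["decision"] = "approve"
    entry.hash = entry_hash(entry.prev_hash, entry.payload)
    return chain.verify()


if __name__ == "__main__":
    print(tamper_demo())             # (-1, 1)
    print(tamper_and_rehash_demo())  # 2
```

The second demo is the property the page relies on: rewriting one entry and re-sealing it is not enough, because every later entry commits to the original digest, so an auditor who holds the latest hash (or a signed copy of it) can detect any rewrite of history. In a real deployment the head hash would be anchored somewhere outside the writer's control, such as a signed timestamp or a separate append-only store, which is an assumption beyond what this page describes.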