Evidence
Source-free evidence reviewers can inspect before your first upload.
Faultline evidence is designed to answer governance questions without requiring source upload: what was scanned, which repos need review, what changed, who received the digest, and what export can be verified.
sample evidence pack
Sanitized. Downloadable. Source-free.
Review the example receipt, governance map, weekly digest, and audit export before connecting real repos.
Sample pack
Start with the same artifacts a pilot should produce.
Download the sanitized sample evidence pack
These static files make the proof portable. Use them to inspect the shape of Faultline evidence before connecting a real repository.
Proof
See the evidence chain before you start a trial.
A qualified visitor should not have to imagine the product. This is the first-value path Faultline is built to produce: local scan, source-free receipt, governance map, weekly digest, and signed evidence.
    faultline scan ./... \
      --format snapshot \
      --out faultline.snapshot.json \
      --enterprise-url https://api.gofaultline.dev \
      --enterprise-org-id ce28dedc-be2e-410a-b65d-4b51be891f47

Source-free snapshot receipt
The scanner emits metadata that Enterprise can govern without receiving source code.
- repos: 5
- packages: 148
- findings: 37
- source uploaded: no
Governance map
One view shows the repos that need ownership, suppression, policy, or evidence review before risk is accepted again.
| Repo | Risk | Owner gaps | Suppressions | Policy | Evidence |
|---|---|---|---|---|---|
| payments-api | High | 3 | 2 expiring | drift | needs export |
| identity-gateway | Medium | 2 | current | CODEOWNERS stale | digest queued |
| billing-worker | High | 1 | 4 stale | review required | owner review |
| audit-exporter | Low | 0 | none | current | signed |
Signed audit export
Exportable records let leadership, customers, and compliance reviewers inspect what changed and verify the bytes they received.
- generated: 2026-05-05T20:26:45Z
- records: 26
- digest: sha256: verified
- signature: current
- includes: snapshots, tokens, policy events, exports
This is the conversion point: if the first few repos reveal real gaps, the rollout question changes from "what is Faultline?" to "why is this not watching every production Go repo?"
Evidence boundary
The evidence model is intentionally metadata-first.
The point is not to become another source repository. The point is to preserve the governance facts a reviewer needs.
Included in the sample evidence model
- Snapshot receipts with repository, package, finding, and signal counts
- Repo-level governance maps with ownership, suppression, policy, and evidence status
- Weekly digest summaries for verified governance recipients
- Audit export records with timestamped actions and digest verification notes
- Source-free metadata proving what was reviewed and when
Not included by default
- Source code
- Full ASTs or compiled artifacts
- Runtime traces or production logs
- Developer workstation contents
- Private incident notes unless explicitly supplied by the customer
Reviewer questions
Each artifact answers a different stakeholder question.
VP Engineering
Which Go repos are risky, who owns them, and what changed since the last review?
Platform Engineering
What work should we route: owner gaps, stale suppressions, policy drift, or dependency health?
Security / Compliance
Can we inspect evidence without granting source access to another vendor?
Customer Diligence
Can we provide timestamped, exportable records that show governance activity?
Find the continuity gaps your current tooling cannot prove away.
You may have findings, scanners, and tickets. Under scrutiny, that still may not prove governance continuity.