Product
From scanner observations to continuously defensible governance.
Faultline sits between local scanning and executive accountability, turning repository signals into ownership lineage, suppression controls, policy evidence, incident context, and signed audit exports.
Category
Detection scaled faster than accountability.
Organizations mistake scanner output for governance maturity. Faultline is the control layer for what happens after findings exist: ownership lineage, suppression lifecycle, policy evidence, accountability continuity, and signed audit exports.
Scanner coverage is not governance coverage
Scanners produce observations. They do not prove accountability lineage.
Ticket assignment is not ownership integrity
A Jira assignee can disappear, churn teams, or inherit risk without context.
Accepted risk without review becomes permanent exposure
Suppressions need an owner, a reason, an expiry, a review state, and proof that the assumption behind them still holds.
Manual compliance evidence is already degraded evidence
Evidence reconstructed after the fact depends on memory, screenshots, and partial system state.
Workflow
From local signals to organization-level accountability.
Scan locally
Run the OSS scanner in your shell or CI runner, where source code already lives.
Upload metadata only
Send a faultline.snapshot.v1 document containing repository facts, package records, findings, suppressions, ownership, and policy signals, not source code.
Expose governance decay
Normalize snapshots into owner gaps, orphaned findings, stale suppressions, policy drift, dependency health, incidents, and repo trends before context disappears.
Preserve accountability continuity
Move PR advisories, owner reviews, Jira/Slack activity, and weekly digests into an evidence trail that survives team churn.
Export evidence
Preserve signed exports and audit trails that make accepted risk continuously explainable.
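To make the "expose governance decay" step concrete, here is an added example, not Faultline's own code: a Go classifier that applies the lifecycle rules this page names (owner, reason, expiry, review) to constructed suppression records and rolls them up per repo. The record shape, the Owners map, and the thresholds (a 14-day expiring window and a 90-day review interval) are assumptions; the faultline.snapshot.v1 schema is not spelled out on this page.

```go
package main

import (
	"fmt"
	"time"
)

// Suppression is an assumed record shape for one accepted-risk entry in a
// snapshot. It is a hypothetical stand-in, not the faultline.snapshot.v1
// schema, which this page does not spell out.
type Suppression struct {
	Finding    string    // finding identifier the suppression covers
	Repo       string    // repository the finding lives in
	Owner      string    // accountable owner; empty means none recorded
	Reason     string    // why the risk was accepted; empty means undefended
	Expires    time.Time // zero value means no expiry was ever set
	LastReview time.Time // zero value means never reviewed
}

// Owners is the set of identities still accountable for a repo, for example
// CODEOWNERS entries that still resolve to active accounts.
type Owners map[string]bool

// State is the lifecycle verdict for one suppression.
type State string

const (
	Current  State = "current"  // owned, justified, reviewed, not near expiry
	Expiring State = "expiring" // owned and valid, but inside the warning window
	Stale    State = "stale"    // expired, never given an expiry, unreviewed, or unjustified
	Orphaned State = "orphaned" // no owner, or the owner is no longer accountable
)

// Policy holds the two thresholds the classifier needs (assumed values).
type Policy struct {
	ExpiringWindow time.Duration // flag this long before expiry
	ReviewInterval time.Duration // unreviewed for longer than this is stale
}

// Classify applies the lifecycle rules in priority order. Ownership is checked
// first: a suppression nobody owns cannot be defended whatever its other
// fields say, so it is reported as orphaned before anything else.
func Classify(s Suppression, owners Owners, p Policy, now time.Time) State {
	if s.Owner == "" || !owners[s.Owner] {
		return Orphaned
	}
	if s.Reason == "" || s.Expires.IsZero() || !now.Before(s.Expires) {
		return Stale
	}
	if s.LastReview.IsZero() || now.Sub(s.LastReview) > p.ReviewInterval {
		return Stale
	}
	if s.Expires.Sub(now) <= p.ExpiringWindow {
		return Expiring
	}
	return Current
}

// Summarize counts suppressions per repo and state, the numbers a governance
// map column such as "2 expiring" or "4 stale" would be built from.
func Summarize(sups []Suppression, owners map[string]Owners, p Policy, now time.Time) map[string]map[State]int {
	out := map[string]map[State]int{}
	for _, s := range sups {
		if out[s.Repo] == nil {
			out[s.Repo] = map[State]int{}
		}
		out[s.Repo][Classify(s, owners[s.Repo], p, now)]++
	}
	return out
}

func main() {
	// Constructed sample data; repos, owners and finding IDs are illustrative.
	now := time.Date(2026, 5, 5, 20, 26, 45, 0, time.UTC)
	day := 24 * time.Hour
	owners := map[string]Owners{
		"payments-api":   {"alice": true, "payments-team": true},
		"billing-worker": {"carol": true},
	}
	sups := []Suppression{
		{Finding: "G101", Repo: "payments-api", Owner: "alice", Reason: "test fixture, not shipped", Expires: now.Add(90 * day), LastReview: now.Add(-20 * day)},
		{Finding: "G204", Repo: "payments-api", Owner: "payments-team", Reason: "mitigated by input allowlist", Expires: now.Add(7 * day), LastReview: now.Add(-5 * day)},
		{Finding: "G304", Repo: "payments-api", Owner: "bob", Reason: "path is operator controlled", Expires: now.Add(30 * day), LastReview: now.Add(-5 * day)}, // bob has left the team
		{Finding: "G401", Repo: "billing-worker", Owner: "carol", Reason: "legacy checksum only", Expires: now.Add(-2 * day), LastReview: now.Add(-100 * day)},
		{Finding: "G501", Repo: "billing-worker", Owner: "carol", Reason: "", Expires: now.Add(60 * day), LastReview: now.Add(-1 * day)},
	}
	policy := Policy{ExpiringWindow: 14 * day, ReviewInterval: 90 * day}
	for repo, counts := range Summarize(sups, owners, policy, now) {
		fmt.Printf("%-15s %v\n", repo, counts)
	}
}
```

The order of the checks is the point: a suppression with a departed owner is reported as orphaned even if its expiry and reason look healthy, because nobody can answer for it, and a suppression with no reason or no expiry is stale even when it has an owner, because it cannot be reviewed against anything.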
Proof
See the evidence chain before you start a trial.
A qualified visitor should not have to imagine the product. This is the first-value path Faultline is built to produce: local scan, source-free receipt, governance map, weekly digest, and signed evidence.
```shell
faultline scan ./... \
  --format snapshot \
  --out faultline.snapshot.json \
  --enterprise-url https://api.gofaultline.dev \
  --enterprise-org-id ce28dedc-be2e-410a-b65d-4b51be891f47
```
Source-free snapshot receipt
The scanner emits metadata that Enterprise can govern without receiving source code.
- repos: 5
- packages: 148
- findings: 37
- source uploaded: no
Governance map
One view shows the repos that need ownership, suppression, policy, or evidence review before risk is accepted again.
| Repo | Risk | Owner gaps | Suppressions | Policy | Evidence |
|---|---|---|---|---|---|
| payments-api | High | 3 | 2 expiring | drift | needs export |
| identity-gateway | Medium | 2 | current | CODEOWNERS stale | digest queued |
| billing-worker | High | 1 | 4 stale | review required | owner review |
| audit-exporter | Low | 0 | none | current | signed |
Signed audit export
Exportable records let leadership, customers, and compliance reviewers inspect what changed and verify the bytes they received.
- generated: 2026-05-05T20:26:45Z
- records: 26
- digest: sha256: verified
- signature: current
- includes: snapshots, tokens, policy events, exports
Download the sanitized sample evidence pack
These static files make the proof portable. Use them to inspect the shape of Faultline evidence before connecting a real repository.
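What "verify the bytes they received" has to mean in practice, as an added example in Go that is not Faultline's export format: the export bytes are hashed with SHA-256, the digest and the export metadata are bound together in a small manifest, and the manifest is signed with Ed25519. The manifest fields, the canonical payload layout, the key ID, and the out-of-band trusted-key set (standing in for "signature: current") are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is an assumed sidecar shape for a signed export: it binds the
// SHA-256 of the export bytes to the export's metadata and to the key that
// signed it. It is illustrative, not Faultline's actual export format.
type Manifest struct {
	Generated string // RFC 3339 timestamp of the export
	Records   int    // number of records in the export
	Digest    string // hex SHA-256 over the export bytes
	KeyID     string // which signing key a reviewer must check against
	Signature []byte // Ed25519 signature over signedPayload(m)
}

// signedPayload is the canonical byte string the signature covers. Every
// field a reviewer relies on is included, so none can be edited after the
// fact without invalidating the signature.
func signedPayload(m Manifest) []byte {
	return []byte(fmt.Sprintf("export-manifest/v0\n%s\n%d\n%s\n%s\n",
		m.Generated, m.Records, m.Digest, m.KeyID))
}

// SignExport hashes the export bytes and signs the resulting manifest.
func SignExport(priv ed25519.PrivateKey, keyID string, export []byte, generated string, records int) Manifest {
	sum := sha256.Sum256(export)
	m := Manifest{Generated: generated, Records: records, Digest: hex.EncodeToString(sum[:]), KeyID: keyID}
	m.Signature = ed25519.Sign(priv, signedPayload(m))
	return m
}

// TrustedKeys maps key IDs to public keys a reviewer accepted out of band.
// A key missing here is unknown or retired, which is what a "current"
// signature has to mean: the key that signed is still trusted today.
type TrustedKeys map[string]ed25519.PublicKey

// VerifyExport checks, in order: the signing key is currently trusted, the
// manifest is authentic, and the export bytes match the digest the manifest
// vouches for. The signature is checked before the digest so the digest
// field is only compared once it is known to be the signer's own value.
func VerifyExport(keys TrustedKeys, export []byte, m Manifest) error {
	pub, ok := keys[m.KeyID]
	if !ok {
		return fmt.Errorf("signing key %q is not currently trusted", m.KeyID)
	}
	if !ed25519.Verify(pub, signedPayload(m), m.Signature) {
		return errors.New("manifest signature invalid: metadata or digest was altered")
	}
	sum := sha256.Sum256(export)
	if hex.EncodeToString(sum[:]) != m.Digest {
		return errors.New("digest mismatch: export bytes differ from what was signed")
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	keys := TrustedKeys{"export-key-2026": pub}

	// Constructed export body; a real export would carry the records themselves.
	export := []byte(`{"snapshots":5,"tokens":2,"policy_events":15,"exports":4}`)
	m := SignExport(priv, "export-key-2026", export, "2026-05-05T20:26:45Z", 26)
	fmt.Println("pristine:        ", VerifyExport(keys, export, m))

	tampered := append([]byte(nil), export...)
	tampered[0] = '[' // one byte changed in transit
	fmt.Println("altered bytes:   ", VerifyExport(keys, tampered, m))

	m2 := m
	m2.Records = 27 // record count edited in the manifest
	fmt.Println("altered manifest:", VerifyExport(keys, export, m2))

	fmt.Println("retired key:     ", VerifyExport(TrustedKeys{}, export, m))
}
```

The reviewer needs only the export bytes, the manifest, and the public key they already trust; nothing about the check depends on the system that produced the export still being reachable, which is the property that makes the evidence portable.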
This is the conversion point: if the first few repos reveal real gaps, the rollout question changes from "what is Faultline?" to "why is this not watching every production Go repo?"
Product
The operating view for production Go repos whose governance story may not survive scrutiny.
Each view answers the question engineering leaders eventually get asked: what is risky, who owns it now, why was it accepted, what changed, and what proof can we export?
Governance exposure map
Show which repositories carry unresolved owner gaps, undefended suppressions, policy drift, and audit exposure before someone asks for proof.
Ownership integrity
Identify services where CODEOWNERS, recent authorship, and operational accountability cannot survive staffing churn.
Suppression lifecycle control
Keep accepted risk from becoming invisible permanent exposure with owners, reasons, expiry, review state, and evidence history.
Policy enforcement lineage
Turn architecture rules and governance standards into versioned policy that leaves reviewable evidence.
PR advisory risk gates
Surface package risk, policy drift, owner gaps, and suppression context before another repository inherits debt without context.
Dependency health
Persist dependency metadata and enrich GitHub-hosted modules with maintenance, archived, and stale signals.
Incident correlation
Connect high-risk packages to incident history so review work starts where governance failure already hurt.
Accountability routing
Route owner gaps, expiring suppressions, and policy review into Slack and Jira without pretending those tools are governance systems.
Weekly governance digests
Keep accountable recipients current before orphaned findings, expiring suppressions, and policy drift become institutional memory loss.
Signed audit exports
Export signed evidence packages that show what changed, who reviewed it, and which governance decisions can survive scrutiny.
Evidence model
Signals are advisory, reviewable, and exportable.
No invented certifications
Faultline reports its actual controls and deployment posture. Formal certifications are not claimed on this site.
No incident-prevention claims
Faultline identifies structural risk. It does not promise that outages or incidents are prevented.
Open-core by design
The OSS scanner remains useful on its own. Enterprise adds accountability continuity, evidence, and organization-scale governance.
Find the continuity gaps your current tooling cannot prove away.
You may have findings, scanners, and tickets. Under scrutiny, that still may not prove governance continuity.