See your compliance posture
in seconds.

The free npx scan produces a visual readiness indicator for nine compliance frameworks based on the severity and class of findings detected in your code. Pass / warn / fail status, percentage toward each baseline, and the gap that's blocking it.

This is a preview indicator. The free scan uses regex-based detection and cannot see taint flows, control coverage, or SBOM health. Real audit-grade evidence (OSCAL packages, DORA pillar mapping, FedRAMP ConMon) requires the licensed scan.

Not regex. Not heuristics. Full abstract syntax tree parsing via tree-sitter, with inter-procedural call graph construction and cross-file taint analysis.

Every scanner produces findings in a normalized format. SARIF 2.1.0 output is standard. Cross-file taint analysis traces data flow across module boundaries.

Every SAST tool on the market tells you what’s broken. FedRAMP, SOC 2, and ISO 27001 also require evidence of what’s implemented — what controls are present, what policies are enforced, what security architecture is in place. That evidence doesn’t exist in a vulnerability report.

AEGIS detects implemented security controls directly from your codebase. 68 detection patterns across 12 NIST 800-53 control families. Each detection produces an OSCAL control implementation statement — the exact artifact auditors and 3PAOs consume.

Code scans cover technical controls. Organizational controls — access policies, incident response procedures, training requirements — live in ISMS documents. AEGIS ingests your ISMS markdown and maps 19 policy sections to 101 NIST controls, producing OSCAL statements for procedural evidence that code analysis can’t reach.

The merge logic prefers code evidence (automated, verifiable) and supplements with ISMS evidence for procedural controls. Controls covered by both sources receive a “defense-in-depth” designation — stronger evidence for auditors.

Every finding maps to controls across all twelve frameworks simultaneously. Context-aware risk adjustment factors reachability, exposure, and compensating controls into the final score.

No other scanning tool produces OSCAL, DORA pillar mapping, VEX, and CycloneDX SBOM from a single pass over the same provenance chain. Every report is signed, timestamped, and independently verifiable. Group them by who reads them:

Not just a scan report. A verifiable evidence chain. Every pipeline action produces a hash-chained provenance entry with algorithm-agile cryptography. SLSA-compatible export.

AEGIS is the entry point. Stage 0 is free and runs locally. Stages 1 and 2 unlock when you need audit-grade evidence or third-party certification.

AEGIS rebrands. Partners deploy the same engine under their own company name, logo, colors, and product name. Your prospects never need to know what AEGIS is — they see your brand and get a diagnostic from their own code.

When a prospect runs a white-labeled scan, the structured output (framework percentages, severity counts, missing capabilities) is exportable to the partner's CRM as structured fields. This is not a PDF attachment — it is lead qualification data that pre-scopes the engagement.

Every stage runs under consequence-tier gating (T1 reversible read → T4 external side effect). Each action produces a hash-chained provenance entry. The chain is append-only and independently verifiable.

Not hypothetical capabilities. Measured results against industry-standard test suites and production codebases.

AEGIS findings feed directly into the Raknor certification decision. The following cybersecurity conditions result in certification denial regardless of governance score: