NUCLEUS VERIFY

The trust layer for software verification.

Nucleus runs the tools you already trust — Semgrep, Bandit, Gitleaks, OSV-Scanner, your own tests — combines their output, signs the aggregate, and publishes it to a public transparency log. Anyone can verify it offline. Anyone can reproduce it byte-for-byte. Works on any code: AI-generated, hand-written, or anywhere in between.

What's included in every scan

  • Live demo: paste code, see a signed attestation. Five scanners + a sandbox run in ~5 seconds. No signup.
  • Transparency log: every certificate recorded, hash-chained. Detectable forgery even if our server is compromised.
  • Offline verification: one Python file, PyNaCl only. Revocation enforced. Works without our server.
  • Seven gates · Five scanners: Semgrep · Bandit · Gitleaks · OSV, plus structural, determinism, contract, build, sandbox.
Verification Corpus (live counters): repos scanned, consistency errors, repos verified, certificates, lines of code, findings, proof packs.

Gates: Artifact Integrity · Determinism · Contract Adherence · Build Validation · Structural Integrity · External Scanners · Sandboxed Execution

Verify a Repository

Public GitHub, GitLab, and Bitbucket repositories. Results in 15 seconds to 5 minutes depending on repository size. Large repos processed asynchronously.

Try an example:

Real scan of expressjs/express. All values deterministic and independently verifiable.

What you receive after a scan

  • Verification Report: full analysis report with gate results, security findings, code metrics, and improvement suggestions.
  • Signed Certificate: Ed25519-signed PDF certificate with cryptographic proof hashes, independently verifiable by anyone.
  • Proof Pack: downloadable proof pack containing all artifacts needed to independently replay and verify the result.
Upload: drop a ZIP file or browse for one. The file extension determines language detection.

Paste: paste the full AI response including code blocks. Nucleus will extract the code and verify the implementation against your claims. Optionally, list what the AI claims to have implemented.

  • Deterministic Replay: same inputs, same hash, every time.
  • Signed Certificates: Ed25519 offline verification.
  • Honest Disclosure: every cert says what was NOT checked.

Large repositories supported. Very large scans are processed asynchronously.

Languages we sandbox

Every scan runs your code inside a hardened bubblewrap sandbox — no network, nobody uid, dropped caps. Compile & syntax-check steps are wired for each of the languages below.

Python JavaScript TypeScript Go Rust Java Kotlin Scala Groovy Clojure Ruby PHP C C++ C# Objective-C Elixir Erlang Haskell Lua R Julia Perl OCaml Racket Ada D Nim Pascal COBOL Assembly Shell Crystal

Five SAST engines on every scan: Semgrep · Bandit · Gitleaks · OSV-Scanner · CodeQL Deep Analysis

False-positive suppression via .nucleus-ignore

Nucleus Verify blocks the verdict on hardcoded secrets, command injection, and critical IaC misconfigurations. If a match is a known false positive, drop a .nucleus-ignore file at your repo root to suppress it.

Read suppression syntax →

How it works

1. Submit your code

Provide a public repository URL, upload a ZIP archive, or paste source code directly. Nucleus Verify clones the repository, indexes every file, and builds a complete artifact map before analysis begins.

2. Seven deterministic gates

Every scan passes through the same pipeline: gate_v2 (artifact integrity, JSON-canonical tree hashing), gate_d (determinism — same inputs always yield the same det_hash), contract (structural evidence matches the prompt or README), build (syntax & manifest), gate_s (995 structural operators for auth gaps, dead routes, hallucinated APIs, secrets), gate_scanners (external SAST, see below), and gate_exec (sandboxed compile + tests inside bubblewrap). Each gate produces a pass/fail result with evidence.

3. Five external scanners, versions pinned

On every scan, Nucleus runs Semgrep (p/security-audit — CWE Top 25 coverage), Bandit (Python-specific), Gitleaks (hardcoded secrets), and OSV-Scanner (250,000+ dependency CVEs). The version, binary, and finding fingerprint of each tool are recorded on the attestation, so a third party re-running the same tools on the same artifacts gets byte-identical results. Business plans unlock 8 enhanced operator packs (Semgrep Pro rule sets, AI analysis, custom compliance). Enterprise customers can request custom operators mapped to their specific frameworks.

4. Signed attestation, published to the transparency log

You receive an Ed25519-signed certificate, an in-toto / SLSA v1 DSSE envelope, and a SARIF 2.1.0 report for your existing security tooling. The signature is appended to a public hash-chained transparency log, so forgery is detectable even without trusting us.

5. Verifiable offline — by anyone, without us

Download our single-file Python verifier (only dependency: PyNaCl) and the public-key bundle. Your auditor can confirm any Nucleus certificate without a network call to us. Revoked keys are rejected automatically.

6. Wire it into your CI in three lines

Add Nucleus to GitHub Actions, GitLab CI, CircleCI, or any pipeline that can POST to an API. Attestation links are posted on every PR. View on GitHub →
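The tamper-evidence property behind steps 4 and 5 (an append-only, hash-chained log that anyone can check offline, with revoked keys rejected) is easy to see in code. The block below is an added illustration, not Nucleus Verify's verifier or log code: the entry layout (index, prev_hash, cert_hash, key_id, entry_hash), the key-id strings and the sample certificates are constructed for the example, and signature checking is left out so it runs on the Python standard library alone. What remains is the part a hash chain gives you for free: any rewrite of an earlier entry is caught either at that entry or at the next one's back-link, and a full re-chaining changes the tip that clients recorded earlier.

```python
"""Hash-chained transparency log: append, verify offline, enforce revocation.

Added illustration, not Nucleus Verify's code. Entry layout, key ids and the
sample certificate hashes are constructed; signatures are out of scope here.
"""
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first entry


def canonical(obj) -> bytes:
    """Deterministic JSON encoding so every verifier hashes the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=True).encode()


def entry_hash(entry: dict) -> str:
    """SHA-256 over the entry body (everything except its own entry_hash)."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(canonical(body)).hexdigest()


def append(log: list, cert_hash: str, key_id: str) -> dict:
    """Append one certificate record, linking it to the previous entry's hash."""
    prev = log[-1]["entry_hash"] if log else GENESIS
    entry = {"index": len(log), "prev_hash": prev, "cert_hash": cert_hash, "key_id": key_id}
    entry["entry_hash"] = entry_hash(entry)
    log.append(entry)
    return entry


def tip(log: list) -> str:
    """Hash of the newest entry; a client that records it can later detect rewrites."""
    return log[-1]["entry_hash"] if log else GENESIS


def verify_log(log: list, revoked_keys: set) -> list:
    """Offline check: chain continuity, per-entry integrity, no revoked signing keys."""
    problems = []
    prev = GENESIS
    for i, e in enumerate(log):
        if e["index"] != i:
            problems.append(f"entry {i}: index mismatch")
        if e["prev_hash"] != prev:
            problems.append(f"entry {i}: chain break")
        if entry_hash(e) != e["entry_hash"]:
            problems.append(f"entry {i}: body does not match entry_hash")
        if e["key_id"] in revoked_keys:
            problems.append(f"entry {i}: signed with revoked key {e['key_id']}")
        prev = e["entry_hash"]
    return problems


def build_demo_log() -> list:
    """Constructed sample: three certificate hashes, two signing keys."""
    log = []
    for name, key in (("cert A", "key-2026-01"), ("cert B", "key-2026-01"), ("cert C", "key-2025-07")):
        append(log, hashlib.sha256(name.encode()).hexdigest(), key)
    return log


def tampered_log(recompute: bool) -> list:
    """Server-side rewrite of entry 1. With recompute=True the attacker also fixes
    entry 1's own hash, which only moves the detection to entry 2's prev_hash."""
    log = [dict(e) for e in build_demo_log()]
    log[1]["cert_hash"] = hashlib.sha256(b"forged cert").hexdigest()
    if recompute:
        log[1]["entry_hash"] = entry_hash(log[1])
    return log


def rewritten_log() -> list:
    """Full rewrite: entry 1 forged and every later entry re-chained. The chain
    verifies, but the tip no longer matches the one clients recorded earlier."""
    old = build_demo_log()
    log = old[:1]
    append(log, hashlib.sha256(b"forged cert").hexdigest(), old[1]["key_id"])
    for e in old[2:]:
        append(log, e["cert_hash"], e["key_id"])
    return log


if __name__ == "__main__":
    print("clean:", verify_log(build_demo_log(), set()))
    print("revoked key:", verify_log(build_demo_log(), {"key-2025-07"}))
    print("partial tamper:", verify_log(tampered_log(recompute=True), set()))
    print("full rewrite verifies:", verify_log(rewritten_log(), set()) == [])
    print("tip changed:", tip(rewritten_log()) != tip(build_demo_log()))
```

The last two lines of the demo are the reason a log like this is published rather than kept private: a server that controls the whole log can always re-chain it into a consistent state, so tamper evidence rests on clients (or a mirror) having recorded an earlier tip and comparing. In the real scheme the entries would additionally carry an Ed25519 signature checked against the public-key bundle; that is the piece PyNaCl supplies and this standard-library example omits.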


Seven gates. Five scanners. Every verification.

Every run is deterministic. Every tool's version is recorded. Every result is signed and published to a public log.

gate_v2 — Artifact Integrity
Structure, file-tree hash, completeness. JSON-canonical hashing so filenames with special characters cannot forge digests.
gate_d — Determinism
Identical inputs always produce identical det_hash. Verified with three artifact orderings.
contract — Contract Adherence
Structural evidence in the code matches the prompt or README claims.
build — Build Validation
Syntax valid, manifest present, no blocking errors.
gate_s — Structural Integrity
995 operators. Auth without authorisation, missing pagination, dead routes, AI-hallucination patterns, secrets, insecure dependencies.
gate_scanners — External SAST
Semgrep (p/security-audit), Bandit (Python), Gitleaks (secrets), OSV-Scanner (CVE database). Each tool’s version and finding fingerprint are recorded and signed.
gate_exec — Sandboxed Execution
Code is actually compiled and its tests actually run inside bubblewrap: no network, read-only filesystem, resource caps. If the code doesn’t work, the verdict drops.
gate_scanners — External Scanners (SAST)
Five independent engines run on every artifact: Semgrep (semantic patterns), Bandit (Python security), Gitleaks (secrets), OSV-Scanner (known CVEs), and CodeQL (GitHub’s semantic data-flow engine — CWE-22, CWE-78, CWE-89, CWE-94, CWE-611, CWE-918 and more). Gate passes only when no critical findings remain.
gate_exec — Sandboxed Execution
Code compiles and tests pass inside a bubblewrap sandbox with no network, no host FS, dropped capabilities. 33 runtimes supported: Python, JavaScript, TypeScript, Go, Rust, Java, Kotlin, Scala, Groovy, Clojure, Ruby, PHP, C, C++, C#, Objective-C, Elixir, Erlang, Haskell, Lua, R, Julia, Perl, OCaml, Racket, Ada, D, Nim, Pascal, COBOL, Assembly, Shell, Crystal. Proves the code is not only well-formed but also runnable in a hostile environment.

What Nucleus Verify still does not check: business logic correctness, runtime behaviour under production load, zero-day vulnerabilities, accessibility.

See all seven gates run on code you paste →


System Specification

  • Version: 1.2.0
  • Verification gates: 7 (v2, d, contract, build, s, scanners, exec)
  • External scanners: Semgrep · Bandit · Gitleaks · OSV-Scanner (versions recorded per scan)
  • Transparency log: /transparency-log, append-only, hash-chained
  • Standard operators: 995 across 31 families
  • Enhanced operators: 249 across 8 packs
  • Total operators: 681
  • Languages: 19 source languages natively (65+ via Semgrep on Business)
  • CVE database: 250,000+ vulnerabilities (local OSV mirror)
  • Certificate signing: Ed25519
  • Hash algorithm: SHA-256
  • Deterministic seed: 42
  • Benchmark corpus: 915 repos, 0 errors
  • Test coverage: 2623+ tests
  • Framework mapping: 11 frameworks: OWASP LLM, NIST AI RMF, ISO 27001, DORA, FCA, PSD2, SWIFT, GDPR, HIPAA, PCI-DSS, SOC2

Example Verification Result

Verdict: VERIFIED
  • Gates: gate_v2 passed · gate_d passed · contract passed · build passed · gate_s passed · gate_scanners passed · gate_exec passed
  • Artifacts scanned: 12
  • Stack detected: node
  • Trust score: 100/100 (A)
  • Scan grade: A
  • Operators matched: 55/995

Real result from a public repository verification. All values are deterministic and reproducible.

Deterministic Verification

Every verification run produces the same cryptographic hashes for the same input. You can independently replay any proof pack to confirm the result.

det_hash bfbe36be061fe607bc500ef270ef24f7309dcefce707952b9f6a9d708352b513
spec_hash 29c5e4a36eaa753a155fd1d4e931187c296746ee6309cf68ccd8b419021afccc
artifact_tree_hash 20b196389c6629eb204143556855b3095dc99462cc23a25ea9d18464e147d401
proof_pack_hash 33c0749da9aff525d4dd62bcf764e2cbf343609d21e78ca37465fec53a9e389b

Same repository, same seed, same hashes. Always.
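Two of the properties claimed on this page, that the same inputs always yield the same det_hash regardless of how artifacts are listed (gate_d) and that JSON-canonical hashing stops special-character filenames from forging a digest (gate_v2), can be demonstrated side by side. The block below is an added example, not Nucleus Verify's hashing code: both hashing schemes, the leaf layout and the sample file trees are constructed for illustration, and the page does not say which exact serialisation Nucleus uses. The weak scheme concatenates name and content with a separator; the canonical scheme hashes each file's content first and then serialises the name-to-digest map as sorted, fixed-separator JSON.

```python
"""JSON-canonical tree hashing: order-independent and not forgeable via filenames.

Added illustration, not Nucleus Verify's code. The two schemes, the leaf layout
and the sample trees are constructed for this example.
"""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def naive_tree_hash(files: dict) -> str:
    """Weak scheme: hash of 'name:content\\n' concatenated in listing order.
    A separator character inside a filename lets two different trees produce
    the same byte stream, and the digest also depends on listing order."""
    stream = b"".join(name.encode() + b":" + content + b"\n" for name, content in files.items())
    return sha256_hex(stream)


def canonical_tree_hash(files: dict) -> str:
    """Canonical scheme: per-file content digests, then one JSON document with
    sorted keys, fixed separators and ASCII escaping. Every filename is a JSON
    string, so no character in a name can merge with or split another field."""
    leaves = {name: sha256_hex(content) for name, content in files.items()}
    doc = json.dumps(leaves, sort_keys=True, separators=(",", ":"), ensure_ascii=True)
    return sha256_hex(doc.encode())


def collision_pair():
    """Constructed trees the naive scheme cannot tell apart:
    file 'a' holding b'x:y' versus file 'a:x' holding b'y'."""
    return {"a": b"x:y"}, {"a:x": b"y"}


def orderings(files: dict) -> list:
    """Three listings of the same tree, mirroring gate_d's three-ordering check."""
    items = list(files.items())
    return [dict(items), dict(reversed(items)), dict(sorted(items, key=lambda kv: kv[1]))]


def orderings_agree(hash_fn, files: dict) -> bool:
    """True when every listing order of the tree hashes to the same digest."""
    return len({hash_fn(order) for order in orderings(files)}) == 1


SAMPLE_TREE = {  # constructed artifact map
    "src/main.py": b"print('hello')\n",
    "README.md": b"# demo\n",
    "requirements.txt": b"requests==2.31.0\n",
}


if __name__ == "__main__":
    t1, t2 = collision_pair()
    print("naive collides:", naive_tree_hash(t1) == naive_tree_hash(t2))
    print("canonical distinguishes:", canonical_tree_hash(t1) != canonical_tree_hash(t2))
    print("naive order-independent:", orderings_agree(naive_tree_hash, SAMPLE_TREE))
    print("canonical order-independent:", orderings_agree(canonical_tree_hash, SAMPLE_TREE))
    print("canonical tree hash:", canonical_tree_hash(SAMPLE_TREE))
```

The check that matters for an auditor replaying a proof pack is the third and fourth print line: with the canonical scheme the digest depends only on the set of (path, content) pairs, so an independent re-implementation that walks the tree in a different order still reproduces the recorded artifact_tree_hash. Hashing content before serialising also keeps large files out of the JSON document and means a file's bytes can never be confused with the structure around them.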

AI-generated code: one use case among many

Nucleus works on any code — hand-written, AI-written, generated, vendored. AI output has characteristic failure modes (hallucinated APIs, missing implementations, fabricated dependencies), so we include AI-specific operators and differential-regeneration verification. But a Nucleus certificate is just as meaningful for a 2015 Python codebase.

Verdict: PARTIAL
  • Gate: contract — feature_presence
  • Finding: Prompt claims ‘file_upload’ but no structural evidence found in artifacts
  • Finding ID: CV-B077F5

Real finding from a verification run. The AI claimed it implemented file upload, but the code contained no upload handling, multipart parsing, or file storage logic.


Frozen benchmark (March 2026)

915 public repositories. Python and JavaScript ecosystems. Zero consistency errors.

  • Verified: 41%
  • Partial: 38%
  • None: 20%

A system that verifies 41% of real-world repositories is honest. A system that verifies 90% is lying.

What we still don't verify

  • Semantic correctness of business logic — if your AI wrote a 1% discount instead of 10%, Nucleus cannot tell.
  • Runtime behaviour under production load — sandboxed compile & test only, not stress or load.
  • Zero-day vulnerabilities — we run four industry-standard scanners, but they can only find what their rule authors have seen.
  • Accessibility (WCAG) — structural checks only, not formal conformance auditing.
  • Network-dependent CVEs — OSV-Scanner talks to a live CVE database; its results reflect the DB at scan time, not forever.

Every certificate explicitly lists the NOT_verified scope. We publish our CWE coverage matrix alongside every release.


Who it's for

Developers

Verify AI-generated code before it ships. Certificate in every PR. Know exactly what was built vs what was claimed.

Engineering Managers

Structural gaps caught before production. Audit trail for every decision. Trust scores you can track over time.

Enterprise & Compliance

SOC 2 ready. PostgreSQL audit log. Ed25519 signed. Independently replayable. Full chain of custody.


How Nucleus Verify differs from existing tools

Features compared across CodeQL, SonarQube, Snyk and Nucleus Verify:
  • Finds vulnerabilities
  • Cryptographic signing
  • Independent replay
  • Tamper-evident chain
  • Honest scope disclosure
  • DORA / FCA evidence
  • Works alongside existing tools

Nucleus Verify finds vulnerabilities and produces cryptographically signed proof that the review happened — independently verifiable by anyone. It works alongside your existing tools or as a complete verification solution on its own.


Pricing

Start free. Scale when you're ready.

Free: $0, forever
  • Live demo (/demo): paste & scan, no signup
  • 5 repo verifications / day
  • Full scan — 7 gates, 995 operators, 5 external scanners
  • Repos up to 50MB
  • ZIP uploads up to 5MB
  • Paste code up to 50KB
  • 7-day history retention
  • Public verification URL
  • 1 free enhanced scan trial (all 8 packs)
  • Async large repo scans
  • Full result download
  • Report PDF
  • PDF certificate
  • Enhanced packs ongoing
Business: $50 per seat per month
  • Unlimited verifications
  • Everything in Plus, plus:
  • Repos up to 2GB · ZIP up to 500MB · paste up to 5MB
  • All 8 enhanced operator packs (+249 operators)
  • Semgrep Pro rule sets (3,800+ rules, 65+ languages)
  • Local 250,000+ CVE database (offline, always fresh)
  • AI Analysis Report on every scan
  • Enhanced PDF certificate
  • Team seats + higher API-key rate limits
  • GitHub Actions & GitLab CI integrations
  • Full history retention
  • Priority support
Enterprise: custom pricing, annual contract
  • Everything in Business
  • Unlimited repo size
  • ZIP uploads up to 2GB
  • Paste code up to 50MB
  • CodeQL Deep Analysis (coming soon)
  • Custom operator support
  • Private repository verification
  • SSO / SAML integration
  • SLA & dedicated support
  • Custom compliance frameworks
  • CI/CD integration (GitHub, GitLab, Jenkins)
  • On-premise deployment option

Need just one certificate? $4.99 one-time per verification. Available on the result page.

For enterprise enquiries, custom plans, or volume pricing contact contact@altermenta.com