Verify the security decision, not just the report.

ShakerScan attestations let a release system verify that an AI Gate decision matches the expected repo, commit, target, environment, policy, probe pack, and evidence hash.

Sample gate decision

Verified allow decision

The deploy proceeds because the attestation signature is valid and every expected scope field matches the current release.

signature: verified
predicate type: shakerscan.ai_gate.v1
repo: acme/support-bot
commit: 9f31c2a
target: support-chat-api
environment: preview
decision: allow

1. AI Gate produces findings and policy output.
2. ShakerScan creates an evidence bundle and stable hash.
3. A signed attestation binds the decision to release scope.
4. The CLI or API verifies signature validity and expected predicate fields.
5. CI proceeds only when the verified decision satisfies policy.

Why ShakerScan

The output is a release control, not just a report.

ShakerScan is built around release evidence: a tested target, a policy result, a verifier command, and an approval path when risk needs human review.

Signed evidence

Evidence hashes and AI Gate attestations bind the decision to the target, environment, policy, probe pack, and release scope when signing is configured.

CI-verifiable decision

GitHub Actions or the shakerscan CLI can verify that the decision matches the expected repo, commit, branch, environment, target, policy, and evidence hash.

Approval workflow

When an eligible workflow is approved, scoped approval tokens record the reason, audience, expiry, and decision path instead of bypassing the gate silently.

Checklist

Verification checklist

Verify the signature and attestation schema.

Use shakerscan gate verify in CI to compare the signed predicate against the current release scope.

Check repo, branch, commit, target, environment, policy, probe pack, and decision.

Reject stale or mismatched evidence hashes.

Require a scoped approval token when policy returns needs_approval.
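The five-step flow above and this verification checklist, as an added example that is not ShakerScan's own code or CLI: a small Python verifier that hashes an evidence bundle, signs a predicate carrying the decision and its scope, and then checks the signature, predicate type, every scope field, the evidence hash, and (for needs_approval) a scoped approval token before returning a pass/fail result for CI. The signature scheme (HMAC-SHA256 standing in for whatever ShakerScan actually uses), the predicate and token field names, and the branch, policy and probe-pack values are assumptions made for this example; the sample repo, commit, target and environment are the ones shown in the sample decision.

```python
import hashlib
import hmac
import json
import time

# Constructed demo key. A real deployment would use an asymmetric signing key so CI
# holds only the public half; HMAC keeps this example dependency-free.
SIGNING_KEY = b"constructed-demo-signing-key"
EXPECTED_PREDICATE_TYPE = "shakerscan.ai_gate.v1"
SCOPE_FIELDS = ("repo", "branch", "commit", "target", "environment", "policy", "probe_pack")


def canonical(obj) -> bytes:
    """Stable JSON encoding so signer and verifier hash exactly the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def evidence_hash(bundle: dict) -> str:
    """Stable hash over the evidence bundle (step 2 of the flow)."""
    return hashlib.sha256(canonical(bundle)).hexdigest()


def sign_attestation(predicate: dict, key: bytes = SIGNING_KEY) -> dict:
    """Bind the decision to its scope by signing the canonical predicate (step 3)."""
    mac = hmac.new(key, canonical(predicate), hashlib.sha256).hexdigest()
    return {"predicate": predicate, "signature": mac}


def check_approval_token(token, scope, now):
    """A scoped approval token must carry reason, audience, expiry and decision path."""
    if token is None:
        return ["approval: needs_approval decision but no approval token presented"]
    problems = []
    if not token.get("reason"):
        problems.append("approval: missing reason")
    if token.get("audience") != scope["target"]:
        problems.append("approval: audience does not match the release target")
    if token.get("expires_at", 0) <= now:
        problems.append("approval: token expired")
    if token.get("decision_path") != "needs_approval":
        problems.append("approval: token not issued for a needs_approval decision")
    return problems


def verify_attestation(attestation, scope, expected_evidence_hash,
                       approval_token=None, key=SIGNING_KEY, now=None):
    """Steps 4 and 5: return (ok, reasons); ok is True only when every check passes."""
    now = time.time() if now is None else now
    pred = attestation.get("predicate", {})
    expected_mac = hmac.new(key, canonical(pred), hashlib.sha256).hexdigest()
    # Signature first: no predicate field can be trusted before it is verified.
    if not hmac.compare_digest(expected_mac, attestation.get("signature", "")):
        return False, ["signature: invalid"]
    reasons = []
    if pred.get("predicate_type") != EXPECTED_PREDICATE_TYPE:
        reasons.append(f"predicate_type: unexpected {pred.get('predicate_type')!r}")
    # Every scope field must equal the release being deployed right now.
    for field in SCOPE_FIELDS:
        if pred.get(field) != scope.get(field):
            reasons.append(f"{field}: attested {pred.get(field)!r} != expected {scope.get(field)!r}")
    # A stale or mismatched evidence hash is rejected even when the scope matches.
    if pred.get("evidence_hash") != expected_evidence_hash:
        reasons.append("evidence_hash: does not match the evidence for this release")
    decision = pred.get("decision")
    if decision == "needs_approval":
        reasons.extend(check_approval_token(approval_token, scope, now))
    elif decision != "allow":
        reasons.append(f"decision: {decision!r} does not satisfy policy")
    return not reasons, reasons


def demo():
    """Exercise the verifier with a constructed release matching the page's sample."""
    bundle = {"findings": [], "policy_output": "pass"}  # constructed evidence bundle
    scope = {"repo": "acme/support-bot", "branch": "main", "commit": "9f31c2a",
             "target": "support-chat-api", "environment": "preview",
             "policy": "default", "probe_pack": "baseline"}  # branch/policy/pack constructed
    ev = evidence_hash(bundle)
    predicate = {"predicate_type": EXPECTED_PREDICATE_TYPE, "decision": "allow",
                 "evidence_hash": ev, **scope}
    att = sign_attestation(predicate)
    now = 1_700_000_000  # fixed clock so the token expiry check is deterministic
    results = {"allow": verify_attestation(att, scope, ev, now=now)}
    # The same signed attestation replayed against a different commit.
    results["wrong_commit"] = verify_attestation(att, dict(scope, commit="0badc0d"), ev, now=now)
    # Predicate edited after signing (preview -> production): the signature fails first.
    forged = {"predicate": dict(predicate, environment="production"), "signature": att["signature"]}
    results["tampered"] = verify_attestation(forged, dict(scope, environment="production"), ev, now=now)
    # needs_approval is rejected without a scoped token and accepted with a valid one.
    na = sign_attestation(dict(predicate, decision="needs_approval"))
    results["no_token"] = verify_attestation(na, scope, ev, now=now)
    token = {"reason": "risk accepted by security review (constructed)",
             "audience": "support-chat-api", "expires_at": now + 3600,
             "decision_path": "needs_approval"}
    results["with_token"] = verify_attestation(na, scope, ev, approval_token=token, now=now)
    return results


if __name__ == "__main__":
    for name, (ok, reasons) in demo().items():
        print(f"{name}: {'pass' if ok else 'fail'} {reasons}")
```

Two points from the checklist show up in the output: a valid signature over a predicate for another commit still fails, because scope is compared field by field only after the signature check passes, and a needs_approval decision passes only when the token's reason, audience, expiry and decision path all match the release.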

Limitations

What this page does not claim

ShakerScan does not replace human security review, threat modeling, or a scoped penetration test.

AI Gate decisions depend on the configured target, probe pack, policy, scan profile, and available evidence.

Production targets require authorization, safe scope, rate limits, and operational approval.

FAQ

Is ShakerScan an AI pentesting replacement?

No. ShakerScan is a verifiable security gate for release workflows. It complements deeper manual testing by producing repeatable runtime evidence and CI-verifiable allow, block, or needs_approval decisions.

Can ShakerScan scan any target?

No. Targets must be owned by the customer or explicitly authorized. Production scans should use safe profiles, rate limits, and defined scope.