corsair
HTTPS proved websites are real.
Corsair proves compliance is real.
Your security tools already know if controls work. Corsair signs that into a cryptographic proof anyone can verify.
by Ayoub Fandi · GRC Engineer
did:web:grcorsair.com
tool / Scanner v1.2
AWS Production Baseline
47/51 passed
92%
6 Primitives
Sign · Log · Verify · Diff · Signal · Publish
Ed25519 Signed
Cryptographic proof of compliance
1 Dependency
jose — nothing else at runtime
Open Protocol
Apache 2.0 · No lock-in
See It In Action
Six primitives. One protocol.
The Protocol
Like git for compliance. Each primitive does one thing.
Quick Start
Sign tool output. Verify any CPOE. Diff over time. Log and publish proofs. Signal changes in real time. No API keys needed to get started (OIDC tokens work for production).
    # Install (pick one)
    npm install -g @grcorsair/cli # npm
    brew install grcorsair/corsair/corsair # homebrew
    npx skills add grcorsair/corsair # AI agent skill

    # Runtime
    # Bun is required to run the CLI. Homebrew installs Bun automatically via the oven-sh/bun tap; npm does not.

    # Initialize (generates keys + example evidence)
    corsair init

    # Generate DID + JWKS for did:web verification
    corsair did generate --domain your-domain.com --output did.json
    corsair did jwks --domain your-domain.com --output jwks.json

    # Sign tool output into a CPOE (like git commit)
    # Keys are auto-generated on first use — no setup needed
    corsair sign --file evidence.json
    corsair sign --file evidence.json --strict

    # Verify any CPOE (always free, no account needed)
    corsair verify --file evidence.cpoe.jwt

    # Compare two CPOEs (like git diff)
    corsair diff --current new.jwt --previous old.jwt

    # Query the SCITT transparency log (like git log)
    corsair log --last 10
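
What an "anyone can verify" check on an Ed25519-signed JWT involves, as an added example that is not Corsair's code and not part of the original page: it signs and verifies a compact EdDSA JWT with Node's built-in crypto, pins the algorithm, and rejects a tampered payload. The claim names, the `did:web:example.com` issuer and all helper names are constructed for illustration; the real CPOE schema is not shown on this page.

```javascript
// Added example: Ed25519 (EdDSA) compact JWT sign/verify with Node's built-in crypto.
// Claims and helper names are constructed; they are not Corsair's CPOE schema.
const { generateKeyPairSync, sign, verify } = require("node:crypto");

const b64u = (data) => Buffer.from(data).toString("base64url");

// Compact JWS: base64url(header) "." base64url(payload) "." base64url(signature)
function signJwt(claims, privateKey) {
  const header = { alg: "EdDSA", typ: "JWT" };
  const signingInput = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(claims))}`;
  // Ed25519 hashes internally, so the digest argument is null.
  const sig = sign(null, Buffer.from(signingInput), privateKey);
  return `${signingInput}.${b64u(sig)}`;
}

// Returns the claims when the signature is valid, otherwise throws.
function verifyJwt(token, publicKey) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, "base64url").toString("utf8"));
  // Pin the algorithm: the token must never choose how it is verified.
  if (header.alg !== "EdDSA") throw new Error(`unexpected alg: ${header.alg}`);
  const ok = verify(null, Buffer.from(`${h}.${p}`), publicKey, Buffer.from(s, "base64url"));
  if (!ok) throw new Error("signature mismatch");
  return JSON.parse(Buffer.from(p, "base64url").toString("utf8"));
}

// Constructed demo key pair and claims.
const { publicKey, privateKey } = generateKeyPairSync("ed25519");
const claims = { iss: "did:web:example.com", summary: { passed: 47, total: 51 } };
const token = signJwt(claims, privateKey);

// Swap in a better-looking payload while keeping the original signature.
function tamper(tok) {
  const [h, , s] = tok.split(".");
  const forged = b64u(JSON.stringify({ ...claims, summary: { passed: 51, total: 51 } }));
  return `${h}.${forged}.${s}`;
}

// Boolean wrapper so callers can branch without try/catch.
function accepts(tok, key) {
  try { verifyJwt(tok, key); return true; } catch { return false; }
}
```

This covers only the signature and algorithm checks; issuer, expiry and key discovery through `did:web` are separate steps it does not attempt.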