Overview
The Corsair pipeline transforms security tool output into cryptographically signed, universally verifiable Certificates of Proof of Operational Effectiveness (CPOEs). The default path is fully deterministic — no AI, no judgment, just provenance recording, Ed25519 signing, and verifiable transparency.
EVIDENCE → SIGN → LOG → PUBLISH → VERIFY → DIFF → SIGNAL
FLAGSHIP delivers real-time compliance change notifications via SSF/SET/CAEP.
Core Pipeline
EVIDENCE — Tool Output Acceptance
Accepts structured output from security scanning tools and compliance platforms, normalizing it into a canonical control format for signing.
Supported inputs (mapping-first):
- mapping-pack: Tool-native outputs mapped via the registry (auto-detected)
- generic: Pre-structured control data from any source, shaped as { metadata, controls[] }
Mapping registry (tool-agnostic): Mappings extract controls or passthrough fields without code changes. Load mappings via CORSAIR_MAPPING_DIR, CORSAIR_MAPPING_FILE, the CLI --mapping flag, or corsair mappings add. Evidence-only mappings still produce valid CPOEs and store passthrough data under credentialSubject.extensions. Mappings are evaluated by priority (higher wins), then filename order. Build packs with corsair mappings pack and sign them with corsair mappings sign — signed packs are verified when CORSAIR_MAPPING_PACK_PUBKEY is set.
Output: Structured controls with evidence references, provenance metadata, and pass/fail status.
corsair sign --file tool-output.json --mapping ./mappings/toolx.json
SIGN — Provenance Recording + Ed25519 Signing
The signing stage records provenance (who produced the evidence) and signs the result as a JWT-VC:
| Provenance | Meaning |
|---|---|
| self | Organization self-attests without automated evidence |
| tool | Security tool output produced the evidence |
| auditor | Independent third party reviewed and verified the assessment |
CPOE format:
Header: { "alg": "EdDSA", "typ": "vc+jwt", "kid": "did:web:grcorsair.com#key-1" }
Payload: { "iss": "did:web:grcorsair.com", "vc": { ... CPOE ... }, "parley": "2.0" }
Signature: Ed25519
Corsair does not judge evidence quality. It records where the evidence came from, signs it, and lets buyers decide what's sufficient.
Dependency proofs (--dependency) let you link upstream CPOEs and build a trust graph.
LOG — SCITT Transparency Registration
CPOEs are registered with an IETF SCITT transparency log. Registration produces a COSE receipt proving inclusion in the append-only log:
- Non-repudiation — The issuer cannot deny having issued the attestation at the recorded time
- Discoverability — Third parties can audit the transparency log to verify CPOE history
The SCITT registry uses SHA-256 Merkle tree hashing with COSE_Sign1 signed receipts (RFC 9052, Ed25519).
Proof-only mode registers only the hash commitment (no CPOE stored):
corsair log register --file cpoe.jwt --scitt https://log.example.com/scitt/entries --proof-only
If you don’t operate your own log, you can use the hosted Corsair log:
corsair log register --file cpoe.jwt --scitt https://api.grcorsair.com/scitt/entries --proof-only
PUBLISH — trust.txt Discovery
Publish a machine-readable discovery file at /.well-known/trust.txt so any agent can find your DID, CPOEs, SCITT log, catalog, and FLAGSHIP stream:
corsair trust-txt generate --did did:web:acme.com --scitt https://log.acme.com/scitt/entries
Host the output at https://<domain>/.well-known/trust.txt, then verify it from the outside:
corsair trust-txt discover acme.com --verify
Note: If your GRC team doesn’t control the root domain, request a delegated subdomain (for example trust.example.com) and publish trust.txt there. Use the IT request template.
VERIFY — Signature + Provenance Verification
Anyone with the issuer's public key (resolved via did:web) can verify a CPOE:
- Decode the JWT header + payload (base64url)
- Resolve the issuer's DID document via HTTPS
- Extract the public key matching header.kid
- Verify the Ed25519 signature
No server, no account, no data sharing required.
DIFF — Compare CPOEs Over Time
Track compliance changes between assessments — like git diff for compliance:
corsair diff --current cpoe-v2.jwt --previous cpoe-v1.jwt
Shows control-level additions, removals, and status changes.
SIGNAL — Real-Time Change Notifications
FLAGSHIP delivers standardized compliance change notifications via the OpenID Shared Signals Framework (SSF) and Continuous Access Evaluation Protocol (CAEP). See FLAGSHIP Events for details.
RENEW — Re-sign CPOEs
Re-sign an existing CPOE with fresh dates, or with new evidence while preserving scope and DID:
corsair renew --file cpoe.jwt --output renewed.jwt
corsair renew --file cpoe.jwt --evidence new-findings.json --output renewed.jwt