Wisec offers a robust suite of features designed to secure your CI/CD pipelines and software supply chain from end to end.
Wisec leverages decentralized storage (IPFS) and cryptographic signatures (ED25519) to create a verifiable, tamper-evident provenance trail for your software artifacts, aligned with SLSA principles. Every significant step in your build process is logged, signed, and stored by content address, so it cannot be altered without detection.
Transparent Build Logging: Every step of the build process is recorded.
Cryptographic Signatures (ED25519): Every event is signed with the agent's signing key, so its integrity and origin can be checked against a known public key.
IPFS Storage: Events are stored on IPFS (InterPlanetary File System), where content is addressed by its hash: any change to a stored event yields a different identifier. Note that IPFS only retains content that some node pins, so long-term persistence depends on pinning.
SLSA Compatible: Our approach aligns with the Supply-chain Levels for Software Artifacts (SLSA) framework, whose build track rests on exactly this kind of signed provenance.
Verifiable Provenance: A tamper-evident record establishes the origin and integrity of your software.
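To make the mechanism concrete, here is an added example (not Wisec's code; the event fields, the raw-block CID layout and the out-of-band trusted key are assumptions made for illustration) that signs a build event with Ed25519, verifies it against a pre-registered agent key, computes the IPFS content identifier the event bytes would receive as a raw block, and shows that editing one field breaks both the signature and the address:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base32"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// BuildEvent is a hypothetical provenance record for one pipeline step.
// The field names are assumptions for this example, not Wisec's schema.
type BuildEvent struct {
	Project    string   `json:"project"`
	Step       string   `json:"step"`
	CommitSHA  string   `json:"commit_sha"`
	Builder    string   `json:"builder"`
	Artifacts  []string `json:"artifacts"` // digests of produced artifacts
	StartedAt  int64    `json:"started_at"`
	FinishedAt int64    `json:"finished_at"`
}

// SignedEvent is what an agent would ship to storage: the exact bytes that
// were signed plus the Ed25519 signature over them.
type SignedEvent struct {
	Event     json.RawMessage `json:"event"`
	PublicKey string          `json:"public_key"` // hex-encoded Ed25519 public key
	Signature string          `json:"signature"`  // hex-encoded signature over Event
}

// Sign serialises the event deterministically (encoding/json writes struct
// fields in declaration order with no whitespace) and signs those bytes, so
// signer and verifier operate on an identical byte string.
func Sign(priv ed25519.PrivateKey, ev BuildEvent) (SignedEvent, error) {
	msg, err := json.Marshal(ev)
	if err != nil {
		return SignedEvent{}, err
	}
	pub := priv.Public().(ed25519.PublicKey)
	return SignedEvent{
		Event:     msg,
		PublicKey: hex.EncodeToString(pub),
		Signature: hex.EncodeToString(ed25519.Sign(priv, msg)),
	}, nil
}

// Verify checks the record against a key the verifier already trusts for
// this agent, never the key embedded in the record: trusting the embedded
// key would let an attacker re-sign a forged event with a key of their own.
func Verify(trustedPub ed25519.PublicKey, se SignedEvent) bool {
	if len(trustedPub) != ed25519.PublicKeySize {
		return false
	}
	sig, err := hex.DecodeString(se.Signature)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(trustedPub, se.Event, sig)
}

// RawCID computes the CIDv1 an IPFS node assigns to these exact bytes when
// added as a raw block: version 1, raw codec 0x55, sha2-256 multihash
// (0x12, length 0x20), lowercase base32 with the 'b' multibase prefix.
// Assumption: the event is stored as one raw block; a dag-pb or dag-json
// layout would give the same content a different CID.
func RawCID(data []byte) string {
	sum := sha256.Sum256(data)
	cid := append([]byte{0x01, 0x55, 0x12, 0x20}, sum[:]...)
	enc := base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(cid)
	return "b" + strings.ToLower(enc)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample event; the commit and artifact values are placeholders.
	ev := BuildEvent{Project: "demo-app", Step: "build", CommitSHA: "0123abcd",
		Builder: "ci-runner-7", Artifacts: []string{"sha256:placeholder"},
		StartedAt: 1700000000, FinishedAt: 1700000042}
	se, _ := Sign(priv, ev)
	fmt.Println("cid:", RawCID(se.Event), "verified:", Verify(pub, se))

	// Flip one field after signing: the signature no longer verifies and the
	// content address changes, so the edit is detectable from either side.
	tampered := se
	tampered.Event = []byte(strings.Replace(string(se.Event), `"step":"build"`, `"step":"deploy"`, 1))
	fmt.Println("tampered verified:", Verify(pub, tampered),
		"same cid:", RawCID(se.Event) == RawCID(tampered.Event))
}
```

The verifier must obtain the agent's public key out of band (a dashboard that manages agent signing keys is the natural place); a record that only carries its own public key proves that someone held some key, not that the agent did. Content addressing makes tampering detectable rather than impossible: the original CID keeps resolving to the original bytes only while some node pins them.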
Our AI engine continuously learns the normal behavior of your CI/CD pipelines to detect and flag suspicious activities that deviate from established patterns.
New Dependencies Introduced: Flags the introduction of new external libraries or packages into your project, alerting you to potential risks from untrusted code.
Unusual Commit Times: Detects commits pushed during atypical hours for a given project or contributor, which can be a sign of compromised credentials or unauthorized activity.
Hardcoded Secrets Detection: Scans for sensitive information (API keys, tokens, passwords) committed directly into the codebase, using gitleaks, so accidental exposure is caught before it ships.
Critical File Deletion: Alerts on the removal of essential configuration, infrastructure-as-code (e.g., Terraform), or core project files, indicating potential sabotage or misconfiguration.
Build Duration Anomaly: Flags builds that take significantly longer or shorter than their historical average, which can signal performance issues, resource hijacking, or hidden malicious processes.
Suspicious Dependency Source: (Keyword-based) Detects dependencies from potentially untrusted or unusual sources by analyzing package names and metadata, helping to prevent supply chain attacks.
Modified Files Count Anomaly: Identifies an unusually high number of changed files in a single commit or build, which can indicate automated attacks or large, unreviewed code injections.
Sensitive File Modified: Specifically alerts on modifications to critical security files (e.g., SSH keys, .env files, Dockerfiles) or files in sensitive directories.
New Contributor: Alerts when a previously unknown or unapproved contributor pushes code to a project, providing oversight on new team members or external collaborators.
Vulnerability Scanning (CVE): Checks project dependencies against public vulnerability databases (e.g., the OSV API) for known Common Vulnerabilities and Exposures (CVEs), so your software is not built on components with known vulnerabilities.
Typosquatting Detection: Identifies dependencies with names highly similar to popular packages, indicating potential supply chain attacks where attackers register similarly named packages to trick developers.
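Two of the rules above, typosquatting detection and build-duration anomaly, as an added example (not Wisec's implementation; the popular-package list, the edit-distance threshold of 2, the z-score threshold of 3, the 1-second floor on the standard deviation and the sample durations are all assumptions made for illustration):

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// Build is a constructed, simplified view of one pipeline run; the fields
// and the sample values are assumptions for this example, not Wisec's schema.
type Build struct {
	ID          string
	DurationSec float64
}

// Alert is one finding raised by a rule.
type Alert struct {
	Rule   string
	Detail string
}

func min3(a, b, c int) int {
	if b < a {
		a = b
	}
	if c < a {
		a = c
	}
	return a
}

// levenshtein returns the edit distance (insert, delete or substitute one
// character, cost 1 each) between a and b.
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev, cur := make([]int, len(rb)+1), make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			cur[j] = min3(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev, cur = cur, prev
	}
	return prev[len(rb)]
}

// normalize lowercases and maps '_' to '-', since registries such as PyPI
// treat "foo_bar" and "foo-bar" as the same project.
func normalize(s string) string {
	return strings.ReplaceAll(strings.ToLower(s), "_", "-")
}

// TyposquatAlerts flags each dependency that is not itself a popular package
// but lies within maxDist edits of one. An exact match is never flagged,
// otherwise every legitimate use of a popular package would alert.
func TyposquatAlerts(deps, popular []string, maxDist int) []Alert {
	known := make(map[string]bool, len(popular))
	for _, p := range popular {
		known[normalize(p)] = true
	}
	var out []Alert
	for _, d := range deps {
		n := normalize(d)
		if known[n] {
			continue
		}
		for _, p := range popular {
			if dist := levenshtein(n, normalize(p)); dist <= maxDist {
				out = append(out, Alert{"typosquatting", fmt.Sprintf("%s is %d edit(s) from %s", d, dist, p)})
				break
			}
		}
	}
	return out
}

// DurationZScore measures how far the current duration sits from the
// project's own baseline, in standard deviations. With fewer than minSamples
// prior runs it returns 0 so the rule stays quiet until a baseline exists;
// the 1-second floor avoids division by zero on a perfectly regular history.
func DurationZScore(history []Build, current Build, minSamples int) float64 {
	if len(history) < minSamples {
		return 0
	}
	var sum, ss float64
	for _, b := range history {
		sum += b.DurationSec
	}
	mean := sum / float64(len(history))
	for _, b := range history {
		ss += (b.DurationSec - mean) * (b.DurationSec - mean)
	}
	sd := math.Max(math.Sqrt(ss/float64(len(history))), 1)
	return math.Abs(current.DurationSec-mean) / sd
}

func main() {
	// Constructed inputs: a short popular list, one look-alike name and a
	// build that takes twice as long as the five previous runs.
	popular := []string{"requests", "numpy", "colorama", "django"}
	for _, a := range TyposquatAlerts([]string{"reqeusts", "numpy", "colourama"}, popular, 2) {
		fmt.Println(a.Rule+":", a.Detail)
	}
	history := []Build{{"b1", 300}, {"b2", 310}, {"b3", 295}, {"b4", 305}, {"b5", 290}}
	if z := DurationZScore(history, Build{"b6", 600}, 5); z > 3 {
		fmt.Printf("build-duration-anomaly: z=%.1f\n", z)
	}
}
```

Plain Levenshtein counts a transposition as two edits, which is why the threshold is 2 here; a Damerau variant would catch swapped letters at distance 1 with fewer false positives elsewhere. In practice the popular list should come from registry download statistics, and legitimate near-names need an allowlist so the rule does not fire on every build.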
Gain a single pane of glass view into the security posture of your entire software supply chain. Our intuitive dashboard provides real-time insights, risk assessments, and actionable recommendations.
Centralized Security Posture: Visualize the security status of all your projects.
Dynamic Risk Scoring: Projects are assigned a risk score (0-100) based on detected anomalies and security findings.
Detailed Anomaly Display: Drill down into specific alerts with comprehensive context.
Project Management: Easily create, manage, and delete your projects.
Builds & Events Overview: View all build events with advanced filtering (project, branch, status, time range) and dynamic sorting.
Alerts Management: Grouped alerts by project with severity indicators and filters.
Security Score Trends: Visualize historical risk score evolution with trend graphs.
Real-time Data Polling: Dashboard data updates regularly for up-to-date information.
Flexible Theming: Supports both Light and Dark modes.
API Key & Agent Signing Key Management: Generate and manage keys directly from the dashboard for secure agent communication.
Available: Supply chain provenance (IPFS + ED25519 signatures)
Available: Anomaly detection (11 behavioral rules + heuristics)
Available: SBOM Generation & Certification (CycloneDX 1.4)
Available: Build event correlation
Available: Real-time alerting (Email, Dashboard)
Available: RBAC and team management
Available: Compliance audit trails (SOC2/ISO27001 ready)
In progress: SAST integration (SonarQube, Semgrep)
In progress: Container scanning (Trivy integration)
In progress: SPDX format support for SBOMs
In progress: Webhooks (Slack, Teams, PagerDuty)
In progress: Sigstore/Cosign integration
Out of scope: Full SAST/DAST replacement
Out of scope: Runtime application protection
Out of scope: Cloud security posture management
Out of scope: Penetration testing tool
Wisec focuses on supply chain + provenance, not entire AppSec.
Immutable storage traceability and AI anomaly detection for modern DevSecOps teams
Wisec © 2026 🇫🇷

