CI/CD Integration

Quoderat transforms standard pipeline outputs into verification receipts. Your CI runs the work; Quoderat captures the evidence.

What this page can (and cannot) claim

✓
Claim (mechanical)

• We record what your CI tools reported (exit codes, logs, reports)
• Artifacts are content-identified by sha256
• Tamper-evidence applies to the finalized Evidence Envelope

✗
No claim (absolute)

• We do not claim tests are comprehensive
• We do not claim the code is correct or secure
• We do not claim secrets cannot leak in logs

Mental model

The CI UI is for status. The Envelope is the receipt.

Pipeline dashboards show real-time progress and badges. But for auditing, the authoritative record is the finalized Evidence Envelope—a JSON document you can validate offline.

Mapping: Pipeline → Envelope

How CI execution maps to Evidence Envelope fields:

Steps

Each CI job/step is recorded in execution.steps[]:

• kind — lint, test, build, etc.
• status — recorded outcome
• exit_code — tool-reported exit code

Artifacts

Logs, reports, and outputs become content-identified artifacts:

• sha256 — unique fingerprint of bytes
• content_uri — e.g., urn:sha256:...
• location_hints[] — optional storage pointers

Observations

Derived summaries (e.g., test counts) must cite their source:

• basis_artifact_ids[] — links to raw report artifacts

Runner context

Environment metadata for correlation:

• runner_context.runner_type = ci
• runner_context.toolchain — versions, OS, etc.

Illustrative mapping example

A minimal example showing how a CI test run maps to Envelope fields (non-normative):

execution.steps[0]

kind: test, exit_code: 0

artifacts[stdout_log]

sha256: a1b2c3...
content_uri: urn:sha256:a1b2c3...

observations[tests_passed]

value: { passed: 42, failed: 0 }
basis_artifact_ids: [stdout_log]

This is for illustration only; actual field names and values depend on your configuration.

Recommended consumer behavior

Non-normative guidance for consumers of Evidence Envelopes:

1
Treat badges as informative — CI dashboard status is for monitoring, not auditing
2
Fetch the finalized Envelope — the authoritative JSON record for the run
3
Validate integrity offline — RFC 8785 JCS canonicalization + SHA-256 hash chain
4
Re-hash artifact bytes — fetch via location_hints and compare to recorded sha256
5
Treat observations without basis as informational — not verified evidence

Recommended setup

Non-normative guidance for producing Evidence Envelopes from CI:

Store Envelope JSON — as a CI artifact or in object storage for later retrieval
Log evidence_id — for correlation between pipeline runs and Envelopes
Deny-by-default — Internal Envelope for operators; Public Pack for sharing (filtered by allowlist)

Troubleshooting

Missing artifacts / location_hints

Ensure your CI job captures tool outputs and stores them in a retrievable location. Location hints are best-effort pointers; if they expire, the sha256 content identity still holds.

Orphan observations (no basis)

Observations without basis_artifact_ids should be treated as informational only. Check that your tooling produces parseable reports.

Secrets in logs

This is a tooling/configuration issue. Redaction receipts (redactions[]) are best-effort and log what was masked, not a guarantee that no secrets exist elsewhere.

Non-finalized Envelope

The job may have terminated before finalization. Check the final run state and worker logs. An Envelope without integrity.hash_chain is incomplete.

Missing tool outputs (dependency/cache issues)

If CI dependencies or caches cause tool outputs to be missing, the Envelope will lack corresponding artifacts. This is a CI environment issue, not an Envelope issue.

Next steps

GitLab — map Git metadata to subjects and correlate runs
Events (SSE) — runtime signals vs authoritative record
Policies — masking rules and public/internal visibility
API — programmatic consumption and validation