

identifies and tracks artifacts to quickly
react to risky components and meet compliance objectives.


Real-time tracking of attestations and vendor risk profiles.

What our customers love about us

  • Risk management:
    Know in real time new threats arising from existing in-house developed and external applications.

  • Focus on real threats:
    Filter out real threats by eliminating false positives.

  • VEX curation:
    Manage the real impact of found vulnerabilities by applying curated VEX.

  • Effective notification:
    Get notifications when real intervention is required or a software supplier needs to update their software.

  • Vendor risk profile:
    Create and maintain a software vendor risk profile for procurement, the CISO office or the application owner.

  • Continuity:
    Continuously track attestations, vendor risk profiles and vendor application risk profiles over time.

  • Actions:
    Point to actions to take to reduce the risk of vulnerabilities or exploits.

  • Subscription:
    Stay alerted by subscribing to the risk and risk changes by application, application stack or dependency.

  • Identification and tracking of artifacts
  • VEX (Vulnerability Exploitability eXchange) enablement
  • World class SBOM management
  • Support all SBOMs standards (import, export)
  • Artifact-based attestation
  • Risk scoring for your apps
  • Runtime protection from unwanted components
  • Isolation of dangerous artifacts
  • Compliance with cybersecurity regulations

Whitepaper: SBOMs and VEX real-world application usage

Industry Leading SBOM management

Import and export SBOMs from any format to any format. Generate detailed SBOMs for open source applications or containers. Analyze and gain new insights from your SBOMs.

Secure the integrity of software supply chains and all the components used.


Enable VEX

Create an ongoing curated list of the vulnerabilities and exploits based on the particular organization's needs. Manage vendor VEX information and SBOMs in one dashboard.

Leverage the combination of SBOMs, VEX, and Context awareness for meaningful risk mitigation.

Trusted artifacts exclusively

Unauthorized access to software repositories and build systems allows attackers to insert malicious code and components into software about to be released. Trustcenter alerts you whenever unknown and/or untrusted components are detected!

Only bake components into your applications that are known and trusted.

Track your components

Discover and catalog your workloads across all environments and track all the components in your software projects and their dependencies.

Trustcenter supports billions of artifacts!

Track the lifecycle of components

Tracking of the change in status of all components with a tamperproof audit trail.

Auditable provenance and tracking and reporting.

Continuous enforcement

Enforce the deployment of container images built with known and trusted components.

Re-evaluate all components continuously at rest and at runtime.


Codenotary is the leader in software supply chain security, protecting over 55,000 software projects today.

  • Find and remove all unwanted artifacts (like Log4j) within minutes instead of days or weeks.
  • Expose security issues earlier and lower remediation costs by up to 80%
  • Comply with and monitor cybersecurity regulation and auditor demands

Manage and Analyze SBOM and VEX

Produce accurate SBOMs or import SBOMs from external vendors

  • Support for CycloneDX, VEX and SPDX
  • Automatically generate precise VEX files
  • Manage versions of SBOMs and VEX
  • Trust or untrust components within individual projects
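As an added example of the VEX curation described under "Enable VEX" and in the list above (not Codenotary's own code), this Python script applies a curated CycloneDX VEX document to scanner findings for components in an SBOM, so that only findings still needing intervention remain. The SBOM, findings and VEX are constructed sample data, and the vulnerability ids are placeholders rather than real CVEs.

```python
# Constructed CycloneDX-style SBOM fragment (sample data, not a real project);
# VEX statements point at components through their bom-ref.
LOG4J = "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"
LEFTPAD = "pkg:npm/left-pad@1.3.0"
SBOM = {"components": [{"bom-ref": LOG4J, "name": "log4j-core", "version": "2.14.1"},
                       {"bom-ref": LEFTPAD, "name": "left-pad", "version": "1.3.0"}]}
# Constructed scanner findings; the vulnerability ids are placeholders, not real CVEs.
FINDINGS = [
    {"id": "VULN-EXAMPLE-1", "ref": LOG4J},
    {"id": "VULN-EXAMPLE-2", "ref": LEFTPAD},
    {"id": "VULN-EXAMPLE-3", "ref": LEFTPAD},
    {"id": "VULN-EXAMPLE-4", "ref": LOG4J},                       # no VEX statement yet
    {"id": "VULN-EXAMPLE-5", "ref": "pkg:npm/removed-dep@0.1.0"},  # no longer in the SBOM
]
# Constructed curated VEX in the CycloneDX "vulnerabilities" layout:
# analysis.state records the organisation's verdict on each finding.
VEX = {"vulnerabilities": [
    {"id": "VULN-EXAMPLE-1", "affects": [{"ref": LOG4J}],
     "analysis": {"state": "exploitable"}},
    {"id": "VULN-EXAMPLE-2", "affects": [{"ref": LEFTPAD}],
     "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
    {"id": "VULN-EXAMPLE-3", "affects": [{"ref": LEFTPAD}],
     "analysis": {"state": "not_affected"}},  # suppression with no justification
]}
# CycloneDX states that mean "no action needed" once properly justified.
SUPPRESSING = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}

def index_vex(vex):
    """Map (vulnerability id, bom-ref) to that statement's analysis block."""
    table = {}
    for v in vex.get("vulnerabilities", []):
        for a in v.get("affects", []):
            table[(v["id"], a["ref"])] = v.get("analysis", {})
    return table

def apply_vex(findings, vex, sbom):
    """Return the findings that still need intervention. Findings for components absent
    from the SBOM or suppressed by VEX are dropped; an unjustified not_affected is
    not trusted, so that finding stays in triage."""
    known = {c["bom-ref"] for c in sbom["components"]}
    table = index_vex(vex)
    actionable = []
    for f in findings:
        if f["ref"] not in known:
            continue
        analysis = table.get((f["id"], f["ref"]), {})
        state = analysis.get("state", "in_triage")
        if state in SUPPRESSING and (state != "not_affected" or analysis.get("justification")):
            continue
        actionable.append({**f, "state": "in_triage" if state in SUPPRESSING else state})
    return actionable
```

Running `apply_vex(FINDINGS, VEX, SBOM)` leaves three of the five findings: the exploitable one, the one whose suppression lacks a justification, and the one with no VEX statement yet.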

Know your components

Detection and management of application components

  • Maintain an open-source list with continuous updates
  • Generate SBOMs for open-source applications
  • Manage imported SBOMs from software vendors
  • Keep an eye on all the open source components in your software and their dependencies
  • Tracking of provenance and trust level of each component

Know what's exploitable

Quickly search and spot any open-source components in your software and know the risk scores

  • Search and discover known vulnerable components such as Log4j
  • Using runtime analysis, see if the discovered components are exploitable
  • Detect license violations

Map your component journey

From CI/CD pipeline to apps to production

  • Monitor and track the dependencies of your app silos and establish cryptographic provenance for your artifact
  • Comply with artifact attestation guidelines like in-toto

Patent pending TrueSBOM® technology

Using our TrueSBOM® technology, the latest SBOM of running applications can be extracted

  • TrueSBOM® monitors changes in your components at runtime, even for self-updating applications
  • X-ray of all container image layers, independent of the source and language
  • Detects encrypted code when it is loaded (e.g. encrypted Java files)

Some of our integrations

  • CI/CD and SCM tools
  • Docker and OCI registries
  • Several vulnerability scanners (Snyk, Aqua, JFrog)
  • Bindings for Java, C++, Python, NodeJS, Go, Rust, PHP
  • Digital Signature platforms


Interested in Trustcenter/Enterprise? Pricing starts at $5500 per year.