

identifies and tracks artifacts to quickly react to risky components and meet compliance objectives.


Real-time tracking of attestations and vendor risk profiles.

What our customers love about us

  • Risk management:
    Know in real time about new threats arising from existing in-house developed and external applications.

  • Focus on real threats:
    Surface real threats by eliminating false positives.

  • VEX curation:
    Manage the real impact of found vulnerabilities by applying curated VEX.

  • Effective notification:
    Get notifications when real intervention is required or a software supplier needs to update their software.

  • Vendor risk profile:
    Create and maintain a software vendor risk profile for procurement, the CISO office or the application owner.

  • Continuity:
    Continuously track attestations, vendors' risk profiles and vendor applications' risk profiles over time.

  • Actions:
    Point to actions to take to reduce the risk of vulnerabilities or exploits.

  • MLOps and MLSecOps:
    Know which model is being used and track components and their provenance.

Identification and tracking of artifacts

VEX (Vulnerability Exploitability eXchange) enablement

World class SBOM management

Support for all SBOM standards (import, export)

Artifact-based attestation

Risk scoring for your apps

Runtime protection from unwanted components

Compliance with cybersecurity regulations


Whitepaper: SBOMs and VEX real-world application usage

Industry Leading SBOM management

Import and export SBOMs from any format to any format. Generate detailed SBOMs for open source applications or containers. Analyze and gain new insights from your SBOMs.

Secure the integrity of software supply chains and all the components used.


Enable VEX

Create an ongoing curated list of the vulnerabilities and exploits based on the particular organization's needs. Manage vendor VEX information and SBOMs in one dashboard.

Leverage the combination of SBOMs, VEX, and Context awareness for meaningful risk mitigation.

Trusted artifacts exclusively

Unauthorized access to software repositories and build systems allows attackers to insert malicious code and components into software about to be released. Trustcenter alerts you whenever unknown and/or untrusted components are detected!

Only bake components into your applications that are known and trusted.

Track your components

Discover and catalog your workloads across all environments and track the state of all the components in your software projects and their dependencies.

Trustcenter supports billions of artifacts!

MLOps & MLSecOps

What's in that artifact? Does it comply with business policies? Which model is being used? Who brought the model into the organization?

Auditable provenance, tracking and reporting for ML models.

Continuous enforcement

Enforce the deployment of container images built with known and trusted components.

Re-evaluate all components continuously at rest and at runtime.


Codenotary is the leader in software supply chain security, protecting over 155,000 software projects today.

Find and remove all unwanted artifacts (like Log4j) within minutes instead of days or weeks

Expose security issues earlier and lower remediation costs by up to 80%

Comply with and monitor cybersecurity regulation and auditor demands


Manage and Analyze SBOM and VEX

Produce accurate SBOMs or import SBOMs from external vendors

Support today for CycloneDX 1.6, VEX and SPDX 3.0

Automatically generate precise VEX files

Manage versions of SBOMs and VEX

Trust or untrust components within individual projects

Know your components

Detection and management of application components

Maintain a continuously updated inventory of open-source components

Generate SBOMs for open-source applications

Manage imported SBOMs from software vendors

Keep an eye on all the open source components in your software and their dependencies

Tracking of provenance and trust level of each component

Know what's exploitable

Quickly search and spot any open-source components in your software and know the risk scores

Search and discover known vulnerable components such as Log4j

Using runtime analysis, see if the discovered components are exploitable

Detect license violations

Map your component journey

From CI/CD pipeline to apps to production

Monitor your software vendors' risk profiles

Track software license compliance

Monitor and track the dependencies of your app silos and establish cryptographic provenance for your artifact

Comply with artifact attestation guidelines like in-toto

Patent pending TrueSBOM® technology

Using our TrueSBOM® technology, the latest SBOM of running applications can be extracted

TrueSBOM® monitors changes in your components at runtime, even for self-updating applications

X-ray of all container image layers, independent of the source and language

Detects encrypted code when it is loaded (e.g. encrypted Java files)


Interested in Trustcenter/Enterprise?
Pricing starts at $5500 per year.

Some of our integrations

CI/CD and SCM tools

Docker and OCI registries

Several vulnerability scanners (Snyk, Aqua, JFrog)

Bindings for Java, C++, Python, NodeJS, Go, Rust, PHP

Digital Signature platforms