Platform Architecture Reference

Canonical architecture and data-flow reference for Scanner, CI Enforcement, Runtime Verification, and evidence retention.

Core Components

Scanner Engine

Analyzes source, dependency, IaC, and container definitions. Produces normalized findings.

Policy Engine

Applies repository/org policy and computes pass/fail outcomes for CI and merge gates.

Runtime Verifier

Compares deployed state with approved baseline and emits drift/integrity signals.

Evidence Store

Retains finding, policy, and verification records for auditability and reporting.

High-Level Data Flow

  1. Code or config change triggers Scanner execution.
  2. Scanner findings are normalized and persisted.
  3. Policy engine evaluates findings against configured thresholds.
  4. CI status and merge-gate decision are published.
  5. Runtime verifier continuously checks deployed state against baseline.
  6. All decisions and events are retained in the evidence layer.

Trust Boundaries

  • Source control and CI systems are external event producers.
  • Policy definitions are customer-controlled inputs.
  • Runtime telemetry is environment-derived and must be authenticated.
  • Evidence retention boundary separates operational telemetry from reporting consumers.

Failure and Degradation Model

  • Scanner unavailability: policy decisions fail closed unless explicit configuration selects deferral.
  • Policy engine unavailable: CI decision cannot be finalized; status marked indeterminate.
  • Runtime feed interruption: verification status degrades to stale and emits operational alert.
  • Evidence write failure: event queued for retry; alert generated if retention SLA is at risk.
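The merge-gate decision (data-flow steps 3 and 4) and the degradation rules above, as an added illustration that is not part of this reference or the platform's own code. All names (Gate, Finding, Policy, evaluate_gate, the "fail_closed"/"defer" setting values) are assumptions; the findings and thresholds are constructed sample input. The example also shows that any unrecognized outage setting falls back to fail-closed rather than silently passing.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable

class Gate(Enum):
    PASS = "pass"
    FAIL = "fail"
    DEFERRED = "deferred"            # scanner down, deferral explicitly configured
    INDETERMINATE = "indeterminate"  # policy engine down, decision cannot be finalized

@dataclass(frozen=True)
class Finding:
    severity: str   # normalized by the scanner: "critical" | "high" | "medium" | "low"
    source: str     # "sast" | "dependency" | "iac" | "container"

@dataclass(frozen=True)
class Policy:
    max_by_severity: dict             # customer-controlled thresholds, e.g. {"critical": 0}
    scanner_outage_mode: str = "fail_closed"   # "defer" only when explicitly configured

def evaluate_gate(findings: Iterable[Finding], policy: Policy,
                  scanner_available: bool = True,
                  policy_engine_available: bool = True):
    """Return (Gate, reason). Reason text is meant for the evidence record (step 6)."""
    if not policy_engine_available:
        return Gate.INDETERMINATE, "policy engine unavailable; decision cannot be finalized"
    if not scanner_available:
        # Only the exact configured value "defer" permits deferral; a missing,
        # misspelled or unknown setting keeps the conservative fail-closed outcome.
        if policy.scanner_outage_mode == "defer":
            return Gate.DEFERRED, "scanner unavailable; deferred by explicit configuration"
        return Gate.FAIL, "scanner unavailable; failing closed"
    counts: dict = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    breaches = [f"{sev}: {counts.get(sev, 0)} > {limit}"
                for sev, limit in policy.max_by_severity.items()
                if counts.get(sev, 0) > limit]
    if breaches:
        return Gate.FAIL, "threshold exceeded: " + "; ".join(breaches)
    return Gate.PASS, "all thresholds met"

if __name__ == "__main__":
    # Constructed sample: one critical dependency finding against a zero-tolerance policy.
    sample = [Finding("critical", "dependency"), Finding("low", "iac")]
    print(evaluate_gate(sample, Policy({"critical": 0, "high": 2})))
    print(evaluate_gate(sample, Policy({"critical": 0}), scanner_available=False))
```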