EvidentTrail – Turn GitHub activity into continuous SOC2 audit evidence

by elviro·Feb 25, 2026·2 points·0 comments

AI Analysis


Replaces audit spreadsheet hell with tamper-evident GitHub-sourced evidence packs.

Strengths
  • Detects branch protection drift via hash-based snapshots—catches silent security downgrades auditors would miss.
  • AI-assisted code detection (co-authored-by trailers, bot authors) with human review verification—new audit requirement, no competitor shipping this.
  • SHA-256 manifests mean evidence integrity proven at export time, not just capture—auditor-grade cryptographic evidence chain.
Weaknesses
  • No users yet and no public pricing—unclear if this actually solves auditor pain or just feels right in theory.
  • Solves a real problem but only for teams already using GitHub; won't help GitLab, Gitea, or on-prem shops.
Target Audience

Engineering teams preparing for SOC 2, ISO 27001, or EU AI Act compliance audits

Similar To

Vanta · Drata · Secureframe

Post Description

Built this after watching engineering teams lose weeks before every SOC 2 audit rebuilding the same evidence trail from scratch — screenshots, PR links, spreadsheets — for work that was already documented in GitHub.

EvidentTrail connects via GitHub App and captures PR approvals, branch protection changes, CI results, and AI-assisted commits as structured, tamper-evident evidence mapped to specific controls (SOC 2 CC8.1, ISO 27001 A.8.32, etc.).

A few things that might be interesting to this crowd:

- AI-assisted code detection: we identify co-authored-by trailers, bot authors, and PR labels to flag AI-generated code, then verify a human reviewed it before merge
- Branch protection drift: hash-based snapshots detect when someone quietly reduces required reviewers or removes a required status check
- Evidence packs: SHA-256 manifest + PDF/CSV/JSON export so the evidence is tamper-evident at export time, not just at capture time

First launch, no users yet. Happy to answer questions about the implementation or the compliance angle.
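The "hash-based snapshots" idea from the post, as an added example that is not EvidentTrail's own code: branch protection settings are canonicalised to JSON and hashed with SHA-256, and a later snapshot whose hash differs is diffed field by field so a reviewer sees exactly which control was weakened. The settings dicts are constructed sample data shaped loosely like GitHub's branch protection API response, not a live API call.

```python
# Added example (not EvidentTrail's code): hash-based snapshot drift detection
# for branch protection. Settings are canonicalised to JSON and hashed with
# SHA-256; a later snapshot whose hash differs is diffed field by field so the
# reviewer sees which control was weakened. The dicts below are constructed
# sample data shaped loosely like GitHub's branch protection API response.
import hashlib
import json


def canonical_hash(settings: dict) -> str:
    """Deterministic SHA-256 over sorted-key, whitespace-free JSON."""
    blob = json.dumps(settings, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()


def flatten(value, prefix=""):
    """Flatten nested dicts to dotted-path -> value; lists become sorted tuples."""
    if isinstance(value, dict):
        out = {}
        for k, v in value.items():
            out.update(flatten(v, f"{prefix}{k}."))
        return out
    key = prefix.rstrip(".")
    return {key: tuple(sorted(map(str, value))) if isinstance(value, list) else value}


def detect_drift(baseline: dict, current: dict) -> dict:
    """Return {} when hashes match, else {path: (old, new)} for changed fields."""
    if canonical_hash(baseline) == canonical_hash(current):
        return {}
    old, new = flatten(baseline), flatten(current)
    return {k: (old.get(k), new.get(k))
            for k in sorted(old.keys() | new.keys()) if old.get(k) != new.get(k)}


# Constructed sample: the baseline captured for the audit period ...
BASELINE = {
    "required_pull_request_reviews": {"required_approving_review_count": 2},
    "required_status_checks": {"strict": True, "contexts": ["ci/test", "ci/lint"]},
    "enforce_admins": True,
}
# ... and a later snapshot where reviewers were reduced and a check dropped.
CURRENT = {
    "required_pull_request_reviews": {"required_approving_review_count": 1},
    "required_status_checks": {"strict": True, "contexts": ["ci/test"]},
    "enforce_admins": True,
}

if __name__ == "__main__":
    for path, (old, new) in detect_drift(BASELINE, CURRENT).items():
        print(f"DRIFT {path}: {old!r} -> {new!r}")
```

Storing only the baseline hash alongside the evidence pack is enough to prove that settings were unchanged; the full snapshot is needed only when the hash mismatches and the diff must be explained.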

Similar Projects


Air – Open-source black box for AI agents (tamper-evident audit trails)

Instead of another observability dashboard, this project builds a provable audit trail: an OpenAI-compatible reverse proxy that vaults prompts in MinIO and links calls with an HMAC-SHA256 tamper-evident chain, plus replay tooling (replayctl) and Jaeger traces. The cryptographic audit chain and the one-line SDK wrap are clever and practical; the real operational work left to teams will be key management and storage/retention strategy.
