Eleven gates. Every push. Real time.
RAMPART evaluates every commit against compliance requirements the moment code lands in your repository. No human triggers. No scheduled scans. PASS or BLOCK — with specific, citable NIST control evidence.
What RAMPART evaluates on every push
| Gate | What it checks | NIST Controls |
|---|---|---|
| Vulnerability | CVEs in packages (SCA) | SI-2, RA-5 |
| IaC Compliance | Terraform, Bicep, K8s, Dockerfile | CM-6, SC-7 |
| SBOM Integrity | Software bill of materials | SA-12, CM-8 |
| Image Digest | Container sha256 pinning | CM-7, SA-22 |
| Secret Detection | Credentials in source code | IA-5, CM-6 |
| Code Quality | SonarQube security rules | SI-10, SA-11 |
| Supply Chain | Checkov + Trivy + OSV-Scanner | SA-12, SR-4 |
| ACAS Findings | Nessus / IAVA compliance | SI-2, RA-5 |
| SLCM Assessment | Software lifecycle compliance | SA-3, CM-3 |
| Privacy Controls | PT family attestation status | PT-2, PT-5 |
| Network Boundary | Diagram currency and scope | SC-7, PL-8 |
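As an added illustration of how one such gate can work (this is not RAMPART's own code), the Image Digest gate below scans Dockerfile `FROM` lines and Kubernetes `image:` fields for references not pinned to a sha256 digest and returns PASS or BLOCK with the controls the table cites for that gate. The sample Dockerfile, manifest and digest value are constructed.

```python
import re

# Added example, not RAMPART code: an Image Digest gate that mirrors the
# PASS/BLOCK-with-control-citation pattern described on the page.
CONTROLS = ["CM-7", "SA-22"]  # controls the page lists for this gate

DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
# FROM [--platform=...] <ref> [AS stage]
DOCKERFILE_FROM = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)", re.I | re.M)
# Build-stage names, so "FROM builder" is not treated as an unpinned image.
STAGE_NAME = re.compile(r"^\s*FROM\s+.*?\s+AS\s+(\S+)", re.I | re.M)
# YAML "image:" fields (Pod, Deployment, etc.), quoted or not.
K8S_IMAGE = re.compile(r"""^\s*-?\s*image:\s*["']?([^"'\s]+)""", re.M)


def evaluate_digest_gate(path, text):
    """Return {'gate', 'status', 'findings'}; BLOCK if any image lacks a digest."""
    stages = {s.lower() for s in STAGE_NAME.findall(text)}
    refs = DOCKERFILE_FROM.findall(text) + K8S_IMAGE.findall(text)
    findings = []
    for ref in refs:
        if ref.lower() in stages or ref.lower() == "scratch":
            continue  # stage alias or the empty base image, nothing to pin
        if not DIGEST_RE.search(ref):
            findings.append({"file": path, "image": ref, "controls": CONTROLS})
    return {"gate": "Image Digest",
            "status": "BLOCK" if findings else "PASS",
            "findings": findings}


# Constructed sample inputs: one unpinned base image, one stage alias,
# one pinned container and one unpinned container.
DOCKERFILE = """\
FROM python:3.12-slim AS builder
RUN pip install --no-cache-dir -r requirements.txt
FROM builder
"""
PINNED = "0123456789abcdef" * 4  # constructed 64-hex digest, not a real image
MANIFEST = f"""\
apiVersion: v1
kind: Pod
spec:
  containers:
    - name: web
      image: docker.io/library/nginx@sha256:{PINNED}
    - name: cache
      image: redis:7
"""

if __name__ == "__main__":
    for path, text in (("Dockerfile", DOCKERFILE), ("pod.yaml", MANIFEST)):
        print(evaluate_digest_gate(path, text))
```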
RAMPART blocks. ADVERSARIUS fixes.
When a gate fails, RAMPART does not create a ticket for a human to read. It publishes the finding to ADVERSARIUS, which analyzes the code, generates a patch, builds it, verifies it across three independent scanner passes, and creates a formal CCB change request. The remediation loop closes without a developer writing a line of code.
Every non-automatable finding enters the CCB.
Findings that cannot be automatically remediated enter the Change Control Board workflow with separation of duties: the ISSO initiates, a second reviewer approves, the change is merged, and the evaluation re-runs to verify closure. Every step is Cosign-signed and anchored to Rekor.
Authorization is not a destination. It is a system property.
REAEGIS is the infrastructure that maintains it — converting every commit, scan, and approval into evidence your Authorizing Official can act on.
