Open-source scanner vs evidence packet
An open-source scanner tells you a dependency has a known issue. An evidence packet keeps that finding next to the human decision you made about it and signs the result, so the record survives the scan and a buyer can read it and check that it is intact.
| | Open-source scanner | Evidence packet |
|---|---|---|
| What it produces | A list of findings, regenerated each run | A signed record of the finding plus the decision |
| The human decision | Outside its scope; lives in a thread or ticket | Recorded with an owner and an expiry, finding kept visible |
| Buyer can independently check | Buyer re-runs their own scan to reproduce the finding | Buyer verifies the signature with the signer's published key, confirming integrity and origin |
| Re-run vs durable record | Re-runs on demand; nothing fixed in place | A durable packet bound to the exact version |
| Scope | Surfaces known issues in dependencies | Preserves the finding and the decision around it |
What open-source scanners do well
Open-source scanners are excellent at the first job: they cross-reference your dependency tree against known-issue databases and surface CVEs fast, on every install and every pull request. They are the cheapest, quickest way to learn that a vulnerable version is in your build, and a good one catches the issue the moment it lands. OpenSoyce starts with a scanner too, because surfacing the finding is the right first step.
Where the scope stops
A scanner's scope ends at the finding. It re-runs and re-flags the same issue each time without recording who looked, what they concluded, or why a known risk was left open on purpose. Because the output is regenerated on demand rather than fixed in place, there is nothing durable to hand a buyer that ties a specific decision to the exact package version that shipped.
What evidence packet adds
OpenSoyce runs the scan, then keeps going past the finding. It records the human risk decision next to the original signal, including an owner and an expiry, without resolving or hiding the underlying issue. It assembles the finding plus the decision into a signed evidence packet and a buyer-readable dossier, and surfaces where sources contradict each other as review signals rather than smoothing them over. A JSON export and signed webhook events carry the same record downstream. A buyer can independently verify the signature, which attests the integrity and origin of the artifact, provided the buyer checks it against a signer key obtained out of band rather than one shipped inside the packet.
When to use which
Use both. Run the scanner for what it does best: catching known issues in your dependencies fast, on every change. Reach for OpenSoyce when you need the finding and the decision around it to outlive the scan as a signed, buyer-checkable record. The scanner is the start; the packet is the durable handoff.
The boundary
OpenSoyce preserves and explains the finding and the decision around it; it does not certify, verify, or approve anything. A valid signature proves that the record is intact and who signed it, not that the finding is resolved or that the decision is still current, and your buyer's policy decides trust.
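To make the two claims above concrete, namely that a packet binds a finding to a decision with an owner and an expiry, and that a signature proves integrity and origin but nothing about whether the finding is resolved, here is an added example in Go. It is illustrative code written for this page, not OpenSoyce's own format or API: the field names, the Ed25519 detached signature over canonical JSON, the sample finding with the placeholder advisory ID, and the expiry policy check are all assumptions chosen to demonstrate the separation between verification and policy.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Finding is the scanner's output, kept verbatim in the packet rather than
// regenerated. Illustrative shape, not OpenSoyce's format.
type Finding struct {
	Package  string `json:"package"`
	Version  string `json:"version"`
	Advisory string `json:"advisory"`
	Severity string `json:"severity"`
}

// Decision is the human risk decision recorded next to the finding. The finding
// stays in the packet whatever the decision says; nothing here resolves it.
type Decision struct {
	Status  string    `json:"status"` // e.g. "accepted_risk" or "fix_planned"
	Owner   string    `json:"owner"`
	Reason  string    `json:"reason"`
	Expires time.Time `json:"expires"`
}

// Packet is the unit that gets signed: one finding plus the decision about it.
type Packet struct {
	Finding  Finding  `json:"finding"`
	Decision Decision `json:"decision"`
}

// SignedPacket carries the exact bytes that were signed, so the buyer checks the
// signature before parsing any field.
type SignedPacket struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

// Sign marshals the packet once and signs those bytes. encoding/json emits
// struct fields in declaration order, so the payload is deterministic.
func Sign(priv ed25519.PrivateKey, p Packet) (SignedPacket, error) {
	payload, err := json.Marshal(p)
	if err != nil {
		return SignedPacket{}, err
	}
	return SignedPacket{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Verify checks the signature against a public key the buyer obtained out of
// band. A key embedded in the packet would prove only that someone signed it.
func Verify(pub ed25519.PublicKey, sp SignedPacket) (Packet, error) {
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, sp.Payload, sp.Signature) {
		return Packet{}, errors.New("signature invalid: payload altered or not from the pinned signer")
	}
	var p Packet
	if err := json.Unmarshal(sp.Payload, &p); err != nil {
		return Packet{}, err
	}
	return p, nil
}

// DecisionInForce is the buyer's policy check, run after Verify and deliberately
// separate from it: a good signature says nothing about whether the decision has lapsed.
func DecisionInForce(p Packet, now time.Time) bool {
	return p.Decision.Owner != "" && now.Before(p.Decision.Expires)
}

// SamplePacket is constructed data for this example (placeholder advisory ID).
func SamplePacket() Packet {
	return Packet{
		Finding: Finding{Package: "example-lib", Version: "1.2.3", Advisory: "EXAMPLE-0001", Severity: "high"},
		Decision: Decision{
			Status:  "accepted_risk",
			Owner:   "appsec@example.test",
			Reason:  "vulnerable code path not reachable from our build",
			Expires: time.Date(2025, 1, 31, 0, 0, 0, 0, time.UTC),
		},
	}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sp, _ := Sign(priv, SamplePacket())
	p, err := Verify(pub, sp)
	fmt.Println("original verifies:", err == nil, "decision:", p.Decision.Status)

	// Flip one byte of the record: integrity check fails.
	tampered := SignedPacket{Payload: append([]byte{}, sp.Payload...), Signature: sp.Signature}
	tampered.Payload[0] ^= 0x01
	_, err = Verify(pub, tampered)
	fmt.Println("tampered verifies:", err == nil)

	// Intact bytes, different signer: origin check fails.
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader)
	_, err = Verify(otherPub, sp)
	fmt.Println("wrong key verifies:", err == nil)

	// Signature still valid, but the decision has expired: policy decides, not the signature.
	fmt.Println("in force on 2025-03-01:", DecisionInForce(p, time.Date(2025, 3, 1, 0, 0, 0, 0, time.UTC)))
}
```

Note what the verified packet still contains: an open, high-severity finding with an accepted-risk decision. Verification only establishes that these bytes are the ones the signer produced; whether an expired or unowned decision is acceptable is the buyer's call in DecisionInForce, or whatever policy replaces it.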