Deliberry is a CI/CD and delivery platform with governance built into the pipeline — not bolted on after. Every release runs an immutable, platform-owned assessment and ships a cryptographically signed, tamper-evident passport. Compliance is proven, continuously — not promised at audit time.
The problem
Shipping code is a solved problem. Proving — continuously, to an auditor's standard — that every release actually met policy is where regulated teams bleed time, money and risk.
Evidence is reassembled by hand each cycle — screenshots, spreadsheets, Slack threads. It's stale the day after it's collected, and proves a moment, not the months in between.
When the pipeline that builds the artifact also declares it compliant, the green check is a claim, not proof — and anyone with pipeline access can quietly weaken the gate.
A thousand findings, no order, no "so what." Teams chase theoretical highs while the one exploited-in-the-wild CVE that actually matters hides in the pile.
Controls sit beside delivery, so they're slow and optional. The fastest route to prod is the one that skips them, and standards lose to deadlines.
Per-repo dashboards can't answer "is the whole portfolio compliant, and is it getting better or worse?" — the exact question leadership and regulators ask.
If a release record can be edited after the fact, it isn't evidence. Without tamper-evidence, provenance is just another document nobody can stand behind.
What Deliberry does
Teams get one paved road to production. Deliberry runs the build, then an immutable assessment pipeline the platform owns renders the verdict — an external pipeline can never self-certify. The result is a hash-chained, signed release passport: a complete, tamper-evident account of what was accepted at release time, and why.
The governed path is the quickest path to production, so teams adopt it because it's easier — not because they're forced to.
The build recipe is yours; the assessment and verdict are the platform's. The governance moat can't leak, and can't be weakened by a lower layer.
Every passport is Ed25519-signed and exported as an in-toto/DSSE attestation — an auditor verifies it offline with the public key alone.
Why teams buy Deliberry
Continuous compliance replaces the point-in-time scramble. You see drift the moment a deployment stops being compliant, and the evidence is exportable in one click.
Controls are re-evaluated live and mapped to your frameworks. Posture, coverage and a governance trajectory across the whole estate — at a glance.
Every release record is hash-chained; the ledger is verified end-to-end. Alter one field after the fact and the chain breaks. One-click, framework-mapped audit packs.
Gate on what's exploited in the wild (CISA KEV, refreshed live) and on the fixable-critical subset — not raw counts. Block the one CVE that matters, not a hundred theoretical highs.
Findings synthesize into one prioritized fix list — per module and across the whole portfolio: "do these N things, here's what each clears, across how many apps."
Layered floor → org → app → env rules, strictest-wins. A lower layer can never loosen a higher one — the safety property is structural, not a review checklist.
Estate-scale by design — bounded queries, pagination, no N+1. Governance that stays fast whether you run ten services or ten thousand.
Capabilities
Ed25519 / in-toto / DSSE attestations with per-org signing keys and key rotation. Publicly verifiable — no account required.
Per-CVE findings with CVSS, KEV exploitability and per-severity fixability — and gates for each.
Committed-secret and infrastructure-as-code misconfiguration detection, on the golden path and the on-ramp alike.
Estate posture, governance coverage, drift, waivers and a climbing trajectory — the whole portfolio in one cockpit.
Bring an existing pipeline: submit evidence, Deliberry renders the verdict. A scoped CLI and service tokens included.
GitLab, SonarQube, Vault, Jira (export remediation as tickets) and Slack (proactive blocked-deploy alerts).
How it works
Your recipe, your toolchain — the one part that's customizable.
The immutable, platform-owned pipeline scans across every governance axis.
Policy-as-code renders PASS · WAIVED · BLOCKED — evidence in, verdict out.
A hash-chained, Ed25519-signed release passport is issued and sealed.
Verify offline, export the audit pack, and see estate posture live.
Anatomy of a passport
Zero-trust provenance
The signed DSSE passport travels with the release — no account and no API call needed.
Published at a public, unauthenticated endpoint; pin it once for fully offline checks.
Standard tooling verifies the Ed25519 signature and the hash chain. Valid ⇒ no field was altered after release.
An auditor trusts the math — not our word, and not our uptime.
Two ways to adopt
The fastest route to prod, governed by construction.
Keep your pipeline; let Deliberry render the verdict.
See it in action
A build hits the immutable assessment, policy renders the verdict, and a signed passport is issued — then verified offline. In two minutes.
Pricing
Every plan includes the immutable assessment pipeline and cryptographically signed provenance. Billed annually.
Get one product onto a governed, provable delivery path.
Continuous, framework-mapped compliance for the whole portfolio.
Self-hosted, audit-ready, and licensed for scale.
Volume, multi-org and on-prem licensing available. Not sure which fits? Book a demo and we'll map it to your estate.
Questions
Scanners tell you what's wrong. Deliberry turns findings across every axis — vulns, KEV, secrets, IaC, SBOM, quality — into a policy verdict, then into a signed, tamper-evident record of that decision, tracked continuously across the whole estate. The scan is one input; governance is the product.
No. The assessment and verdict are owned by the platform, not the pipeline — an external build can never self-certify. Policy is layered floor → org → app → env and strictest-wins, so a lower layer can only tighten, never loosen. The safety property is structural, not a review checklist.
No. Each passport is an Ed25519-signed in-toto / DSSE attestation, verifiable offline with the public key alone — no account, no API, no dependency on our uptime. The hash chain proves nothing was altered after release.
Gating is exploitability-first: known-exploited CVEs (CISA KEV, refreshed live) and the fixable-critical subset count for more than raw totals. Findings collapse into one prioritized fix list — per module and across the portfolio — that says do these N things, here's what each clears, across how many apps.
Yes — the on-ramp lets your pipeline submit evidence and receive the verdict, using a scoped CLI and service tokens. You get the same signed passport without a rip-and-replace, and a path onto the golden path whenever you want it.
Controls map to the frameworks you report against — DORA, PCI-DSS, SOC 2, ISO 27001 — with one-click, framework-mapped audit packs. Integrations include GitLab, SonarQube, Vault, Jira and Slack.
Yes. Enterprise runs self-hosted / on-premises, with per-org signing keys, key rotation and fully offline provenance. It's built for thousands of applications — bounded queries, pagination, no N+1 — so governance stays fast at estate scale.
Book a demo
A 30-minute walkthrough tailored to your stack. We'll show a real blocked deploy, a remediation, and an audit pack you can verify yourself.