Pull hardened.
Ship compliant.
Every time.

Every image in the Factory registry ships with a signed SBOM, zero critical CVEs, and pre-mapped controls for HIPAA, SOC 2, PCI, NIST, and FedRAMP — rebuilt weekly so your compliance posture never drifts.

Zero criticals on pull
Every image passes a zero-critical CVE gate before it enters the registry. Rebuilt weekly so it stays that way.
Signed on every build
Cosign signature, CycloneDX SBOM, and digest pinning generated automatically — verifiable before you deploy.
Five frameworks, pre-mapped
HIPAA, SOC 2, PCI, NIST, and FedRAMP controls tied to every image at the layer level. Audit evidence included.
Scan demo (360° container analysis): registry.opencentric.ai/baseline-soc2:latest · layer analysis and scan complete · SBOM generated · 0 critical · 0 high · 8 medium · signed · SBOM attached
Platform overview

Built for the entire software supply chain — end to end.

From first commit to edge delivery, every stage is secured, audited, and mapped to your compliance framework. No gaps, no manual handoffs.

100% end-to-end supply chain coverage
10+ security controls per build
200+ vulnerability pattern types
0 manual release handoffs

Every commit progresses through twelve defined stages, each with enforced security gates. A gate failure halts promotion — no exceptions, no bypasses.

01
Plan & Review

Opens PR, checks ownership, required reviewers, change scope, linked ticket and control evidence.

Branch protection · CODEOWNERS · Approval policy
02
Preflight Scan

Fast checks before build: secrets, dependency manifests, IaC scanning, and repo hygiene.

Secret block · SAST · IaC policy
03
Build & Unit Test

Compiles code, runs unit tests, produces raw build output with reproducibility guarantees.

Test threshold · Build provenance
04
Package & SBOM

Creates container and package artifacts, generates SBOM before publishing to the registry.

SBOM required · License policy
05
Sign & Attest

Signs the artifact digest and attaches SLSA provenance evidence for full supply chain verification.

Signature verification · Provenance check
06
Artifact Store

Stores immutable, versioned artifacts in the registry or package store with retention enforcement.

Retention policy · Immutability · Vulnerability rescan
07
Integration Test

Deploys into an ephemeral test environment and runs contract, API, and end-to-end test suites.

Contract tests · API security checks
08
Policy Approval

Evaluates compliance rules and risk score before any promotion to staging or production.

Admission policy · Risk score gate
09
Progressive Deploy

Canary or blue-green rollout with automated health checks and instant rollback on failure.

Error budget · Smoke tests · Rollback trigger
10
Runtime Guard

Watches live workloads continuously for behavioral drift, suspicious activity, and post-deploy CVEs.

Runtime monitor · Drift detection
11
Edge Delivery

Replicates approved artifacts to fleet devices, IoT endpoints, edge nodes, and customer delivery zones.

Device/fleet policy · Cert validation
12
Evidence Export

Emits the full audit trail including SBOM, signatures, test results, and compliance control mappings.

Audit completeness check
12 pipeline stages
25+ security gates
100% automated — no manual steps
1 tamper-evident audit record

Coverage score reflects feature parity across each supply chain capability area. Higher scores mean deeper integration with compliance frameworks and security controls.

Container & OCI Artifacts
99%
Full coverage

Versioned, signed container image storage with lifecycle management, global distribution, and immutable digest pinning.

Docker / OCI · Helm Charts · Image Signing · Lifecycle Policies
Package Repositories
88%
Full coverage

Secure, proxied package hosting for major ecosystem formats with upstream caching, license audit, and dependency graph analysis.

npm · Maven · PyPI · NuGet · Cargo · Upstream Proxy · License Audit
Vulnerability Scanning
98%
Full coverage

Multi-layer CVE analysis across OS packages, application dependencies, and container layers with continuous NVD sync.

CVE / CVSS · SBOM Generation · Continuous Sweep · Zero-day Alerts
CI/CD Pipeline
99%
Full coverage

Fully automated build, test, scan, sign, and deploy with non-bypassable policy enforcement at every stage gate.

Security Gates · Audit Trail · GitOps Deploy · Instant Rollback
Secrets Detection
99%
Full coverage

200+ token pattern library with push protection that blocks credential leaks before they ever reach version control.

Pre-commit Block · Push Protection · 200+ Patterns · Validity Check
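To make the push-protection gate concrete, here is a minimal pre-commit hook that inspects only the added lines of the staged diff and blocks the commit when a line matches a credential shape. This is an added example, not the product's scanner: the three patterns (AWS access key ID, GitHub classic PAT, PEM private-key header) are assumptions chosen for illustration, and SAMPLE_DIFF is a constructed diff built from documentation placeholder values.

```shell
#!/usr/bin/env bash
# Added example (not code from the page): a pre-commit "push protection" hook.
# It scans added lines of the staged diff for credential shapes and returns
# non-zero on a hit, which makes git abort the commit.
set -eu

# One pattern per line: <label>=<extended regex>. '=' is the separator because
# it occurs in none of the regexes. Assumed patterns, for illustration only.
SECRET_PATTERNS='AWS access key ID=AKIA[0-9A-Z]{16}
GitHub personal access token=ghp_[A-Za-z0-9]{36}
Private key block=-----BEGIN (RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----'

# Constructed unified diff: a key on an added line (the AWS documentation example
# value), a token on a removed line (deleting a leak must not be blocked), and a
# harmless added line.
SAMPLE_DIFF='diff --git a/settings.py b/settings.py
--- a/settings.py
+++ b/settings.py
@@ -1,2 +1,2 @@
-GITHUB_TOKEN = "ghp_000000000000000000000000000000000000"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+REGION = "us-east-1"'

# scan_text: read a unified diff on stdin, inspect only added lines ('+' but not
# the '+++' file header), print "<label>: <line>" per hit, and return 1 if any
# pattern matched or 0 when the diff is clean.
scan_text() {
  added=$(grep -E '^\+' | grep -Ev '^\+\+\+ ' || true)
  total=0
  while IFS='=' read -r label regex; do
    [ -n "$regex" ] || continue
    matches=$(printf '%s\n' "$added" | grep -E -- "$regex" || true)
    if [ -n "$matches" ]; then
      printf '%s\n' "$matches" | sed "s/^+/$label: /"
      n=$(printf '%s\n' "$matches" | grep -c .)
      total=$((total + n))
    fi
  done <<EOF
$SECRET_PATTERNS
EOF
  [ "$total" -eq 0 ]
}

# Hook entry point (install as .git/hooks/pre-commit): scan exactly what is staged.
scan_staged() {
  git diff --cached --unified=0 --no-color | scan_text
}

# Usage: pre-commit --hook   (exit status 1 blocks the commit)
if [ "${1:-}" = "--hook" ]; then
  scan_staged || { echo "commit blocked: possible credential in staged changes" >&2; exit 1; }
fi
```

The hook deliberately ignores removed lines so that a developer can commit the removal of a leaked secret; the "validity check" the page lists (confirming a matched token is live before blocking) is a separate, network-dependent step and is not part of this hook.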
Runtime Protection
96%
Full coverage

Behavioral threat detection across live workloads with sub-second alerting, automatic quarantine, and full forensic capture.

Behavioral Analysis · Zero-day · Auto-quarantine · Forensics
Edge & IoT Delivery
95%
Full coverage

Over-the-air artifact delivery to device fleets with automatic rollback, certificate rotation, and per-device anomaly detection.

OTA Updates · Fleet Rollback · Cert Rotation · Device Anomaly
AI / ML Governance
94%
Full coverage

Versioned model registry with approval gates, full lineage tracking, NIST AI RMF alignment, and artifact security scanning.

Model Lineage · Approval Gates · NIST AI RMF · Audit Evidence
Policy Enforcement
97%
Full coverage

Admission control evaluated at deploy time and continuously mapped to your active compliance frameworks with drift detection.

FedRAMP · ATO · NIST · PCI · Admission Control · Drift Detection
Distribution
85%
Full coverage

Multi-region artifact replication with edge caching, GovCloud support, and geo-routing for reliable, compliant delivery worldwide.

GovCloud Ready · Multi-region · Edge Caching · Geo-routing
Overall platform coverage
Unweighted mean of the ten capability-area scores above (which range from 85% to 99%)
95%

The platform is organized into six discrete layers. Each layer has a defined security and compliance role. Click any layer to expand its capabilities.

Every actor — human or machine — operates under short-lived, scoped credentials. No static keys. Every access event logged and attributable.

Zero static service account keys
Short-lived token exchange at every boundary
Full access audit log with correlation IDs
Cross-platform federation — any team, any environment

All six layers share a single event bus. A finding in Layer 2 (Security) automatically surfaces in Layer 3 (Artifact Management) as a policy violation and is reflected in your compliance evidence record — no manual correlation required.

Coverage across the major vulnerability and weakness classification systems. Every category below is actively scanned at one or more stages of the pipeline — not just at build time.

100%
CWE Top 25
All 25 most dangerous weaknesses addressed
100%
OWASP Top 10
Every web application risk category covered
100%
OWASP API Top 10
Full API security risk coverage
200+
Secret Patterns
Token & credential types detected at push
SLSA 3
Supply Chain
Level 3 attestation; Level 4 on Enterprise
CycloneDX
SBOM Format
SPDX also supported — every build, every image
99%+
CVE Coverage
Continuous sync with NVD and advisory feeds
24 / 7
Monitoring
Always-on — continuous, not periodic
CWE Weakness Category Coverage
Addressed through scanning at build, registry, admission, and runtime stages
CWE Top 25 categories:
Injection flaws (SQL · Command · LDAP · XPath): 100%
Authentication & session (Broken auth · Session fixation): 100%
Sensitive data exposure (Hardcoded secrets · PII · Keys): 98%
Supply chain attacks (Confusion · Typosquatting): 97%
Memory corruption (Buffer overflow · Use-after-free): 95%
Misconfiguration (Open ports · Excessive permissions): 93%

Coverage is verified continuously — not at point-in-time assessment. New CVEs and CWE mappings are ingested within 24 hours of NVD publication and reflected in active scans automatically.

Software Bill of Materials (SBOM)
Generated, signed, and attached to every artifact on every build — no manual steps
CycloneDX 1.5
Primary format — full component graph, vulnerabilities, licenses, services.
SPDX 2.3
Secondary format for tool interoperability and NTIA compliance.
Every build, signed
SBOM generated and cryptographically attested on every pipeline run.
CVE-correlated
Findings automatically linked to known vulnerabilities in the component list.
License audit
All open-source licenses identified and flagged against your policy.
Auditor export
One-click export in JSON, XML, or CSV for auditors and procurement teams.
Full control suite — 68+ frameworks · mapped & continuously verified
Government & Federal
FedRAMP Moderate ✓ Mapped
SI-2 · SA-11 · CA-7 · RA-5
Flaw remediation, monitoring, vulnerability scanning
FedRAMP High ✓ Mapped
SI-3 · SI-7 · AU-12 · IR-4
Software integrity, audit generation, incident response
GovCloud / IL4 ✓ Mapped
AC-2 · CM-3 · SC-28 · AU-9
Identity, config management, encryption at rest, audit
DoD IL5 ✓ Mapped
NIST 800-171 · CUI controls
Controlled unclassified information protection
ATO ✓ Mapped
CA-2 · CA-7 · PL-2 · RA-3
Security assessment, continuous monitoring, risk
CMMC Level 2 ✓ Mapped
AC · IA · SI · CM · AU · IR
110 practices across 14 NIST 800-171 domains
CJIS ✓ Mapped
Policy 5.9 · AC · AU · IA · SC
Criminal justice information security controls
IRS 1075 ✓ Mapped
FTI Safeguards · TCC controls
Federal tax information protection and audit
ITAR / EAR ✓ Mapped
DFARS 252.204-7012 · EAR Part 740
Export control, CUI handling, foreign access
Healthcare
HIPAA Security ✓ Mapped
164.306 · 164.308 · 164.312
Administrative, physical, technical safeguards
HIPAA Privacy ✓ Mapped
164.502 · 164.514 · 164.530
PHI use, minimum necessary, de-identification
HITECH Act ✓ Mapped
§13402 · §13407 · §13410
Breach notification, enforcement, audit
HITRUST CSF r2 ✓ Mapped
09.ab · 09.ac · 01.d · 06.d
Information protection, access, risk management
21 CFR Part 11 ✓ Mapped
§11.10 · §11.50 · §11.70
Electronic records, audit trail, signatures
HL7 FHIR Security ✓ Mapped
SMART · OAuth2 · Audit · TLS
API authentication, audit logging, encryption
NIST 800-66 r2 ✓ Mapped
HIPAA SC mapping · AC · AU
HIPAA Security Rule implementation guide
Financial Services
PCI DSS v4.0 ✓ Mapped
Req 6.3 · 6.4 · 11.3 · 12.3
Vulnerability mgmt, penetration testing, risk
SOX ✓ Mapped
§302 · §404 · §409 · ITGC
Financial reporting, IT general controls, audit
GLBA Safeguards ✓ Mapped
16 CFR Part 314 · FTC Rule
Customer financial data protection program
FFIEC CAT ✓ Mapped
IT Booklet · Cybersecurity CAT
Cybersecurity maturity assessment, audit readiness
NY DFS 23 NYCRR 500 ✓ Mapped
§500.02 · §500.05 · §500.14
Cybersecurity program, pen testing, training
DORA ✓ Mapped
Art. 9 · Art. 11 · Art. 13 · Art. 25
ICT resilience, incident reporting, testing
MAS TRM ✓ Mapped
§12 · §13 · §14
Technology risk, software development, audit
Education & Student Data
FERPA ✓ Mapped
§99.31 · §99.33 · §99.35
Student education record access and disclosure
COPPA ✓ Mapped
16 CFR §312 · Verifiable consent
Children's online privacy, data minimization
SOPPA / IL ✓ Mapped
105 ILCS 85 · Operator duties
Student online personal protection, deletion
Student DPA (SDPC) ✓ Mapped
SDPC framework · State addenda
Data privacy agreements, permitted uses
NY SHIELD Act ✓ Mapped
GBL §899-aa · §899-bb
Reasonable security, breach notification
Data Privacy & Sovereignty
GDPR ✓ Mapped
Art. 25 · Art. 32 · Art. 35 · Art. 44
Privacy by design, security measures, DPIAs, transfers
CCPA / CPRA ✓ Mapped
§1798.100 · §1798.150 · §1798.185
Consumer rights, data sharing, security audits
LGPD (Brazil) ✓ Mapped
Art. 46 · Art. 48 · Art. 49
Data protection, breach notification, security
PIPL (China) ✓ Mapped
Art. 51 · Art. 55 · Art. 63
Personal info protection, cross-border restrictions
ISO 27701 ✓ Mapped
7.2 · 7.3 · 8.2 · 8.4
Privacy information management system
AI & Emerging Frameworks
NIST AI RMF 1.0 ✓ Mapped
GOVERN · MAP · MEASURE · MANAGE
AI risk lifecycle — all four core functions
OWASP LLM Top 10 ✓ Mapped
LLM01–LLM10 · Agents · RAG
Prompt injection, data leakage, insecure tool use, model supply chain
SOC 2 AI ✓ Mapped
A1 · CC9 · PI1 · P8
AI availability, processing integrity, privacy
ISO 42001:2023 ✓ Mapped
§6.1 · §8.1 · §9.1 · §10.1
AI management system, risk treatment
EU AI Act ✓ Mapped
High-risk · GPAI · Transparency
Risk classification, conformity, documentation
Application Security
OWASP ASVS ✓ Mapped
V1–V14 · Level 1–3
Application security requirements validated by control level
OWASP Mobile Top 10 ✓ Mapped
M1–M10 · iOS · Android
Mobile auth, crypto, storage, communication, and supply-chain checks
Threat Models & Detection
MITRE ATT&CK ✓ Mapped
Enterprise · Cloud · Mobile · ICS
Runtime findings mapped to attacker tactics and techniques
MITRE CAPEC ✓ Mapped
Attack patterns · Exploit flows
Attack pattern coverage for injection, auth abuse, privilege escalation
Security Standards
NIST 800-53 r5 ✓ Mapped
SI · SA · RA · CA · AU · AC · IR
Full control families — 20 domains, 1,000+ controls
NIST CSF 2.0 ✓ Mapped
GV · ID · PR · DE · RS · RC
All six framework functions, full tier mapping
ISO 27001:2022 ✓ Mapped
A.5 · A.6 · A.7 · A.8
Information security management system (ISMS); the 2022 Annex A themes are organizational, people, physical, and technological controls
ISO 27017 ✓ Mapped
CLD.6 · CLD.9 · CLD.12
Cloud service security — provider & customer
ISO 27018 ✓ Mapped
PII processors in public cloud
Cloud PII protection, consent, transparency
CIS Controls v8 ✓ Mapped
IG1 · IG2 · IG3 — 18 controls
CIS-aligned scanning, hardening, and asset coverage
CIS Benchmarks ✓ Mapped
K8s · Linux · Cloud · DB · Containers
Misconfigured workloads and images blocked before deploy
CSA CCM ✓ Mapped
Cloud controls · Shared responsibility
Cloud control mapping for shared responsibility and audit exports
SOC 2 Type II ✓ Mapped
CC6 · CC7 · CC8 · CC9
Logical access, change management, risk assessment
STIG Hardening
DISA STIG — App ✓ Mapped
CAT I · CAT II · CAT III findings
Application-level security technical checklist
Windows Server STIG ✓ Mapped
V-220000 series · WN19 checks
OS hardening, audit policy, access control
RHEL / Linux STIG ✓ Mapped
V-230000 series · RHEL 8/9
SELinux, audit daemon, PAM hardening
Ubuntu STIG ✓ Mapped
V-238200 series · UBTU-22
Audit, authentication, file permissions
Container / Docker ✓ Mapped
V-235000 series · CIS Docker
Image hardening, runtime config, registry security
Kubernetes STIG ✓ Mapped
V-245000 series · CIS K8s
RBAC, network policy, admission control, audit
MS SQL STIG ✓ Mapped
V-213900 series · SQL Server 2019
Database audit, encryption, privilege management
Oracle DB STIG ✓ Mapped
V-237000 series · Oracle 19c
Instance hardening, auditing, access controls
PostgreSQL STIG ✓ Mapped
V-233000 series
Authentication, audit logging, connection security
Web Server STIG ✓ Mapped
Apache · IIS · NGINX checklists
TLS config, security headers, access logging
ASD & Australian Controls
ASD Essential Eight ✓ Mapped
Maturity Level 1 · 2 · 3
Application control, patching, MFA, backups
ASD ISM ✓ Mapped
Guidelines 1–10 · 900+ controls
Information security manual — full control suite
ACSC Guidelines ✓ Mapped
Cloud · Email · Network security
Hardening, incident response, secure admin
Transportation & Critical Infrastructure
TSA Cybersecurity ✓ Mapped
SD-02D · SD-01C · Pipeline directives
Pipeline, rail, aviation cybersecurity requirements
NERC CIP ✓ Mapped
CIP-003 · CIP-007 · CIP-010 · CIP-013
Bulk electric system supply chain & security
NIST 800-82 r3 ✓ Mapped
OT / ICS security controls
Industrial control systems, SCADA security
ISA/IEC 62443 ✓ Mapped
SL1–SL4 · Zone & conduit
Operational technology security levels
Every subscription includes

Not just an image. An operating layer.

Security evidence, registry access, and compliance artifacts are generated for every build.

Scan results

Weekly CVE sweep across OS and packages.

SBOM

CycloneDX bill of materials on every build.

Signed digest

Cosign signature — verify before you pull.

Posture score

Live compliance posture with trend history.

Control mapping

HIPAA / SOC 2 / NIST controls mapped per image.

Registry access

OCI pull credentials provisioned on subscribe.

Browse managed runtime packages

Review available image packages, included software, compliance mappings, and rebuild cadence before choosing a plan.

Browse library
Operating workflow

From trusted artifact to governed production

Factory turns every release into a signed, policy-verified artifact with SBOM, provenance, deployment guardrails, and continuous runtime evidence.

1
Configure
Connect systems

Git, registry, cloud, and deployment targets are linked with scoped credentials.

2
Configure
Define policies

Select frameworks, severity thresholds, approval rules, and runtime baselines.

3
Build
Build and test

Compile, test, lint, and package the artifact through automated pipelines.

4
Build
Scan and generate SBOM

Analyze dependencies, containers, IaC, secrets, licenses, and CVEs.

5
Govern
Sign and attest

Attach provenance, signed digest, SBOM, and tamper-evident evidence.

6
Govern
Promote artifact

Move through environments only when required policy gates pass.

7
Deploy
Deploy with controls

Release to Kubernetes, ECS, edge, or VM targets with admission policy enforced.

8
Operate
Monitor continuously

Track runtime behavior, drift, new CVEs, and audit evidence after release.

Verified deployment example (policy: fedramp-moderate)

1. Authenticate
   factory auth login \
     --org northern-health

2. Verify
   factory artifacts verify \
     hipaa/node-api:20 \
     --require-signature \
     --require-sbom

3. Deploy
   image:
     repository: registry.opencentric.dev/hipaa/node-api
     digest: sha256:8f31...
   policy:
     admission: enforced
     provenance: required

Release evidence: SBOM signed · Provenance SLSA · Policy enforced · Runtime monitored
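The verify step in the example above goes through the Factory CLI. The script below, added here as an example and not code from the page or from OpenCentric, performs the equivalent checks with stock cosign: it verifies the image signature, reads the manifest digest the signature actually covers out of cosign's output rather than trusting the tag, requires a CycloneDX SBOM attestation on that same digest, and prints the digest-pinned reference to put in the manifest's digest field. It assumes the images are signed keylessly through Sigstore; SIGNER_IDENTITY and SIGNER_ISSUER are placeholders to replace with the values the registry operator documents, and SAMPLE_VERIFY_JSON is a constructed payload with a made-up digest so the parsing can be exercised offline.

```shell
#!/usr/bin/env bash
# Added example (not code from the page or the Factory CLI): verify a Factory
# image with stock cosign and emit a digest-pinned reference for deployment.
# Assumes keyless Sigstore signing; identity and issuer below are placeholders.
set -eu

SIGNER_IDENTITY="${SIGNER_IDENTITY:-https://github.com/example-org/factory/.github/workflows/release.yml@refs/heads/main}"
SIGNER_ISSUER="${SIGNER_ISSUER:-https://token.actions.githubusercontent.com}"

# Constructed sample of `cosign verify` JSON output (one payload); the digest is
# made up. Used only so the parser below can be run without network access.
SAMPLE_VERIFY_JSON='[{"critical":{"identity":{"docker-reference":"registry.opencentric.ai/baseline-soc2"},"image":{"docker-manifest-digest":"sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"},"type":"cosign container image signature"},"optional":null}]'

# True only for a reference carrying a full sha256 manifest digest. A tag such as
# :latest can be re-pointed by the next weekly rebuild; a digest cannot.
is_pinned_ref() {
  case "$1" in
    *@sha256:*)
      d="${1##*@sha256:}"
      [ "${#d}" -eq 64 ] || return 1
      case "$d" in *[!0-9a-f]*) return 1 ;; esac
      return 0 ;;
    *) return 1 ;;
  esac
}

# Pull the digest the signature covers out of cosign's payload
# (critical.image."docker-manifest-digest"); prints nothing if absent.
digest_from_verify_output() {
  printf '%s' "$1" \
    | grep -o '"docker-manifest-digest":"sha256:[0-9a-f]\{64\}"' \
    | head -n 1 | cut -d'"' -f4
}

# Strip a trailing tag or digest from a reference, leaving the repository path.
# Only the last path component is examined, so a registry port is left alone.
repo_of() {
  r="${1%%@*}"
  case "${r##*/}" in *:*) r="${r%:*}" ;; esac
  printf '%s' "$r"
}

# Verify the signature, require a CycloneDX SBOM attestation on the same digest,
# and print "<repo>@sha256:<digest>" for the deployment manifest.
verify_and_pin() {
  ref="$1"
  out=$(cosign verify \
          --certificate-identity "$SIGNER_IDENTITY" \
          --certificate-oidc-issuer "$SIGNER_ISSUER" \
          "$ref") || { echo "refusing $ref: signature verification failed" >&2; return 1; }
  digest=$(digest_from_verify_output "$out")
  [ -n "$digest" ] || { echo "refusing $ref: no digest in signature payload" >&2; return 1; }
  pinned="$(repo_of "$ref")@$digest"
  cosign verify-attestation --type cyclonedx \
    --certificate-identity "$SIGNER_IDENTITY" \
    --certificate-oidc-issuer "$SIGNER_ISSUER" \
    "$pinned" >/dev/null || { echo "refusing $pinned: no CycloneDX SBOM attestation" >&2; return 1; }
  is_pinned_ref "$pinned" && printf '%s\n' "$pinned"
}

# Usage: ./verify_and_pin.sh registry.opencentric.ai/baseline-soc2:latest
if [ "$#" -gt 0 ]; then verify_and_pin "$1"; fi
```

The point of resolving the digest from the signature payload is that a tag (the scan demo earlier on the page uses :latest) is mutable: after the next rebuild the tag points at a different image than the one verified. The manifest should carry the digest the signature and SBOM were checked against, which is what the digest field in the deployment step above does.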
Customer security workspace

A dedicated dashboard for every customer environment

Each customer receives a private Factory dashboard with scan results, vulnerability trends, SBOM history, posture metrics, and compliance evidence scoped to their subscribed images, teams, and deployment environments.

Northern Health / Production Workspace
18 images · 4 environments · last scan 12 minutes ago
Frameworks: HIPAA · SOC 2 · NIST · FedRAMP

Open vulnerabilities: 11 (-32% over 30 days)
Critical findings: 0 (SLA met)
Images monitored: 18 (4 environments)
Compliance coverage: 96% (142 controls)

Latest artifact scans (prioritized by severity, environment, and policy state; overall status: healthy)
Artifact · Env · Crit · High · SBOM · Status
hipaa/node-api:20 · prod · 0 · 1 · signed · approved
pci/checkout-node:20 · staging · 0 · 2 · signed · review
k8s/hardened-base:1.30 · prod · 0 · 0 · signed · approved

Vulnerability trend: open findings across monitored artifacts (chart, Monday through Friday to now)

SOC 2 CC7.1 (continuous monitoring): mapped
HIPAA 164.312 (audit controls): mapped
NIST SI-2 (flaw remediation): mapped
FedRAMP RA-5 (vulnerability scanning): mapped
Pricing

$100 to $2,500 per month, based on complexity.

Factory packages give teams deployable images for applications and microservices, together with the security evidence and operating controls needed to run them in revenue-generating environments.

Start here
Essential image
$100 / month
$100-$500/mo based on image complexity

A focused image package for a single application, microservice, or controlled deployment path. Priced for teams that need hardened runtime coverage without overbuying.

  • 1 managed image package
  • Registry pull credentials
  • Signed SBOM and provenance history
  • Weekly rebuild notifications
  • Vulnerability scan history
  • Basic compliance mapping
  • Community support
Get started
Most popular
Best for teams deploying services
Production runtime
$500 / month
$500-$1,500/mo based on deployment scope

Managed image coverage for applications and microservices that need repeatable deployment, compliance evidence, and stronger operational guardrails.

  • Multiple image packages by workload
  • Private registry namespace
  • CI/CD pipeline templates (GitHub Actions) for ECS & K8s
  • Vulnerability dashboard with trend history
  • SBOM and archive history
  • SOC 2 / HIPAA / FedRAMP control mapping
  • POA&M report generation
  • Auditor evidence exports
  • Priority email + Slack support
Start Team
Complex + regulated
Advanced program
$1,500 / month
$1,500-$2,500/mo based on program complexity

Higher-complexity Factory support for regulated programs, private builds, hardened deployment paths, and customer-specific runtime requirements.

  • Expanded managed image packages
  • Custom image hardening to your spec
  • Dedicated registry namespace
  • Private builds — never on shared infra
  • GovCloud / FedRAMP alignment
  • POA&M support
  • Customer-specific exceptions and remediation
  • Managed CI/CD pipeline
  • Custom SLAs
  • Dedicated engineering contact
Contact sales
Stripe billing

Subscribe, pay monthly, cancel anytime. Registry credentials provisioned automatically.

No registry to manage

We run the registry. You get pull credentials and stay current on every rebuild.

Compliance built in

Every image ships with SBOM, signature, scan results, and control mappings — audit-ready from day one.

Need to scope a package before pricing?

Start with the image library to compare managed runtimes by workload, compliance framework, included software, and rebuild cadence.

Browse image library
Ready to get started?

Build trusted relationships.
Move from opportunity to delivery.

Publish a Venture Profile or describe what your organization needs. OpenCentric helps connect requirements, providers, agreements, and delivery into one governed workflow.

No credit card required · 5 minute setup · End-to-end delivery support
OpenCentric | Factory