Status: Active Development

Assessors Studio is currently under active development and is not yet ready for production use.
Assessors Studio is a purpose-built platform for operationalizing CycloneDX Attestations (CDXA). It enables organizations to perform structured assessments, gather verifiable evidence, assert claims, and issue machine-readable attestations using CycloneDX, an internationally recognized standard for software and system transparency.
Built for modern assurance workflows, Assessors Studio transforms compliance from static documentation into structured, automatable, and exchangeable artifacts.
CycloneDX Attestations extend traditional SBOMs into formalized claims and verifiable statements. Instead of PDFs, spreadsheets, or point-in-time audit reports, attestations are machine-readable, traceable to supporting evidence, designed for automated validation, and exchangeable across organizational boundaries.
CDXA supports both electronic signatures (recorded approvals, suited to internal workflows) and cryptographic digital signatures (independently verifiable by third parties), so an attestation can serve operational, contractual, and, where required, legally binding purposes.
The model structures assurance around requirements (what must be satisfied), claims (assertions of conformance against a requirement), evidence (artifacts that support or contradict those claims), and attestations (statements, affirmed and signed by the attesting party, that map requirements to the claims satisfying them).
Conduct repeatable assessments aligned to defined requirements, with workflow support for contributors, reviewers, and approvers. Role-based access control ensures that administrators, assessors, assessees, standards managers, and standards approvers each have appropriate visibility and authority throughout the process.
Attach documentation, scan results, test artifacts, third party reports, and other supporting materials directly to claims while preserving provenance and traceability.
Express conformance statements in a standardized format that downstream systems can parse, validate, and automate against. Claims can reference both supporting evidence and counter-evidence, with mitigation strategies recorded where applicable.
Generate CycloneDX attestation documents that can be consumed by governance, risk, compliance, procurement, and security automation platforms.
Support for both electronic and cryptographic digital signatures enables flexible deployment models, from internal approvals to externally verifiable, legally binding B2B or B2G attestations.
Import and manage machine readable standards from the growing CycloneDX standards ecosystem. Map internal controls to recognized frameworks, reuse requirement definitions across assessments, and generate attestations aligned to multiple standards simultaneously.
A widget based dashboard provides at a glance visibility into assessment activity, compliance posture, and organizational progress. Users can arrange, resize, and configure widgets to match their workflow.
The interface ships with seven language translations (English, French, German, Spanish, Chinese, Japanese, and Russian) and supports dark and light themes.
Cyber Resilience Act (CRA) readiness, NIST SSDF alignment, PCI DSS assessments, and internal secure development policy verification.
Supplier security posture validation, third party risk documentation, contractual security claim exchange, and automated intake and validation of vendor attestations.
Secure design confirmation, threat modeling verification, code review attestation, and release readiness approval.
Customer facing trust statements, standardized security posture disclosures, and machine readable product assurance artifacts.
Structured evidence of control maturity, automated compliance dashboards, and audit ready artifact generation.
Because attestations are structured data artifacts rather than static documents, they can be validated automatically, electronically or digitally signed, verified independently, integrated into CI/CD pipelines, and exchanged through transparency and assurance ecosystems such as the Transparency Exchange API.
Assessors Studio enables a shift from narrative compliance to computational, machine-verifiable trust.
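The data model and the checks described above, as an added example that is not part of Assessors Studio or the CycloneDX project: a minimal CycloneDX 1.6 `declarations` document linking a requirement to a claim, its supporting evidence and counter-evidence, plus the two checks a consumer would run before trusting it, referential integrity of every `bom-ref` and an independently verifiable signature over the affirmation. Field names follow the CycloneDX 1.6 JSON schema; the identifiers, sample text, and the signing scheme (Ed25519 over sorted-key JSON, a simplification standing in for the spec's JSON Signature Format) are assumptions made for illustration.

```typescript
// Added example, not Assessors Studio code: a minimal CycloneDX 1.6 "declarations"
// document linking requirement -> claim -> evidence, a referential-integrity check
// over those bom-refs, and an Ed25519 signature over the affirmation. Identifiers,
// sample text and the simplified signing scheme are constructed for illustration.
import { generateKeyPairSync, sign, verify, KeyObject } from "node:crypto";

interface Requirement { "bom-ref": string; identifier: string; title: string }
interface Evidence { "bom-ref": string; description: string }
interface Claim {
  "bom-ref": string;
  target: string;                 // bom-ref of the assessed organization
  predicate: string;
  evidence: string[];             // bom-refs that support the claim
  counterEvidence: string[];      // bom-refs that contradict or weaken it
  mitigationStrategies: string[]; // how the counter-evidence is addressed
}
interface AttestationMap { requirement: string; claims: string[]; conformance: { score: number; rationale: string } }
interface Signatory { name: string; role: string; signature?: string }
interface Bom {
  bomFormat: "CycloneDX"; specVersion: "1.6";
  definitions: { standards: { "bom-ref": string; name: string; requirements: Requirement[] }[] };
  declarations: {
    targets: { organizations: { "bom-ref": string; name: string }[] };
    attestations: { summary: string; map: AttestationMap[] }[];
    claims: Claim[];
    evidence: Evidence[];
    affirmation: { statement: string; signatories: Signatory[] };
  };
}

// Constructed sample: one requirement, one claim backed by a scan report and
// weakened by one piece of counter-evidence with a stated mitigation.
function buildSampleBom(): Bom {
  return {
    bomFormat: "CycloneDX", specVersion: "1.6",
    definitions: { standards: [{ "bom-ref": "std-example", name: "Example Secure SDLC Standard",
      requirements: [{ "bom-ref": "req-1", identifier: "SDLC-1", title: "Release artifacts are scanned before publication" }] }] },
    declarations: {
      targets: { organizations: [{ "bom-ref": "org-acme", name: "Acme Example Ltd" }] },
      evidence: [
        { "bom-ref": "ev-scan", description: "SCA report for release 2.4.0: no critical findings" },
        { "bom-ref": "ev-gap", description: "Pipeline log: scan step skipped for hotfix 2.4.1" },
      ],
      claims: [{ "bom-ref": "claim-1", target: "org-acme", predicate: "All release artifacts are scanned before publication",
        evidence: ["ev-scan"], counterEvidence: ["ev-gap"],
        mitigationStrategies: ["Hotfix pipeline now fails closed when no scan result is present"] }],
      attestations: [{ summary: "Self-assessment against SDLC-1",
        map: [{ requirement: "req-1", claims: ["claim-1"], conformance: { score: 0.8, rationale: "One gap, mitigated" } }] }],
      affirmation: { statement: "I affirm that the claims above are accurate.",
        signatories: [{ name: "J. Doe", role: "Head of Product Security" }] },
    },
  };
}

// Every reference must resolve to a declared bom-ref; a claim that points at
// evidence which does not exist is worthless to a downstream consumer.
function findDanglingRefs(bom: Bom): string[] {
  const d = bom.declarations;
  const known = new Set<string>();
  for (const s of bom.definitions.standards) for (const r of s.requirements) known.add(r["bom-ref"]);
  for (const x of [...d.targets.organizations, ...d.claims, ...d.evidence]) known.add(x["bom-ref"]);
  const dangling: string[] = [];
  const check = (from: string, ref: string) => { if (!known.has(ref)) dangling.push(`${from} -> ${ref}`); };
  for (const c of d.claims) for (const r of [c.target, ...c.evidence, ...c.counterEvidence]) check(c["bom-ref"], r);
  for (const a of d.attestations) for (const m of a.map) for (const r of [m.requirement, ...m.claims]) check(m.requirement, r);
  return dangling;
}

// Sorted-key serialization so signer and verifier hash identical bytes.
function canonicalize(v: unknown): string {
  if (Array.isArray(v)) return "[" + v.map(canonicalize).join(",") + "]";
  if (v !== null && typeof v === "object") {
    const o = v as Record<string, unknown>;
    return "{" + Object.keys(o).sort().map(k => JSON.stringify(k) + ":" + canonicalize(o[k])).join(",") + "}";
  }
  return JSON.stringify(v);
}

// The signed bytes cover the whole document minus existing signature values,
// so any later edit to a claim or evidence entry invalidates the signature.
function signedPayload(bom: Bom): Buffer {
  const aff = bom.declarations.affirmation;
  const signatories = aff.signatories.map(({ signature: _omit, ...rest }) => rest);
  return Buffer.from(canonicalize({ ...bom, declarations: { ...bom.declarations, affirmation: { ...aff, signatories } } }));
}

function signAffirmation(bom: Bom, idx: number, privateKey: KeyObject): Bom {
  const value = sign(null, signedPayload(bom), privateKey).toString("base64");
  const aff = bom.declarations.affirmation;
  const signatories = aff.signatories.map((s, i) => (i === idx ? { ...s, signature: value } : s));
  return { ...bom, declarations: { ...bom.declarations, affirmation: { ...aff, signatories } } };
}

function verifyAffirmation(bom: Bom, idx: number, publicKey: KeyObject): boolean {
  const value = bom.declarations.affirmation.signatories[idx]?.signature;
  return value !== undefined && verify(null, signedPayload(bom), publicKey, Buffer.from(value, "base64"));
}

// Stand-alone run: build, check references, sign, verify. Returns true on success.
function demo(): boolean {
  const { publicKey, privateKey } = generateKeyPairSync("ed25519");
  const signed = signAffirmation(buildSampleBom(), 0, privateKey);
  return findDanglingRefs(signed).length === 0 && verifyAffirmation(signed, 0, publicKey);
}
console.log("attestation well-formed and verified:", demo());
```

The integrity check runs before the signature is made or verified because a signature only proves that the signer approved these bytes; it says nothing about whether the claims inside point at real evidence. Keeping counter-evidence in the signed payload matters for the same reason: a consumer can see the gap and the mitigation the assessor recorded, and the assessor cannot later remove it without breaking the signature.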
Product Security teams, Governance Risk and Compliance (GRC) leaders, Open Source Program Offices (OSPOs), procurement and vendor risk teams, and independent assessors and auditors.
Assessors Studio is a full stack web application with a Vue 3 frontend and a Node.js/Express backend. The backend uses Kysely as its query builder and supports both an embedded PGlite database for local development and PostgreSQL for production deployments. The frontend uses Element Plus as its component library with a custom design token system for theming. Both halves are written in TypeScript.
Node.js 24 or later is required.
Install dependencies and create the backend environment file:

```bash
npm run install:all
cp backend/.env.example backend/.env
```

Review and update the environment configuration as needed.

Start the backend:

```bash
npm run dev:backend
```

The embedded PGlite database is created and migrated automatically on first start.
To start both the backend and frontend simultaneously:
```bash
npm run dev
```

The frontend dev server proxies API requests to the backend, so both must be running for the application to function.

To build, run the test suite, and type-check:

```bash
npm run build
npm test
npm run typecheck
```

Contributions are welcome. Please open an issue to discuss proposed changes before submitting a pull request.
Apache 2.0. See the LICENSE file for details.