Attestation type registry
Stable predicateType URIs for every signed event dpndncY emits, each with a versioned JSON Schema. Use this to parse, validate, and store attestations in your own systems.
Types
| predicateType | Subject | Key fields |
|---|---|---|
| https://dpndncy.io/scan/v1 | the scanned project / commit | findings[] (rule, cwe, severity, tier, signals), policyVersion, verdict |
| https://dpndncy.io/firewall/v1 | the package@version | verdict, tier, slaHours, ruleId, signals, mode |
| https://dpndncy.io/agent/runtime-trace/v1 | the CI job | window, mode, events{connect,exec,file,dns}, decisions, traceLogSha256, topEgress[] |
Example — runtime-trace/v1 predicate
{
"builder": { "id": "urn:dpndncy:agent", "version": "0.1.0" },
"mode": "observe",
"window": { "start": "2026-05-26T10:00:00Z", "end": "2026-05-26T10:14:32Z" },
"events": { "connect": 412, "exec": 58, "file": 4, "dns": 23 },
"decisions": { "allow": 489, "warn": 8, "review": 0, "block": 0 },
"traceLog": { "sha256": "a1b2c3…", "size": 384921, "format": "ndjson" },
"topEgress": [ { "host": "registry.npmjs.org:443", "count": 37 } ]
}
Versioning policy
Minor changes are additive (new optional fields) under the same v1 URI. A breaking change gets a new major URI (/v2). The verifier accepts any v1 minor, so consumers don’t break on additive updates.
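A consumer-side check that follows the table and the versioning policy above, as an added example (not dpndncY's own code or its published JSON Schemas): it matches predicateType exactly, ignores unknown optional fields, and compares traceLog against the stored log. It assumes the envelope signature has already been verified; check_statement, the required-key sets, and the sample data are constructed for illustration.

```python
import hashlib

# URIs are from the registry table; the required keys are an assumption taken from
# its "Key fields" column and the example predicate, not from the published schemas.
REQUIRED = {
    "https://dpndncy.io/scan/v1": {"findings", "policyVersion", "verdict"},
    "https://dpndncy.io/firewall/v1": {"verdict", "tier", "slaHours", "ruleId", "signals", "mode"},
    "https://dpndncy.io/agent/runtime-trace/v1":
        {"mode", "window", "events", "decisions", "traceLog"},
}
EVENT_KINDS = ("connect", "exec", "file", "dns")

def check_statement(statement, trace_log=None):
    """Return a list of problems; an empty list means the predicate is acceptable."""
    ptype, pred = statement.get("predicateType"), statement.get("predicate")
    if ptype not in REQUIRED:  # exact match: a /v2 URI must never be parsed as v1
        return [f"unsupported predicateType: {ptype!r}"]
    if not isinstance(pred, dict):
        return ["predicate is not an object"]
    # Extra keys are ignored on purpose: v1 minors only add optional fields.
    problems = [f"missing field: {k}" for k in sorted(REQUIRED[ptype] - set(pred))]
    if problems or not ptype.endswith("/agent/runtime-trace/v1"):
        return problems
    events = pred["events"] if isinstance(pred["events"], dict) else {}
    problems += [f"events.{k} is not a non-negative integer" for k in EVENT_KINDS
                 if type(events.get(k)) is not int or events[k] < 0]
    log = pred["traceLog"] if isinstance(pred["traceLog"], dict) else {}
    if trace_log is not None:  # bind the attestation to the log bytes you stored
        actual = {"sha256": hashlib.sha256(trace_log).hexdigest(), "size": len(trace_log)}
        problems += [f"traceLog.{k} does not match the stored log"
                     for k, v in actual.items() if log.get(k) != v]
    return problems

# Constructed sample: one ndjson line (line format is hypothetical) and its predicate.
SAMPLE_LOG = b'{"type":"connect","host":"registry.npmjs.org:443"}\n'
SAMPLE = {
    "predicateType": "https://dpndncy.io/agent/runtime-trace/v1",
    "predicate": {
        "mode": "observe",
        "window": {"start": "2026-05-26T10:00:00Z", "end": "2026-05-26T10:14:32Z"},
        "events": {"connect": 1, "exec": 0, "file": 0, "dns": 0},
        "decisions": {"allow": 1, "warn": 0, "review": 0, "block": 0},
        "traceLog": {"sha256": hashlib.sha256(SAMPLE_LOG).hexdigest(),
                     "size": len(SAMPLE_LOG), "format": "ndjson"},
        "futureOptionalField": True,  # constructed: stands in for an additive v1 minor
    },
}
```

Calling check_statement(SAMPLE, SAMPLE_LOG) returns an empty list; store the attestation only in that case, and treat any other result as a reason to quarantine it for review.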