Proprietary Framework · Code Trust Assurance

NS-CTAF v1.0

The Nucleus Systems Code Trust Assurance Framework — a comprehensive technical trust and software supply chain security framework that turns point-in-time security scans into continuous, cryptographically verifiable trust assurance. The only code security framework that requires evidence of security posture, not self-reported status.

86 Trust Controls · 6 Trust Domains · 430 Maturity Interpretations · CTA-4 Highest Certification · 30+ Frameworks Aligned

Controls: 86 Code Trust Controls across 6 Trust Domains
Certification: CTA-1 Entry → CTA-4 Advanced Trust Assurance Certification
Coverage: SBOM · Secrets Management · SCA · SAST · Dependency Governance
AI Code: 430 Maturity Interpretations · AI-Generated Code Audit
Aligned: NIST SSDF · SLSA · OpenSSF · CycloneDX · SPDX · OWASP
Supply Chain: Software Supply Chain Risk · Third-Party Open-Source Governance
Platform: Paxley · GitHub-Native Continuous NS-CTAF Enforcement
Beyond Point-in-Time Scanning

Most code security programmes depend on one-time scans, annual penetration tests, and self-reported attestations. These create false confidence — a system that passed a scan 90 days ago may have been compromised, updated with vulnerable dependencies, or modified by an unauthorised change since. Point-in-time security tells you where you were, not where you are.

NS-CTAF reframes code security as a continuous trust problem. The framework's 86 controls, structured across 6 trust domains, are designed to produce cryptographically verifiable trust evidence — SBOM attestations, provenance records, pipeline integrity proofs, and signed scan artefacts — that continuously demonstrate that a software system is built correctly, by authorised processes, from verified components.

Delivery is through the Paxley Code Security Platform, which provides the scanning infrastructure underlying the framework: SAST across 15+ languages, SCA, CycloneDX and SPDX SBOM generation, IaC security analysis, container scanning, and secrets detection across 200+ secret patterns. Together, NS-CTAF and Paxley replace a stack of disconnected point-in-time tools with a unified, continuously operating trust assurance system.

The Problem
Point-in-time scanning creates security theatre
Annual pen tests, one-time SAST runs, and self-attested compliance leave organisations unable to answer the question that regulators and customers now ask: "Is your software trusted right now, and can you prove it?"
The Differentiator
Cryptographic evidence — not attestations
NS-CTAF is the only code security framework that requires cryptographic evidence of security posture. Signed SBOMs, in-toto provenance records, Sigstore transparency log entries, and pipeline artefact signatures create a tamper-evident audit trail: each record can be checked by anyone holding the public key or trust root, and any alteration after signing is detectable.
The Alignment
Built for SLSA, EU CRA, and EO 14028
NS-CTAF controls map to NIST SSDF SP 800-218, SLSA L1–L4, in-toto, Sigstore, OWASP SAMM, BSIMM, ISO/IEC 27001, EU Cyber Resilience Act, US Executive Order 14028, NIS2, DORA, and PCI DSS v4 software security requirements.
Framework Architecture

6 Trust Domains & Coverage

86 controls across 6 trust domains covering the full software trust lifecycle. Domain weighting reflects the typical risk distribution in modern software supply chains — Secure Development and Supply Chain together represent over 40% of the control surface.

D1 — Identity · 18% · 16 controls
Developer, System, and Pipeline Identity
Cryptographic identity for developers, CI/CD systems, and build pipelines. Sigstore keyless signing, OIDC-bound pipeline identities, SSH/GPG commit signing policy, bot and service account identity governance, and access token scope minimisation.

D2 — Integrity · 18% · 16 controls
Build, Artefact, and Deployment Integrity
Hermetic build integrity, artefact signing and verification, SLSA provenance generation, in-toto supply chain metadata, container image signing (Cosign), deployment integrity gates, and Sigstore transparency log verification.

D3 — Secure Development · 22% · 19 controls
SAST, SCA, IaC, Secrets, and Container Security
SAST integration across 15+ languages (CI/CD gating), SCA with exploitability scoring, IaC security analysis (Terraform, Helm, Kubernetes manifests), container and base image vulnerability scanning, secrets detection across 200+ patterns, and IDE developer security feedback loops.

D4 — Supply Chain · 20% · 17 controls
SBOM, Dependency Governance, and Third-Party Risk
Automated CycloneDX and SPDX SBOM generation, SBOM integrity signing and verification, dependency risk scoring and approval workflows, VEX (Vulnerability Exploitability eXchange) statements, open source licence compliance, and third-party component provenance tracking.

D5 — Runtime · 14% · 12 controls
Runtime Integrity, Vulnerability Response, and Monitoring
Runtime software composition monitoring, deployed SBOM drift detection, CVE patch SLA enforcement, emergency patch escalation procedures, runtime container security policy (Falco/AppArmor), and production integrity alerting.

D6 — Governance · 8% · 6 controls
Policy, Metrics, and Regulatory Evidence
Software security policy lifecycle management, trust posture metrics and KPIs, regulatory evidence packaging for EU CRA, EO 14028, NIS2, DORA, and PCI DSS v4 audits, and executive trust reporting aligned to NS-CMMF oversight obligations.

CTA Certification Levels

Four progressive trust certification tiers — each building on the one below, each representing a verifiable and auditable statement about an organisation's software trust posture.

CTA-1

Transparent

Foundational visibility. SBOM generation active, dependencies inventoried, SAST and secrets scanning integrated into CI/CD pipelines. The organisation knows what its software is built from and has automated detection of common vulnerabilities. Prerequisite for all subsequent tiers.

CTA-2

Verified

Evidence-backed controls. Build integrity verified via signed artefacts, SBOMs attested with cryptographic signatures, pipeline identity established via OIDC, and exploitable vulnerabilities subject to SLA-governed remediation. Scanning gates block vulnerable releases from reaching production.
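The "build integrity verified via signed artefacts" and "deployment integrity gates" requirements above (CTA-2 and domain D2) come down to one check at deploy time: open the DSSE envelope around the in-toto/SLSA provenance statement, confirm the signature covers the envelope's pre-authentication encoding (PAE) rather than the raw payload, confirm the attested subject digest equals the digest of the artefact about to ship, and apply policy to the builder and source. The following is an added example written for this page, not NS-CTAF or Paxley code. DSSE is signature-scheme agnostic, so for a stand-alone run it signs the PAE with HMAC-SHA256 under a constructed key; a real pipeline verifies an ECDSA signature issued through Sigstore (for example with `cosign verify-attestation`). The builder ID, repository URI, and artefact bytes are placeholders.

```python
"""Deployment integrity gate over a DSSE-wrapped in-toto/SLSA provenance statement.
Added example for this page; not NS-CTAF or Paxley code."""
import base64
import hashlib
import hmac
import json

PAYLOAD_TYPE = "application/vnd.in-toto+json"
STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
SLSA_PREDICATE = "https://slsa.dev/provenance/v1"

# Constructed demo key. DSSE is signature-scheme agnostic; HMAC-SHA256 stands in
# here for the ECDSA key a real pipeline would obtain via Sigstore keyless signing.
DEMO_KEY = b"constructed-demo-build-signing-key"


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the bytes that are actually signed."""
    return b" ".join([b"DSSEv1",
                      str(len(payload_type)).encode(), payload_type.encode(),
                      str(len(payload)).encode(), payload])


def make_statement(artefact: bytes, builder_id: str, source_uri: str) -> dict:
    """Minimal in-toto v1 statement carrying a SLSA v1 provenance predicate."""
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": "app.tar.gz",
                     "digest": {"sha256": hashlib.sha256(artefact).hexdigest()}}],
        "predicateType": SLSA_PREDICATE,
        "predicate": {
            "buildDefinition": {"externalParameters": {"source": {"uri": source_uri}}},
            "runDetails": {"builder": {"id": builder_id}},
        },
    }


def sign_envelope(statement: dict, key: bytes = DEMO_KEY, over_pae: bool = True) -> dict:
    """Wrap a statement in a DSSE envelope. over_pae=False reproduces the classic
    mistake of signing the raw payload instead of its PAE."""
    payload = json.dumps(statement, separators=(",", ":")).encode()
    signed_bytes = pae(PAYLOAD_TYPE, payload) if over_pae else payload
    sig = hmac.new(key, signed_bytes, hashlib.sha256).digest()
    return {"payloadType": PAYLOAD_TYPE,
            "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": "demo", "sig": base64.b64encode(sig).decode()}]}


def verify_gate(envelope: dict, artefact: bytes, policy: dict, key: bytes = DEMO_KEY):
    """Return (allowed, reason). Every check fails closed."""
    if envelope.get("payloadType") != PAYLOAD_TYPE:
        return False, "unexpected payloadType"
    payload = base64.b64decode(envelope.get("payload", ""))
    expected = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    if not any(hmac.compare_digest(base64.b64decode(s.get("sig", "")), expected)
               for s in envelope.get("signatures", [])):
        return False, "no valid signature over the DSSE PAE"
    stmt = json.loads(payload)
    if stmt.get("_type") != STATEMENT_TYPE or stmt.get("predicateType") != SLSA_PREDICATE:
        return False, "not a SLSA v1 provenance statement"
    digest = hashlib.sha256(artefact).hexdigest()
    if not any(s.get("digest", {}).get("sha256") == digest for s in stmt.get("subject", [])):
        return False, "artefact digest is not among the attested subjects"
    try:
        builder = stmt["predicate"]["runDetails"]["builder"]["id"]
        source = stmt["predicate"]["buildDefinition"]["externalParameters"]["source"]["uri"]
    except (KeyError, TypeError):
        return False, "provenance missing builder or source"
    if builder not in policy["trusted_builders"]:
        return False, "untrusted builder: " + builder
    if source != policy["expected_source"]:
        return False, "unexpected source: " + source
    return True, "ok"


# Assumed policy values; the builder ID and repository URI are placeholders.
POLICY = {"trusted_builders": ["https://ci.example.invalid/builders/release"],
          "expected_source": "git+https://github.com/example/app@refs/heads/main"}
ARTEFACT = b"constructed release tarball bytes"


def demo() -> dict:
    """Exercise the gate against a good envelope and three failure modes."""
    good = sign_envelope(make_statement(ARTEFACT, POLICY["trusted_builders"][0],
                                        POLICY["expected_source"]))
    rogue = sign_envelope(make_statement(ARTEFACT, "https://laptop.example.invalid",
                                         POLICY["expected_source"]))
    raw_sig = sign_envelope(make_statement(ARTEFACT, POLICY["trusted_builders"][0],
                                           POLICY["expected_source"]), over_pae=False)
    return {"good": verify_gate(good, ARTEFACT, POLICY),
            "tampered_artefact": verify_gate(good, ARTEFACT + b"\x00", POLICY),
            "untrusted_builder": verify_gate(rogue, ARTEFACT, POLICY),
            "signature_not_over_pae": verify_gate(raw_sig, ARTEFACT, POLICY)}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name}: {'ALLOW' if ok else 'BLOCK'} ({why})")
```

The ordering matters: signature first, then the subject digest, then policy. Checking the builder before the signature would let an attacker steer the gate's decision with unsigned JSON, and accepting a signature over the raw payload (the `signature_not_over_pae` case) would let a payload of one type be replayed as another.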

CTA-3

Assured

Supply chain trust at scale. Full SLSA L3 provenance, in-toto supply chain metadata, Sigstore transparency log verification for all release artefacts, third-party dependency provenance documented, and VEX statements issued for all critical CVEs. Suitable for regulated-sector and public-sector supplier qualification.
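The CTA-2 requirement that "exploitable vulnerabilities [be] subject to SLA-governed remediation" and the CTA-3 / domain D4 requirement for VEX statements combine into a release gate that decides per (vulnerability, shipped component) pair rather than per scan report. What follows is an added example written for this page, not Paxley or NS-CTAF code. It reads a CycloneDX SBOM, a set of SCA findings in CycloneDX `vulnerabilities` form, and a CycloneDX VEX document, and blocks the release only when a finding at or above the gate severity has no VEX analysis state that clears it. A `not_affected` statement without a `justification` is deliberately not honoured. All three documents are constructed inline; the CVE IDs and packages are placeholders.

```python
"""Release gate combining SCA findings with CycloneDX VEX analysis statements.
Added example for this page; not NS-CTAF or Paxley code."""

# CycloneDX severity vocabulary. 'unknown' ranks with 'medium' so an unrated
# finding cannot slip under a 'high' gate by accident.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "unknown": 2,
                 "low": 1, "info": 0, "none": 0}
# CycloneDX vulnerability.analysis.state values that clear a finding for release.
CLEARED_STATES = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}


def shipped_components(sbom: dict) -> dict:
    """Map bom-ref -> component for everything the SBOM says is shipped."""
    return {c["bom-ref"]: c for c in sbom.get("components", []) if "bom-ref" in c}


def max_severity(vuln: dict) -> str:
    """Highest severity across a finding's ratings (scanners often emit several)."""
    sevs = [r.get("severity", "unknown").lower() for r in vuln.get("ratings") or []]
    return max(sevs, key=lambda s: SEVERITY_RANK.get(s, 2), default="unknown")


def vex_state(vex: dict, vuln_id: str, ref: str) -> str:
    """Analysis state the VEX document asserts for (vuln, component).
    A missing statement, or not_affected without a justification, is treated
    as in_triage so the gate fails closed."""
    for v in vex.get("vulnerabilities", []):
        if v.get("id") != vuln_id:
            continue
        if not any(a.get("ref") == ref for a in v.get("affects", [])):
            continue
        analysis = v.get("analysis") or {}
        state = analysis.get("state", "in_triage")
        if state == "not_affected" and not analysis.get("justification"):
            return "in_triage"
        return state
    return "in_triage"


def evaluate_gate(sbom: dict, findings: dict, vex: dict, gate_min: str = "high") -> dict:
    """Block the release if any shipped component carries a finding at or above
    gate_min whose VEX state does not clear it."""
    comps = shipped_components(sbom)
    blocking, cleared = [], []
    for f in findings.get("vulnerabilities", []):
        sev = max_severity(f)
        if SEVERITY_RANK.get(sev, 2) < SEVERITY_RANK[gate_min]:
            continue
        for a in f.get("affects", []):
            ref = a.get("ref")
            if ref not in comps:          # finding is about something we do not ship
                continue
            state = vex_state(vex, f["id"], ref)
            entry = {"id": f["id"], "severity": sev,
                     "component": comps[ref].get("purl", ref), "state": state}
            (cleared if state in CLEARED_STATES else blocking).append(entry)
    return {"allow": not blocking, "blocking": blocking, "cleared": cleared}


# Constructed inputs. CVE IDs and packages are placeholders, not real advisories.
SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"bom-ref": "libfoo", "type": "library", "purl": "pkg:maven/org.example/libfoo@1.2.3"},
    {"bom-ref": "lodash", "type": "library", "purl": "pkg:npm/lodash@4.17.15"}]}
FINDINGS = {"vulnerabilities": [
    {"id": "CVE-0000-1001", "ratings": [{"severity": "critical"}], "affects": [{"ref": "libfoo"}]},
    {"id": "CVE-0000-1002", "ratings": [{"severity": "high"}], "affects": [{"ref": "lodash"}]},
    {"id": "CVE-0000-1003", "ratings": [{"severity": "medium"}], "affects": [{"ref": "libfoo"}]},
    {"id": "CVE-0000-1004", "ratings": [{"severity": "critical"}], "affects": [{"ref": "orphan"}]}]}
VEX = {"bomFormat": "CycloneDX", "specVersion": "1.5", "vulnerabilities": [
    {"id": "CVE-0000-1001", "affects": [{"ref": "libfoo"}],
     "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
    # Second statement has no justification, so it must NOT act as a waiver.
    {"id": "CVE-0000-1002", "affects": [{"ref": "lodash"}],
     "analysis": {"state": "not_affected"}}]}


def demo() -> dict:
    """Run the gate on the constructed documents: expected outcome is BLOCK,
    with CVE-0000-1001 cleared and CVE-0000-1002 still blocking."""
    return evaluate_gate(SBOM, FINDINGS, VEX)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Two details carry most of the value. The medium finding and the finding against a component not in the SBOM never reach the decision, which is what "exploitability scoring" buys you in practice: the gate argues about what ships, not about what the scanner saw. And the VEX lookup is keyed on the (vulnerability, bom-ref) pair, so a `not_affected` statement written for one component cannot silently waive the same CVE in another.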

CTA-4

Adaptive Trust

Continuous, self-healing trust posture. Runtime integrity monitoring, SBOM drift detection in production, automated threat response with integrity-preserving rollback capability, zero-trust software supply chain architecture, and executive trust posture dashboards updated continuously from live scan evidence.
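"SBOM drift detection in production" (CTA-4 and domain D5) means comparing the components attested at build time against what is actually loaded or installed in the running workload, and raising an alert on anything added, removed, or at a different version. The following is an added example written for this page, not Paxley or NS-CTAF code. It compares a build-time CycloneDX SBOM with a runtime inventory expressed as a list of package URLs (whatever tool produces that list is outside the example), and reports the three drift classes. The SBOM and the runtime list are constructed; the `split_purl` helper is this example's own and handles the purl convention that an `@` inside a name is percent-encoded as `%40`.

```python
"""Deployed-SBOM drift detection: build-time CycloneDX SBOM vs runtime inventory.
Added example for this page; not NS-CTAF or Paxley code."""


def split_purl(purl: str):
    """Split a package URL into (name, version). purl percent-encodes '@' inside
    a name as %40, so the last '@' before any qualifiers or subpath is the
    version separator."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" in base:
        name, version = base.rsplit("@", 1)
        return name, version
    return base, None


def sbom_versions(sbom: dict) -> dict:
    """name -> version for every CycloneDX component that carries a purl."""
    out = {}
    for c in sbom.get("components", []):
        if "purl" in c:
            name, version = split_purl(c["purl"])
            out[name] = version
    return out


def inventory_versions(purls) -> dict:
    """name -> version for a runtime inventory given as a list of purls."""
    out = {}
    for p in purls:
        name, version = split_purl(p)
        out[name] = version
    return out


def detect_drift(build_sbom: dict, runtime_purls) -> dict:
    """Classify every difference between what was attested and what is running."""
    built = sbom_versions(build_sbom)
    running = inventory_versions(runtime_purls)
    added = sorted(set(running) - set(built))      # present at runtime, never attested
    removed = sorted(set(built) - set(running))    # attested, but gone from the workload
    changed = {n: {"built": built[n], "running": running[n]}
               for n in sorted(set(built) & set(running)) if built[n] != running[n]}
    return {"drifted": bool(added or removed or changed),
            "added": added, "removed": removed, "changed": changed}


# Constructed build-time SBOM and runtime inventory; packages are illustrative.
BUILD_SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "purl": "pkg:npm/lodash@4.17.21"},
    {"type": "library", "purl": "pkg:npm/express@4.19.2"},
    {"type": "library", "purl": "pkg:pypi/requests@2.32.3"},
    {"type": "library", "purl": "pkg:deb/debian/openssl@3.0.13-1?arch=amd64"}]}
RUNTIME_INVENTORY = [
    "pkg:npm/lodash@4.17.15",                      # downgraded after the build
    "pkg:npm/express@4.19.2",
    "pkg:npm/left-pad@1.3.0",                      # installed out of band
    "pkg:deb/debian/openssl@3.0.13-1?arch=amd64",  # qualifier differs in form only
]


def demo() -> dict:
    """Expected: drifted, left-pad added, requests removed, lodash version changed."""
    return detect_drift(BUILD_SBOM, RUNTIME_INVENTORY)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

A downgrade shows up as `changed`, which is the case that matters most for trust posture: the signed SBOM still truthfully describes the build, but the deployed artefact no longer matches it, so the build-time evidence no longer vouches for what is running and the integrity alert, not the SBOM, is the source of truth until the workload is redeployed from the attested artefact.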

Framework Specification

NS-CTAF operationalises the software supply chain security obligations that regulators now mandate but do not prescribe — mapping 86 controls to the evidence standards that auditors and customers require.

Controls
86 trust controls across 6 domains — each addresses one specific software trust requirement. 430 maturity-level interpretations define exactly what each control requires at CTA-1 through CTA-4, removing ambiguity from security posture assessment.
Paxley Platform
Delivered through Paxley Code Security Platform — the scanning infrastructure that produces the evidence NS-CTAF controls require: SAST (15+ languages), SCA with exploitability scoring, SBOM generation (CycloneDX / SPDX), IaC security analysis, container scanning, secrets detection (200+ patterns), and artefact signing with Cosign and Sigstore.
Regulatory Alignment
Controls map to 30+ frameworks: NIST SSDF SP 800-218 · SLSA (L1–L4 as defined in the SLSA v0.1 specification; the current v1.0 Build track defines L1–L3, which is the scale the CTA-3 "SLSA L3 provenance" requirement refers to) · in-toto · Sigstore · OWASP SAMM · BSIMM · ISO/IEC 27001 · EU Cyber Resilience Act (Art. 13–15 security requirements) · US EO 14028 (SBOM, SLSA, secure development attestation) · NIS2 · DORA · PCI DSS v4 software security requirements.
Cryptographic Evidence
The defining differentiator of NS-CTAF: every CTA-2+ control requires cryptographic evidence, not a scan report and not a self-attested checklist. Signed SBOMs, in-toto provenance metadata, Sigstore transparency log entries, and Cosign-signed container images create a tamper-evident, independently verifiable evidence chain that third parties (customers, auditors, regulators) can check against the signing keys or Sigstore trust roots rather than taking the attester's word for it.
NS-CMMF Integration
NS-CTAF is the technical implementation layer beneath NS-CMMF's D7 Code Integrity and D8 Cyber Risk domains. NS-CMMF establishes board-level accountability; NS-CTAF provides the measurable, evidence-backed controls that demonstrate compliance. Trust posture metrics from Paxley feed directly into NS-CMMF executive reporting and NS-AIGF D6 AI Security controls.
Delivery Platform

Paxley Code Security Platform

Paxley is the scanning, attestation, and trust evidence platform that makes NS-CTAF controls measurable. While other frameworks reference scanning in their requirements, NS-CTAF is built around Paxley's continuous output — turning every build into a verifiable trust event. SAST · SCA · SBOM · IaC · Container · Secrets · Artefact Signing.

Turn point-in-time security scans into continuous, cryptographically verifiable trust assurance

We assess your current software trust posture against all 6 NS-CTAF domains, identify your CTA certification path, and deliver a remediation roadmap aligned to EU CRA, SLSA, and EO 14028 requirements.