A technical brief for security and compliance teams in regulated sectors. goju runs entirely inside your environment — static, dynamic, supply-chain and regulatory analysis in one signed binary — and turns every scan into auditor- and board-ready evidence. No upload step. No telemetry. Air-gap capable.
Most code-security vendors are SaaS: your source, dependency trees and findings leave your control to be analysed. For a bank, hospital or government team that is the wrong default — and it still doesn't answer the question your regulator actually asks: show me the evidence.
Source code and lockfiles are among your most sensitive assets. Uploading them to a third-party analyser creates exposure, contractual risk and cross-border data-transfer questions you have to defend.
DORA, NIS2 and the EU CRA expect demonstrable control of your software supply chain — measured, dated, attributable. A green dashboard isn't evidence; a scored control with the finding behind it is.
Shai-Hulud, event-stream, tj-actions, XZ — the recent high-impact incidents are supply-chain compromises, not classic CVEs. CVE scanners report yesterday's known bugs; they don't detect the compromise pattern itself.
Model artifacts (.pkl/.pt/.ckpt) can carry code-execution payloads, and LLM-backed features add a fresh class of application risk. Most toolchains have no coverage here at all.
goju is a single statically-linked Go binary with no external service dependencies. It runs on a laptop, a build agent, a VM or a Kubernetes pod in your own network. Here is exactly what it does — and does not — touch.
Everything by default. Source, lockfiles, scan results, findings and the SQLite datastore live on the host you run it on. There is no goju cloud and no account.
~227k known-malicious packages and the typosquat corpus are baked into the binary. Supply-chain matching needs no network call — it runs fully air-gapped.
No phone-home. goju emits no usage analytics. The only outbound traffic is what you configure — e.g. a Slack/webhook alert or an SMTP report.
goju serve for the dashboard, container image and Kubernetes manifests with TLS for a shared internal deployment.
Three fronts are deep, built-in and run offline; the fourth orchestrates the industry-standard dynamic engines against your running apps.
node_modules, .venv, vendor/ · pull_request_target
Detection is measured, not asserted: every release is scored against a labelled benchmark corpus (make bench), and the numbers are published in the repository. The headline figure on our supply-chain corpus is 100% detection at 0% false positives.
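To make the offline-matching claim concrete, here is an added example (not goju's code, and not its algorithm or data) of how a scanner can check a lockfile against lists that ship inside the binary: an exact deny-list lookup by package and version, plus a typosquat check that flags names one edit away from a popular package. The deny-list, the popular-name list and the requirements.txt-style input are all constructed for the example; the name normalisation is a simplified PEP 503 rule. Nothing in the block opens a socket.

```go
package main

import (
	"fmt"
	"strings"
)

type Finding struct {
	Package, Version, Kind, Detail string
}

// knownMalicious stands in for the deny-list baked into the binary: normalised
// name -> flagged versions, "*" meaning every version. Entries are constructed.
var knownMalicious = map[string]map[string]bool{
	"colorz-utils":   {"*": true},
	"request-helper": {"1.4.2": true},
}

// popular stands in for the embedded list of high-download names that typosquats
// imitate (constructed subset); sampleRequirements is a constructed lockfile.
var popular = []string{"requests", "lodash", "express", "numpy", "urllib3"}
var sampleRequirements = []string{"requests==2.31.0", "reqeusts==2.31.0",
	"colorz-utils==0.1.0", "Request_Helper==1.4.2", "numpy==1.26.4"}

func minInt(a, b int) int {
	if a < b {
		return a
	}
	return b
}

// osaDistance is the optimal-string-alignment edit distance: insertion, deletion,
// substitution and adjacent swap cost 1 each, so "reqeusts" is one edit from "requests".
func osaDistance(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	d := make([][]int, len(ra)+1)
	for i := range d {
		d[i] = make([]int, len(rb)+1)
		d[i][0] = i
	}
	for j := range d[0] {
		d[0][j] = j
	}
	for i := 1; i <= len(ra); i++ {
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			d[i][j] = minInt(minInt(d[i-1][j]+1, d[i][j-1]+1), d[i-1][j-1]+cost)
			if i > 1 && j > 1 && ra[i-1] == rb[j-2] && ra[i-2] == rb[j-1] {
				d[i][j] = minInt(d[i][j], d[i-2][j-2]+1)
			}
		}
	}
	return d[len(ra)][len(rb)]
}

// normalize is a simplified PEP 503 normalisation (lower-case, '_' and '.' folded
// to '-'), so "Request_Helper" matches the deny-list entry "request-helper".
func normalize(name string) string {
	return strings.NewReplacer("_", "-", ".", "-").Replace(strings.ToLower(name))
}

// ScanRequirements checks "name==version" lines against both embedded lists.
// Nothing here touches the network: the corpora live in the process.
func ScanRequirements(lines []string) []Finding {
	var out []Finding
	for _, line := range lines {
		line = strings.TrimSpace(line)
		name, version := line, ""
		if i := strings.Index(line, "=="); i >= 0 {
			name, version = line[:i], line[i+2:]
		}
		name = normalize(name)
		if versions, ok := knownMalicious[name]; ok && (versions["*"] || versions[version]) {
			out = append(out, Finding{name, version, "known-malicious", "listed in embedded deny-list"})
			continue
		}
		// Typosquat: one edit from a popular name, and not that popular name itself.
		genuine, near := false, ""
		for _, p := range popular {
			switch osaDistance(name, p) {
			case 0:
				genuine = true
			case 1:
				near = p
			}
		}
		if !genuine && near != "" {
			out = append(out, Finding{name, version, "typosquat", "one edit away from " + near})
		}
	}
	return out
}

func main() {
	for _, f := range ScanRequirements(sampleRequirements) {
		fmt.Println(f.Package, f.Version, f.Kind, f.Detail)
	}
}
```

Two details matter for a defender reading this: a deny-list keyed by version (request-helper is flagged only at 1.4.2, so 1.4.3 passes) models a single poisoned release rather than a malicious project, and the typosquat rule deliberately exempts the genuine popular name, otherwise every clean requests pin would be a false positive.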
goju's compliance engine reads your real findings and posture and computes, per framework, a scored report your auditors can actually use — every control backed by the data behind it, with the gaps and remediations made explicit.
Each framework breaks into controls with a status — met, partial, not met or manual — derived from the underlying findings, plus an overall score and auto-evidenced coverage percentage.
Open gaps are listed with priority and the specific requirement or article they map to, each paired with a concrete recommendation — so remediation is a work-list, not a research project.
Incident-reporting clocks for DORA and NIS2 (initial notification, intermediate, final report) are surfaced where the obligation actually bites — in the Legal & Compliance cockpit.
Scores reflect what goju can evidence directly from scans. Controls that require human attestation are flagged manual rather than silently passed — so the number you present is defensible, and you know exactly what is left to attest.
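The scoring behaviour described above (statuses derived from findings, manual controls flagged rather than passed, a score alongside an auto-evidenced coverage figure, and a prioritised gap list) can be shown with a small worked model. This is an added example, not goju's engine or formula: the met = 1 / partial = 0.5 / not met = 0 weighting, the severity thresholds, and the control and finding data are all assumptions constructed for illustration, and the requirement references are placeholders rather than real article numbers.

```go
package main

import (
	"fmt"
	"sort"
)

type Status string
const Met, Partial, NotMet, Manual Status = "met", "partial", "not met", "manual"

type Finding struct {
	Category string // "supply-chain", "secrets", "sast", ... (constructed shape)
	Severity string // "low", "medium", "high", "critical"
}

// Control ties one requirement to the finding category that evidences it;
// an empty Category marks a control that only a human can attest.
type Control struct {
	ID, Requirement, Category, Recommendation string
	Priority                                  int // 1 = most urgent
}

type Report struct {
	Score    float64           // 0-100 over auto-evidenced controls only (assumed formula)
	Coverage float64           // percent of controls with automatic evidence
	Status   map[string]Status // per control ID
	Evidence map[string]int    // open findings behind each status
	Gaps     []Control         // everything not met, manual included, by priority
}

func rank(sev string) int {
	return map[string]int{"low": 1, "medium": 2, "high": 3, "critical": 4}[sev]
}

// deriveStatus: no open findings -> met; only low/medium -> partial;
// any high/critical -> not met; no automatic check at all -> manual.
func deriveStatus(c Control, findings []Finding) (Status, int) {
	if c.Category == "" {
		return Manual, 0
	}
	open, worst := 0, 0
	for _, f := range findings {
		if f.Category == c.Category {
			open++
			if r := rank(f.Severity); r > worst {
				worst = r
			}
		}
	}
	switch {
	case open == 0:
		return Met, 0
	case worst >= rank("high"):
		return NotMet, open
	default:
		return Partial, open
	}
}

// Assess scores one framework: met = 1, partial = 0.5, not met = 0. Manual controls
// stay out of the denominator rather than being passed, and surface via Coverage and Gaps.
func Assess(controls []Control, findings []Finding) Report {
	r := Report{Status: map[string]Status{}, Evidence: map[string]int{}}
	var points, scored float64
	for _, c := range controls {
		st, n := deriveStatus(c, findings)
		r.Status[c.ID], r.Evidence[c.ID] = st, n
		switch st {
		case Met:
			points, scored = points+1, scored+1
		case Partial:
			points, scored = points+0.5, scored+1
		case NotMet:
			scored++
		}
		if st != Met {
			r.Gaps = append(r.Gaps, c)
		}
	}
	if scored > 0 {
		r.Score = 100 * points / scored
	}
	if len(controls) > 0 {
		r.Coverage = 100 * scored / float64(len(controls))
	}
	sort.SliceStable(r.Gaps, func(i, j int) bool { return r.Gaps[i].Priority < r.Gaps[j].Priority })
	return r
}

// Constructed controls and findings; requirement references are placeholders.
var sampleControls = []Control{
	{"C1", "ICT third-party risk (placeholder ref)", "supply-chain", "Remove or pin the flagged dependency and re-scan.", 1},
	{"C2", "Secrets management (placeholder ref)", "secrets", "Rotate the exposed credential; add a pre-commit secret scan.", 2},
	{"C3", "Secure development (placeholder ref)", "sast", "Keep SAST in the CI gate.", 3},
	{"C4", "Incident response plan (placeholder ref)", "", "Attach the tested IR plan as attestation.", 4},
}
var sampleFindings = []Finding{{"supply-chain", "critical"}, {"secrets", "medium"}}

func main() {
	r := Assess(sampleControls, sampleFindings)
	fmt.Printf("score %.0f%%, auto-evidenced coverage %.0f%%, %d gaps\n", r.Score, r.Coverage, len(r.Gaps))
}
```

With the constructed data the score is 50% over the three auto-evidenced controls, coverage is 75% because one of four controls is manual, and the gap list carries C1 (not met), C2 (partial) and C4 (manual) in priority order; the manual control is never counted as passed, which is the property that keeps the headline number defensible.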
The same posture data feeds every audience — from a one-page board PDF to a per-repository owner's report to a machine-readable export for your SIEM or code-scanning UI.
A formal, printable posture report — overall grade, risk KPIs, regulatory posture, top critical findings and methodology. Print or save as PDF for the CISO, board or auditors. (PDF · white-label)
A modelled posture sparkline over the quarter, with grade delta (e.g. F → C) — the trajectory, not just today's number, for the board narrative. (90-day trend)
Each framework's controls, gaps and recommendations as a printable report or raw JSON — drop straight into an audit folder or GRC tool. (printable · JSON)
The same template scoped to a single repository, for application-team owners to act on their own posture and criticals. (scoped)
A monthly (or weekly) posture email to your distribution list, with a link to the live report — sent via your own SMTP, on your schedule. (SMTP · monthly)
Brand reports with your organisation's name and logo. Export findings as SARIF, CSV or JSON; generate SBOMs (CycloneDX / SPDX) per project. (SARIF · SBOM · branding)
A starting map from each regime to the goju capability that produces the evidence. Indicative, not a substitute for your own control mapping — but a concrete place to begin the conversation.
| Framework | What goju evidences | Output |
|---|---|---|
| DORA | ICT third-party / supply-chain risk in code, vulnerability management posture, incident-reporting clocks. | Scored report · deadlines · digest |
| NIS2 | Supply-chain security, vulnerability handling and disclosure posture, evidence of continuous scanning. | Scored report · deadlines |
| EU CRA | Secure-development evidence, SBOM, known-vulnerability and malicious-component handling across the dependency tree. | Scored report · SBOM |
| SOC 2 | Change/vulnerability-management controls, secrets handling, audit trail of security activity. | Scored report · audit log |
| GDPR | PII / personal-data detection in source, secrets exposure, data-handling risk surfaced for review. | Scored report |
| PCI-DSS | Cardholder-data detection, secure-coding (SAST), dependency and secrets controls in the CDE codebase. | Scored report |
--fail-on-critical
Designed to prove value inside your perimeter in days, not quarters, with nothing leaving your environment.
1. Drop the binary on a build agent and point it at a representative service. No account, no upload, no database to stand up.
2. Walk the supply-chain findings and the scored compliance reports with your security and GRC leads. Check them against your own corpus.
3. Stand up goju serve with SSO and TLS for a shared view; wire a CI gate on a pilot pipeline.
4. Enable scheduled scans and the monthly posture digest; brand the reports; roll out across teams behind RBAC.
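The CI gate in step 3 is typically a small program that reads the scanner's SARIF export and returns a non-zero exit status when findings reach a threshold, which is the behaviour the --fail-on-critical flag name suggests. The block below is an added example of such a gate, not goju's implementation: it assumes a result-level "severity" property in the export (an assumed convention, not a documented goju field), falls back to the standard SARIF level when that property is absent, and treats a malformed export as a failure rather than a pass. The embedded SARIF document is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// sarifLog is the minimal slice of SARIF 2.1.0 the gate needs:
// runs[].results[] with a level and an optional properties bag.
type sarifLog struct {
	Runs []struct {
		Results []struct {
			RuleID     string                 `json:"ruleId"`
			Level      string                 `json:"level"`
			Properties map[string]interface{} `json:"properties"`
		} `json:"results"`
	} `json:"runs"`
}

var severityRank = map[string]int{"low": 1, "medium": 2, "high": 3, "critical": 4}

// severityOf prefers a "severity" property (assumed export convention) and
// otherwise maps the standard SARIF level: error -> high, warning -> medium, else low.
func severityOf(level string, props map[string]interface{}) string {
	if s, ok := props["severity"].(string); ok {
		return s
	}
	switch level {
	case "error":
		return "high"
	case "warning":
		return "medium"
	default:
		return "low"
	}
}

type GateResult struct {
	Counts   map[string]int // findings per severity
	Blocking int            // findings at or above the threshold
}

// Gate parses a SARIF document and counts findings at or above failOn.
// Malformed input or an unknown threshold is an error, never a silent pass.
func Gate(data []byte, failOn string) (GateResult, error) {
	threshold, ok := severityRank[failOn]
	if !ok {
		return GateResult{}, fmt.Errorf("unknown threshold %q", failOn)
	}
	var doc sarifLog
	if err := json.Unmarshal(data, &doc); err != nil {
		return GateResult{}, fmt.Errorf("parse SARIF: %w", err)
	}
	res := GateResult{Counts: map[string]int{}}
	for _, run := range doc.Runs {
		for _, r := range run.Results {
			sev := severityOf(r.Level, r.Properties)
			res.Counts[sev]++
			if severityRank[sev] >= threshold {
				res.Blocking++
			}
		}
	}
	return res, nil
}

// sampleSARIF is a constructed export: one critical, one high (level only), one low.
const sampleSARIF = `{
  "version": "2.1.0",
  "runs": [{"results": [
    {"ruleId": "supply-chain/known-malicious", "level": "error", "properties": {"severity": "critical"}},
    {"ruleId": "secrets/cloud-key", "level": "error"},
    {"ruleId": "sast/info-leak", "level": "note"}
  ]}]
}`

// Usage: gate [report.sarif] [critical|high|medium|low]; exit 1 when blocked,
// 2 on unreadable input. Without arguments it gates the embedded sample.
func main() {
	data, failOn := []byte(sampleSARIF), "critical"
	if len(os.Args) > 1 {
		var err error
		if data, err = os.ReadFile(os.Args[1]); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
	}
	if len(os.Args) > 2 {
		failOn = os.Args[2]
	}
	res, err := Gate(data, failOn)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	fmt.Printf("findings by severity: %v\n", res.Counts)
	if res.Blocking > 0 {
		fmt.Printf("FAIL: %d finding(s) at or above %s\n", res.Blocking, failOn)
		os.Exit(1)
	}
	fmt.Println("PASS")
}
```

Distinguishing exit code 1 (policy failure) from 2 (the gate could not read the report) matters in a pipeline: a pipeline that treats a missing or truncated export as "no findings" has quietly disabled the control.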
We'll help you map goju to your control framework, stand up an air-gapped or on-prem deployment, and run it against a representative slice of your estate — all inside your boundary.