Proven Code

Every AI pull request. Certified.

A GitHub Action that creates a cryptographic attestation for every PR. No source code uploaded — only hashes, stats, and metadata. Verify any change, by any actor, at any time.

Zero Source Upload

Only SHA-256 hashes, diff stats, and metadata leave your repo. Your code stays yours.

Ed25519 Signed

Every attestation gets a cryptographic seal — verifiable offline, tamper-proof forever.

Full Transparency

Public attestation reports show exactly what changed, who did it, and whether it followed policy.

How it works

Three steps. Two minutes. Every PR attested.

01. PR opens → Action runs

The GitHub Action triggers on every pull request. It computes SHA-256 hashes of the diff, counts lines changed, and detects whether the actor is human or bot.

02. Hashes sent → Report certified

Only hashes and metadata are sent to Proven. We validate the payload, sign it with Ed25519, generate a ProvenSeal, and create a permanent attestation report.

03. Badge posted → PR annotated

A comment is posted on the PR with the trust badge, report link, and seal ID. Anyone can click to verify. The attestation lives forever.
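The three steps above reduce to hash, sign, verify. What follows is an added example, not Proven's own code or schema: it builds a payload of the kind the page describes (diff hash, per-file hashes, numstat, actor type) from a unified diff, seals it with an Ed25519 key, and verifies the seal offline with only the public key; the `Attestation` field names, the `[bot]` suffix check and JSON as the signed encoding are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"strings"
)

// Attestation is an assumed payload shape (not Proven's schema): hashes, counts and metadata only.
type Attestation struct {
	DiffSHA256 string            `json:"diff_sha256"`
	FileHashes map[string]string `json:"file_hashes"`
	Added      int               `json:"lines_added"`
	Deleted    int               `json:"lines_deleted"`
	Actor      string            `json:"actor"`
	ActorType  string            `json:"actor_type"`
}

func sha256Hex(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// BuildAttestation hashes the diff and post-change file contents and counts +/- lines; the patch text is consumed here and never placed in the payload.
func BuildAttestation(patch, actor string, files map[string][]byte) Attestation {
	a := Attestation{DiffSHA256: sha256Hex([]byte(patch)), FileHashes: map[string]string{}, Actor: actor, ActorType: "human"}
	for path, content := range files {
		a.FileHashes[path] = sha256Hex(content)
	}
	for _, line := range strings.Split(patch, "\n") {
		switch {
		case strings.HasPrefix(line, "+++"), strings.HasPrefix(line, "---"): // file headers, not content
		case strings.HasPrefix(line, "+"):
			a.Added++
		case strings.HasPrefix(line, "-"):
			a.Deleted++
		}
	}
	if strings.HasSuffix(actor, "[bot]") { // assumed heuristic: GitHub app accounts end in "[bot]"
		a.ActorType = "bot"
	}
	return a
}

// Sign encodes the payload as JSON (struct field order, map keys sorted, so deterministic) and returns message plus Ed25519 seal.
func Sign(a Attestation, priv ed25519.PrivateKey) (msg, sig []byte) {
	msg, _ = json.Marshal(a)
	return msg, ed25519.Sign(priv, msg)
}

// Verify checks a seal offline with nothing but the signer's public key.
func Verify(msg, sig []byte, pub ed25519.PublicKey) bool {
	return ed25519.Verify(pub, msg, sig)
}
```

Changing a single byte of the signed JSON (for example the line count) makes Verify return false, which is what lets anyone check a published report without trusting the server that issued it.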

Install in 2 minutes

Copy this workflow into .github/workflows/proven-code.yml

name: Proven Code

on:
  pull_request:
    # note: runs triggered by PRs from forks get a read-only GITHUB_TOKEN and no repository secrets
    types: [opened, synchronize, reopened]

permissions:
  contents: read        # lets actions/checkout read the repo; listing any permission sets all unlisted ones to none
  pull-requests: write  # needed to post the badge comment on the PR

jobs:
  attest:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0  # full history so the diff against the base branch can be computed

      - uses: proven-dev/proven-code@v1
        with:
          proven_api_key: ${{ secrets.PROVEN_API_KEY }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Then add your PROVEN_API_KEY to your repo's secrets.

Two modes. One mission.

Start with V1 for instant value. Upgrade to V2 when you need deeper analysis.

V1: Diff Mode (Available Now)
  • SHA-256 patch hash
  • Per-file content hashes
  • Line-level numstat (add/del)
  • Actor detection (human vs bot)
  • Ed25519 dual-signed receipt
  • ProvenSeal with QR code
  • PR comment with badge
V2: Graph Mode (Coming Soon)
  • Everything in V1, plus:
  • AST-level function/class tracking
  • Module dependency drift detection
  • Graph alignment scoring
  • Risk assessment with thresholds
  • Policy compliance checking
  • Fail-on-risk CI gating

What gets sent. What doesn't.

Transparency is the whole point. Here's exactly what crosses the wire.

What we receive

  • SHA-256 hash of the full diff
  • Per-file content hashes
  • File paths and change status
  • Lines added/deleted counts
  • PR number, title, branch names
  • Repo owner/name (not content)
  • Actor login and type (human/bot)
  • Timestamp

What stays in your repo

  • Source code (never uploaded)
  • Diff content / patch text
  • Environment variables
  • Secrets and credentials
  • Build artifacts
  • Test results
  • Internal documentation
  • Anything not listed above

Built for teams that ship with AI

AI-Augmented Teams

Using Copilot, Cursor, or Devin? Proven Code creates an audit trail for every AI-generated change.

Compliance & SOC2

Cryptographic proof that every code change was reviewed and attested. Auditors love receipts.

Engineering Metrics

Track human vs AI contribution ratios, change velocity, and risk patterns across your org.

Risk Management

V2 graph mode detects dependency drift and risky patterns before they reach production.

Start certifying today

Free for public repos. Add the Action, get your API key, and every PR gets a permanent attestation.