Compliance, declared honestly.
Every framework runs on the same honest pattern. A tool can disprove a control — a fired check is a real failure — but it can never prove conformance. So Watchdog does the provable part rigorously: it evidences the automatable slice, blocks you from passing a control it caught failing without a recorded reason, and leaves the rest where it belongs — with a named person who self-declares. We measure; you declare. We never certify.
A clean automated result is necessary, not sufficient — a green Watchdog score is never, by itself, a compliance claim.
The honest truth most compliance tools won't tell you.
- A "compliant" badge from a scanner that only ever saw the markup or the manifest
- Dashboards that quietly turn "no automated finding" into "passed"
- Most of these regimes are organizational; tooling touches only a slice
- No tool is accepted as proof of conformance under any of these laws — none
- A tool can prove a failure (a live CVE, a leaked secret, a missing label) but never the absence of all failures
- The automatable evidence it CAN produce is concrete: SCA across NuGet & npm, a CycloneDX SBOM every scan, and security findings tagged with their MITRE CWE ID — the supply-chain trail CRA / DORA / NIS2 ask for
- Conformance rests on human judgement + process the analyzer cannot see
- These regimes make the organization declare and be supervised — accountability sits with management
- So the only honest tool does the provable part and is candid about the rest
Ten frameworks, one honest pattern.
Each is a catalog of controls plus exactly which of them Watchdog can evidence. The failure-gate, the self-assessment lifecycle, the signed artifact and the optional contract clause are identical for all — only the catalog and the regulation change. Browse every one, with its tool-vs-human coverage, in the catalog.
How a control gets evaluated — what a tool can do, and where a human must.
- Tool-evidenced: controls with an automatable surface (a live CVE, a committed secret, a missing label). A failure here is real, pre-set to Fail, and gates sign-off.
- Evidence-assisted: controls that need a rendered runtime, assistive tech, or operational evidence (contrast, focus order, access control, backups). You evaluate it; we record the basis.
- Human attestation: process and meaning no tool decides — governance, incident handling, the resilience-testing programme, whether an alt text is equivalent. You judge it.
The integrity keystone: we won't let you pass what we caught failing.
When static analysis catches a real failure on a control, the self-assessment pre-sets it to Fail and locks it. To mark it Pass anyway, you must record a written justification — reproduced, in full, in an Integrity section of the artifact. A thermometer you can hide readings from is rigged; this one can't be.
Each control's verdict says how it was reached — tool-verified, evidence-assisted, AI-drafted-and-reviewed, or human attestation — so a buyer, an auditor, or a competent authority can see exactly which claims a machine stands behind and which a person does.
The workflow — identical for every framework.
Scan & enable.
Watchdog assesses the automatable surface. Each framework is Automatic / On / Off per repository; Automatic turns one on (and asks you to keep it) when your codebase is mature for it.
Self-assess & evidence.
A signed-in member works through every control — the gate enforcing honesty as they go — adds notes and reference links, and attaches supporting documents (a pentest, a manual test report) that each control can cite. Every upload is hashed.
Sign.
A named declarant signs; the declaration freezes into immutable, tamper-evident bytes (a SHA-256 digest you can re-verify). It may honestly conclude "does not fully conform" — signing attests the evaluation is complete and accurate, not that everything passed.
Export & require.
Download one artifact — the declaration with its evidence travelling inside it (embedded, or referenced with its hash in an evidence register) — and optionally bind a contract profile to require a current signed declaration before a delivery passes.
Keep it current.
Each declaration is anchored to one scan. Extend re-issues it for the latest scan in one click — carrying your answers, re-running the gate so any regression surfaces, and superseding the prior one. An archive keeps the full, audit-ready lineage.
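The failure gate, the Integrity section, the hashed evidence register and the one-click Extend described above, modelled as a small added example. This is illustrative code written for this page, not Watchdog's own; the control ids, findings and evidence bytes are constructed, and the "AI-drafted-and-reviewed" basis is left out for brevity.

```python
import hashlib
import json
from dataclasses import dataclass

# Verdict bases named on the page (the AI-drafted basis is omitted here).
TOOL, EVIDENCE, HUMAN = "tool-verified", "evidence-assisted", "human attestation"

@dataclass
class Control:
    cid: str
    basis: str                  # how the verdict is reached
    verdict: str = "Unanswered"
    locked: bool = False        # True once a scan finding pre-set it to Fail

class Assessment:
    def __init__(self, controls, findings):
        self.controls = {c.cid: c for c in controls}
        self.integrity = []     # every override of a locked Fail, reproduced in full
        for cid in findings:    # constructed: control ids the scan caught failing
            c = self.controls[cid]
            c.verdict, c.locked = "Fail", True

    def answer(self, cid, verdict, justification=""):
        c = self.controls[cid]
        if c.locked and verdict == "Pass":
            if not justification.strip():
                raise PermissionError(f"{cid} was caught failing; Pass needs a written reason")
            self.integrity.append({"control": cid, "justification": justification})
        c.verdict = verdict

    def sign(self, declarant, evidence):
        """Freeze the declaration; returns (bytes, sha256). It may conclude Fail."""
        if not declarant or any(c.verdict == "Unanswered" for c in self.controls.values()):
            raise ValueError("a named person signs a complete evaluation")
        doc = {
            "declarant": declarant,
            "controls": [vars(c) for c in self.controls.values()],
            "integrity": self.integrity,
            # evidence register: file name -> hash of the uploaded bytes
            "evidence": {n: hashlib.sha256(b).hexdigest() for n, b in evidence.items()},
        }
        raw = json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()
        return raw, hashlib.sha256(raw).hexdigest()

    def extend(self, new_findings):
        """Re-issue for a later scan: answers carry over, the gate re-runs."""
        carried = [Control(c.cid, c.basis, c.verdict) for c in self.controls.values()]
        return Assessment(carried, new_findings)

def verify(raw, digest):
    """Anyone holding the artifact can re-check its hash."""
    return hashlib.sha256(raw).hexdigest() == digest
```

Because the bytes are canonical JSON, any later edit to a verdict, justification or evidence hash changes the digest, which is what makes the artifact tamper-evident.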
What Watchdog will never claim.
- We do not certify and are not a notified body or competent authority
- A Watchdog score is not a compliance claim
- "Tool clean" means no automated failure — necessary, not sufficient
- We never auto-pass a control on your behalf — nothing is signed without a human
- Organizational controls are recorded as human attestation, never dressed up as tool-evidenced
A compliance claim is only worth what its honesty can survive. By doing the provable part rigorously and refusing to fake the rest, Watchdog gives you a declaration that holds up to an auditor, a regulator, and a court — not just a marketing page.