Measured compliance — we evidence the automatable slice, you declare the rest, a named person signs.
A control Watchdog catches failing can't be silently passed: overriding it is recorded, in full, in the artifact. We measure the automatable slice of each framework, you declare the rest, and a named person signs. We measure; you declare; we never certify. That is the honesty model an auditor trusts and a vendor can't game.
Non-technical by design — the verdict is in plain language; your security engineer drills the findings behind it.
The Security & Compliance lens rolls up real scanning — and feeds the conformance verdict, not a self-assessment.
A vendor's self-assessment isn't audit-defensible.
"We're NIS2-ready" on a supplier's letterhead is the party with the most to lose grading their own work. An auditor, a regulator or a counterparty needs measured evidence, frozen at signature time, that a control was actually checked — and a record of every control that was overridden.
A self-declared "compliant" with nothing behind it — no evidence the gate was met, no record when it wasn't, nothing that survives an audit.
The automatable slice is measured; a control caught failing is gated (overriding it is recorded in the artifact); the rest you declare and a named person signs — frozen to a commit and a rubric version.
One conformance home — the verdict up front, the findings a drill-down.
The most buried-but-built surface, consolidated: the framework verdict, what's missing, the evidence register and the signed pack — in plain language, with the engineer's findings one click away.
The evidence behind the declaration
Live from published reports: the conformance posture per framework (with honest status — a draft is shown as a draft), the security-relevant findings and conclusions, and the SARIF + SBOM artifacts that back a declaration.
Real published surveys, selected for this audience — each widget shows only when the repo has that signal. Browse every published survey →
NIS2, DORA and GDPR up front — the pressing obligations — then SSDF, SLSA, OWASP ASVS, WCAG 2.2, ISO 27001, CRA and EN 301 549. The full catalog →
A PDF an auditor accepts: what's met, what's missing, exactly what's needed, and every override on the record — frozen to a commit + a pinned rubric so it reproduces.
Each declaration frozen and signed at signature time, with a CycloneDX SBOM and the PII data-flow map — the supply-chain evidence a CRA or DORA reviewer asks for.
Self-assess for free; sign when you're ready.
Watchdog evidences the automatable slice of each framework from the code and its supply chain — no questionnaire.
A control caught failing can't be passed silently; the override is recorded, in full, in the pack.
You declare the controls a tool can't see; the verdict shows measured vs declared, never blurring the two.
A named person signs; the pack is frozen to a commit + rubric version. Self-assessment is free; signing into a Conformance Pack is part of the compliance module.
An auditor can re-run the measurement themselves.
The conformance verdict rolls up the CAI, an open, reproducible standard — the algorithm, lenses and rubric are public, and the reference scorer is open source. An auditor or counterparty can re-run the open scorer over the evidence and get the same number; the pack stands up because it's checkable, not because we said so. The CAI standard → cai.canine.dev · Reproduce a survey →
Stop signing compliance you can't evidence. Measure it.