Probes a GitHub repo, npm package, or website for the code-signing trust roots that gate your supply chain: Sigstore Cosign attestations, the SLSA provenance level, in-toto attestations, use of the npm --provenance flag, and GitHub release artifact signatures. Flags ECDSA-only roots as PQC-migration targets per NIST guidance. Pairs with the PQC Analyzer and PQC Migration Plan Generator.
Read the story behind this tool: Why Code Signing Trust Audit Exists →