Software Supply Chain

Anchor an SBOM. Independently. In under a minute.

Drop any CycloneDX, SPDX, or Syft SBOM — or any cosign signature / in-toto attestation. Knox computes the SHA-256 in your browser, anchors the hash to the Bitcoin blockchain via OpenTimestamps, and hands you back a court-ready FRE 902(13)/(14) affidavit. No account. No integration. No upload of the SBOM body.

Live anchor

CycloneDX / SPDX / Syft JSON, cosign .sig, in-toto .intoto.jsonl. Up to 50 MB.
SHA-256 computed on this device via Web Crypto. Only the hash is sent. SBOM body never leaves the browser.

Federal direction this aligns with

Every item below calls for external attestation, producer accountability, or tamper-evident provenance of software artifacts. None of them currently mandate a specific external-anchor mechanism. Knox fills that gap for agencies and primes who want an answer before the audit question is asked.

Executive Order 14028 — Improving the Nation's Cybersecurity

Requires each software producer supplying a federal agency to provide a Software Bill of Materials. Knox anchors each SBOM to Bitcoin so the producer cannot retroactively rewrite the contents after delivery.

OMB Memorandum M-22-18 + M-23-16 — Secure Software Development Attestation

Agencies must obtain a Secure Software Self-Attestation Form from each software producer before using that software. A self-attestation with no external anchor can be amended privately. Knox anchors the attestation form itself.

NIST SP 800-218 — Secure Software Development Framework (SSDF)

PS.3.2 (Provenance) and PW.4.4 (Source Code Integrity) benefit from external attestation anchored outside the producer's own build infrastructure.

CISA Secure Software Self-Attestation Common Form

The common form (SAF-001) is signed by a CEO or equivalent. A Knox-anchored receipt of the signed form adds external tamper-evidence independent of the producer's email or document-management systems.

Iron Bank / Platform One DevSecOps Reference Design

SBOM storage, cosign signatures, and in-toto attestations today live inside DoD-accredited registries and hardening pipelines. An external public anchor defends against insider-compromise scenarios that would otherwise rewrite those records with no external detection.

Integration paths

The anchoring primitive is one outbound HTTPS call. Every snippet below is paste-ready and failure-safe to the existing critical path. If Knox is unreachable, the build continues; the anchor is retried by the next hourly cron or can be re-fired manually.

Anchore Enterprise / Syft

Wrap the SBOM-publish step. A post-publish hook computes SHA-256 of the generated SBOM and posts to Knox. No interference with the existing publish flow.

# .github/workflows/sbom.yml
- name: Generate SBOM
  run: syft packages ${{ env.IMAGE }} -o cyclonedx-json=sbom.json
- name: Anchor SBOM to Knox
  # Failure-safe: a Knox outage marks this step failed but does not fail the job;
  # the hourly cron or a manual re-fire picks the anchor up later.
  continue-on-error: true
  run: |
    HASH=$(sha256sum sbom.json | awk '{print $1}')
    curl -fsS -X POST https://bonissystems.com/api/knox/public-anchor \
      -H 'Content-Type: application/json' \
      -d "{\"hash\":\"$HASH\",\"filename\":\"sbom.json\",\"sizeBytes\":$(wc -c < sbom.json),\"mimeType\":\"application/json\"}"

cosign attest

Anchor the in-toto attestation payload produced by cosign. The anchor is a one-line post-sign step and does not alter the Sigstore trust model.

cosign attest --predicate sbom.json --type cyclonedx \
  --key cosign.key registry.example/image:tag
# Pull the signed attestation envelope back out of the registry and anchor it.
# verify-attestation writes the DSSE envelope to stdout; capture it to a file.
cosign verify-attestation --type cyclonedx --key cosign.pub \
  registry.example/image:tag > attest.json
HASH=$(sha256sum attest.json | awk '{print $1}')
curl -fsS -X POST https://bonissystems.com/api/knox/public-anchor \
  -H 'Content-Type: application/json' \
  -d "{\"hash\":\"$HASH\",\"filename\":\"attestation.intoto.json\",\"sizeBytes\":$(wc -c < attest.json),\"mimeType\":\"application/json\"}" \
  || echo 'Knox anchor deferred (non-fatal)'

GitHub / GitLab / Jenkins CI step

Generic CI step — run after any SBOM or signature is produced. Zero build-cost, zero critical-path impact, failure-safe.

# Works in any CI system — single outbound HTTPS call per build
HASH=$(sha256sum artifact.ext | awk '{print $1}')
curl -fsS -X POST https://bonissystems.com/api/knox/public-anchor \
  -H 'Content-Type: application/json' \
  -d "{\"hash\":\"$HASH\",\"filename\":\"$(basename artifact.ext)\",\"sizeBytes\":$(wc -c < artifact.ext),\"mimeType\":\"application/octet-stream\"}" \
  || echo 'Knox anchor deferred (non-fatal)'

Self-verify any anchored record

Any anchored SBOM or attestation can be verified by any third party without contacting Bonis Systems:

  1. Re-compute the SHA-256 locally with sha256sum or openssl dgst -sha256.
  2. Query the Knox public verify endpoint: GET /api/knox/verify?hash=<hex>.
  3. Open the OpenTimestamps .ots proof returned and verify the Bitcoin transaction on any public explorer.
  4. Or run the zero-dependency Node verify script from /bonis/legal-kit.
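As an added example (not part of this page or of Knox's own legal-kit script), the local side of steps 1 and 2 in Python: it recomputes the SHA-256 over the artifact's exact bytes the way sha256sum and the browser do, builds the same anchor body the curl snippets above post, and forms the verify URL, then shows that both a silent content edit and a mere re-serialization of the SBOM change the hash, so the bytes that were anchored are the bytes that must be verified. The Knox host is taken from the snippets above; the sample SBOM is constructed, and the verify endpoint is not actually called.

```python
import hashlib
import json
import re
from urllib.parse import urlencode

KNOX_BASE = "https://bonissystems.com"   # host used by the page's curl snippets (assumed here)
HEX64 = re.compile(r"^[0-9a-f]{64}$")


def sha256_hex(data: bytes) -> str:
    """Hash the exact bytes of the artifact, as sha256sum and Web Crypto do."""
    return hashlib.sha256(data).hexdigest()


def anchor_request(data: bytes, filename: str, mime_type: str = "application/json") -> dict:
    """Body the curl snippets POST to /api/knox/public-anchor: hash and metadata only,
    never the SBOM body itself."""
    return {"hash": sha256_hex(data), "filename": filename,
            "sizeBytes": len(data), "mimeType": mime_type}


def verify_url(hex_hash: str) -> str:
    """Step 2 of self-verification: GET /api/knox/verify?hash=<hex>."""
    if not HEX64.match(hex_hash):
        raise ValueError("hash must be 64 lowercase hex characters")
    return f"{KNOX_BASE}/api/knox/verify?" + urlencode({"hash": hex_hash})


def matches_anchor(data: bytes, anchored_hash: str) -> bool:
    """Step 1: recompute locally and compare with the anchored hash (case-insensitive)."""
    return sha256_hex(data) == anchored_hash.lower()


# Constructed sample CycloneDX SBOM (not a real project's SBOM).
SBOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "libexample", "version": "1.2.3"}]}, indent=2).encode()
ANCHORED = sha256_hex(SBOM)  # the hash the producer anchored at delivery time

# Post-delivery edit to the contents: a component version silently rewritten.
_edited = json.loads(SBOM)
_edited["components"][0]["version"] = "1.2.4"
TAMPERED = json.dumps(_edited, indent=2).encode()

# Identical contents re-serialized without indentation: also a different hash.
REFORMATTED = json.dumps(json.loads(SBOM)).encode()

if __name__ == "__main__":
    print(json.dumps(anchor_request(SBOM, "sbom.json")))
    print(verify_url(ANCHORED))
    print("original matches:   ", matches_anchor(SBOM, ANCHORED))        # True
    print("tampered matches:   ", matches_anchor(TAMPERED, ANCHORED))    # False
    print("reformatted matches:", matches_anchor(REFORMATTED, ANCHORED)) # False
```

The last result is the practical caveat: a verifier must hash the delivered file byte-for-byte, not an SBOM it has parsed and re-saved, or a legitimate record will look tampered.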

Honest scope

Knox is not an SBOM generator, signer, or vulnerability scanner. It does not replace Anchore, Syft, cosign, Sigstore, or Iron Bank hardening pipelines. It adds an external witness layer that activates on events those tools already emit. The value is that the witness lives outside every administrative boundary involved — outside the producer, outside the registry, outside the DoD signing-key infrastructure, outside any cloud vendor. Tamper with any one of those systems after the fact and the Bitcoin-anchored record still catches it.

Measured characteristics

Anchor capacity sustained (measured): 12,840,400 / month
Rate-limit ceiling validated: 29,556,348 / month
Anchor latency p50: 158 ms
Anchor latency p95 (sustained): 1,371 ms
Load-test success rate: 96.32%
Cost at Enterprise tier: $0.001 / anchor
Full Iron Bank footprint estimate (100K builds/yr): ~$100 / year
Health endpoint

Contact: Bonis Systems LLC · jonisfields@gmail.com · +1 (210) 452-3767 · UEI R2BPJDC5CBA3 · CAGE 1TSP2. USPTO priority date 2026-04-13, application 64/038,359.