A security scanner produces a report that says “here is what I found.” Almost always, that report is self-asserted. You are asked to trust that the tool ran, that it ran against what it claims, and that nobody altered the result between the scan and your screen. In work that carries legal or financial weight, “trust me” is not a standard. It is the absence of one.
There is a better way to produce a finding, and it does not require inventing new cryptography. It requires using the cryptography we already have, correctly.
Sign the Finding
Every attestation a tool produces should be signed by a long-lived identity that represents the entity standing behind it. Not a log line the vendor controls and can quietly edit. A cryptographic signature that binds a specific finding to a specific signer at a specific time. If the finding is altered by a single byte, the signature breaks. That is the property you want.
Publish the Key
A signature is only useful if anyone can check it. So the verification key is published openly. This is where people new to the model get nervous, and they should not. A signing identity has two halves: a private key that creates signatures and a public key that only verifies them. Publishing the public key gives away nothing. It is the whole point. It lets a stranger confirm a finding is genuinely ours and genuinely unaltered, without ever touching the secret half.
Publishing your verification key costs you nothing and proves everything. A tool that will not publish one is asking you to take its word.
Anchor It Where It Cannot Be Rewritten
A signature you store yourself can be deleted or backdated by you. So the signature is also anchored to a public, append-only transparency log, the same class of infrastructure the software-supply-chain world adopted to prove what was built and when. Once an attestation is logged there, it is timestamped in a record you do not control and cannot quietly change. Anyone can look it up. The finding stops being a claim and becomes a checkable fact.
Why This Is the Standard
Provenance, verification, and a tamper-evident audit trail are the three properties any output needs before it can be relied on in regulated work. A signed, key-published, transparency-anchored finding has all three by construction. A PDF from a scanner has none of them.
The same discipline applies to capability itself. Defensive functions should be open; higher-risk functions should sit behind a deliberate, logged authorization step rather than a checkbox. A tool that gates its own sharpest edges and makes its own output verifiable is a tool you can put in front of an auditor, a regulator, or a court.
That is the standard we build to.
Shawn Paul Cosner
Sparked Technology Solutions, Inc.