PatchProof

PatchProof is a web app + CI plugin that enforces “secure-by-default” update practices for software teams. It focuses on the boring but costly gap: dependency upgrades and patch releases that quietly introduce risk. PatchProof watches pull requests that bump dependencies, containers, or build tooling and runs policy checks: signed commit/tag verification, SBOM diffing, known-vuln regression checks, license changes, and risky transitive dependency jumps. It produces a single, developer-friendly “upgrade risk score” with concrete fixes (pin versions, verify provenance, block untrusted registries, require SLSA attestations). Unlike full SAST/DAST suites, it’s narrow and fast, designed to run on every upgrade PR without slowing teams down. It integrates with GitHub/GitLab and posts actionable comments, plus an audit trail for compliance. The realistic value is fewer surprise CVEs and fewer broken builds from unsafe upgrades.
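The checks listed above (SBOM diffing, known-vuln regression, license changes, transitive major-version jumps, untrusted registries, missing attestations) rolled into one risk score with a suggested fix per finding, as an added illustration. This is example code written here, not PatchProof's own implementation: the two SBOMs, the advisory table, the policy weights, and the `registry`/`attested` fields on each component are all constructed for the example, and the advisory id is a placeholder rather than a real CVE.

```python
"""
Toy upgrade-risk scorer for a dependency-bump PR (added example, not PatchProof code).
Diffs a "before" and "after" SBOM and applies the policy checks the description lists.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    severity: int    # weight this finding contributes to the risk score
    component: str
    message: str
    fix: str         # concrete remediation attached to every finding


# Policy knobs: assumed values for the example, not PatchProof defaults.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}
TRUSTED_REGISTRIES = {"registry.example.internal"}
WEIGHTS = {"vuln": 35, "major_transitive": 10, "license": 15, "registry": 20, "attestation": 10}

# Constructed advisory table: (component, version) -> advisory id (placeholder, not a real CVE).
ADVISORIES = {("libbar", "0.9.0"): "ADV-EXAMPLE-0001"}

# Constructed SBOMs in a minimal CycloneDX-like shape; "registry" and "attested"
# (SLSA attestation present?) are assumed fields added for the policy checks.
SBOM_BEFORE = {"components": [
    {"name": "libfoo", "version": "1.4.2", "scope": "direct", "license": "MIT",
     "registry": "registry.example.internal", "attested": True},
    {"name": "libbar", "version": "0.8.5", "scope": "transitive", "license": "MIT",
     "registry": "registry.example.internal", "attested": True},
    {"name": "libbaz", "version": "2.0.0", "scope": "transitive", "license": "Apache-2.0",
     "registry": "registry.example.internal", "attested": True},
]}
SBOM_AFTER = {"components": [
    {"name": "libfoo", "version": "1.5.0", "scope": "direct", "license": "MIT",
     "registry": "registry.example.internal", "attested": True},
    {"name": "libbar", "version": "0.9.0", "scope": "transitive", "license": "MIT",
     "registry": "registry.example.internal", "attested": True},
    {"name": "libbaz", "version": "3.0.0", "scope": "transitive", "license": "Apache-2.0",
     "registry": "registry.example.internal", "attested": True},
    {"name": "libqux", "version": "0.1.0", "scope": "transitive", "license": "GPL-3.0",
     "registry": "mirror.untrusted.example", "attested": False},
]}


def parse_version(v):
    """Best-effort semver-ish parse: '1.4.2' -> (1, 4, 2); non-numeric parts become 0."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def diff_sboms(before, after):
    """Return (added, removed, changed) dicts keyed by component name."""
    b = {c["name"]: c for c in before["components"]}
    a = {c["name"]: c for c in after["components"]}
    added = {n: a[n] for n in a.keys() - b.keys()}
    removed = {n: b[n] for n in b.keys() - a.keys()}
    changed = {n: (b[n], a[n]) for n in a.keys() & b.keys()
               if b[n]["version"] != a[n]["version"]}
    return added, removed, changed


def check_component(comp, old=None):
    """Policy checks for one added (old is None) or version-changed component."""
    name, ver, lic = comp["name"], comp["version"], comp["license"]
    findings = []
    adv = ADVISORIES.get((name, ver))
    if adv:  # known-vuln regression: the new version is itself affected
        findings.append(Finding(WEIGHTS["vuln"], name, f"{name} {ver} is affected by {adv}",
                                f"pin {name} to a version outside the advisory range"))
    if old is not None and comp["scope"] == "transitive" and \
            parse_version(ver)[0] != parse_version(old["version"])[0]:
        findings.append(Finding(WEIGHTS["major_transitive"], name,
                                f"transitive {name} jumps {old['version']} -> {ver}",
                                f"pin {name} explicitly and review its changelog"))
    if old is not None and old["license"] != lic:
        findings.append(Finding(WEIGHTS["license"], name,
                                f"license changed {old['license']} -> {lic}", "get license review"))
    elif old is None and lic not in ALLOWED_LICENSES:
        findings.append(Finding(WEIGHTS["license"], name, f"new dependency under {lic}",
                                "replace it or get a license exception"))
    if comp["registry"] not in TRUSTED_REGISTRIES:
        findings.append(Finding(WEIGHTS["registry"], name, f"fetched from {comp['registry']}",
                                "block untrusted registries; resolve via the internal mirror"))
    if not comp.get("attested"):
        findings.append(Finding(WEIGHTS["attestation"], name, "no SLSA attestation",
                                "require provenance attestation before merge"))
    return findings


def assess_upgrade(before, after):
    """Diff the SBOMs, run checks on every added/changed component, return score + findings."""
    added, _removed, changed = diff_sboms(before, after)
    findings = []
    for name in sorted(changed):
        findings.extend(check_component(changed[name][1], changed[name][0]))
    for name in sorted(added):
        findings.extend(check_component(added[name]))
    return {"score": min(100, sum(f.severity for f in findings)), "findings": findings}


if __name__ == "__main__":
    report = assess_upgrade(SBOM_BEFORE, SBOM_AFTER)
    print(f"upgrade risk score: {report['score']}/100")
    for f in report["findings"]:
        print(f"  [{f.severity:2d}] {f.component}: {f.message} -> fix: {f.fix}")
```

The diff is keyed on component name so a version bump, an added transitive, and a removal are distinguished before any policy runs; the weights are additive and capped at 100 so a single critical finding (a new version with a known advisory) dominates, while several low-weight hygiene findings on one unattested dependency still add up to a block.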
