PatchProof
PatchProof is a web app (with optional GitHub/GitLab integrations) that verifies whether application security fixes actually shipped to production. Instead of yet another SAST/DAST scanner, it focuses on the painful gap between “finding” and “fixing”: it ingests vulnerability findings (Snyk, Dependabot, Semgrep, etc.), maps them to specific commits/PRs, and then validates deployment evidence (container image digests, SBOMs, release tags, and runtime version checks). It produces an auditable “fix attestation” per vulnerability: what changed, where it’s deployed, and when it became effective. It also flags false closure (e.g., PR merged but not deployed, patch reverted, vulnerable transitive dependency still present). This is a traditional app with AI assistance for mapping findings to code changes and summarizing evidence, but the core value is deterministic verification and audit trails.
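The false-closure checks described above can be sketched as a deterministic classifier over deployment evidence. This is an added illustration, not PatchProof's own code: the `Finding` and `Deployment` records, the status names, and all sample commits, packages and digests are hypothetical and constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    finding_id: str
    package: str         # vulnerable component named by the scanner
    fixed_in: str        # first non-vulnerable version
    fix_commit: str      # commit the finding was mapped to

@dataclass(frozen=True)
class Deployment:
    image_digest: str    # digest of the image running in production
    commits: frozenset   # commits contained in that build
    reverted: frozenset  # commits undone by a later revert in that build
    sbom: tuple          # (name, version, "direct" | "transitive") entries

def _ver(v):
    # Simplification: plain dotted numeric versions only.
    return tuple(int(p) for p in v.split("."))

def attest(finding, dep):
    """Classify one finding against one deployment; returns (status, evidence)."""
    if finding.fix_commit not in dep.commits:
        return "not_deployed", f"{finding.fix_commit} absent from {dep.image_digest}"
    if finding.fix_commit in dep.reverted:
        return "reverted", f"{finding.fix_commit} reverted in {dep.image_digest}"
    stale = [e for e in dep.sbom
             if e[0] == finding.package and _ver(e[1]) < _ver(finding.fixed_in)]
    if stale:
        name, version, scope = stale[0]
        return "still_vulnerable", f"{scope} {name} {version} in SBOM of {dep.image_digest}"
    return "verified", f"{finding.fix_commit} live in {dep.image_digest}"

# Constructed sample data (not real findings, commits, or digests).
FINDING = Finding("F-1", "libexample", "2.4.1", "abc123")
DEPLOYS = {
    "merged_only": Deployment("sha256:aaaa", frozenset({"000111"}), frozenset(), ()),
    "reverted": Deployment("sha256:bbbb", frozenset({"abc123", "def456"}),
                           frozenset({"abc123"}), ()),
    "transitive": Deployment("sha256:cccc", frozenset({"abc123"}), frozenset(),
                             (("libexample", "2.4.1", "direct"),
                              ("libexample", "2.3.0", "transitive"))),
    "clean": Deployment("sha256:dddd", frozenset({"abc123"}), frozenset(),
                        (("libexample", "2.4.1", "direct"),)),
}

def run_all():
    return {name: attest(FINDING, dep)[0] for name, dep in DEPLOYS.items()}

if __name__ == "__main__":
    for name, status in run_all().items():
        print(f"{name:12} -> {status}")
```

Only the `clean` deployment yields a `verified` status; the other three are the false-closure cases named in the description, each returned with the evidence string that would go into the audit trail.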