NUCLEUS VERIFY

Signed proof that your code was reviewed. Independently verifiable. Forever.

Signed certificates. Cryptographic proof packs. Honest scope disclosure. Built for the AI code era — and every line written before it. From indie projects to enterprise, fintech to healthcare, defence to SaaS — if your code ships, Nucleus proves it was reviewed.

Verify a Repository View Benchmark
Verification Corpus
Frozen Benchmark
0
Repos scanned
0
Consistency errors
Live Corpus
0
Repos verified
0
Certificates
0
Lines of code
0
Findings
0
Proof packs
Artifact Integrity Determinism Contract Adherence Build Validation Structural Integrity

Verify a Repository

Public GitHub, GitLab, and Bitbucket repositories. Results in 15 seconds to 5 minutes depending on repository size. Large repos processed asynchronously.

Try an example:

expressjs/express pallets/flask jashkenas/underscore

Real scan of expressjs/express. All values deterministic and independently verifiable.

What you receive after a scan

📄

Verification Report

Full analysis report with gate results, security findings, code metrics, and improvement suggestions.

View Example →
🔒

Signed Certificate

Ed25519 signed PDF certificate with cryptographic proof hashes, independently verifiable by anyone.

View Example →
🔗

Proof Pack

Downloadable proof pack containing all artifacts needed to independently replay and verify the result.

View Example →
📁
Drop a ZIP file here or click to browse
Extension determines language detection

Paste the full AI response including code blocks. Nucleus will extract the code and verify the implementation against your claims.

Optional: list what the AI claims to have implemented
🔒
Deterministic Replay
Same inputs, same hash, every time
📜
Signed Certificates
Ed25519 offline verification
Honest Disclosure
Every cert says what was NOT checked
Large repositories supported. Very large scans are processed asynchronously.

How it works

1

Submit your code

Provide a public repository URL, upload a ZIP archive, or paste source code directly. Nucleus Verify clones the repository, indexes every file, and builds a complete artifact map before analysis begins.

2

Five verification gates

Every submission passes through 5 deterministic gates: Artifact Integrity (file tree hashing), Determinism (triple-ordering reproducibility), Contract Adherence (dependency and licence checks), Build Validation (config and manifest analysis), and Structural Integrity (architecture and complexity scoring). Each gate produces a pass/fail result with detailed evidence.

3

432 standard + 249 enhanced operators (681 total) across 8 packs

After gates pass, Nucleus runs its full operator suite across 19 source languages — scanning for security vulnerabilities, supply chain risks, compliance violations, code quality issues, and AI/LLM-specific risks. Business plans unlock 8 enhanced packs adding Semgrep (3,800+ rules across 65+ languages), a local 250,000+ CVE database, and AI-powered analysis. Each operator is a focused detection rule that produces structured findings with severity, location, and remediation guidance. Enterprise customers can request custom operators tailored to their specific compliance frameworks, internal policies, or industry regulations.

4

Signed certificate and proof pack

You receive a cryptographically signed verification certificate and a downloadable proof pack containing all gate results, operator findings, deterministic hashes, and scope disclosures. Anyone can independently replay the verification to confirm the result — no trust required.

5

GitHub Actions — verify on every push

Add Nucleus to your CI/CD pipeline in 3 lines. Verify every push and pull request automatically. Certificate posted to every PR. Works with GitHub Actions, GitLab CI, CircleCI, Jenkins — any pipeline that can call an API. View on GitHub →

Five gates. Every verification.

Every repository passes through the same deterministic verification pipeline.

gate_v2 — Artifact Integrity
Repository structure, file tree hash, artifact completeness
gate_d — Determinism
Same inputs always produce identical output. Verified with 3 orderings.
contract — Contract Adherence
Code matches what the README claims. Majority adherence required.
build — Build Validation
Build succeeds. Syntax valid. No blocking errors.
gate_s — Structural Integrity
Internal consistency. Auth without authorisation. Missing pagination. Dead routes.

What Nucleus Verify does not check: runtime correctness, security vulnerabilities, business logic, performance, accessibility.

System Specification

Version 1.1.1 Verification gates 5 Standard operators 432 across 31 families Enhanced operators 249 across 8 packs Total operators 681 Languages 19 source languages natively (65+ via Semgrep on Business) CVE database 250,000+ vulnerabilities (local OSV mirror) Certificate signing Ed25519 Hash algorithm SHA-256 Deterministic seed 42 Benchmark corpus 915 repos, 0 errors Test coverage 2623+ tests Framework mapping 11 frameworks: OWASP LLM, NIST AI RMF, ISO 27001, DORA, FCA, PSD2, SWIFT, GDPR, HIPAA, PCI-DSS, SOC2

Example Verification Result

VERIFIED
gate_v2 passed gate_d passed contract passed build passed gate_s passed
Artifacts scanned 12
Stack detected node
Trust score 100/100 (A)
Scan grade A
Operators matched 55/432

Real result from a public repository verification. All values are deterministic and reproducible.

Deterministic Verification

Every verification run produces the same cryptographic hashes for the same input. You can independently replay any proof pack to confirm the result.

det_hash bfbe36be061fe607bc500ef270ef24f7309dcefce707952b9f6a9d708352b513
spec_hash 29c5e4a36eaa753a155fd1d4e931187c296746ee6309cf68ccd8b419021afccc
artifact_tree_hash 20b196389c6629eb204143556855b3095dc99462cc23a25ea9d18464e147d401
proof_pack_hash 33c0749da9aff525d4dd62bcf764e2cbf343609d21e78ca37465fec53a9e389b

Same repository, same seed, same hashes. Always.

AI-Generated Code Verification

When AI claims it built something, Nucleus Verify checks if the structural evidence actually exists in the code.

PARTIAL
contract — feature_presence
Prompt claims ‘file_upload’ but no structural evidence found in artifacts
CV-B077F5

Real finding from a verification run. The AI claimed it implemented file upload, but the code contained no upload handling, multipart parsing, or file storage logic.

Frozen benchmark (March 2026)

915 public repositories. Python and JavaScript ecosystems. Zero consistency errors.

41%
Verified
38%
Partial
20%
None

A system that verifies 41% of real-world repositories is honest. A system that verifies 90% is lying.

What we don't verify

  • Semantic correctness of business logic — we verify structure exists, not that the logic is right
  • Runtime behavior under production load — no execution, stress testing, or load profiling
  • Security vulnerability scanning — operator-level pattern detection only; no DAST, fuzzing, or pen testing
  • Accessibility compliance — structural checks, not WCAG conformance auditing
  • Performance benchmarks — no runtime profiling or time-complexity analysis
  • Data integrity under concurrent writes — no concurrency testing or race-condition reproduction

Every certificate explicitly lists what was not verified. Honest disclosure is a core design principle.

Who it's for

Developers

Verify AI-generated code before it ships. Certificate in every PR. Know exactly what was built vs what was claimed.

Engineering Managers

Structural gaps caught before production. Audit trail for every decision. Trust scores you can track over time.

Enterprise & Compliance

SOC 2 ready. PostgreSQL audit log. Ed25519 signed. Independently replayable. Full chain of custody.

How Nucleus Verify differs from existing tools

Feature CodeQL SonarQube Snyk Nucleus Verify
Finds vulnerabilities
Cryptographic signing
Independent replay
Tamper-evident chain
Honest scope disclosure
DORA / FCA evidence
Works alongside existing tools

Nucleus Verify finds vulnerabilities and produces cryptographically signed proof that the review happened — independently verifiable by anyone. It works alongside your existing tools or as a complete verification solution on its own.

Pricing

Start free. Scale when you're ready.

Free
$0
forever
  • 5 verifications / day
  • Standard scan (5 gates, 432 operators)
  • Repos up to 50MB
  • ZIP uploads up to 5MB
  • Paste code up to 50KB
  • 7-day history retention
  • Public verification URL
  • 1 free enhanced scan trial (all 8 packs)
  • Async large repo scans
  • Full result download
  • Report PDF
  • PDF certificate
  • Enhanced packs ongoing
Get Started
Plus
$20
/month
  • 50 verifications / day
  • Standard scan
  • Repos up to 500MB
  • ZIP uploads up to 100MB
  • Paste code up to 500KB
  • Async large repo scans
  • Full result download
  • Report PDF
  • 12-month history retention
  • PDF certificate download
  • 1 free enhanced scan trial
  • Email support
  • Enhanced packs ongoing
  • AI Analysis Report
Business
$50
/seat/month
  • Unlimited verifications
  • Repos up to 2GB
  • ZIP uploads up to 500MB
  • Paste code up to 5MB
  • Standard scan + ALL 8 enhanced packs
  • Select which packs to run per scan
  • Parallel pack execution
  • 681 operators + Semgrep 3,800+ rules
  • 19 source languages + 65+ via Semgrep
  • 250,000+ CVE database (local, always fresh)
  • AI Analysis Report on every enhanced scan
  • Enhanced PDF certificate
  • Full result & report download
  • Full history retention
  • Team seats & API access (X-API-Key)
  • GitHub Actions integration
  • Priority support
Enterprise
Custom
annual contract
  • Everything in Business
  • Unlimited repo size
  • ZIP uploads up to 2GB
  • Paste code up to 50MB
  • CodeQL Deep Analysis (coming soon)
  • Custom operator support
  • Private repository verification
  • SSO / SAML integration
  • SLA & dedicated support
  • Custom compliance frameworks
  • CI/CD integration (GitHub, GitLab, Jenkins)
  • On-premise deployment option

Need just one certificate? $4.99 one-time per verification. Available on the result page.

For enterprise enquiries, custom plans, or volume pricing contact contact@altermenta.com