ECZ-ID CI/CD Trust

Surface pipeline, release and provenance artefacts before deployment review.

Free, local-first. No source upload. No sign-in to run a check.

• Surfaces CI/CD pipeline, release and provenance artefacts.
• Plain-English posture per artefact.
• Routes to Resolver lookup and supported setup.

What you can do in under a minute

1. Open or scan the workspace — run ECZ-ID CI/CD Trust: Scan Workspace.
2. Review findings in plain English — grouped, with neutral posture.
3. Open Resolver guidance or continue supported setup where relevant.

What it looks for

• Pipeline definitions (GitHub Actions, GitLab CI, and similar).
• Dockerfiles and container build/release config.
• Release / provenance artefacts and references.
• Whether a resolver reference is present for a detected pipeline.

What results mean

Results describe public-proof posture, never a safety, approval, certification or compliance verdict:

resolvable · partial public proof · no public proof reference found yet · review recommended · re-check before reliance · your local policy decides.

There is no “pass/fail”. Local policy decides what is sufficient, and you should re-check before reliance.

Recommended next steps

• Inspect the finding — plain-English detail, no verdict.
• Copy verification guidance — a claim-free snippet you can share.
• Open Resolver — read-only public proof lookup.
• Continue supported setup — hand off to TrustOps (metadata only).
• Open documentation — Developer Gateway.
• Re-check later — re-run before you rely on a result.

Privacy & permissions

See the bundled PRIVACY.md for the full notice.

Frequently asked questions

Is this extension free?

Yes. Every local check is free — you never need to sign in or pay to run one.

Does it upload my source code?

No. No source, prompts, secrets or tool payloads ever leave your device, and there is no telemetry.

Does it read my file contents?

It reads filenames and paths during a scan. It only reads the contents of a file you explicitly ask it to inspect (for example an ecz-*.json you choose to validate).

Does a missing proof reference mean something is unsafe?

No. “No public proof reference found yet” is neutral — it is not a verdict of “unsafe”. It only means resolver-verifiable public proof was not detected.

What does Resolver do?

Resolver is a read-only public proof lookup. The extension can open it so you can check public proof yourself; the extension never writes, activates or decides anything.

Do I need an ECZ-ID before using the extension?

No. You can run every local check without one. An ECZ-ID is only relevant if you later choose supported setup in TrustOps.

What happens when I continue supported setup?

The extension hands off to TrustOps with metadata only. It runs no checkout itself; TrustOps handles acquisition, setup and lifecycle.

Can this extension make a compliance or approval decision?

No. It surfaces posture and routes you to proof. Local policy decides sufficiency; it never certifies, approves or guarantees.

Does it approve deployments?

No. It never approves or blocks a deployment. It surfaces pipeline, release and provenance artefacts for your review.

Which pipeline artefacts does it detect?

CI workflows (for example GitHub Actions, GitLab CI), Dockerfiles, and release / provenance references.

What it does not do

• No source / prompt / secret upload, and no telemetry.
• Writes no canonical truth, decides no BOUND state, creates no entitlement.
• Makes no safety, approval, certification or compliance claim. Does not approve a deployment or gate a release. It surfaces pipeline and provenance evidence for your review.
• Runs no checkout or payment — commercial actions happen only in TrustOps.

Install & first use

1. Install ECZ-ID CI/CD Trust from the Visual Studio Marketplace (publisher EcoCitizenz).
2. Open a project and trust the workspace.
3. Run ECZ-ID CI/CD Trust: Scan Workspace and review the grouped findings.

Links & support

• Resolver (read-only proof): https://resolver.ecocitizenz.org
• TrustOps (supported setup): https://trustops.ecocitizenz.com/start
• Developer Gateway (docs & support): https://developers.ecocitizenz.com
• Privacy: see the bundled PRIVACY.md file

ECZ-ID is an independent project and is not affiliated with or sponsored by Microsoft, GitHub, VS Code, OpenAI, Anthropic, Google, or AWS. ECZ-ID helps make identity, authority, and resolver posture easier to review. Local policy decides whether this is sufficient.