ECZ-ID API & Software Pack
API, CI/CD, dependency and SBOM checks for software teams, with the ECZ-ID Hub.
An ECZ-ID Extension Pack: one install adds the specialists below. The pack itself adds no scanner — each specialist runs locally and independently, and you can install components on their own instead.
Useful for
Useful across many legitimate roles. Commonly used by:
- Software teams shipping APIs and services
- DevSecOps and platform teams
- Auditors reviewing supply-chain and pipeline evidence
Relevant when you are preparing a release, you want API, CI/CD, dependency and SBOM evidence together.
Included extensions
- ECZ-ID Hub (
ecocitizenz.eczid) — the ECZ-ID trust cockpit — routes you to the right specialist.
- API Security (
ecocitizenz.eczid-api-security) — API surfaces and their proof posture.
- CI/CD Trust (
ecocitizenz.eczid-cicd-trust) — pipeline and provenance artefacts.
- Dependency Security (
ecocitizenz.eczid-dependency-security) — lockfile and SBOM evidence gaps.
- SBOM Readiness (
ecocitizenz.eczid-sbom-readiness) — SBOM, lockfile and VEX evidence.
Common workflows
- Review API, CI/CD, dependency and SBOM evidence together.
- Prepare a release with supply-chain evidence assembled.
Installation outcome
- Installs 5 ECZ-ID extensions (including the Hub) in one step.
- Every check stays free and local-first; nothing is uploaded and there is no telemetry.
- The Hub gives one cockpit; each specialist also works standalone.
Example result
ECZ-ID API & Software Pack - installs 5 extensions
- ECZ-ID Hub
- API Security
- CI/CD Trust
- Dependency Security
- SBOM Readiness
Run: ECZ-ID: Show All Specialists
First-use path
- Install the pack and trust your workspace.
- Run ECZ-ID: Show All Specialists from the Hub to see what is installed.
- Run a specialist's Review / Scan Workspace and review the evidence.
Privacy & permissions
Local-first. Filenames and paths only. No source / prompt / secret upload. No telemetry. Respects VS Code Workspace Trust. Each included extension makes no safety, approval, certification or compliance claim.
FAQ
Can I install the components separately? Yes — every extension in this pack is also available on its own.
Does the pack add any new scanning? No. A pack only groups extensions; all checks come from the specialists.
Free vs supported setup
- Free, local-first: local evidence review — no sign-in and no purchase to run a check.
- Supported setup (TrustOps): maintained ECZ-ID identity, public proof and lifecycle for software-delivery trust — relevant when you need a resolver-verifiable result others can check, not just local review.
- You never need to buy anything to get local value; supported setup is a separate, optional step handled entirely in TrustOps.
Machine-readable facts
| Field |
Value |
| Product |
ECZ-ID API & Software Pack |
| Identity |
ecocitizenz.eczid-pack-api-software |
| Publisher |
EcoCitizenz |
| License |
Free; see the bundled LICENSE.txt |
| Version |
0.1.1 |
| Page family |
extension-pack |
| Purpose |
API, CI/CD, dependency and SBOM checks for software teams, with the ECZ-ID Hub. |
| Applicable audiences |
Software teams shipping APIs and services; DevSecOps and platform teams; Auditors reviewing supply-chain and pipeline evidence |
| Applicable scenarios |
you are preparing a release; you want API, CI/CD, dependency and SBOM evidence together |
| Members |
ecocitizenz.eczid, ecocitizenz.eczid-api-security, ecocitizenz.eczid-cicd-trust, ecocitizenz.eczid-dependency-security, ecocitizenz.eczid-sbom-readiness |
| Primary command |
ECZ-ID: Show All Specialists |
| Inputs |
None — a pack contains no scanner; each member detects its own artefacts |
| Outputs |
Installs the listed extensions (including the Hub) in one step; each member produces its own outputs |
| Independent management |
Every member can be enabled, disabled or uninstalled on its own |
| Data handling |
Filenames and paths only; no source / prompt / secret upload; no telemetry; retention none |
| Network behaviour |
None — a pack runs no code; each installed extension manages its own |
| Result states |
evidence observed; evidence not observed; no public proof reference found yet; review recommended; re-check before reliance; local policy decides |
| Limitations |
Does not issue proof, approve, certify, insure, underwrite, determine compliance, or run checkout |
| Canonical machine discovery |
https://machine.ecocitizenz.org/.well-known/ecz-machine.json |
| Public proof |
https://resolver.ecocitizenz.org |
| Documentation |
https://developers.ecocitizenz.com |
| Supported setup |
https://trustops.ecocitizenz.com/start |
| Re-check |
Re-run before reliance |
Support & links
ECZ-ID is independent trust infrastructure. Third-party names describe compatible ecosystems only and do not imply endorsement or affiliation. Local policy decides whether the evidence you review is sufficient.
