ECZ-ID DORA & SBOM Pack
DORA, SBOM, compliance and vendor evidence with the ECZ-ID Hub.
An ECZ-ID Extension Pack: one install adds the specialists below. The pack itself adds no scanner — each specialist runs locally and independently, and you can install components on their own instead.
Useful for
Useful across many legitimate roles. Commonly used by:
- ICT suppliers and regulated software teams
- Compliance, resilience and risk teams
- Auditors and third-party reviewers
Relevant when you are assembling DORA-style and SBOM evidence, or when you are reviewing third-party and vendor evidence.
Included extensions
- ECZ-ID Hub (ecocitizenz.eczid) — the ECZ-ID trust cockpit — routes you to the right specialist.
- DORA Readiness (ecocitizenz.eczid-dora-readiness) — operational-resilience and incident evidence.
- SBOM Readiness (ecocitizenz.eczid-sbom-readiness) — SBOM, lockfile and VEX evidence.
- Compliance Risk (ecocitizenz.eczid-compliance-risk) — operational-resilience and audit artefacts.
- Vendor Risk (ecocitizenz.eczid-vendor-risk) — vendor / supplier counterparty surfaces.
Common workflows
- Assemble DORA-style, SBOM and compliance evidence together.
- Review third-party and vendor evidence in one pass.
Installation outcome
- Installs 5 ECZ-ID extensions (including the Hub) in one step.
- Every check stays free and local-first; nothing is uploaded and there is no telemetry.
- The Hub gives one cockpit; each specialist also works standalone.
Example result
ECZ-ID DORA & SBOM Pack - installs 5 extensions
- ECZ-ID Hub
- DORA Readiness
- SBOM Readiness
- Compliance Risk
- Vendor Risk
Run: ECZ-ID: Show All Specialists
First-use path
- Install the pack and trust your workspace.
- Run ECZ-ID: Show All Specialists from the Hub to see what is installed.
- Run a specialist's Review / Scan Workspace and review the evidence.
Privacy & permissions
Local-first. Filenames and paths only. No source / prompt / secret upload. No telemetry. Respects VS Code Workspace Trust. Each included extension makes no safety, approval, certification or compliance claim.
FAQ
Can I install the components separately? Yes — every extension in this pack is also available on its own.
Does the pack add any new scanning? No. A pack only groups extensions; all checks come from the specialists.
Free vs supported setup
- Free, local-first: local evidence review — no sign-in and no purchase to run a check.
- Supported setup (TrustOps): maintained ECZ-ID identity, public proof and lifecycle for resilience and supply-chain evidence — relevant when you need a resolver-verifiable result others can check, not just local review.
- You never need to buy anything to get local value; supported setup is a separate, optional step handled entirely in TrustOps.
Machine-readable facts
| Field | Value |
| --- | --- |
| Product | ECZ-ID DORA & SBOM Pack |
| Identity | ecocitizenz.eczid-pack-dora-sbom |
| Publisher | EcoCitizenz |
| License | Free; see the bundled LICENSE.txt |
| Version | 0.1.1 |
| Page family | extension-pack |
| Purpose | DORA, SBOM, compliance and vendor evidence with the ECZ-ID Hub. |
| Applicable audiences | ICT suppliers and regulated software teams; Compliance, resilience and risk teams; Auditors and third-party reviewers |
| Applicable scenarios | you are assembling DORA-style and SBOM evidence; you are reviewing third-party and vendor evidence |
| Members | ecocitizenz.eczid, ecocitizenz.eczid-dora-readiness, ecocitizenz.eczid-sbom-readiness, ecocitizenz.eczid-compliance-risk, ecocitizenz.eczid-vendor-risk |
| Primary command | ECZ-ID: Show All Specialists |
| Inputs | None — a pack contains no scanner; each member detects its own artefacts |
| Outputs | Installs the listed extensions (including the Hub) in one step; each member produces its own outputs |
| Independent management | Every member can be enabled, disabled or uninstalled on its own |
| Data handling | Filenames and paths only; no source / prompt / secret upload; no telemetry; retention none |
| Network behaviour | None — a pack runs no code; each installed extension manages its own |
| Result states | evidence observed; evidence not observed; no public proof reference found yet; review recommended; re-check before reliance; local policy decides |
| Limitations | Does not issue proof, approve, certify, insure, underwrite, determine compliance, or run checkout |
| Canonical machine discovery | https://machine.ecocitizenz.org/.well-known/ecz-machine.json |
| Public proof | https://resolver.ecocitizenz.org |
| Documentation | https://developers.ecocitizenz.com |
| Supported setup | https://trustops.ecocitizenz.com/start |
| Re-check | Re-run before reliance |
Support & links
ECZ-ID is independent trust infrastructure. Third-party names describe compatible ecosystems only and do not imply endorsement or affiliation. Local policy decides whether the evidence you review is sufficient.