Cryptographic file inventory and exfiltration detection — powered by CertiSigma

Navigation

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for massimocavallin from gravatar.com massimocavallin

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License Expression: MIT
    SPDX License Expression
  • Author: Ten Sigma Sagl
  • Tags attestation , breach-detection , cryptography , file-integrity , forensics
  • Requires: Python >=3.10
  • Provides-Extra: dev
Classifiers
Report project as malware

Project description

CertiSigma Census

Cryptographic file inventory and exfiltration detection — powered by CertiSigma.

Census scans directories, computes SHA-256 hashes, attests them via the CertiSigma API (three-layer cryptographic proof: ECDSA T0, qualified TSA T1, Bitcoin T2), and maintains a local manifest. When suspect files surface, Census compares their hashes against the registry to prove — with cryptographic certainty — whether they match inventoried assets.

Installation

pip install certisigma-census

Requires Python 3.10+.

Quick Start

1. Inventory scan

export CERTISIGMA_API_KEY=cs_...

# Scan a directory and attest all file hashes
census scan /path/to/sensitive-files --source inventory-hr

# Dry run — hash only, no attestation
census scan /path/to/files --dry-run

# Scan only PDFs and Word docs, skip files over 100 MB
census scan /data --include "*.pdf" --include "*.docx" --max-size 100M

# Resume an interrupted scan
census scan /data --source quarterly --manifest inventory.json --resume

This produces a .census-manifest.json mapping each hash to its file path, size, and attestation metadata.

2. Breach comparison

# Compare suspect files against the CertiSigma registry
census compare /path/to/suspect-files --manifest /path/to/.census-manifest.json

# Save report as JSON or CSV
census compare /suspect --output report.json
census compare /suspect --output report.csv

Exit code: 0 if no matches, 1 if matches found.

3. Manifest status and export

# Show summary
census status /path/to/.census-manifest.json

# Export manifest as CSV for compliance reporting
census export manifest.json --format csv --output inventory.csv

# Export as JSON
census export manifest.json --format json --output inventory.json

How It Works

  1. Scan — Census walks the directory, computes SHA-256 for each file (streamed, constant memory), and builds a local manifest.
  2. Attest — Hashes are sent in batches (up to 100 per call) to the CertiSigma API. Each hash receives a three-layer cryptographic proof (T0 ECDSA signature, T1 qualified TSA timestamp, T2 Bitcoin anchor).
  3. Compare — Suspect files are hashed and verified against the registry via POST /verify/batch. Matches prove the file was previously inventoried, regardless of filename or directory structure changes.

The original file content never leaves the client. Only SHA-256 hashes are transmitted.

Features

Feature Description Docs
File filters --include, --exclude globs; --min-size, --max-size scanning.md
Resume scans --resume skips unchanged files, preserves attestation state scanning.md
CSV/JSON export Compare reports and manifest export in both formats comparison.md
Retry with backoff Automatic retry on 429/5xx with exponential backoff retry-and-resilience.md
Structured logging --log-format json for SIEM/ELK integration logging.md
Progress bars Visual feedback for scan, attest, and compare operations scanning.md
Atomic saves Manifest writes via tmp+rename prevent corruption manifest.md

Full documentation: docs/features/

CLI Reference

Global options

Option Description
-v / --verbose Enable debug logging
--log-format text|json Log output format (default: text)
--version Show version

census scan

Option Description
--source LABEL Source label for attestations
--manifest PATH Manifest output path (default: <dir>/.census-manifest.json)
--api-key KEY API key (or set CERTISIGMA_API_KEY)
--base-url URL Override API base URL
--dry-run Hash only, no attestation
--resume Resume interrupted scan
--include GLOB Include files matching pattern (repeatable)
--exclude GLOB Exclude files matching pattern (repeatable)
--min-size SIZE Skip files smaller than SIZE (e.g. 1K, 10M)
--max-size SIZE Skip files larger than SIZE (default: 5G)

census compare

Option Description
--manifest PATH Local manifest for cross-referencing
--output PATH Save report (.json or .csv by extension)
--include/--exclude/--min-size/--max-size Same filters as scan

census export

Option Description
--format csv|json Output format (default: csv)
--output PATH Output file (default: stdout)

census status

Takes a manifest path as argument. No additional options.

Dependencies

No additional runtime dependencies. All features use Python stdlib (fnmatch, csv, json, logging).

License

MIT — Ten Sigma Sagl

Project details

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for massimocavallin from gravatar.com massimocavallin

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License Expression: MIT
    SPDX License Expression
  • Author: Ten Sigma Sagl
  • Tags attestation , breach-detection , cryptography , file-integrity , forensics
  • Requires: Python >=3.10
  • Provides-Extra: dev
Classifiers

Release history Release notifications | RSS feed

1.23.1

1.23.0

1.22.0

1.21.1

1.21.0

1.20.0

1.17.0

1.16.1

1.15.2

1.15.1

1.15.0

1.14.4

1.14.3

1.14.2

1.14.1

1.14.0

1.13.2

1.13.1

1.13.0

1.12.1

1.12.0

1.11.1

1.11.0

1.10.1

1.10.0

1.9.2

1.9.1

1.9.0

1.8.1

1.8.0

1.7.1

1.6.1

1.6.0

1.5.1

0.8.0

0.7.0

0.6.1

0.6.0

0.5.0

0.4.0

0.3.1

0.3.0

This version

0.2.1

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

certisigma_census-0.2.1.tar.gz (39.2 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

certisigma_census-0.2.1-py3-none-any.whl (14.3 kB view details)

Uploaded Python 3

File details

Details for the file certisigma_census-0.2.1.tar.gz.

File metadata

  • Download URL: certisigma_census-0.2.1.tar.gz
  • Upload date:
  • Size: 39.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for certisigma_census-0.2.1.tar.gz
Algorithm Hash digest
SHA256 f54183058e17f9808d460e2eaed09705da5b9a3be15d3ee538d98d62929cfc0f
MD5 e56f1143f55f7a23f48767fb26cf217b
BLAKE2b-256 8ad7244472b45a7afd6284f8148bdd96bffeb43cbebb5c6a605d9d10ec576155

See more details on using hashes here.

Provenance

The following attestation bundles were made for certisigma_census-0.2.1.tar.gz:

Publisher: publish.yml on massimocavallin/certisigma-census

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file certisigma_census-0.2.1-py3-none-any.whl.

File metadata

File hashes

Hashes for certisigma_census-0.2.1-py3-none-any.whl
Algorithm Hash digest
SHA256 ac08ad500a98aa20f937b3eb27bf7eeb617f48c931ab8c97a9302eb3a3eee0ab
MD5 821550a0241792d6a2028b44deb55530
BLAKE2b-256 dcfa2917f6bb3a697e7c6fdd77106d7053e14ee86f6d6756150f79361c5b0180

See more details on using hashes here.

Provenance

The following attestation bundles were made for certisigma_census-0.2.1-py3-none-any.whl:

Publisher: publish.yml on massimocavallin/certisigma-census

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page