Integration

Lineaje GOS integrates into existing CI/CD pipelines. The workflow consists of six sequential phases, each supported by Lineaje APIs, CLI tooling, and — for licensed customers — AI-driven automation.

Step 1: Generate a Project

To onboard the application to Lineaje, start by generating a project. Lineaje constructs a complete dependency graph — including all direct and transitive components — from one of the following ingestion sources:

  • Source code repository: Connect Lineaje to GitHub, GitLab, Bitbucket, or any SCM via the CLI or webhook integration.

  • Container image: Provide an image reference; Lineaje unpacks and analyzes the full layer dependency tree.

  • Existing SBOM: Import a CycloneDX or SPDX SBOM to bootstrap the project without re-scanning.

Once a project is generated, Lineaje maintains a continuously updated view of the application's supply chain, surfacing new vulnerabilities as they are disclosed against any component in the dependency tree.


Refer to the Lineaje CLI Integration Guide for detailed setup instructions, authentication configuration, and proxy settings for air-gapped environments.

Step 2: (For Licensed Customers) Generate GOS Plan

For licensed customers, this step is fully automated. Lineaje's AI agents analyze the project's dependency graph and produce a structured remediation plan that classifies every vulnerable component into one of three fix buckets:

| Fix Type | Description | Effort Level | Automation |
|----------|-------------|--------------|------------|
| Curated | Drop-in replacement where a safe fixed version exists. Lineaje verifies the upgrade does not introduce new vulnerabilities transitively. | Low | Fully automated via Auto Fix |
| Rebuild | Lineaje reconstructs the component with patched transitive dependencies — no source-code changes required. | Medium | Automated rebuild pipeline |
| Premium | No safe public version exists; Lineaje applies targeted source-level patches to produce a hardened artifact. | High | AI-assisted; manual review recommended |

The GOS plan output is a machine-readable artifact (manifest file) that specifies the exact package versions and patch identifiers required to eliminate all resolvable ECH vulnerabilities from the project.

Step 3: Prepare Fix Artifacts

After the GOS plan is generated, Lineaje's build infrastructure prepares the required fix artifacts. For Curated and Rebuild fixes, this process typically completes within minutes. Premium fixes — which require targeted source-level modifications — may take additional time depending on component complexity.

During this phase, the recommended polling strategy is to query the fix plan API until overall_status transitions to "available". Once available, all fix artifacts are accessible via the Lineaje FortKnox Artifactory.


Refer to the GOS API & Proxy guide for the full polling flow using the /api/v1/explain endpoint.
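The polling loop for this phase, written as an added example rather than Lineaje's own client code. The page states only that the plan's overall_status transitions to "available"; the endpoint path, the response shape ({"overall_status": ...}) and the "pending" and "failed" status values used here are assumptions. The poller backs off exponentially, stops on a terminal failure status, and times out, so a CI job fails loudly instead of applying a half-built plan. The fetch callable is injected, so the same loop works against a real HTTP client or, as below, a constructed sequence of responses.

```python
"""Poll a fix-plan status endpoint until overall_status == "available".

Added example, not Lineaje's client code. Status values other than
"available", the response layout and the backoff parameters are assumptions.
"""
import time
from typing import Callable, Dict, Iterator, List

# Assumed terminal failure states; "failed" is constructed for this example.
TERMINAL_FAILURE = {"failed"}


class FixPlanError(RuntimeError):
    """Raised when the plan ends in a failure state or polling times out."""


def poll_until_available(
    fetch_status: Callable[[], Dict[str, str]],
    timeout_s: float = 600.0,
    initial_delay_s: float = 2.0,
    max_delay_s: float = 30.0,
    sleep: Callable[[float], None] = time.sleep,
    clock: Callable[[], float] = time.monotonic,
) -> Dict[str, str]:
    """Call fetch_status() with exponential backoff until the plan is available.

    Returns the final response. Raises FixPlanError on a terminal failure
    status or once timeout_s has elapsed.
    """
    deadline = clock() + timeout_s
    delay = initial_delay_s
    while True:
        resp = fetch_status()
        status = resp.get("overall_status")
        if status == "available":
            return resp
        if status in TERMINAL_FAILURE:
            raise FixPlanError(f"fix plan ended in status {status!r}: {resp}")
        if clock() >= deadline:
            raise FixPlanError(f"timed out after {timeout_s}s; last status {status!r}")
        sleep(delay)
        delay = min(delay * 2, max_delay_s)


def make_fake_fetch(statuses: List[str]) -> Callable[[], Dict[str, str]]:
    """Constructed stand-in for the HTTP call: yields statuses in order, then repeats the last."""
    it: Iterator[str] = iter(statuses)
    last = {"overall_status": statuses[-1]}

    def fetch() -> Dict[str, str]:
        nonlocal last
        nxt = next(it, None)
        if nxt is not None:
            last = {"overall_status": nxt}
        return last

    return fetch


def poll_outcome(statuses: List[str], timeout_s: float = 600.0) -> str:
    """Run the poller against a constructed status sequence on a simulated clock.

    Returns "available", "failure" (terminal status) or "timeout".
    """
    now = [0.0]

    def sleep(d: float) -> None:
        now[0] += d  # advance the simulated clock instead of really sleeping

    try:
        poll_until_available(make_fake_fetch(statuses), timeout_s=timeout_s,
                             sleep=sleep, clock=lambda: now[0])
        return "available"
    except FixPlanError as exc:
        return "failure" if "ended in status" in str(exc) else "timeout"


def run_demo() -> List[float]:
    """Poll three "pending" responses then "available"; returns the delays slept (2, 4, 8)."""
    delays: List[float] = []
    now = [0.0]

    def sleep(d: float) -> None:
        delays.append(d)
        now[0] += d

    result = poll_until_available(
        make_fake_fetch(["pending", "pending", "pending", "available"]),
        sleep=sleep, clock=lambda: now[0],
    )
    assert result["overall_status"] == "available"
    return delays


if __name__ == "__main__":
    print(run_demo())
```

In a pipeline, fetch_status would wrap the authenticated call to the fix plan API; injecting sleep and clock keeps the loop testable without network access or real waiting.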

Step 4: Apply GOS Fixes

Once fix artifacts are available, they are applied to the project repository using the GOS fix manifest. Two application paths are available depending on the customer's license tier:

  • GOS (Standard): Development teams apply the fix manifest manually by creating a new branch, updating the dependency manifest (e.g., pom.xml, requirements.txt, go.mod), committing the change, and raising a pull request for review and merge.

  • SCA 360 (Auto Fix): Lineaje's AI agents automate the entire developer workflow — branching, manifest update, commit, and PR creation — reducing the time from plan to remediation to minutes.


Auto Fix integrates with GitHub, GitLab, and Bitbucket PR workflows. Branch naming conventions and PR templates are fully configurable via Lineaje organization settings.
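The manifest-update part of the GOS (Standard) path, as an added example that is not Lineaje's tooling. It rewrites a requirements.txt so every package named in the fix manifest is pinned with "==" to the fixed version. The manifest layout ({package: fixed_version}), the sample file and the version numbers are constructed; the page says only that the manifest specifies exact package versions. Branching, committing and raising the pull request happen around this step and are not shown.

```python
"""Apply a fix manifest to requirements.txt (manual GOS Standard path).

Added example, not Lineaje's tooling. The manifest format and the sample
input are constructed; version numbers are placeholders.
"""
import re
from typing import Dict, List, Tuple

# Constructed fix manifest: package -> exact fixed version (placeholder values).
SAMPLE_FIX_MANIFEST: Dict[str, str] = {
    "requests": "2.99.0",
    "pyyaml": "6.99.0",
}

# Constructed input: a comment, a loose range, an untouched pin and an extra.
SAMPLE_REQUIREMENTS = """\
# constructed sample
requests==2.0.0
PyYAML>=5.1  # loose range, will be pinned
urllib3==1.26.0
Flask[async]==2.0.0
"""

_REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?P<extras>\[[^\]]*\])?(?P<spec>.*)$"
)


def normalize(name: str) -> str:
    """PEP 503 name normalisation so 'PyYAML' and 'pyyaml' match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def apply_fix_manifest(requirements: str, manifest: Dict[str, str]) -> Tuple[str, List[str]]:
    """Return the rewritten requirements text and the names of packages changed.

    Packages in the manifest are pinned to the fixed version (extras kept,
    any inline comment on that line dropped). Comments, blank lines, pip
    option lines and packages outside the manifest pass through unchanged.
    """
    fixes = {normalize(k): v for k, v in manifest.items()}
    out: List[str] = []
    changed: List[str] = []
    for line in requirements.splitlines():
        stripped = line.split("#", 1)[0].strip()
        if not stripped or stripped.startswith("-"):
            out.append(line)  # comment, blank, or option such as "-r other.txt"
            continue
        m = _REQ_RE.match(stripped)
        key = normalize(m.group("name")) if m else None
        if m and key in fixes:
            extras = m.group("extras") or ""
            new = f"{m.group('name')}{extras}=={fixes[key]}"
            if new != stripped:
                changed.append(m.group("name"))
            out.append(new)
        else:
            out.append(line)
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    text, changed = apply_fix_manifest(SAMPLE_REQUIREMENTS, SAMPLE_FIX_MANIFEST)
    print(text)
    print("changed:", changed)
```

Loose ranges such as ">=5.1" are pinned as well, because the point of the fix is an exact version that has been verified; a later rebuild that floats to a newer release would not carry that verification.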

Step 5: Integrate FortKnox Artifactory

FortKnox is Lineaje's GOS-enforcing artifact registry. When configured as the upstream for your build tool (Maven, Gradle, pip, npm, Go module proxy, etc.), FortKnox acts as a policy gateway:

  • Allows: Package requests that resolve to Gold-rated versions are served immediately.

  • Blocks: Requests for non-Gold packages are rejected with a structured error response indicating the specific policy violation.

  • Audits: Every resolved package is logged with a timestamp, enabling on-demand SBOM generation and compliance attestation.

FortKnox supports both cloud-hosted and on-premises deployment to meet data residency requirements. It is compatible with all major build ecosystems and can be configured as a virtual repository that proxies existing registries with Gold enforcement layered on top.


Refer to the Lineaje GOS Artifactory Proxy Integration guide for connector-specific setup instructions (Maven settings.xml, pip.conf, .npmrc, GOPROXY, etc.).
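The three gateway behaviours above (allow, block with a structured error, audit with on-demand SBOM) as an added simulation, not FortKnox code. The Gold catalogue, the error fields, the audit-record layout and the CycloneDX property name are constructed for the example; the page does not describe the registry's actual responses or log format.

```python
"""Simulate a Gold-enforcing policy gateway: allow Gold-rated versions,
block everything else with a structured error, audit each resolution and
build a CycloneDX SBOM from the audit log on demand.

Added example, not FortKnox code. Catalogue, error codes and log layout are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any, Callable, Dict, List, Optional, Set, Tuple

# Constructed Gold catalogue: (ecosystem, package) -> Gold-rated versions (placeholders).
GOLD_CATALOGUE: Dict[Tuple[str, str], Set[str]] = {
    ("pypi", "requests"): {"2.99.0"},
    ("npm", "lodash"): {"4.99.0"},
}


@dataclass
class AuditRecord:
    timestamp: str
    ecosystem: str
    package: str
    version: str
    decision: str           # "allow" or "block"
    reason: Optional[str]   # policy code when blocked


class PolicyGateway:
    def __init__(self, catalogue: Dict[Tuple[str, str], Set[str]],
                 clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self.catalogue = catalogue
        self.clock = clock
        self.audit_log: List[AuditRecord] = []

    def resolve(self, ecosystem: str, package: str, version: str) -> Dict[str, Any]:
        """Decide one package request; every decision is audited with a timestamp."""
        gold = self.catalogue.get((ecosystem, package), set())
        if version in gold:
            self._audit(ecosystem, package, version, "allow", None)
            return {"status": "allowed", "package": package, "version": version}
        # Structured error: the client learns which policy failed and what is acceptable.
        reason = "no-gold-rating" if not gold else "version-not-gold"
        self._audit(ecosystem, package, version, "block", reason)
        return {"status": "blocked",
                "error": {"code": reason, "package": package,
                          "requested": version, "gold_versions": sorted(gold)}}

    def _audit(self, ecosystem: str, package: str, version: str,
               decision: str, reason: Optional[str]) -> None:
        self.audit_log.append(AuditRecord(self.clock().isoformat(), ecosystem,
                                          package, version, decision, reason))

    def sbom_cyclonedx(self) -> Dict[str, Any]:
        """Minimal CycloneDX 1.5 document listing each allowed component once."""
        seen: Set[Tuple[str, str, str]] = set()
        components = []
        for rec in self.audit_log:
            key = (rec.ecosystem, rec.package, rec.version)
            if rec.decision != "allow" or key in seen:
                continue
            seen.add(key)
            components.append({
                "type": "library",
                "name": rec.package,
                "version": rec.version,
                "purl": f"pkg:{rec.ecosystem}/{rec.package}@{rec.version}",
                # Constructed property name carrying the resolution timestamp.
                "properties": [{"name": "gold:resolved-at", "value": rec.timestamp}],
            })
        return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
                "components": components}


def run_demo() -> Tuple[List[str], int]:
    """Resolve a constructed request sequence; returns the decisions and SBOM component count."""
    fixed_clock = lambda: datetime(2024, 1, 1, tzinfo=timezone.utc)  # deterministic
    gw = PolicyGateway(GOLD_CATALOGUE, clock=fixed_clock)
    requests_seq = [("pypi", "requests", "2.99.0"), ("pypi", "requests", "2.0.0"),
                    ("npm", "left-pad", "1.0.0"), ("pypi", "requests", "2.99.0")]
    decisions = [gw.resolve(*req)["status"] for req in requests_seq]
    return decisions, len(gw.sbom_cyclonedx()["components"])


if __name__ == "__main__":
    print(run_demo())
```

The blocked response distinguishes a package with no Gold rating at all from one whose requested version is not Gold, which is the information a developer needs to pick a version the gateway will serve; the SBOM is derived purely from the audit log, so it reflects what was actually resolved rather than what a manifest declares.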

Step 6: Generate New Build

After fixes are applied and merged, trigger a new project generation in Lineaje to validate the remediation. The resulting project scan should confirm:

  • ECH vulnerability count = 0 across all direct and transitive dependencies.

  • All components resolve through FortKnox and carry valid Gold timestamps.

  • No new policy violations introduced by the fix packages.

The new project SBOM serves as a compliance artifact and can be exported in CycloneDX or SPDX format for submission to regulators, customers, or internal audit processes.
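The three validation conditions above as a CI gate, added here as an example and not Lineaje's own output or tooling. The scan layout (nested dependency tree with resolver, gold_timestamp, ech_vulns and policy_violations fields) is constructed, as are both sample scans and the placeholder finding id; the real project export is not specified on the page. The gate walks direct and transitive dependencies and returns every failing condition with the path that reaches it, so an empty result means the build passes.

```python
"""CI gate for the post-fix scan: pass only if every component, direct or
transitive, has zero ECH findings, resolved through FortKnox with a valid Gold
timestamp, and carries no policy violation.

Added example; the scan format and sample data are constructed.
"""
from datetime import datetime
from typing import Any, Dict, Iterator, List, Tuple

Component = Dict[str, Any]


def _node(name: str, version: str, resolver: str = "fortknox",
          ts: Any = "2024-01-01T00:00:00+00:00", ech: Tuple[str, ...] = (),
          violations: Tuple[str, ...] = (), deps: Tuple[Component, ...] = ()) -> Component:
    """Build one constructed scan node."""
    return {"name": name, "version": version, "resolver": resolver,
            "gold_timestamp": ts, "ech_vulns": list(ech),
            "policy_violations": list(violations), "dependencies": list(deps)}


# Constructed clean scan: everything came through FortKnox, nothing outstanding.
CLEAN_SCAN = {"components": [
    _node("requests", "2.99.0", deps=(_node("urllib3", "1.99.0"),)),
    _node("pyyaml", "6.99.0"),
]}

# Constructed dirty scan: a transitive component still resolved from a public
# index, has an open finding and no Gold timestamp; a direct one adds a policy violation.
DIRTY_SCAN = {"components": [
    _node("requests", "2.99.0", deps=(
        _node("urllib3", "1.26.0", resolver="pypi.org", ts=None,
              ech=("ECH-PLACEHOLDER-1",)),
    )),
    _node("pyyaml", "6.99.0", violations=("license-denied",)),
]}


def walk(components: List[Component], path: Tuple[str, ...] = ()) -> Iterator[Tuple[str, Component]]:
    """Depth-first walk over direct and transitive dependencies, yielding 'a > b' paths."""
    for c in components:
        here = path + (f"{c['name']}@{c['version']}",)
        yield " > ".join(here), c
        yield from walk(c.get("dependencies", []), here)


def _valid_timestamp(ts: Any) -> bool:
    if not isinstance(ts, str):
        return False
    try:
        datetime.fromisoformat(ts)
        return True
    except ValueError:
        return False


def gate(scan: Dict[str, Any]) -> List[str]:
    """Return findings as 'kind:path[:detail]'; an empty list means the build passes."""
    findings: List[str] = []
    for path, c in walk(scan["components"]):
        for vuln in c.get("ech_vulns", []):
            findings.append(f"ech:{path}:{vuln}")
        if c.get("resolver") != "fortknox":
            findings.append(f"resolver:{path}:{c.get('resolver')}")
        if not _valid_timestamp(c.get("gold_timestamp")):
            findings.append(f"gold-timestamp:{path}")
        for v in c.get("policy_violations", []):
            findings.append(f"policy:{path}:{v}")
    return findings


if __name__ == "__main__":
    for name, scan in (("clean", CLEAN_SCAN), ("dirty", DIRTY_SCAN)):
        print(name, gate(scan) or "PASS")
```

Reporting the full dependency path rather than just the component name matters for transitive findings, since the fix usually belongs to the direct dependency that pulls the offending component in.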
