FAQ
Common questions about WitnessOps governed execution and evidence.
Recurring operator and reviewer questions, answered with bounded claims.
Execution, Proof, and Presentation
Is WitnessOps a scanner?
No. WitnessOps governs tool execution (scope, policy gates, approvals, evidence capture). It can orchestrate scanners, but it is not a scanner engine itself.
Scope limit: finding quality still depends on the underlying tool and its configuration. See Governed Execution and Runbooks.
What is the difference between execution and proof?
Execution is runtime control (executed, denied, paused, failed). Proof is post-execution verification of signed and linked artifacts (valid, invalid, indeterminate).
Scope limit: successful execution is not automatically a successful proof result, and proof validity is not a claim about business impact. See Governed Execution, Proof Model, and How to Verify a Receipt.
What is the difference between proof and presentation?
Proof artifacts are verification-bearing materials (receipts, manifests, trust material, continuity artifacts). Presentation is operator-facing display (dashboards, summaries, status views).
Scope limit: presentation can summarize proof, but it is not proof-bearing on its own. See Proof Model and Evidence Bundles.
Does a receipt prove a finding is true?
No. A receipt proves a governed claim was emitted and cryptographically bound to referenced artifacts.
Scope limit: receipt validity does not prove exploitability, severity, remediation quality, or organizational risk acceptance. See Receipts, Receipt Spec, and What Evidence Is Required?.
Authority and Runtime Boundaries
Who has authority to let a step run?
Runtime gates evaluate policy-bound principals (operator, approver, system) and permit or deny execution accordingly.
Scope limit: WitnessOps enforces the configured authorization contract; it does not independently guarantee upstream identity sources are truthful. See Authorization Model and Policy Gates.
Can an operator bypass policy gates?
Not inside governed runtime: a failed gate blocks the step. A tool may still be run outside WitnessOps, but that action is outside governance and outside the WitnessOps receipt chain.
Scope limit: lack of a WitnessOps receipt proves lack of governed execution for that action, not that no action happened elsewhere. See Governed Execution and Lab Mode and Scope Bypass.
Where does independent verification happen?
Verification is performed on exported proof artifacts, including on /verify and /api/verify, using deterministic integrity and signature checks.
Scope limit: verification checks declared proof layers; it does not rerun tools against live targets. See How to Verify a Receipt and Evidence Bundles.
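The three proof outcomes described under "What is the difference between execution and proof?", the receipt binding described under "Does a receipt prove a finding is true?", and the artifact-only verification described here, as an added illustration that is not WitnessOps code and does not use the WitnessOps receipt format: a constructed receipt binds a claim to artifact digests, and a verifier returns valid, invalid or indeterminate from the exported bundle alone. A keyed MAC stands in for the real signature scheme; the key, artifact names and claim text are assumptions.

```python
import hashlib
import hmac
import json

# Constructed sample artifacts and trust material for this example only;
# not the WitnessOps receipt format, which is defined in the Receipt Spec.
ARTIFACTS = {
    "scan-output.json": b'{"findings": [{"id": "F-1", "severity": "high"}]}',
    "gate-decision.log": b"gate=scope principal=operator result=permit\n",
}
TRUST_KEY = b"constructed-demo-key"  # stand-in for the verifier's trust material


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(body: dict) -> bytes:
    # Deterministic serialization so emitter and verifier authenticate the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def emit_receipt(claim: str, artifacts: dict, key: bytes) -> dict:
    # The receipt binds the claim to the digests of the artifacts it references,
    # then authenticates the whole body (a MAC stands in for a signature here).
    body = {"claim": claim, "artifacts": {n: sha256_hex(d) for n, d in artifacts.items()}}
    return {"body": body, "signature": hmac.new(key, canonical(body), hashlib.sha256).hexdigest()}


def verify_receipt(receipt: dict, artifacts: dict, key) -> str:
    """Return 'valid', 'invalid' or 'indeterminate' without rerunning any tool."""
    if key is None:
        return "indeterminate"  # no trust material: cannot decide either way
    expected = hmac.new(key, canonical(receipt["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, receipt["signature"]):
        return "invalid"  # body altered, or authenticated under an unknown key
    for name, digest in receipt["body"]["artifacts"].items():
        if name not in artifacts:
            return "indeterminate"  # referenced artifact absent from the bundle
        if not hmac.compare_digest(sha256_hex(artifacts[name]), digest):
            return "invalid"  # artifact no longer matches its bound digest
    # 'valid' means the claim is bound to these exact artifacts; it says nothing
    # about whether finding F-1 is exploitable or how severe it is.
    return "valid"


if __name__ == "__main__":
    receipt = emit_receipt("scan step executed under scope policy", ARTIFACTS, TRUST_KEY)
    print(verify_receipt(receipt, ARTIFACTS, TRUST_KEY))  # valid
    tampered = {**ARTIFACTS, "scan-output.json": b'{"findings": []}'}
    print(verify_receipt(receipt, tampered, TRUST_KEY))  # invalid
    print(verify_receipt(receipt, ARTIFACTS, None))  # indeterminate
```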
Evidence Sufficiency and Decisions
How much evidence is enough?
Enough means sufficient for the current decision (proceed, close, escalate), not maximum artifact volume.
Scope limit: more artifacts do not automatically strengthen a claim; sufficiency depends on claim relevance, quality, and reviewability. See What Evidence Is Required? and Do I Need to Escalate?.
Does WitnessOps replace reviewer judgment?
No. WitnessOps makes execution and proof artifacts reviewable; humans still interpret risk, context, and acceptable action.
Scope limit: governance and proof reduce ambiguity but do not remove external trust assumptions. See Three-Layer Stack and Threat Model and Trust Boundaries.
Need term definitions first?
Use the Glossary for canonical definitions before deep review or dispute handling.