Evidence Packages
Audit-ready proof bundles with integrity verification.
An evidence package bundles the full remediation trail — finding details, ticket history, verification results, and timestamps — into a single exportable artifact with cryptographic integrity checks.
What’s inside
Each package captures a point-in-time snapshot of the remediation chain: the original finding, every status change, the external ticket timeline, and the scanner-confirmed verification outcome. Once generated, the contents are immutable — later changes to the underlying finding or work item don’t alter the package.
Integrity verification
Evidence packages include SHA-256 integrity hashes. Auditors can independently verify that a package hasn’t been altered since generation. If the hashes don’t match, something changed.
The integrity hashes prove whether a package was altered after export. For stronger guarantees, store packages in a write-once archive (S3 Object Lock, Azure immutable blobs, or equivalent).
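One way an auditor could run this check independently, as an added example that is not Basirah's own code. The manifest layout (a filename-to-SHA-256 mapping recorded at export time), the file names and the sample contents are assumptions constructed for illustration.

```python
import hashlib, hmac, json, tempfile
from pathlib import Path

def sha256_file(path, chunk=65536):
    """Stream the file so large exports are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(package_dir):
    """Record one digest per file at export time (hypothetical manifest layout)."""
    root = Path(package_dir)
    return {p.name: sha256_file(p) for p in sorted(root.iterdir()) if p.is_file()}

def verify_package(package_dir, manifest):
    """Return {filename: 'ok' | 'mismatch' | 'missing' | 'unexpected'}."""
    root = Path(package_dir)
    results = {}
    for name, expected in manifest.items():
        path = root / name
        if not path.is_file():
            results[name] = "missing"          # file removed after export
        elif hmac.compare_digest(sha256_file(path), expected.lower()):
            results[name] = "ok"
        else:
            results[name] = "mismatch"         # contents changed after export
    for p in root.iterdir():
        if p.is_file() and p.name not in manifest:
            results[p.name] = "unexpected"     # file added after export
    return results

def demo():
    """Constructed sample package: export, record digests, then alter it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        record = {"finding": "F-1 (constructed)", "status": "verified"}
        (root / "evidence.json").write_text(json.dumps(record))
        (root / "evidence.csv").write_text("finding,status\nF-1 (constructed),verified\n")
        manifest = build_manifest(root)        # assumption: stored outside the package
        before = verify_package(root, manifest)
        record["status"] = "open"              # simulate a post-export edit
        (root / "evidence.json").write_text(json.dumps(record))
        (root / "evidence.csv").unlink()
        (root / "notes.txt").write_text("added after export")
        after = verify_package(root, manifest)
    return before, after

if __name__ == "__main__":
    print(demo())
```

The check is only as trustworthy as the reference digests, so keep the manifest somewhere the package's holder cannot rewrite, such as the write-once archive mentioned above.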
Export formats
Packages are available in three formats, each generated from the same underlying data:
| Format | Best for |
|---|---|
| | Human-readable report with timeline. Share with auditors. |
| JSON | Machine-readable data. Ingest into GRC platforms. |
| CSV | Flat tabular export for spreadsheet analysis. |
When packages are created
Basirah generates evidence packages automatically when a work item reaches verified closure. You can also generate packages on demand at any point in the remediation lifecycle — useful for mid-cycle audits or documenting risk acceptance decisions.
Retention
Evidence packages are retained according to your organization’s data retention policy, configured in admin settings. Packages persist independently from their parent work items.