Evidence Pack PDF Format
The Evidence Pack PDF is a structured audit document. It is generated from the JSON payload and formatted for presentation to auditors, compliance teams, and security reviewers.
PDF sections
Cover page
- Project name and description
- Check timestamp (ISO 8601, UTC)
- Git commit SHA (full, monospaced)
- Git branch and repository URL
- Spec version and SHA-256 hash
- Overall result: PASS or FAIL
- Ed25519 public key fingerprint
Summary table
A single-page summary of the check run:
| Metric | Value |
|---|---|
| Rules evaluated | 31 |
| Files scanned | 7 |
| Lines scanned | 847 |
| Block violations | 0 |
| Warn violations | 0 |
| Info violations | 0 |
| Evidence chain position | #43 |
| Previous pack SHA-256 | c98c24b6... |
Rule results table
A table of every rule evaluated, with status:
| Rule ID | Name | Category | Severity | Status |
|---|---|---|---|---|
| sec-001 | no-eval | security | BLOCK | PASS |
| sec-002 | no-hardcoded-secrets | security | BLOCK | PASS |
| fe-001 | no-direct-dom | frontend | WARN | PASS |
| dat-001 | no-pii-logging | data | BLOCK | PASS |
| ... | ... | ... | ... | ... |
Compliance mapping pages
One page per framework, showing which rules cover which controls:
SOC 2 Trust Services Criteria
| Control | Description | Rule IDs | Status |
|---|---|---|---|
| CC6.1 | Logical access security | sec-001, sec-002 | COVERED |
| CC6.7 | Transmission protection | sec-003 | COVERED |
| CC7.1 | Detection of malicious activity | sec-001 | COVERED |
| CC7.2 | System monitoring | aud-001 | COVERED |
EU AI Act
| Article | Description | Rule IDs | Status |
|---|---|---|---|
| Art. 9.2 | Risk management system | llm-003 | COVERED |
| Art. 9.5 | Testing requirements | sec-001, llm-002 | COVERED |
| Art. 10 | Data quality | dat-001, dat-002 | COVERED |
| Art. 12.1 | Record-keeping | llm-003 | COVERED |
Signature block
The final page contains the cryptographic verification block:
```text
Evidence Pack:   2026-05-18T14-03-22Z.json
SHA-256:         a948904f2f0f479b499...
Ed25519 sig:     3d4a5b6c7d8e9f0a1b2c...
Public key:      MCowBQYDK2VwAyEA...
Chain position:  #43
Previous pack:   2026-05-18T10-22-41Z.json
Previous hash:   c98c24b677efa4...
```
To verify:
```bash
vyb evidence --verify \
  --pack .vyb/evidence/2026-05-18T14-03-22Z.json
```
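An independent cross-check of the chain fields in two consecutive signature blocks, as an added example (not vyb's own code, and not a substitute for `vyb evidence --verify`, since it does not check the Ed25519 signature). It parses the labels shown above from text copied out of the PDF; the helper names, the sample packs, and the assumption that the printed SHA-256 is the hex digest of the raw pack file bytes are all introduced here.

```python
import hashlib
import re

# Labels as printed in the signature block on the final PDF page.
FIELD = re.compile(
    r"^(Evidence Pack|SHA-256|Chain position|Previous pack|Previous hash):[ \t]*(\S+)[ \t]*$",
    re.M,
)

def parse_block(text):
    """Parse signature-block text into a dict keyed by the printed labels."""
    fields = dict(FIELD.findall(text))
    missing = {"Evidence Pack", "SHA-256", "Chain position"} - fields.keys()
    if missing:
        raise ValueError(f"signature block lacks: {sorted(missing)}")
    fields["Chain position"] = int(fields["Chain position"].lstrip("#"))
    return fields

def check_link(prev, cur, cur_bytes=None):
    """Return the inconsistencies between a pack and its predecessor (empty list = consistent)."""
    problems = []
    if cur["Chain position"] != prev["Chain position"] + 1:
        problems.append("chain position is not predecessor + 1")
    if cur.get("Previous pack") != prev["Evidence Pack"]:
        problems.append("previous pack name mismatch")
    if cur.get("Previous hash", "").lower() != prev["SHA-256"].lower():
        problems.append("previous hash mismatch")
    # Assumption: the printed SHA-256 is the hex digest of the raw pack file bytes.
    if cur_bytes is not None and hashlib.sha256(cur_bytes).hexdigest() != cur["SHA-256"].lower():
        problems.append("pack file digest mismatch")
    return problems

# Constructed sample data: stand-in pack contents and the blocks they would print.
PACK_42, PACK_43 = b'{"chain": 42}', b'{"chain": 43}'
H42, H43 = (hashlib.sha256(p).hexdigest() for p in (PACK_42, PACK_43))
BLOCK_42 = f"Evidence Pack: 2026-05-18T10-22-41Z.json\nSHA-256: {H42}\nChain position: #42\n"
BLOCK_43 = (
    f"Evidence Pack: 2026-05-18T14-03-22Z.json\nSHA-256: {H43}\n"
    f"Chain position: #43\nPrevious pack: 2026-05-18T10-22-41Z.json\nPrevious hash: {H42}\n"
)

if __name__ == "__main__":
    print(check_link(parse_block(BLOCK_42), parse_block(BLOCK_43), PACK_43) or "chain link consistent")
```

A non-empty result means the two PDFs do not describe adjacent packs in the same chain, or the pack file on disk is not the one the PDF was generated from.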
Customizing the PDF
On Pro and Business plans, you can customize:
- Company logo (replaces the vybdocs hex logo)
- Cover page title and subtitle
- Footer text (e.g., "Confidential — for SOC 2 audit use only")
- Page numbering format
Configure in your spec:
```yaml
# .vyb/spec.yaml
settings:
  evidence:
    pdf:
      logo: .vyb/assets/company-logo.png
      title: "Engineering Compliance Report"
      footer: "Confidential — ACME Corp Internal"
      include-frameworks:
        - soc2
        - eu-ai-act
```
PDF generation
The PDF is generated using a headless renderer bundled with the vyb CLI. No external services are required. The renderer is deterministic — the same JSON input always produces byte-identical PDF output (excluding timestamps).