Self-host PatentChecker (licensed container)
PatentChecker is designed to run inside your environment as a deterministic, verifiable evidence pipeline.
PatentChecker is proprietary software. Running it in your environment requires a license and (typically) registry access credentials.
What you get
- A signed runner container image (immutable digest)
- Deterministic run outputs (manifests, evidence packets, state, digests)
- SBOM + provenance attestations (per release)
- Release receipts for audit trails (per release)
Requirements
- Docker (or compatible runtime)
- cosign (for signature verification)
- A PatentChecker license + registry access
Pull the runner image
We distribute PatentChecker as a container image. For audit-grade runs, pin by digest.
Current public release: v0.1.28 (image digest sha256:dede4006756…)
```bash
# Authenticate to GHCR (if required by your license / package visibility)
echo "$GH_TOKEN" | docker login ghcr.io -u <github_user> --password-stdin

# Pull by tag (convenient)
docker pull ghcr.io/omniscoder/patentchecker:<tag>

# Prefer pinning by digest for production/audit
docker pull ghcr.io/omniscoder/patentchecker@sha256:<digest>
```
If the package is private, your license provisioning should include read access to the registry.
Verify signatures before running
Images are signed. Verify the exact digest you plan to run.
```bash
# Keyless verification (OIDC)
# Receipt is the source of truth for digest + signing identity.
# (Use the values from runner_receipt.v0.1.json for the release you are running.)
export DIGEST="sha256:<64>"
export IDENTITY="https://github.com/omniscoder/patentchecker/.github/workflows/release.yml@refs/<ref>"
export IMG=ghcr.io/omniscoder/patentchecker@"$DIGEST"

DOCKER_CONFIG=/tmp/emptydocker cosign verify \
  --certificate-identity "$IDENTITY" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  "$IMG"
```
For air-gapped verification, we provide per-release bundles (receipt + signature bundle) for offline verification.
Run in your container
The container entrypoint runs the watchlist runner. Provide a watchlist JSON and an output directory.
```bash
# Directory layout (paths in watchlist are resolved relative to the watchlist file)
mkdir -p out inputs

# watchlist.json references inputs/... for adapter file mode
docker run --rm \
  -v "$PWD/watchlist.json:/work/watchlist.json:ro" \
  -v "$PWD/inputs:/work/inputs:ro" \
  -v "$PWD/out:/work/out" \
  ghcr.io/omniscoder/patentchecker:<tag> \
  --watchlist /work/watchlist.json \
  --out-dir /work/out
```
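An added example (not part of the PatentChecker documentation or code) that ties verification and execution together: it rejects tags and malformed digests, checks the identity against the release workflow path, and runs exactly the digest that cosign verified rather than a mutable tag. The function names are hypothetical, and `DIGEST` and `IDENTITY` are assumed to be copied from the release receipt.

```shell
# Added example: verify-then-run gate (function names are hypothetical).
# REPO, ISSUER and the workflow path are the values shown on this page.
REPO="ghcr.io/omniscoder/patentchecker"
ISSUER="https://token.actions.githubusercontent.com"
WORKFLOW="https://github.com/omniscoder/patentchecker/.github/workflows/release.yml@refs/"

# Accept only "sha256:" followed by exactly 64 lowercase hex characters.
valid_digest() {
  case "$1" in sha256:*) ;; *) return 1 ;; esac
  hex="${1#sha256:}"
  [ "${#hex}" -eq 64 ] || return 1
  case "$hex" in *[!0123456789abcdef]*) return 1 ;; esac
  return 0
}

# Accept only a signing identity under the release workflow, with a ref.
valid_identity() {
  case "$1" in "$WORKFLOW"?*) return 0 ;; *) return 1 ;; esac
}

# Print the digest-pinned image reference; fail on a tag or short digest.
pinned_ref() {
  valid_digest "$1" || return 1
  printf '%s@%s\n' "$REPO" "$1"
}

# Verify DIGEST against IDENTITY, then run that same digest (never a tag).
# Usage: DIGEST=... IDENTITY=... verify_then_run --watchlist ... --out-dir ...
verify_then_run() {
  img="$(pinned_ref "${DIGEST:-}")" || { echo "DIGEST is not a full sha256 digest" >&2; return 2; }
  valid_identity "${IDENTITY:-}" || { echo "IDENTITY is not the release workflow" >&2; return 2; }
  DOCKER_CONFIG=/tmp/emptydocker cosign verify \
    --certificate-identity "$IDENTITY" \
    --certificate-oidc-issuer "$ISSUER" \
    "$img" >/dev/null || { echo "signature verification failed" >&2; return 3; }
  docker run --rm \
    -v "$PWD/watchlist.json:/work/watchlist.json:ro" \
    -v "$PWD/inputs:/work/inputs:ro" \
    -v "$PWD/out:/work/out" \
    "$img" "$@"
}
```

Source the file, export `DIGEST` and `IDENTITY`, then call `verify_then_run --watchlist /work/watchlist.json --out-dir /work/out`; a non-zero return means the container was never started.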
Use --entrypoint to run other built-in commands inside the same image.
```bash
# Print contract metadata (version/hash)
docker run --rm --entrypoint node ghcr.io/omniscoder/patentchecker:<tag> \
  dist/src/cli/patentchecker.js info

# Verify a run directory (offline)
docker run --rm -v "$PWD/out:/out:ro" --entrypoint node ghcr.io/omniscoder/patentchecker:<tag> \
  dist/src/cli/patentchecker.js artifacts verify /out/runs/<watchlist_id>/<run_id>
```
Outputs are deterministic: evidence packets, manifests, digests, and state are written under your output directory and can be verified offline.
Want a 7-day pilot?
The fastest path is a one-time snapshot drift posture report on a single program: you provide a watchlist and two corpus snapshots, and we return report.md + alerts_summary.json with forced interpretation guardrails.