
How it works

How SIGMA audits submissions

SIGMA combines deterministic checks, sandbox signals, and multi-validator assemblies before issuing a certificate. The Submission and audit lifecycle page walks the full path from draft to certificate. Assembly and reputation explains how councils merge verdicts.

For submissions that include executable code, an additional pipeline runs before the council sees anything — see Code review pipeline below. Code review describes the three layers in depth; Package Trust Registry covers dependency certification.

Code review pipeline

For submissions that include executable code, SIGMA runs an extended pipeline before the council receives anything.

The pipeline has three stages that run in sequence. First, a deterministic static analysis engine — the pre-processor — examines every source file without executing it and produces a structured threat report. This stage has no AI cost and takes only seconds. If it detects a hard failure (oversized submission, missing entry point, unpinned dependencies), it rejects the submission before any fee is incurred.

Second, an AI analyst generates a minimal test harness for the code and executes it inside a fully isolated container. The container has no internet access, no filesystem write access (except a small temporary area), no privilege escalation, and a hard 30-second execution limit. The analyst captures everything the code does during execution: network connections attempted, files written, processes spawned, and standard output. It produces a structured execution report.

Third, the SIGMA council receives the threat report and execution report — not the raw code — and produces a verdict using the same multi-agent consensus process used for all submissions.

For CODE+PACKAGES submissions, an additional stage runs before the three above: the Package Trust Registry lookup and package audit pipeline, which certifies every declared dependency before the code review begins.
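The first stage above, the deterministic pre-processor, can be illustrated with a small added example. This is not SIGMA's own code; it assumes a hypothetical size limit, an entry-point filename of `main.py`, and a `requirements.txt`-style manifest in which only exact `==` pins count as pinned, and it emits a structured report without executing anything in the submission.

```python
import re
from dataclasses import dataclass, field

# Assumed limits and manifest format (hypothetical; SIGMA's real values are not on the page).
MAX_SUBMISSION_BYTES = 5 * 1024 * 1024
ENTRY_POINT = "main.py"
# A pinned requirement uses an exact "==" version; any other specifier is unpinned.
PINNED = re.compile(r"^[A-Za-z0-9_.\-]+==[0-9][A-Za-z0-9.+\-]*$")


@dataclass
class ThreatReport:
    """Structured output of the pre-processor stage."""
    hard_failures: list = field(default_factory=list)
    files_scanned: int = 0

    @property
    def rejected(self) -> bool:
        # Any hard failure rejects the submission before a fee is incurred.
        return bool(self.hard_failures)


def preprocess(files: dict) -> ThreatReport:
    """Deterministic pre-processor: files maps path -> bytes. No submitted code runs."""
    report = ThreatReport(files_scanned=len(files))
    total = sum(len(b) for b in files.values())
    if total > MAX_SUBMISSION_BYTES:
        report.hard_failures.append(f"oversized submission: {total} bytes")
    if ENTRY_POINT not in files:
        report.hard_failures.append(f"missing entry point: {ENTRY_POINT}")
    manifest = files.get("requirements.txt", b"").decode("utf-8", "replace")
    for line in manifest.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        if line and not PINNED.match(line):
            report.hard_failures.append(f"unpinned dependency: {line}")
    return report


# Constructed sample submission: entry point present, one pinned and one unpinned dependency.
SAMPLE = {
    "main.py": b"print('hello')\n",
    "requirements.txt": b"requests==2.31.0\nflask>=2.0  # not pinned\n",
}

if __name__ == "__main__":
    print(preprocess(SAMPLE))
```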

Before you open the dev portal, see Preparing your submission for repository layout, required manifests, entry-point rules, and how studio fields map to the audit.