External Evidence
Compliance audits often need proof that isn't in your source code — pentest reports, security concepts, HSM certificates, or architecture diagrams. nori lets you attach these documents and feed them into analysis, so requirements that code alone can't demonstrate can still be verified. This applies to both project modes (Discovery & Analysis and Analysis-Only).
Attach and index evidence
Use the Evidence tab to reference external files or folders on disk. To make this evidence available to control evaluations, index it:
- Click Run New Docs Indexing inside the Wiki (Files) or Evidence tab.
- Select which files to index (by default, changed or not-yet-indexed files are pre-selected).
- Select the AI model to use for indexing.
- Run the indexer to compile the files into structured, AI-readable summaries.
Indexing progress and metrics (tokens and cost) are logged, and run history is tracked under Indexing File History alongside your analysis history.
How evidence is used
- Global evidence applies to the whole project and contributes a short synopsis to every control's context.
- Per-control evidence is pinned to a specific control and contributes its full summary when that control is evaluated.
nori feeds the curated summaries (not the raw files) into evaluations, keeping evidence focused and costs predictable.
For the concepts behind this — evidence types, the visual vs. text extraction routes, folder ref-expansion, and control linkage — see External Evidence & Proof.
Continue to Review Results.