Verification Pipeline
When you submit a repository — via the web form or the CLI (rr pkg publish) — the registry runs an automated pipeline that discovers your IP, checks it, and assigns trust badges.
Pipeline stages
1. Clone
The registry performs a shallow clone (--depth 1) of your repository at the specified branch or tag. Only public GitHub repositories are supported for web submissions. The clone timeout is 120 seconds.
2. Entity discovery
The dependency resolver scans all .vhd, .vhdl, .v, and .sv files to discover:
- VHDL entities (including architecture bodies, package declarations, and component instantiations)
- Verilog/SystemVerilog modules (including
importstatements,`includedirectives, andbindstatements)
For each entity, the resolver builds a full dependency chain — every file needed to compile that entity, in the correct order. This is the same resolver used by rr lint and rr sim locally.
3. Test infrastructure detection
The pipeline scans for test frameworks and testbenches using these rules:
| What we look for | How we detect it |
|---|---|
| cocotb | Python files containing import cocotb or from cocotb, or Makefiles in test/ or sim/ directories referencing cocotb |
| VUnit | Python files containing import vunit or from vunit |
| OSVVM | Presence of .pro files (OSVVM project files) |
| Makefile-based simulation | Makefiles in test/sim directories referencing iverilog or TOPLEVEL |
| HDL testbenches | Files matching *_tb.vhd, *_testbench.vhd, tb_*.vhd (and .v / .sv equivalents) |
The scan counts both the number of detected testbenches and the total test-related files (Python + HDL).
4. Verification (lint)
Each discovered entity is verified by attempting compilation with GHDL (for VHDL) or Verilator (for Verilog/SystemVerilog). The full dependency chain is compiled — not just the top-level file.
An entity passes verification if the entire chain compiles without errors.
5. Badge assignment
Every entity receives badges based on what the pipeline can verify:
| Badge | Meaning | Criteria |
|---|---|---|
| linted | Compiles cleanly | GHDL or Verilator lint passes on the full dependency chain |
| tested | Ships with tests | Repository contains testbenches, cocotb tests, VUnit tests, or OSVVM projects |
Badges are cumulative — an entity can have both linted and tested.
Note: The
testedbadge means test infrastructure is detected, not that tests were executed. We verify that tests exist and identify the framework, but we do not run them. Running tests against a simulation engine is planned for a futuresimulatedbadge.
6. Role classification
Entities are classified by their position in the dependency graph:
| Role | Meaning |
|---|---|
| top | Nothing else in the repo depends on it — this is a user-facing IP core |
| component | Used by at least one top-level entity |
| primitive | Leaf node with no dependencies of its own |
Scan response
The pipeline returns:
- Per-entity results: name, language (e.g.
vhdl-2008), library, file list, dependency count, verification status, and badges - Test info: detected frameworks, testbench count, total test file count
- Overall status:
scanned(entities found) orempty(no HDL entities discovered)
Web vs CLI
Web (/submit-ip) | CLI (rr pkg publish) | |
|---|---|---|
| Endpoint | POST /v1/scan | POST /v1/submit |
| Authentication | None required | JWT token (rr pkg login) |
| Publishes to registry | No — scan only | Yes — writes to database |
| Use case | Preview before publishing | Publish your IP |
The web form is designed as a "try before you commit" experience. Scan your repo, review the results, then publish via the CLI when you're ready.
Badge roadmap
Badges are incremental — each tier builds on the previous one:
| Tier | Badge | What it proves | Status |
|---|---|---|---|
| 1 | linted | GHDL or Verilator lint passes on the full dependency chain | Live |
| 2 | tested | Repository contains test infrastructure (cocotb, VUnit, OSVVM) | Live |
| 3 | verified | Tests pass inside the submitter's own Docker environment | Planned |
| 4 | provenance | Signed build attestation with cryptographic proof of origin | Planned |
Verified badge (planned)
The verified badge does not require proprietary vendor toolchains. Instead, it works like this:
- You provide a Dockerfile in your repository that sets up your test environment (cocotb + GHDL, VUnit + NVC, etc.)
- The registry builds your container and runs your tests inside it
- If tests pass, your IP gets the
verifiedbadge
To prevent gaming, the registry enforces quality thresholds:
- Minimum test count — a single trivial test is not enough
- Minimum simulation time — tests must actually simulate, not just instantiate
- Test diversity — tests should exercise different scenarios, not repeat the same assertion
The philosophy: you prove your IP works, in your own environment. We just validate the results.
Provenance badge (planned)
Signed build attestation via Sigstore: bitstream hash, source inputs, dependency chain, build environment, and timestamps. Cryptographic proof that a specific bitstream came from a specific source.
Supported languages
| Language | Extensions | Lint tool | Standard |
|---|---|---|---|
| VHDL | .vhd, .vhdl | GHDL | VHDL-2008 |
| Verilog | .v | Verilator | IEEE 1364-2005 |
| SystemVerilog | .sv | Verilator | IEEE 1800-2017 |