
TrustScore for Software and AI-Generated Code
Spyda TrustScore™ measures how much you can trust the code that runs your business – from open-source libraries to AI-assisted changes – using SBOM, supply-chain telemetry, and IDE/agent risk to produce a single, explainable 1–100 score.
Built for CISOs, AppSec and platform teams who need a defensible, auditable signal of software trust in an AI-assisted world.
Free, open, and built for developers.
What is Spyda TrustScore?
Spyda TrustScore™ is a software and AI-code trust scoring system. It evaluates your repositories, dependencies, pipelines and AI-assisted development activity, and distils the result into a single, interpretable score from 1 to 100.
Instead of scoring the behaviour of language models, Spyda TrustScore focuses on the software artefacts those models help produce and the development environments in which they operate. It gives security and engineering leaders a clear answer to a hard question: "How much can we trust this codebase and the AI tools that touched it?"
How Spyda TrustScore is calculated
Spyda TrustScore combines four layers of evidence into a single 1–100 score for each repository, service or package:
1. Software Supply-Chain & Vulnerability Posture
Ingests SBOMs, dependency graphs and vulnerability intelligence (CVEs, OSV, VEX) and correlates them with exploitability, secrets exposure and configuration risk to show how exposed a component is to known threats.
2. Code Integrity & Provenance
Analyses commit history, maintainer health, contributor reputation and AI-generated code detection to understand how the code came to be. Distinguishes human-authored vs AI-assisted changes and flags anomalous or high-risk provenance patterns.
3. AI-IDE & Agent Exposure
Measures the risk introduced by AI coding tools and agents in IDEs. Evaluates workspace behaviour, agent permissions, auto-approval policies and integration with AI-augmented IDEs to surface the likelihood of silent, prompt-driven code or config changes.
4. Compliance, Governance & Post-Quantum Readiness
Maps software posture against emerging frameworks such as NIST secure software guidance, software supply-chain requirements, EU AI Act obligations for high-risk systems and early post-quantum considerations, turning TrustScore into a governance and assurance signal – not just a technical metric.
What the 1–100 TrustScore means
Each Spyda TrustScore is a single number from 1 to 100 that summarises the trustworthiness of a codebase or component.
90–100 – Elite
Strong supply-chain posture, clean code, low AI-IDE exposure and solid governance alignment. Suitable for high-criticality and regulated environments.
75–89 – Trusted
Good security and provenance with manageable issues. Safe for most production workloads with standard AppSec processes.
60–74 – Needs Review
Meaningful risks present. Recommended for targeted remediation and closer review before use in critical systems.
40–59 – High Risk
Significant vulnerability, provenance or AI-IDE exposure concerns. Should trigger remediation projects and stricter controls.
1–39 – Critical Risk
Severe issues across one or more layers. Not recommended for production use; appropriate for blocking in CI/CD and third-party risk workflows.
Why Spyda TrustScore matters
Traditional AppSec tools find vulnerabilities, but they do not tell you how much you can trust the overall codebase – especially when AI tools and agents are writing more of the code.
Spyda TrustScore turns fragmented security, provenance and AI-IDE telemetry into a single 1–100 signal that can:
- Gate CI/CD and deployments based on software trust
- Inform third-party and open-source risk decisions
- Enforce safer policies around AI-assisted development
- Provide a clear, defensible metric to boards, customers and regulators
Spyda 2.0 Scoring Engine
Evidence-based probabilistic classifier with dynamic weight adjustment, scanner reliability calibration, and exploitability boost layer.
Multi-Tool Consolidation
Aggregate findings from Snyk, Semgrep, Trivy, SonarQube, and 20+ tools into one unified view.
Advanced Confidence Analysis
5-factor probabilistic model: corroboration, clarity, source credibility, exploitability, and contradiction penalty 2.0.
Policy-Driven Scoring
Customize domain weights, thresholds, and gating rules to match your organization's risk appetite.
Post-Quantum Crypto
Assess quantum-resistant cryptography readiness and identify vulnerable algorithms before threats emerge.
AI Provenance Tracking
Track AI-generated code, model dependencies, and ensure transparency in AI-assisted development.
CI/CD Integration
Block deployments based on TrustScore thresholds with GitHub Actions, GitLab CI, or Jenkins.
Role-Based Access
Admin, auditor, developer, and viewer roles with granular permissions and audit logging.
Enterprise Ready
SSO, API tokens, audit logs, and compliance reporting for SOC 2 and ISO 27001.
Supply Chain Security
SBOM analysis, dependency tracking, and vulnerability correlation across your software supply chain.
How It Works
Three simple steps to security clarity.
Connect Your Tools
Import findings from your existing SAST, SCA, DAST, container, and cryptographic analysis scanners.
Configure Your Policy
Set domain weights, risk thresholds, and enforcement rules that match your organization's needs.
Generate Your TrustScore
Receive a single 0–100 score with explainable evidence, remediation insights, and compliance reports.
Scanners → Correlation & Scoring Engine → Unified TrustScore → Dashboards & CI/CD Gates
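The three steps above describe a policy of domain weights and thresholds feeding a single score that gates a pipeline. The following is an added, illustrative example and not Spyda's scoring engine: it takes per-layer scores for the four evidence layers the page names (the layer keys, default weights, sample scores and the per-layer floor are all my own assumptions), combines them with configurable weights, maps the result onto the page's published 1–100 bands, and returns a gate decision. The per-layer floor is included because a weighted mean can hide one critically weak layer behind three strong ones, which is exactly the case a gate should catch.

```python
"""Illustrative TrustScore-style aggregation and CI gate (added example,
not the Spyda scoring engine). Layer names, weights, sample scores and the
policy defaults below are assumptions for demonstration only."""
from dataclasses import dataclass

# The four evidence layers named on the page; the keys are my own labels.
LAYERS = ("supply_chain", "provenance", "ai_ide_exposure", "governance")

# Equal weights unless a policy overrides them (assumed, not a vendor default).
DEFAULT_WEIGHTS = {layer: 1.0 for layer in LAYERS}

# Score bands exactly as published on the page: (lower bound, label).
BANDS = (
    (90, "Elite"),
    (75, "Trusted"),
    (60, "Needs Review"),
    (40, "High Risk"),
    (1, "Critical Risk"),
)

# Constructed sample: three strong layers and one weak AI-IDE exposure layer.
SAMPLE_LAYER_SCORES = {
    "supply_chain": 95,
    "provenance": 88,
    "ai_ide_exposure": 30,
    "governance": 92,
}


def clamp(value, low=1, high=100):
    """Keep a score inside the page's 1..100 range."""
    return max(low, min(high, value))


def band_for(score):
    """Map a score to the page's band label (lower bounds are inclusive)."""
    score = clamp(int(score))
    for lower, label in BANDS:
        if score >= lower:
            return label
    return "Critical Risk"  # unreachable after clamp; kept for readability


def aggregate(layer_scores, weights=None):
    """Weighted mean of per-layer scores, rounded to an integer in 1..100.

    Every layer must be present (a missing layer is an evidence gap, not a
    zero) and weights must be non-negative with a positive total.
    """
    weights = dict(DEFAULT_WEIGHTS if weights is None else weights)
    missing = set(LAYERS) - set(layer_scores)
    if missing:
        raise ValueError(f"missing layer scores: {sorted(missing)}")
    unknown = set(weights) - set(LAYERS)
    if unknown:
        raise ValueError(f"unknown layers in weights: {sorted(unknown)}")
    total = sum(weights.values())
    if any(w < 0 for w in weights.values()) or total <= 0:
        raise ValueError("weights must be non-negative with a positive sum")
    weighted = sum(clamp(layer_scores[l]) * weights.get(l, 0.0) for l in LAYERS)
    return clamp(round(weighted / total))


@dataclass
class GatePolicy:
    """Assumed policy shape: overall minimum plus a per-layer floor."""
    min_score: int = 75      # require at least the page's "Trusted" band
    layer_floor: int = 40    # no single layer may sit in "Critical Risk"


def gate(layer_scores, policy, weights=None):
    """Return (score, allowed, reasons) for a deployment gate."""
    score = aggregate(layer_scores, weights)
    reasons = []
    if score < policy.min_score:
        reasons.append(f"overall TrustScore {score} ({band_for(score)}) "
                       f"below minimum {policy.min_score}")
    for layer in LAYERS:
        if layer_scores[layer] < policy.layer_floor:
            reasons.append(f"{layer} score {layer_scores[layer]} "
                           f"below per-layer floor {policy.layer_floor}")
    return score, not reasons, reasons


if __name__ == "__main__":
    score, allowed, reasons = gate(SAMPLE_LAYER_SCORES, GatePolicy())
    print(f"TrustScore {score} ({band_for(score)}), allowed={allowed}")
    for reason in reasons:
        print(" -", reason)
```

With the constructed sample the equal-weight mean is 76, which lands in the page's Trusted band and would pass an overall-only threshold, yet the gate still blocks because the AI-IDE exposure layer is at 30. In a pipeline the caller would exit non-zero when `allowed` is false.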
INDUSTRY LEADERS TRUST SPYDA
Ready to unify your security scoring?
Join development and security teams who trust Spyda to unify their risk posture. Deploy in minutes. Integrates with your existing scanners instantly.