We convert scanner signals into a calibrated, deterministic AAA–D rating—backed by verifiable evidence packs auditors and buyers can trust.
Built on the open standards security teams already trust
Calibrated, not asserted
Every TrustScore is measured against held-out, third-party corpora — so a rating means the same thing across vendors, languages and audits.
Go beyond vulnerability scanning. Track the complete chain of custody from source commit to production deployment with SLSA provenance, in-toto attestations, and policy-driven gating.
Automatically assess SLSA compliance (L0-L4) from build provenance and attestations. Gate deployments based on minimum SLSA levels.
Visual chain-of-custody showing commit → CI build → sign → registry push → deploy with full audit trail for compliance.
Automatic discovery and scoring of artifacts from ECR, GAR, ACR, Docker Hub, npm, PyPI, and Maven with real-time updates.
Spyda TrustScore™ is a software and AI-code trust scoring system. It evaluates your repositories, dependencies, pipelines and AI-assisted development activity, and distils the result into a single, interpretable score from 1 to 100.
Instead of scoring the behaviour of language models, Spyda TrustScore focuses on the software artefacts those models help produce and the development environments in which they operate. It gives security and engineering leaders a clear answer to a hard question: "How much can we trust this codebase and the AI tools that touched it?"
Spyda TrustScore combines six weighted dimensions of evidence into a single 1–100 score for each repository, service or package. Every finding maps to exactly one dimension, and every dimension carries a policy weight—so nothing is left unscored:
Known CVEs and weaknesses across the codebase and its dependencies, prioritised by real-world exploitability (EPSS probabilities and CISA KEV) plus secrets exposure and configuration risk.
SBOM completeness, dependency provenance, SLSA attestations and maintainer health—how trustworthy the components and the build pipeline that produced them actually are.
AI-generated code detection, agent and AI-IDE exposure, and model provenance—surfacing the likelihood of silent, prompt-driven changes and the governance obligations they create.
Posture against frameworks such as NIST secure-software guidance, EU AI Act obligations, ISO/IEC 42001 and licence compliance—turning TrustScore into a governance and assurance signal.
Exposure to quantum-vulnerable cryptography—RSA/ECDSA key exchange on long-lived services, certificates without a post-quantum rollover path—and progress toward PQC-safe algorithms.
Operational and runtime posture—telemetry and evidence coverage, logging, monitoring and configuration hygiene—measuring how observable and well-run the service is in production.
A project can earn an investment-grade score and still be blocked from release. The score and the deploy decision are two separate axes — so a strong number can never quietly override a failed security gate.
The 0–100 TrustScore and its AAA–D band describe trust posture. This is a signal — it does not, on its own, authorize a release.
Gate predicates decide deployability. A non-waivable security gate (e.g. a known-exploited CVE) blocks release regardless of how high the score is.
Using the familiar AAA–D format of credit ratings, Spyda distils software trustworthiness into a single, standardized grade. Each rating is a calibrated, deterministic heuristic derived from your evidence—not an empirical probability of a security incident.
Exceptional trust. Enterprise-ready for mission-critical and regulated systems. Full supply-chain provenance, clean code, and governance alignment.
Strong trust with manageable issues. Suitable for most production workloads with standard AppSec processes. Good security and provenance.
Elevated risk. Meaningful vulnerabilities or AI-IDE exposure present. Requires additional controls and targeted remediation before production use.
Significant vulnerabilities across multiple domains. Upper range (CCC/CC) triggers mandatory remediation; the lowest scores (C/D) are blocked from deployment.
Every Trust Certificate includes a clear DEPLOY / REVIEW / BLOCK decision and Enterprise Readiness Level.
The underlying TrustScore (1-100) maps to letter ratings and provides granular detail.
Strong supply-chain posture, clean code, low AI-IDE exposure and solid governance alignment. Suitable for high-criticality and regulated environments.
Good security and provenance with manageable issues. Safe for most production workloads with standard AppSec processes.
Meaningful risks present. Recommended for targeted remediation and closer review before use in critical systems.
Significant vulnerability, provenance or AI-IDE exposure concerns. Should trigger remediation projects and stricter controls.
Severe issues across one or more layers. Not recommended for production use; appropriate for blocking in CI/CD and third-party risk workflows.
Traditional AppSec tools find vulnerabilities, but they do not tell you how much you can trust the overall codebase – especially when AI tools and agents are writing more of the code.
Spyda TrustScore turns fragmented security, provenance and AI-IDE telemetry into a single 1–100 signal that can:
Probabilistic scoring, deterministically reproduced—identical evidence always yields an identical score. Dynamic weight adjustment, scanner reliability calibration, and an exploitability boost layer.
Aggregate findings from Snyk, Semgrep, Trivy, SonarQube, and 20+ tools into one unified view.
5-factor probabilistic model: corroboration, clarity, source credibility, exploitability, and contradiction penalty 2.0.
Customize domain weights, thresholds, and gating rules to match your organization's risk appetite.
Assess quantum-resistant cryptography readiness and identify vulnerable algorithms before threats emerge.
Track AI-generated code, model dependencies, and ensure transparency in AI-assisted development.
Block deployments based on TrustScore thresholds with GitHub Actions, GitLab CI, or Jenkins.
Admin, auditor, developer, and viewer roles with granular permissions and audit logging.
SSO, API tokens, audit logs, and compliance reporting for SOC 2 and ISO 27001.
SBOM analysis, dependency tracking, and vulnerability correlation across your software supply chain.
Three simple steps to security clarity.
Import findings from your existing SAST, SCA, DAST, container, and cryptographic analysis scanners.
Set domain weights, risk thresholds, and enforcement rules that match your organization's needs.
Receive a single 0–100 score with explainable evidence, remediation insights, and compliance reports.
Scanners → Correlation & Scoring Engine → Unified TrustScore → Dashboards & CI/CD Gates
INTEGRATES WITH YOUR EXISTING SCANNERS
Unify your risk posture across scanners, policies and CI/CD. Deploy in minutes and integrate with your existing tools instantly.