Reproducible trust evidence for software

The credit scorefor software trust

We convert scanner signals into a calibrated, deterministic AAA–D rating—backed by verifiable evidence packs auditors and buyers can trust.

AAA–D
calibrated trust ratings
Deterministic
reproducible by construction
Evidence-backed
auditable signal packs
TrustScore Evidence Pack
Sealed
Measurement
79.3BBB
Lower Medium
Admissibility
BLOCK
security gate
kev_block
known-exploited
pass_threshold
below 85
domain_collapse
clear
pqc_floor
clear
SHA-256 seal
8fa42c3d9b71e0…a3f1 · engine v0.2.0 · policy 2.4

Built on the open standards security teams already trust

SLSAin-totoCISA KEVEPSSNIST SSDFSBOM / CycloneDXEU AI Act

Calibrated, not asserted

Validated against public security benchmarks

Every TrustScore is measured against held-out, third-party corpora — so a rating means the same thing across vendors, languages and audits.

~85,000
NIST Juliet test cases
< 0.05
Expected calibration error (ECE)
κ ≥ 0.65
Inter-rater reliability
95% CI
Bootstrap confidence intervals
OWASP Benchmark (~2,700 cases)BigVul · CVEFixes · DiverseVul (real-world)50-project stratified holdout
Supply Chain Security Platform

SLSA Attestation & Provenance Tracking

Go beyond vulnerability scanning. Track the complete chain of custody from source commit to production deployment with SLSA provenance, in-toto attestations, and policy-driven gating.

SLSA Level Scoring

Automatically assess SLSA compliance (L0-L4) from build provenance and attestations. Gate deployments based on minimum SLSA levels.

Artifact Timeline

Visual chain-of-custody showing commit → CI build → sign → registry push → deploy with full audit trail for compliance.

Registry Integration

Automatic discovery and scoring of artifacts from ECR, GAR, ACR, Docker Hub, npm, PyPI, and Maven with real-time updates.

What is Spyda TrustScore?

Spyda TrustScore™ is a software and AI-code trust scoring system. It evaluates your repositories, dependencies, pipelines and AI-assisted development activity, and distils the result into a single, interpretable score from 1 to 100.

Instead of scoring the behaviour of language models, Spyda TrustScore focuses on the software artefacts those models help produce and the development environments in which they operate. It gives security and engineering leaders a clear answer to a hard question: "How much can we trust this codebase and the AI tools that touched it?"

How Spyda TrustScore is calculated

Spyda TrustScore combines six weighted dimensions of evidence into a single 1–100 score for each repository, service or package. Every finding maps to exactly one dimension, and every dimension carries a policy weight—so nothing is left unscored:

1. Vulnerabilities

Known CVEs and weaknesses across the codebase and its dependencies, prioritised by real-world exploitability (EPSS probabilities and CISA KEV) plus secrets exposure and configuration risk.

2. Supply Chain

SBOM completeness, dependency provenance, SLSA attestations and maintainer health—how trustworthy the components and the build pipeline that produced them actually are.

3. AI Risk

AI-generated code detection, agent and AI-IDE exposure, and model provenance—surfacing the likelihood of silent, prompt-driven changes and the governance obligations they create.

4. Compliance

Posture against frameworks such as NIST secure-software guidance, EU AI Act obligations, ISO/IEC 42001 and licence compliance—turning TrustScore into a governance and assurance signal.

5. PQC Readiness

Exposure to quantum-vulnerable cryptography—RSA/ECDSA key exchange on long-lived services, certificates without a post-quantum rollover path—and progress toward PQC-safe algorithms.

6. Operations

Operational and runtime posture—telemetry and evidence coverage, logging, monitoring and configuration hygiene—measuring how observable and well-run the service is in production.

TrustScore measures posture. Verdict enforces policy gates.

A project can earn an investment-grade score and still be blocked from release. The score and the deploy decision are two separate axes — so a strong number can never quietly override a failed security gate.

Measurement axis
79.3BBB

The 0–100 TrustScore and its AAA–D band describe trust posture. This is a signal — it does not, on its own, authorize a release.

Admissibility verdict
BLOCK · SECURITY

Gate predicates decide deployability. A non-waivable security gate (e.g. a known-exploited CVE) blocks release regardless of how high the score is.

Trust Ratings

AAA to D: A Credit-Rating-Style Score for Software

Using the familiar AAA–D format of credit ratings, Spyda distils software trustworthiness into a single, standardized grade. Each rating is a calibrated, deterministic heuristic derived from your evidence—not an empirical probability of a security incident.

AAA
90-100

Prime / High Grade (AAA–AA)

Exceptional trust. Enterprise-ready for mission-critical and regulated systems. Full supply-chain provenance, clean code, and governance alignment.

Production Ready
A
75-89

Investment Grade (A–BBB)

Strong trust with manageable issues. Suitable for most production workloads with standard AppSec processes. Good security and provenance.

Deploy with Monitoring
BB
55-74

Speculative Grade (BB–B)

Elevated risk. Meaningful vulnerabilities or AI-IDE exposure present. Requires additional controls and targeted remediation before production use.

Review Required
D
0-54

High Risk to Default (CCC–D)

Significant vulnerabilities across multiple domains. Upper range (CCC/CC) triggers mandatory remediation; the lowest scores (C/D) are blocked from deployment.

Remediate / Block

Would you deploy this to production?

Every Trust Certificate includes a clear DEPLOY / REVIEW / BLOCK decision and Enterprise Readiness Level.

DEPLOY
REVIEW
BLOCK

Score Breakdown: 1-100 Scale

The underlying TrustScore (1-100) maps to letter ratings and provides granular detail.

90+

90-100 = AAA/AA (Elite)

Strong supply-chain posture, clean code, low AI-IDE exposure and solid governance alignment. Suitable for high-criticality and regulated environments.

75+

75-89 = A/BBB (Trusted)

Good security and provenance with manageable issues. Safe for most production workloads with standard AppSec processes.

55+

55-74 = BB/B (Needs Review)

Meaningful risks present. Recommended for targeted remediation and closer review before use in critical systems.

35+

35-54 = CCC/CC (High Risk)

Significant vulnerability, provenance or AI-IDE exposure concerns. Should trigger remediation projects and stricter controls.

0-34

0-34 = C/D (Critical Risk)

Severe issues across one or more layers. Not recommended for production use; appropriate for blocking in CI/CD and third-party risk workflows.

Why Spyda TrustScore matters

Traditional AppSec tools find vulnerabilities, but they do not tell you how much you can trust the overall codebase – especially when AI tools and agents are writing more of the code.

Spyda TrustScore turns fragmented security, provenance and AI-IDE telemetry into a single 1–100 signal that can:

  • Gate CI/CD and deployments based on software trust
  • Inform third-party and open-source risk decisions
  • Enforce safer policies around AI-assisted development
  • Provide a clear, defensible metric to boards, customers and regulators

Spyda 2.0 Scoring Engine

NEW

Probabilistic scoring, deterministically reproduced—identical evidence always yields an identical score. Dynamic weight adjustment, scanner reliability calibration, and an exploitability boost layer.

Multi-Tool Consolidation

Aggregate findings from Snyk, Semgrep, Trivy, SonarQube, and 20+ tools into one unified view.

Advanced Confidence Analysis

5-factor probabilistic model: corroboration, clarity, source credibility, exploitability, and contradiction penalty 2.0.

Policy-Driven Scoring

Customize domain weights, thresholds, and gating rules to match your organization's risk appetite.

Post-Quantum Crypto

Assess quantum-resistant cryptography readiness and identify vulnerable algorithms before threats emerge.

AI Provenance Tracking

Track AI-generated code, model dependencies, and ensure transparency in AI-assisted development.

CI/CD Integration

Block deployments based on TrustScore thresholds with GitHub Actions, GitLab CI, or Jenkins.

Role-Based Access

Admin, auditor, developer, and viewer roles with granular permissions and audit logging.

Enterprise Ready

SSO, API tokens, audit logs, and compliance reporting for SOC 2 and ISO 27001.

Supply Chain Security

SBOM analysis, dependency tracking, and vulnerability correlation across your software supply chain.

How It Works

Three simple steps to security clarity.

1

Connect Your Tools

Import findings from your existing SAST, SCA, DAST, container, and cryptographic analysis scanners.

2

Configure Your Policy

Set domain weights, risk thresholds, and enforcement rules that match your organization's needs.

3

Generate Your TrustScore

Receive a single 0–100 score with explainable evidence, remediation insights, and compliance reports.

Scanners → Correlation & Scoring Engine → Unified TrustScore → Dashboards & CI/CD Gates

INTEGRATES WITH YOUR EXISTING SCANNERS

SnykSemgrepTrivySonarQubeGrype

Ready to unify your security scoring?

Unify your risk posture across scanners, policies and CI/CD. Deploy in minutes and integrate with your existing tools instantly.