Spyda 2.0 extends TrustScore with comprehensive supply chain security: SLSA provenance tracking, in-toto attestation verification, and policy-based governance.
Traditional AppSec tools focus on what vulnerabilities exist. Spyda TrustScore now answers: "How did this software get here, and can we trust the journey?"
Ingests SLSA provenance, in-toto Links, SPDX/CycloneDX SBOMs, VEX, and SARIF into a unified model.
Format-agnosticVerifies cosign, Sigstore, and custom signatures. Correlates attestations with GitHub dependency graphs.
Cryptographic trustYAML-based policies with CEL expressions. Block deployments on SLSA L0, unsigned artifacts, or blocked materials.
Org-wide controlHermetic, reproducible builds with complete provenance and two-person review
Hardened build platform with non-falsifiable provenance
Build service generated provenance with documented completeness
Provenance exists and is verifiable
No provenance available
Findings are automatically linked to provenance attestations. Vulnerabilities in unsigned artifacts receive higher confidence scores, while SLSA L4 packages with critical issues are flagged for immediate review.
Final TrustScore = (Base Vulnerability Score × 0.7) + (Supply Chain Score × 0.3)
Org-wide policies can block deployments based on SLSA level, unsigned artifacts, untrusted builders, or blocked materials.
The SolarWinds, Codecov, and 3CX supply chain attacks all shared a common weakness: attackers injected malicious code into trusted build pipelines, and traditional security tools missed it because they only scanned the final artifact.
Spyda's Supply Chain Security Platform closes this gap by tracking how software was built, not just what it contains. By combining vulnerability scanning with provenance verification, you get a complete picture of software trustworthiness.