# Dependency Trust Scoring
Every third-party dependency in your SBOM is evaluated for security trustworthiness. The trust score aggregates automated checks across code security practices, development workflows, supply chain hygiene, and project governance — giving your team a single metric to assess how well-maintained and secure a dependency really is.
## What it evaluates
For each dependency detected in the SBOM, the service resolves the upstream source repository and runs a battery of security checks against it. The result is a trust score from 0 to 10, accompanied by a letter grade (A through F) and a per-check breakdown so teams can see exactly where a dependency falls short.
Scores are cached and refreshed automatically, so repeated scans across repositories return results instantly without redundant lookups.
## Security checks
The trust score is computed across four categories, each covering multiple automated checks:
### Code security practices

- **Static analysis**: Whether the project integrates SAST tooling into its development workflow.
- **Known vulnerabilities**: Whether the project has unresolved vulnerabilities in public databases.
- **Fuzzing**: Whether the project uses fuzz testing to find bugs and security issues.
- **Binary artifacts**: Whether the repository contains pre-built binaries that bypass source-level review.

### Development workflow

- **CI tests**: Whether the project runs automated tests in continuous integration.
- **Code review**: Whether changes go through a review process before being merged.
- **Branch protection**: Whether the main branch enforces protection rules against direct pushes.
- **Dangerous workflows**: Whether CI/CD configurations contain risky patterns that could be exploited.

### Supply chain hygiene

- **Dependency updates**: Whether the project uses automated tooling to keep its own dependencies current.
- **Pinned dependencies**: Whether dependency versions are pinned to avoid unexpected changes.
- **Signed releases**: Whether release artifacts are cryptographically signed for authenticity.
- **Packaging**: Whether the project follows best practices for building and distributing packages.

### Project governance

- **Maintained**: Whether the project shows signs of active maintenance and recent commits.
- **Contributors**: Whether the project has a diverse set of contributors, reducing bus-factor risk.
- **Licence**: Whether the project declares a recognised open-source licence.
- **Security policy**: Whether the project publishes a vulnerability disclosure and response policy.
- **Token permissions**: Whether CI/CD tokens follow the principle of least privilege.
## Scoring scale
Each check produces a score from 0 to 10. The overall trust score is the average across all applicable checks, mapped to a letter grade:
| Grade | Score range | Interpretation |
|---|---|---|
| A | 8.0 – 10.0 | Strong security practices across the board |
| B | 6.0 – 7.9 | Good practices with minor gaps |
| C | 4.0 – 5.9 | Moderate risk — several checks failing |
| D | 2.0 – 3.9 | Significant security concerns |
| F | 0.0 – 1.9 | Minimal or no security practices detected |
In the SBOM dashboard, hovering over a dependency's trust score reveals the full per-check breakdown — showing which checks passed, which raised warnings, and which failed — so teams can make informed decisions about whether to keep, replace, or monitor a dependency.
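As an added example (not the product's own code), the scoring arithmetic described above in Python: per-check scores of 0 to 10, averaged over applicable checks only (a check that does not apply is skipped rather than counted as 0), mapped to the letter-grade bands in the table, plus the per-category roll-up and the passed/warning/failed breakdown the dashboard hover shows. The check names, categories and grade bands come from this page; the per-check status thresholds, the rounding of averages to one decimal, and the sample results for one hypothetical dependency are assumptions.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional, Tuple

# Check names and categories as listed on this page.
CATEGORIES: Dict[str, List[str]] = {
    "Code security practices": ["Static analysis", "Known vulnerabilities", "Fuzzing", "Binary artifacts"],
    "Development workflow": ["CI tests", "Code review", "Branch protection", "Dangerous workflows"],
    "Supply chain hygiene": ["Dependency updates", "Pinned dependencies", "Signed releases", "Packaging"],
    "Project governance": ["Maintained", "Contributors", "Licence", "Security policy", "Token permissions"],
}
CHECK_TO_CATEGORY = {check: cat for cat, checks in CATEGORIES.items() for check in checks}

# Lower bound of each grade band from the scoring table, highest first.
GRADE_BANDS: List[Tuple[float, str]] = [(8.0, "A"), (6.0, "B"), (4.0, "C"), (2.0, "D"), (0.0, "F")]


@dataclass(frozen=True)
class CheckResult:
    name: str
    score: Optional[float]  # 0..10, or None when the check does not apply to this project
    detail: str = ""

    def __post_init__(self) -> None:
        if self.name not in CHECK_TO_CATEGORY:
            raise ValueError(f"unknown check: {self.name}")
        if self.score is not None and not 0.0 <= self.score <= 10.0:
            raise ValueError(f"{self.name}: score {self.score} outside 0..10")


def grade_for(score: float) -> str:
    """Map a 0..10 score to the letter-grade bands in the scoring table."""
    for lower, letter in GRADE_BANDS:
        if score >= lower:
            return letter
    return "F"


def check_status(score: Optional[float]) -> str:
    """Per-check status for the dashboard breakdown.

    Assumed thresholds (the page does not state them): >= 8 passed, 4..7.9 warning, < 4 failed.
    """
    if score is None:
        return "not applicable"
    if score >= 8.0:
        return "passed"
    if score >= 4.0:
        return "warning"
    return "failed"


def aggregate(scores: List[Optional[float]]) -> Optional[float]:
    """Average over applicable checks only; None when no check applies.

    Rounding to one decimal is an assumption that keeps results aligned with the table's bands.
    """
    applicable = [s for s in scores if s is not None]
    if not applicable:
        return None
    return round(mean(applicable), 1)


def trust_score(results: List[CheckResult]) -> Tuple[Optional[float], Optional[str]]:
    """Overall trust score and letter grade for one dependency."""
    score = aggregate([r.score for r in results])
    return (score, grade_for(score)) if score is not None else (None, None)


def breakdown(results: List[CheckResult]) -> Dict[str, object]:
    """Overall score plus per-category and per-check detail, as the dashboard hover would show."""
    by_cat: Dict[str, List[CheckResult]] = {cat: [] for cat in CATEGORIES}
    for r in results:
        by_cat[CHECK_TO_CATEGORY[r.name]].append(r)
    score, grade = trust_score(results)
    categories = {}
    for cat, rs in by_cat.items():
        cat_score = aggregate([r.score for r in rs])
        categories[cat] = {
            "score": cat_score,
            "grade": grade_for(cat_score) if cat_score is not None else None,
            "checks": {r.name: check_status(r.score) for r in rs},
        }
    statuses = [check_status(r.score) for r in results]
    return {
        "score": score,
        "grade": grade,
        "categories": categories,
        "counts": {s: statuses.count(s) for s in ("passed", "warning", "failed", "not applicable")},
    }


# Constructed sample results for one hypothetical dependency (not real data).
SAMPLE_RESULTS = [
    CheckResult("Static analysis", 10.0, "SAST workflow present"),
    CheckResult("Known vulnerabilities", 10.0, "no open advisories"),
    CheckResult("Fuzzing", None, "not applicable for this language"),
    CheckResult("Binary artifacts", 10.0, "no checked-in binaries"),
    CheckResult("CI tests", 10.0),
    CheckResult("Code review", 7.0, "some merges without review"),
    CheckResult("Branch protection", 3.0, "direct pushes allowed"),
    CheckResult("Dangerous workflows", 10.0),
    CheckResult("Dependency updates", 0.0, "no update automation"),
    CheckResult("Pinned dependencies", 5.0, "partially pinned"),
    CheckResult("Signed releases", 0.0, "releases unsigned"),
    CheckResult("Packaging", None, "no packaging workflow detected"),
    CheckResult("Maintained", 10.0),
    CheckResult("Contributors", 8.0),
    CheckResult("Licence", 10.0),
    CheckResult("Security policy", 0.0, "no SECURITY.md"),
    CheckResult("Token permissions", 9.0),
]

if __name__ == "__main__":
    import json
    print(json.dumps(breakdown(SAMPLE_RESULTS), indent=2))
```

Treating a non-applicable check as `None` rather than `0` matters: counting it as zero would drag a project's grade down for a check that could never pass, which is the kind of false signal that leads teams to ignore the score. The per-category roll-up is what makes the breakdown actionable, since a dependency can grade B overall while its supply chain hygiene grades F.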