Dependency Trust Scoring

Every third-party dependency in your SBOM is evaluated for security trustworthiness. The trust score aggregates automated checks across code security practices, development workflows, supply chain hygiene, and project governance - giving your team a single metric to assess how well-maintained and secure a dependency really is.

What it evaluates

For each dependency detected in the SBOM, the service resolves the upstream source repository and runs a battery of security checks against it. The result is a trust score from 0 to 10, accompanied by a letter grade (A through F) and a per-check breakdown so teams can see exactly where a dependency falls short.

Scores are cached and refreshed automatically, so repeated scans across repositories return results instantly without redundant lookups.

Security checks

The trust score is computed across four categories, each covering multiple automated checks:

Code security practices

Static analysis

Whether the project integrates SAST tooling into its development workflow.

Known vulnerabilities

Whether the project has unresolved vulnerabilities in public databases.

Fuzzing

Whether the project uses fuzz testing to find bugs and security issues.

Binary artifacts

Whether the repository contains pre-built binaries that bypass source-level review.

Development workflow

CI tests

Whether the project runs automated tests in continuous integration.

Code review

Whether changes go through a review process before being merged.

Branch protection

Whether the main branch enforces protection rules against direct pushes.

Dangerous workflows

Whether CI/CD configurations contain risky patterns that could be exploited.

Supply chain hygiene

Dependency updates

Whether the project uses automated tooling to keep its own dependencies current.

Pinned dependencies

Whether dependency versions are pinned to avoid unexpected changes.

Signed releases

Whether release artifacts are cryptographically signed for authenticity.

Packaging

Whether the project follows best practices for building and distributing packages.

Project governance

Maintained

Whether the project shows signs of active maintenance and recent commits.

Contributors

Whether the project has a diverse set of contributors reducing bus-factor risk.

License

Whether the project declares a recognized open-source license.

Security policy

Whether the project publishes a vulnerability disclosure and response policy.

Token permissions

Whether CI/CD tokens follow the principle of least privilege.

Scoring scale

Each check produces a score from 0 to 10. The overall trust score is the average across all applicable checks, mapped to a letter grade:

Grade	Score range	Interpretation
A	8.0 – 10.0	Strong security practices across the board
B	6.0 – 7.9	Good practices with minor gaps
C	4.0 – 5.9	Moderate risk - several checks failing
D	2.0 – 3.9	Significant security concerns
F	0.0 – 1.9	Minimal or no security practices detected

In the SBOM dashboard, hovering a dependency’s trust score reveals the full per-check breakdown - showing which checks passed, which raised warnings, and which failed - so teams can make informed decisions about whether to keep, replace, or monitor a dependency.