reference

Posture score

Most detectors look for a specific finding. The posture score grades how the repository is set up— the governance and hardening that prevents whole classes of finding. It is 17 signals across four groups, rolled into a single A–F grade. This page lists every signal, its real weight, and exactly how the grade is computed.

How the score is computed

Each signal is worth a fixed number of points. Your score is the percentage of assessable points you earned— earned points divided by the points of every signal that could actually be evaluated, times 100. That keeps the result on a clean 0–100 scale regardless of how the underlying weights sum.

Unknown signals are excluded, not failed

When a signal can't be inspected — an admin-only setting on a public scan, org MFA without read:org, a repo with no workflows to check for provenance — it is marked unknown and dropped from bothsides of that fraction. It neither earns points nor counts against you. A missing admin scope therefore cannot tank an otherwise-strong repo's grade.

The breakdown also surfaces up to five quick wins— the highest-value signals you have not yet satisfied (and can act on). Unknown signals are never offered as quick wins, since we can't recommend fixing something we couldn't evaluate.

Grade scale

A>= 90
B75 – 89
C60 – 74
D40 – 59
F< 40

The 17 signals

Branch protection

4 signals · 30 pts
  • Branch protection enabled on the default branch

    15 pts
  • Pull request review required

    unknown if details need admin and no ruleset resolves it

    5 pts
  • Status checks required before merge

    unknown if details need admin and no ruleset resolves it

    5 pts
  • Branch protection applied to admins

    unknown if details need admin and no ruleset resolves it

    5 pts

Documentation

5 signals · 30 pts
  • SECURITY.md present

    10 pts
  • LICENSE file present

    8 pts
  • CODEOWNERS file present

    5 pts
  • README is substantial (>= 500 chars)

    4 pts
  • README mentions security or SECURITY.md

    3 pts

Dependency hygiene

3 signals · 25 pts
  • Dependabot or Renovate configured

    12 pts
  • Lockfile committed

    8 pts
  • .gitignore covers node_modules and .env

    5 pts

Governance

5 signals · 30 pts
  • Recent commits are signed (verified)

    full at >= 80% verified, half at >= 50%; unknown if the ratio can't be read

    10 pts
  • Two-factor enforcement on the organization

    unknown for user-owned repos or when read:org is not granted

    5 pts
  • Secret scanning + push protection enabled

    unknown when the admin-only status isn't visible

    6 pts
  • Default GITHUB_TOKEN permissions are read-only

    unknown when the admin-only setting isn't visible

    5 pts
  • Releases are signed / publish build provenance

    unknown when there are no workflows to inspect

    4 pts

That is 17 signals. The raw weights sum to 115, but because the score is a percentage of assessablepoints, the absolute total never pushes a result above 100 — a repo that earns every assessable signal scores 100 and grades A.

A note on signed commits

The signed-commits signal is graded on a ratio of the recent sampled commits: full points at 80% or more verified, half points at 50% or more, zero below that. If a branch ruleset enforces signing, the signal is satisfied outright. If the verification ratio can't be determined at all, the signal is unknown rather than zero.

See the posture score on a real repo by running a scan, or read how each underlying detector works in Detectors.