reference
Posture score
Most detectors look for a specific finding. The posture score grades how the repository is set up— the governance and hardening that prevents whole classes of finding. It is 17 signals across four groups, rolled into a single A–F grade. This page lists every signal, its real weight, and exactly how the grade is computed.
How the score is computed
Each signal is worth a fixed number of points. Your score is the percentage of assessable points you earned— earned points divided by the points of every signal that could actually be evaluated, times 100. That keeps the result on a clean 0–100 scale regardless of how the underlying weights sum.
Unknown signals are excluded, not failed
When a signal can't be inspected — an admin-only setting on a public scan, org MFA without read:org, a repo with no workflows to check for provenance — it is marked unknown and dropped from bothsides of that fraction. It neither earns points nor counts against you. A missing admin scope therefore cannot tank an otherwise-strong repo's grade.
The breakdown also surfaces up to five quick wins— the highest-value signals you have not yet satisfied (and can act on). Unknown signals are never offered as quick wins, since we can't recommend fixing something we couldn't evaluate.
Grade scale
The 17 signals
Branch protection
4 signals · 30 pts- 15 pts
Branch protection enabled on the default branch
- 5 pts
Pull request review required
unknown if details need admin and no ruleset resolves it
- 5 pts
Status checks required before merge
unknown if details need admin and no ruleset resolves it
- 5 pts
Branch protection applied to admins
unknown if details need admin and no ruleset resolves it
Documentation
5 signals · 30 pts- 10 pts
SECURITY.md present
- 8 pts
LICENSE file present
- 5 pts
CODEOWNERS file present
- 4 pts
README is substantial (>= 500 chars)
- 3 pts
README mentions security or SECURITY.md
Dependency hygiene
3 signals · 25 pts- 12 pts
Dependabot or Renovate configured
- 8 pts
Lockfile committed
- 5 pts
.gitignore covers node_modules and .env
Governance
5 signals · 30 pts- 10 pts
Recent commits are signed (verified)
full at >= 80% verified, half at >= 50%; unknown if the ratio can't be read
- 5 pts
Two-factor enforcement on the organization
unknown for user-owned repos or when read:org is not granted
- 6 pts
Secret scanning + push protection enabled
unknown when the admin-only status isn't visible
- 5 pts
Default GITHUB_TOKEN permissions are read-only
unknown when the admin-only setting isn't visible
- 4 pts
Releases are signed / publish build provenance
unknown when there are no workflows to inspect
That is 17 signals. The raw weights sum to 115, but because the score is a percentage of assessablepoints, the absolute total never pushes a result above 100 — a repo that earns every assessable signal scores 100 and grades A.
A note on signed commits
The signed-commits signal is graded on a ratio of the recent sampled commits: full points at 80% or more verified, half points at 50% or more, zero below that. If a branch ruleset enforces signing, the signal is satisfied outright. If the verification ratio can't be determined at all, the signal is unknown rather than zero.
See the posture score on a real repo by running a scan, or read how each underlying detector works in Detectors.