TrustScore Explained

What TrustScore measures

TrustScore is a composite confidence score (0-100) that measures how trustworthy your AI-generated code is for production. It combines multiple analysis engines into a single, actionable metric.

A higher TrustScore means your code is more likely to be secure, maintainable, and compliant with your organization's standards.

Components

Security (0-100)

Detects vulnerabilities, injection risks, insecure configurations, and security anti-patterns using static analysis rules.

Quality (0-100)

Measures code quality, maintainability, best practices, and potential bugs using linting and static analysis.

LLM Reasoning (0-100)

AI-powered analysis that understands code context, intent, and potential edge cases that static analysis might miss.

Supply Chain (0-100)

Scans dependencies for known vulnerabilities, license compliance, and supply chain risks.

Thresholds

Pass (80-100)

Code meets security and quality standards and is safe to merge.

Warning (60-79)

Code has issues that should be reviewed before merging.

Fail (0-59)

Code has critical issues and should not be merged until they are fixed.

What happens on PR gate fail?

When a PR fails the TrustScore threshold (configured in your policy.yaml):

  • The PR status check shows as "failed"
  • A detailed SARIF report is attached to the PR
  • Merge is blocked (if configured in your policy)
  • You receive a summary of critical findings and fix suggestions

You can review the findings, apply suggested fixes, and re-run the analysis. Once TrustScore passes the threshold, the PR gate will allow merging.
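The gate flow above, written out as an added Python example that is not TrustScore's own code. It assumes an equal-weight mean over the four components (the page does not state the weights), a constructed policy.yaml-style dict whose trustscore.threshold and block_merge keys are hypothetical, and constructed component scores and findings; from those it derives the status check, the merge block, the critical-findings summary and a minimal SARIF 2.1.0 log.

```python
# Bands from the page: Pass 80-100, Warning 60-79, Fail 0-59.
BANDS = (("pass", 80), ("warning", 60), ("fail", 0))
COMPONENTS = ("security", "quality", "llm_reasoning", "supply_chain")
# Constructed stand-in for policy.yaml; the key names are hypothetical.
POLICY = {"trustscore": {"threshold": 80, "block_merge": True}}
# Constructed component scores and findings for one pull request.
SAMPLE_SCORES = {"security": 55, "quality": 85, "llm_reasoning": 70, "supply_chain": 90}
SAMPLE_FINDINGS = [
    {"rule": "SEC-SQLI", "level": "error", "file": "app/db.py", "line": 42,
     "message": "Query built with string formatting; use a parameterised query."},
    {"rule": "QUAL-UNUSED", "level": "warning", "file": "app/util.py", "line": 7,
     "message": "Unused import."},
]

def composite(scores):
    """Equal-weight mean of the four components (assumed; the page gives no weights)."""
    for c in COMPONENTS:
        if not 0 <= scores.get(c, -1) <= 100:
            raise ValueError(f"component {c} missing or out of range")
    return round(sum(scores[c] for c in COMPONENTS) / len(COMPONENTS))

def band(score):
    """Map a TrustScore to the page's Pass / Warning / Fail band."""
    return next(name for name, floor in BANDS if score >= floor)

def to_sarif(findings):
    """Minimal SARIF 2.1.0 log of the findings, the report the gate attaches to the PR."""
    results = [{"ruleId": f["rule"], "level": f["level"],
                "message": {"text": f["message"]},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": f["file"]},
                    "region": {"startLine": f["line"]}}}]} for f in findings]
    return {"version": "2.1.0",
            "runs": [{"tool": {"driver": {"name": "trustscore-gate-example"}},
                      "results": results}]}

def gate(scores, findings, policy=POLICY):
    """Decide the PR status check, merge block and summary from score and policy."""
    score = composite(scores)
    cfg = policy["trustscore"]
    passed = score >= cfg["threshold"]
    return {
        "score": score, "band": band(score),
        "status": "success" if passed else "failure",
        "merge_blocked": (not passed) and cfg["block_merge"],
        "critical": [f["message"] for f in findings if f["level"] == "error"],
        "sarif": to_sarif(findings),
    }
```

With the constructed scores the composite is 75, which lands in the Warning band but below the policy threshold of 80, so the status check fails and merging is blocked.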