Enterprise Software Supply Chain Manager (ESSCM)
Risk Score (RS)
Understanding component integrity risk scoring in Safeguard.sh
The Risk Score (RS) provides a comprehensive risk assessment for each component in your SBOM, helping you identify and prioritize supply chain security concerns.
Overview
RS evaluates components against multiple risk factors to produce an overall integrity score. Unlike vulnerability scores, which focus on known CVEs, RS assesses the trustworthiness and supply chain integrity of each component.
RS Score Range
| Score | Risk Level | Description |
|---|---|---|
| 0-2 | Low Risk | High integrity, well-attested |
| 3-4 | Moderate Risk | Some concerns, review recommended |
| 5-6 | Elevated Risk | Multiple concerns, attention needed |
| 7-8 | High Risk | Significant concerns, remediation advised |
| 9-10 | Critical Risk | Severe concerns, immediate action required |
Risk Factors
Supply Chain Attestation (SCAL)
The SCAL (Safeguard Component Attestation Level) is a key factor in RS calculation:
| Level | Name | Description | Risk Impact |
|---|---|---|---|
| SCAL 0 | Fully Attested | Complete build & source attestation with signatures | Lowest |
| SCAL 1 | Attested Build & Source | Build provenance and source verification | Low |
| SCAL 2 | Attested Component | Component has some attestation | Moderate |
| SCAL 3 | Known Component | Component is identified but unattested | High |
| SCAL 4 | Partially Unknown | Component has limited verification | Higher |
| SCAL 5 | Unknown Component | Component cannot be verified | Highest |
Provenance Verification
| Factor | Low Risk | High Risk |
|---|---|---|
| Build Source | Official CI/CD | Unknown origin |
| Signature | Verified signatures | No signatures |
| Transparency Log | In public log | Not logged |
| Build Reproducibility | Reproducible | Not reproducible |
Package Health
| Factor | Low Risk | High Risk |
|---|---|---|
| Maintenance | Active development | Abandoned |
| Community | Large, active | Small, inactive |
| Age | Mature, stable | Very new or very old |
| Typosquatting | No similar names | Potential typosquat |
Behavioral Analysis
| Factor | Low Risk | High Risk |
|---|---|---|
| Install Scripts | None or safe | Suspicious scripts |
| Network Access | None | Unexpected network calls |
| File System | Limited access | Broad file access |
| Code Obfuscation | None | Heavily obfuscated |
Viewing RS
In Explore SBOM
- Open a project from the Projects page
- Navigate to Explore SBOM
- Click the RS tab
- View RS scores for all components
RS Dashboard
The RS tab displays:
| Column | Description |
|---|---|
| Component | Package name and version |
| RS Score | Numeric risk score (0-10) |
| Risk Level | Low/Moderate/Elevated/High/Critical |
| SCAL Level | Attestation level (0-5) |
| Top Risk Factors | Primary contributors to score |
Filtering and Sorting
- Filter by Risk Level - Show only High/Critical components
- Filter by SCAL - Show components above a certain attestation level
- Sort by RS - Highest risk first
- Search - Find specific components
RS Details
Click on any component to view a detailed RS breakdown:
Risk Breakdown
| Category | Weight | Score |
|---|---|---|
| Attestation (SCAL) | 30% | Based on SCAL level |
| Provenance | 25% | Build verification |
| Package Health | 20% | Maintenance status |
| Behavioral | 15% | Runtime behavior |
| Historical | 10% | Past security issues |
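As an added example (not Safeguard.sh's own code), the following Python composes an RS from the five weighted categories in the table above and derives the Risk Level and Top Risk Factors columns shown in the dashboard. It assumes each category is first normalised to a 0-10 sub-score, with SCAL mapped linearly (SCAL 0 to 0, SCAL 5 to 10); the product's actual per-category scoring is not documented on this page.

```python
# Added example (not Safeguard.sh code): composes an RS from the five weighted
# categories of the Risk Breakdown table and lists the top contributors.
# Assumption: each category is normalised to a 0-10 sub-score first, with the
# SCAL level mapped linearly (SCAL 0 -> 0, SCAL 5 -> 10); the product's real
# per-category scoring is not documented on this page.
WEIGHTS = {
    "Attestation (SCAL)": 0.30,
    "Provenance": 0.25,
    "Package Health": 0.20,
    "Behavioral": 0.15,
    "Historical": 0.10,
}

# Risk level bands from the RS Score Range table (upper bound inclusive).
LEVELS = [(2, "Low"), (4, "Moderate"), (6, "Elevated"), (8, "High"), (10, "Critical")]

def scal_subscore(scal: int) -> float:
    """Map SCAL 0..5 to a 0..10 sub-score (assumed linear mapping)."""
    if not 0 <= scal <= 5:
        raise ValueError(f"SCAL level out of range: {scal}")
    return scal * 2.0

def risk_score(subscores: dict[str, float]) -> int:
    """Weighted sum of the 0..10 category sub-scores, rounded to the 0..10 RS."""
    missing = set(WEIGHTS) - set(subscores)
    if missing:
        raise KeyError(f"missing categories: {sorted(missing)}")
    total = sum(WEIGHTS[c] * subscores[c] for c in WEIGHTS)
    return max(0, min(10, round(total)))

def risk_level(score: int) -> str:
    """Risk Level column: band name for an integer RS."""
    for upper, name in LEVELS:
        if score <= upper:
            return name
    raise ValueError(f"RS out of range: {score}")

def top_risk_factors(subscores: dict[str, float], n: int = 3) -> list[str]:
    """Top Risk Factors column: categories by weighted contribution, largest first."""
    return sorted(WEIGHTS, key=lambda c: WEIGHTS[c] * subscores[c], reverse=True)[:n]

if __name__ == "__main__":
    # Constructed sample: SCAL 5 component with no provenance but a healthy package.
    sample = {"Attestation (SCAL)": scal_subscore(5), "Provenance": 9.0,
              "Package Health": 2.0, "Behavioral": 4.0, "Historical": 0.0}
    rs = risk_score(sample)
    print(rs, risk_level(rs), top_risk_factors(sample))
```

For the constructed sample the weighted sum is 6.25, which rounds to an RS of 6 (Elevated) driven mainly by the missing attestation and provenance.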
Evidence
View specific evidence for each risk factor:
- Attestation documents found/missing
- Signature verification results
- Provenance chain details
- Behavioral analysis findings
Improving RS Scores
Quick Improvements
- Update to attested versions - Use versions with SCAL 0-1
- Replace unknown components - Swap SCAL 5 for verified alternatives
- Remove unused dependencies - Reduce attack surface
- Pin specific versions - Avoid version ranges
Long-term Strategy
- Prefer Gold Directory packages - Pre-verified components
- Establish component policies - Set a maximum allowed SCAL level
- Monitor RS trends - Track improvements over time
- Vendor engagement - Request attestations from suppliers
RS Policies
Setting RS Thresholds
Create policies based on RS:
- Go to Policies & Gates
- Create new policy rule
- Set RS threshold (e.g., fail if any component > 6)
- Apply to projects
Policy Examples
| Policy | Rule |
|---|---|
| Production | No components with RS > 5 |
| Development | Warn on RS > 7 |
| Critical Systems | Require SCAL 0-1 for all components |
API Access
```bash
# Get RS scores for a project
curl -X GET https://api.safeguard.sh/v1/projects/{id}/rs \
  -H "Authorization: Bearer $API_KEY"

# Get RS details for a component
curl -X GET https://api.safeguard.sh/v1/projects/{id}/components/{component}/rs \
  -H "Authorization: Bearer $API_KEY"
```
Best Practices
Monitoring
- Review high RS components weekly
- Set up alerts for RS increases
- Track RS trends in dashboards
Remediation
- Prioritize SCAL 5 components first
- Create tickets for high RS components
- Document accepted risks with mitigations
Prevention
- Include RS checks in CI/CD
- Block high RS components in security gates
- Train developers on component selection
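The Prevention items above (RS checks in CI/CD, blocking high RS components in gates) can be scripted against the project RS endpoint under API Access. The following Python is an added example, not Safeguard.sh's own tooling: it applies the three rules from the Policy Examples table to a project's component list and exits non-zero on a failure. The response schema of /v1/projects/{id}/rs is not documented on this page, so the JSON shape ({"components": [{name, version, rs, scal}]}) and the sample payload are assumptions.

```python
# Added example (not Safeguard.sh code): a CI gate that applies the three rules
# from the Policy Examples table to a project's component list and exits
# non-zero on any failure so the pipeline blocks.
# Assumption: the /v1/projects/{id}/rs endpoint returns JSON shaped like
# {"components": [{"name", "version", "rs", "scal"}, ...]}; that schema is not
# documented here, so SAMPLE is a constructed payload and the script reads a
# saved response file instead of calling the API.
import json
import sys

# Each rule maps a component to "fail", "warn" or None (pass).
POLICIES = {
    "Production": lambda c: "fail" if c["rs"] > 5 else None,
    "Development": lambda c: "warn" if c["rs"] > 7 else None,
    "Critical Systems": lambda c: "fail" if c["scal"] > 1 else None,  # SCAL 0-1 only
}

def evaluate(components, policy_name):
    """Return (failures, warnings): component labels under one policy."""
    rule = POLICIES[policy_name]
    failures, warnings = [], []
    for c in components:
        verdict = rule(c)
        label = f"{c['name']}@{c['version']} (RS {c['rs']}, SCAL {c['scal']})"
        if verdict == "fail":
            failures.append(label)
        elif verdict == "warn":
            warnings.append(label)
    return failures, warnings

SAMPLE = {"components": [  # constructed payload, placeholder package names
    {"name": "pkg-a", "version": "1.0.0", "rs": 8, "scal": 5},
    {"name": "pkg-b", "version": "2.3.1", "rs": 3, "scal": 2},
    {"name": "pkg-c", "version": "0.9.4", "rs": 1, "scal": 0},
]}

if __name__ == "__main__":
    # usage: python rs_gate.py <policy> [saved_response.json]
    policy = sys.argv[1] if len(sys.argv) > 1 else "Production"
    if len(sys.argv) > 2:
        with open(sys.argv[2]) as fh:
            data = json.load(fh)
    else:
        data = SAMPLE
    fails, warns = evaluate(data["components"], policy)
    for w in warns:
        print("WARN", w)
    for f in fails:
        print("FAIL", f)
    sys.exit(1 if fails else 0)  # non-zero exit blocks the pipeline
```

With the constructed payload, the Production rule fails only pkg-a (RS 8), Development merely warns on it, and Critical Systems fails both pkg-a and pkg-b because their SCAL exceeds 1.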