Enterprise Software Supply Chain Manager (ESSCM)
Security Posture
Overall security assessment and scoring for your projects
The Security Posture tab provides a comprehensive view of your project's overall security health, combining vulnerability data, attestation scores, and risk metrics into actionable insights.
Overview
Security posture assessment helps you:
- Understand overall project security health
- Track security improvements over time
- Identify areas requiring attention
- Compare security across projects
- Report security metrics to stakeholders
Security Posture Score
Each project receives a Security Posture Score (0-100):
| Score Range | Rating | Description |
|---|---|---|
| 90-100 | Excellent | Minimal risk, well-maintained |
| 75-89 | Good | Low risk, minor improvements needed |
| 50-74 | Fair | Moderate risk, attention required |
| 25-49 | Poor | High risk, remediation needed |
| 0-24 | Critical | Severe risk, immediate action required |
Score Components
Vulnerability Score (40%)
Based on:
- Number of vulnerabilities by severity
- EPSS exploitation probability
- KEV (Known Exploited Vulnerabilities) presence
- Vulnerability age
Attestation Score (25%)
Based on:
- Component integrity verification
- Supply chain attestation (SLSA)
- Signature verification status
- Malicious package detection
Dependency Health (20%)
Based on:
- Dependency freshness
- Maintenance status
- Community activity
- Security advisory response time
Compliance Score (15%)
Based on:
- EO 14028 compliance
- License compliance
- SBOM completeness
- Policy adherence
Viewing Security Posture
- Open a project from the Projects page
- Navigate to the Security Posture tab
- View the comprehensive security assessment
Dashboard Elements
| Element | Description |
|---|---|
| Overall Score | Combined security posture score |
| Score Trend | Score changes over time |
| Component Breakdown | Score by category |
| Risk Distribution | Vulnerabilities by severity |
| Top Risks | Most critical issues to address |
Score Details
Vulnerability Breakdown
Within the Vulnerability Score (40% of the overall score), findings are weighted by severity:
| Severity | Weight | Effect on score |
|---|---|---|
| Critical CVEs | 40% | Each critical CVE significantly reduces the score |
| High CVEs | 30% | High severity CVEs reduce the score |
| Medium CVEs | 20% | Medium CVEs have a moderate impact |
| Low CVEs | 10% | Low CVEs have minimal impact |
Attestation Breakdown
| Level | Rating | Description |
|---|---|---|
| LCAL 4 (Full Attestation) | Excellent | Fully attested components |
| LCAL 3 (High Attestation) | Good | Well-attested components |
| LCAL 2 (Medium Attestation) | Fair | Partially attested components |
| LCAL 0-1 (Low/No Attestation) | Poor | Unattested components |
Improving Your Score
Quick Wins
- Update critical dependencies - Fix critical CVEs first
- Enable AI Remediate - Auto-generate fix PRs
- Remove unused dependencies - Reduce attack surface
- Update base images - Fresh container bases
Long-term Improvements
- Establish patching cadence - Regular update schedule
- Implement security gates - Block vulnerable deployments
- Improve SBOM completeness - Better component data
- Adopt attested packages - Use verified components
Trend Analysis
Score History
View how your score changes over time:
- Daily score snapshots
- Weekly trends
- Monthly comparisons
- Year-over-year analysis
Score Events
Track what caused score changes:
| Event | Impact |
|---|---|
| New vulnerability disclosed | Score decreases |
| Vulnerability fixed | Score increases |
| Dependency updated | May increase or decrease |
| New component added | Varies based on component |
Organization Dashboard
View aggregate security posture across all projects:
- Go to Dashboard
- View Security Posture Overview
- See organization-wide metrics
Organization Metrics
| Metric | Description |
|---|---|
| Average Score | Mean score across projects |
| Score Distribution | Projects by score range |
| Trend | Organization-wide improvement |
| Critical Projects | Projects needing attention |
Reporting
Generate Security Report
- Click Export → Security Posture Report
- Select time range
- Choose format (PDF, HTML)
- Download report
Report Contents
- Executive summary
- Score breakdown
- Trend analysis
- Risk inventory
- Remediation recommendations
- Comparison to previous period
API Access
Access security posture data via API:
```bash
# Get the current security posture for a project ({id} is the project ID)
curl -X GET https://api.safeguard.sh/v1/projects/{id}/security-posture \
  -H "Authorization: Bearer $API_KEY"

# Get score history for a date range.
# A GET request should not carry a JSON body; the date filters are sent as
# query parameters (start_date / end_date), which this example assumes the
# history endpoint accepts.
curl -G https://api.safeguard.sh/v1/projects/{id}/security-posture/history \
  -H "Authorization: Bearer $API_KEY" \
  --data-urlencode "start_date=2025-01-01" \
  --data-urlencode "end_date=2025-01-31"
```
Benchmarking
Compare your security posture:
Industry Benchmarks
See how you compare to:
- Industry average
- Top performers
- Similar project sizes
- Same technology stack
Internal Benchmarks
Compare across your organization:
- Team comparisons
- Project type comparisons
- Business unit comparisons
Alerts and Notifications
Configure alerts for security posture changes:
| Alert Type | Trigger |
|---|---|
| Score Drop | Score decreases by a configurable number of points |
| Rating Change | Rating moves to a different band (for example, Good → Fair) |
| Critical Threshold | Score falls below a configured threshold |
| Weekly Digest | Weekly summary email |
Best Practices
Monitoring
- Review security posture weekly
- Set up alerts for score drops
- Track trends over time
- Celebrate improvements
Improvement
- Prioritize based on score impact
- Address critical issues first
- Set score targets for projects
- Include security in sprint planning
Reporting
- Share reports with stakeholders
- Include in release documentation
- Track against organizational goals
- Use for compliance evidence