{
  "name": "Software Supply Chain Trust Scorecard Methodology",
  "version": "1.0.0",
  "license": "MIT",
  "copyright": "Copyright (c) 2026 Intellect7",
  "description": "Community scoring rubric for software supply chain trust posture.",
  "scoring_scale": {
    "0": "Not started",
    "1": "Initial",
    "2": "Partial",
    "3": "Managed",
    "4": "Optimized"
  },
  "dimensions": {
    "integrity": [
      "artifact_signing",
      "provenance_attestation",
      "trusted_builds",
      "release_approvals"
    ],
    "dependencies": [
      "sbom_coverage",
      "dependency_pinning",
      "dependency_update_sla",
      "third_party_risk",
      "maintainer_verification"
    ],
    "pipeline": [
      "ci_isolation",
      "secret_rotation",
      "patch_response",
      "runtime_detection"
    ],
    "operations": [
      "vuln_intake",
      "incident_drills",
      "exec_reporting"
    ]
  },
  "questions": [
    {"id": "artifact_signing", "prompt": "Release artifacts are cryptographically signed, and consumers can verify the signatures against a published key or signing identity."},
    {"id": "provenance_attestation", "prompt": "Build provenance attestations are generated for each release, stored alongside the artifact, and verified before deployment."},
    {"id": "sbom_coverage", "prompt": "SBOMs are generated for all production releases."},
    {"id": "dependency_pinning", "prompt": "Critical dependencies are pinned to exact versions or digests (e.g. via lockfiles), and changes to pins are reviewed."},
    {"id": "dependency_update_sla", "prompt": "Dependency updates for high-risk packages follow an SLA."},
    {"id": "ci_isolation", "prompt": "CI runners are isolated and hardened for untrusted code."},
    {"id": "secret_rotation", "prompt": "CI/CD secrets are short-lived or regularly rotated and scoped with least privilege."},
    {"id": "trusted_builds", "prompt": "Release builds run only from protected branches; unreviewed branches cannot produce release artifacts."},
    {"id": "release_approvals", "prompt": "Security review is part of release approval gates."},
    {"id": "vuln_intake", "prompt": "Vulnerability disclosures have documented intake and triage."},
    {"id": "patch_response", "prompt": "Critical supply-chain findings are patched within a defined time-to-remediate target."},
    {"id": "third_party_risk", "prompt": "Third-party package/repo risk is tracked continuously."},
    {"id": "maintainer_verification", "prompt": "The identity of package maintainers and publishers is verified before packages are adopted or updated."},
    {"id": "runtime_detection", "prompt": "Runtime controls detect suspicious package behavior."},
    {"id": "incident_drills", "prompt": "Supply-chain incident drills are exercised periodically."},
    {"id": "exec_reporting", "prompt": "Leadership receives supply-chain security KPI reporting."}
  ]
}
