Compliance Score¶
After running an audit, your compliance score is saved to .ges/score.json. View it anytime:
Example Output¶
GDPR ................ 72%
OWASP ............... 65%
CIS ................. 80%
NIST ................ 58%
Overall ............. 69%
Last evaluated: 2026-05-30T14:30:00.000Z
How Scoring Works¶
- Each framework's score = severity-weighted percentage of controls that are passing or not applicable (see Compliance Badge guide for the full algorithm)
- Overall score = control-count-weighted average of all framework scores (frameworks with more controls carry more weight; frameworks with zero controls are excluded from the average)
- Controls default to "not-implemented" until positive evidence is detected or findings map them to "fail"
Control Status Values¶
| Status | Meaning | Effect on Score |
|---|---|---|
pass |
Control requirements are met | Full credit (1.0x weight) |
fail |
Control requirements are violated | No credit (0x weight) |
warning |
Partial compliance | Half credit (0.5x weight) |
not-implemented |
No evidence found | No credit (0x weight) |
not-applicable |
Control does not apply to this project | Full credit (1.0x weight) |
Score Calculation¶
Framework Score = round(Σ(control_weight × status_credit) / Σ(control_weight) × 100)
Overall Score = round(Σ(framework_score × total_controls) / Σ(total_controls))
Frameworks with zero controls are excluded from the overall calculation. See the Compliance Badge guide for severity weights, status credits, critical failure caps, and audit deduction details.
CI Mode¶
Output raw JSON for CI/CD pipelines:
Returns:
{
"overall": 69,
"frameworks": {
"GDPR": {
"framework": "GDPR",
"score": 72,
"total_controls": 22,
"passed_controls": 16,
"failed_controls": 4,
"warning_controls": 2,
"not_applicable": 0,
"evaluated_at": "2026-05-30T14:30:00.000Z"
}
},
"evaluated_at": "2026-05-30T14:30:00.000Z"
}
Viewing Full Compliance Status¶
For a combined view of score + installed packs with per-pack control counts:
Output:
GDPR ................ 72%
OWASP ............... 65%
Overall ............. 69%
Installed Policy Packs:
gdpr 16/22 controls passed
owasp 4/6 controls passed
Generate a Score Badge
You can embed your compliance score as an SVG badge in your README or documentation:
This generates badge.svg and injects a score summary table into your README. See the Compliance Badge guide for full details including embedding options, CI/CD automation, and how the scoring engine computes the grade.
Exercise: Track Score Over Multiple Audits
- Start with a fresh project and run
ges init - Create a deliberately vulnerable file (see Quick Start)
- Run
ges auditandges score— record the score - Fix one issue at a time and re-run
ges audit && ges scoreafter each fix - Record your progress:
- Count how many fixes it takes to reach 80%
Exercise: Compare Project Types
Different project types install different packs, which changes the scoring. Try this:
# SaaS (4 packs: GDPR, OWASP, CIS, NIST = 56 controls)
mkdir /tmp/type-saas && cd /tmp/type-saas && echo '{"name":"t"}' > package.json
ges init -n "SaaS" -t saas -f "GDPR,OWASP,CIS,NIST"
ges audit && ges score
# API Backend (2 packs: GDPR, OWASP = 28 controls)
mkdir /tmp/type-api && cd /tmp/type-api && echo '{"name":"t"}' > package.json
ges init -n "API" -t api-backend -f "GDPR,OWASP"
ges audit && ges score
# AI Application (3 packs: GDPR, OWASP, AI = 34 controls)
mkdir /tmp/type-ai && cd /tmp/type-ai && echo '{"name":"t"}' > package.json
ges init -n "AI" -t ai-application -f "GDPR,OWASP"
ges audit && ges score
Questions
- Which project type has the most controls to satisfy?
- Does the same clean codebase score differently depending on project type?