codokey / audit /governance-scorecard.sh32 CHECKS
+0 resolved−32 pending
Reference self-assessment only. This scorecard is a static governance reference model aligned with the Codokey Protocol v1.0. It is not a formal certification, audit, or security assessment. Grades indicate alignment with the reference model — not compliance with any regulatory standard.
Governance completion
0 / 32 0% Click any line to check · Score updates automatically
C
Ungoverned AI Code Access
Complete more checks to improve your governance score.
0%
Primary gap:Key Exposure — 6 critical checks unresolved
Next action:Exclude .env and production credentials from agent read scope
Reference:Codokey Protocol v1.0 · Layer 02: Key Exposure
01 — code-origin.shProvenance & authorship controls0/4
1
+
AI-generated code is labeled or tagged in commits and PRs
High
2
+
Human review is explicitly required for all AI-generated merges
Critical
3
+
AI authorship is documented in your SDLC governance policy
Medium
4
+
Mixed human/AI code is distinguishable in the diff history
High
02 — key-exposure.shSecrets & credential boundary0/6
5
+
Secret scanning is enabled on all active repositories
Critical
6
+
Pre-commit hooks block secrets from entering the codebase
Critical
7
+
Environment files (.env) are excluded from AI agent read scope
Critical
8
+
Hardcoded credentials audit performed in the last 90 days
High
9
+
API key rotation policy is documented and enforced
High
10
+
Production .env files are in a separate, agent-inaccessible vault
Critical
03 — agent-authority.shAgent scope & permission controls0/6
11
+
Each agent has a documented scope: repository, branch, action type
Critical
12
+
Agents operate with minimum-privilege repository access
Critical
13
+
MCP server connections are inventoried and reviewed
High
14
+
Agent token scopes are reviewed and restricted quarterly
High
15
+
Organization-wide agent access is disabled by default
Critical
16
+
Forbidden access zones are defined in writing and enforced technically
Critical
04 — review-boundary.shHuman gate & merge controls0/5
17
+
Branch protection rules require review before merge for AI PRs
Critical
18
+
Code touching secrets paths triggers mandatory security review
Critical
19
+
Reviewers are trained to identify AI-generated code patterns
High
20
+
Review bypass is technically prevented — not just policy-prohibited
Critical
21
+
Human review gates are documented in your SDLC governance policy
Medium
05 — deployment-control.shProduction authority & pipeline gates0/5
22
+
No agent has direct production deployment authority without human gate
Critical
23
+
Production credentials are separated from development environments
Critical
24
+
CI/CD pipeline includes secret scanning as a blocking step
Critical
25
+
Deployment rollback procedures are tested and documented
High
26
+
Infrastructure-as-code changes require separate review from application code
High
06 — audit-memory.shLogging, traceability & accountability0/6
27
+
AI agent actions are logged with identity, timestamp, and scope
Critical
28
+
Audit logs are immutable and protected from agent modification
Critical
29
+
Log retention policy meets your compliance requirements
High
30
+
Secret exposure events trigger a documented incident response workflow
Critical
31
+
Audit reviews are scheduled — not only performed after incidents
Medium
32
+
Governance debt is tracked and reviewed quarterly by engineering leadership
High
Grade Reference
C — Ungoverned AI Code Access (0–39%) B — Partially Governed (40–69%) A — Controlled With Gaps (70–84%) A+ — Codokey Ready (85–100%)