CAI Get a survey →

The catalog

Every dimension the CAI measures.

The standard is composed of 124 dimensions across 10 lenses. Each is a definition — what it measures and how it's evaluated — pinned to a rubric version. This catalog is the standard's vocabulary; the spec documents how each folds into the score.

4 published versions · this catalog as JSON

Showing only the Security lens. Show all 124 dimensions →

124 dimensions

Security · 18 dimensions

IDDimensionWhat it measuresWhy it mattersEvaluator
D28 Secrets (history) Whether any secrets were ever committed — scanned across the full git history, not just now. When this is weak, secrets were committed somewhere in the project's history, so even if removed today they remain readable to anyone who can clone the repository. tool
D29 Static Analysis (SAST) Real static-analysis (SAST) findings — likely security bugs in the code, any language. When this is weak, automated static analysis finds likely security bugs in the code, meaning real, exploitable weaknesses are present in the delivery. tool
D30 Dependency Vulnerabilities Whether any dependencies have known published vulnerabilities (CVEs), direct or transitive. When this is weak, dependencies carry known published vulnerabilities (CVEs), so the delivery ships with publicly documented weaknesses an attacker can look up and exploit. tool
D31 IaC & Container Security Whether Dockerfiles / Terraform / Kubernetes config follow security best practices. When this is weak, the Docker, Terraform or Kubernetes configuration does not follow security best practices, so the infrastructure itself is misconfigured and exposed. tool
D32 Data Compliance (PII/GDPR) Likely personal-data (PII / GDPR) handling concerns — logging or storing data without safeguards. When this is weak, the code likely handles personal data without proper safeguards — logging or storing it unprotected — exposing you to GDPR and privacy risk. tool
D33 JS/npm Dependency Vulnerabilities Whether JavaScript/npm dependencies have known published vulnerabilities (CVEs) — the npm ecosystem's biggest risk. When this is weak, JavaScript/npm dependencies carry known published vulnerabilities (CVEs) — the npm ecosystem's biggest risk — so the frontend ships with documented, exploitable weaknesses. tool
D36 Supply-chain Provenance & Signing Whether the build pipeline provides supply-chain integrity — generated provenance/attestation, signed artifacts (cosign/sigstore), an SBOM, and pinned build actions. Presence of the configuration, not a runtime guarantee. When this is weak, the build pipeline lacks supply-chain integrity — no provenance, signing or SBOM, or unpinned actions — so a consumer can't verify how the artifact was built or whether it was tampered with. tool
D37 Vulnerability-disclosure Policy Whether the repository publishes a coordinated-vulnerability-disclosure policy (SECURITY.md or security.txt) with a reporting contact, so finders know how to report a vulnerability. Presence of a policy file with a contact, not whether the policy is adequate or honoured. When this is weak, there is no published vulnerability-disclosure policy (no SECURITY.md or security.txt with a reporting contact), so a researcher who finds a flaw has no documented way to report it to you. tool
D38 OSV Dependency Vulnerabilities Whether dependencies have known published vulnerabilities (CVEs) per the OSV database — npm and other lockfile ecosystems, parsed natively. Complements D33 (npm via trivy) and D30 (.NET via dotnet). tool
C1 Data Protectionmeta Whether sensitive data is encrypted at rest and in transit and keys are vaulted. When this is weak, sensitive data is not consistently encrypted at rest and in transit with keys properly vaulted, so that data is more exposed if the system is breached. tool
C2 Access Controlsmeta Whether access is authorized by default — [Authorize]/policies or imperative guard methods (throw-on-violation) called from handlers. When this is weak, access is not authorised by default — endpoints lack proper role and policy enforcement — so data or actions may be reachable by people who should not have them. tool
C3 Audit Trailmeta Whether changes to sensitive data are recorded (who, what, when) for compliance + incident response. When this is weak, changes to sensitive data are not recorded, so you cannot tell who changed what and when — undermining compliance and incident response. tool
C4 Data Retentionmeta Whether data has a defined lifetime — retention periods, TTLs, cleanup jobs (storage limitation). When this is weak, data has no defined lifetime — no retention periods or cleanup — so personal and other data accumulates indefinitely, contrary to storage-limitation requirements. tool
C5 Data-Subject Rightsmeta Whether GDPR data-subject requests are supported in code — erasure, export/portability, consent. When this is weak, GDPR data-subject requests are not supported in code — no erasure, export or consent handling — so meeting a lawful request becomes a manual, risky scramble. tool
LA1 Personal-Data Handling (GDPR)meta LLM-confirmed personal-data handling surface — fields that are genuine personal data about a real person (not fiction/test/config), surfaced for the GDPR Art. 25/32 self-assessment. Advisory. When this is weak, the code handles personal data the team hasn't yet confirmed is minimised, retention-limited and protected — a GDPR Art. 25/32 exposure flagged by AI for a human to review. LLM · advisory
LA3 Vulnerability-Disclosure Policymeta LLM-judged whether a SECURITY.md / security.txt is a real coordinated vulnerability-disclosure policy (contact + how to report + handling), not just a stub. Advisory. When this is weak, there is no real coordinated vulnerability-disclosure policy (a security contact and a reporting process), so a researcher who finds a flaw has no safe way to report it (CRA/ISO), as judged by AI. LLM · advisory
LA4 Dev/Test/Prod Separationmeta LLM-judged whether configuration separates development/test/production (distinct per-environment settings) rather than commingling them. Advisory. When this is weak, development, test and production may share configuration and secrets rather than being separated, raising the risk that a test setting or credential reaches production (ISO A.8.31), as judged by AI. LLM · advisory
S1 Web-Security Posturemeta Transport security, security headers, secure cookies, input validation, middleware order and crypto hygiene (presence, not runtime). When this is weak, the web application lacks basic protections — transport security, security headers, secure cookies, input validation — leaving it open to common web attacks. tool