I built a security auditing engine that combines 10 detection engines
(Bandit, Semgrep, Gitleaks, IaC, CICD, dependency scanning and more)
and produces a calibrated Security Posture Index instead of a raw
findings dump.
The scoring uses WSPM v2.2:
SPI = 100 × exp(-(Σ WeightedExposure) / K)
K scales dynamically with project size. Context matters — findings in
test code are weighted differently than findings in production handlers.

Scanned 7 real-world AI infrastructure codebases. Raw output: ~7,600 findings. After context filtering and reachability analysis: 1 actionable finding. Sent a responsible disclosure letter.
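Added worked example of the SPI formula above (illustration only, not the project's code): the context multipliers, severity scores and the K scaling rule are assumptions, since the post does not publish them. It shows how reachability and context weighting change the score for a small constructed set of findings.

```python
import math
from dataclasses import dataclass

# ASSUMED context multipliers: a finding in test code counts far less
# than the same finding in a production handler.
CONTEXT_WEIGHT = {"production": 1.0, "vendored": 0.5, "test": 0.2}

# ASSUMED base exposure per severity.
SEVERITY_SCORE = {"critical": 10.0, "high": 5.0, "medium": 2.0, "low": 0.5}


@dataclass
class Finding:
    severity: str
    context: str
    reachable: bool = True  # result of reachability analysis


def weighted_exposure(f: Finding) -> float:
    """Exposure contributed by one finding after context/reachability weighting."""
    if not f.reachable:
        return 0.0  # unreachable code paths contribute nothing
    return SEVERITY_SCORE[f.severity] * CONTEXT_WEIGHT[f.context]


def scale_k(loc: int, base: float = 20.0, per_kloc: float = 2.0) -> float:
    """ASSUMED size scaling: K grows with lines of code so that a large
    codebase is not penalised merely for having more surface area."""
    return base + per_kloc * (loc / 1000)


def spi(findings: list[Finding], loc: int) -> float:
    """SPI = 100 * exp(-(sum of weighted exposure) / K)."""
    total = sum(weighted_exposure(f) for f in findings)
    return 100.0 * math.exp(-total / scale_k(loc))


# Constructed sample: same severities, different contexts and reachability.
SAMPLE = [
    Finding("high", "production"),
    Finding("high", "test"),
    Finding("critical", "production", reachable=False),
]

if __name__ == "__main__":
    print(f"SPI (10k LOC): {spi(SAMPLE, 10_000):.2f}")
    # Moving the test-code finding into production lowers the score.
    worst = [Finding("high", "production"), Finding("high", "production")]
    print(f"SPI all-production: {spi(worst, 10_000):.2f}")
```

With the assumed weights the sample scores about 86.1; the same two high findings both in production handlers score about 77.9, and a clean project scores exactly 100.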
Free demo on GitHub (3 runs, no signup, no telemetry): https://github.com/auditor-core-systems/auditor-core-demo