Metrics

Every metric carries its own definition in the report — formula and cutoffs, verbatim — so you never have to come here to find out what a number means. This page is the same information, gathered.

Every metric also carries its evidence: the things that produced it. A count of 23 has 23 evidence records; a median has the whole population it was computed over. Click a number in the console and it opens into the list.


Activity

MetricDefinition
activity.commits.totalCommits reachable from HEAD in the window.
activity.commits.humanCommits whose author is not a bot or an AI agent.
activity.commits.botCommits by CI, dependency or service bots.
activity.commits.ai_agentCommits by an AI coding agent — counted separately from both humans and CI bots, because an agent’s commit is neither, and folding it into either distorts contributor counts in a different direction.
activity.contributors.totalDistinct human contributors after identity merging. Co-authors count.
activity.contributors.activeCommitted within the last 90 days.
activity.contributors.newFirst commit within the last 90 days.
activity.contributors.departedSilent for more than 90 days but active within the last 365. Somebody gone two years is history, not churn.
activity.bus_factor.commitsThe smallest number of contributors whose cumulative share of commits, ranked descending, first exceeds 50%. Bots excluded. The evidence is the whole ranked list — a bus factor of 2 means nothing without the distribution behind it.
activity.ownership.top_contributor_shareThe single most prolific contributor’s share of all human commits.

From the forge

MetricDefinition
activity.pull_requests.merged / .rejected / .openA pull request closed without merging is a rejection, counted separately. It is not a merge and it has no merge time.
activity.time_to_first_response.{median,p90,mean}Seconds from a pull request becoming ready for review — not from when it was opened — to the first comment or review by somebody other than the author, excluding bots. Draft time is not charged to the reviewer.
activity.time_to_first_review.*To the first submitted review. A comment is not a review.
activity.time_to_merge.*Ready-for-review → merge. Computed only for pull requests that were merged.
activity.issues.unansweredIssues with no comment from anybody but the author. Excluded from the response-time statistics — an issue nobody answered has no response time, and averaging it in as a zero would say the opposite of the truth.

Security

MetricDefinition
security.commits.unreviewedCommits on the default branch whose pull request has no approving review from anybody other than the author. Merge commits excluded. The best compliance metric there is: a repository can have perfect review coverage on its pull requests and still have half its commits pushed straight to main.
security.commits.review_unknownCommits with no resolvable pull request at all. Deliberately not counted as unreviewed — we could not tell, and “we could not tell” is a different claim from “nobody reviewed it”. Collapsing them turns an absence of evidence into an accusation.
security.pull_requests.unreviewedMerged with no approving review from anybody else.
security.pull_requests.self_mergedThe author merged their own work with nobody else approving.
security.secrets.commit_messagesA credential written into a commit message. No content scanner looks here, because the message is not a file. It is in the object database permanently.
security.secrets.committed_filesFiles whose names mark them as credentials (id_rsa, .env, *.pem, service-account JSON, keystores) that appear anywhere in history, whether or not they still exist at HEAD. Deleting a file does not unpublish it.
security.commits.signedCommits carrying a PGP signature. Presence only — verifying it needs the signer’s public key, which the CLI does not have, so a signed commit is reported as present-but-unverified rather than valid.

The secrets metrics answer a different question from a normal secret scan. Not “is there a secret in the code” but “does a credential need rotating” — and a secret removed in the next commit is still a secret that was published.


Quality

MetricDefinition
quality.complexity.median / .p90Cyclomatic complexity — decision points plus one — per language, via tree-sitter. Files in languages with no grammar are excluded, not scored zero.
quality.complexity.highFiles at or above the threshold (default 15).
quality.complexity.risingFiles whose complexity is trending upward: a least-squares slope of more than 0.01 per day, with R² ≥ 0.5 so the line actually fits. Regressed against calendar time, not against the commit index — a file with ten commits in one afternoon and one a year later has a per-commit slope that means nothing.
quality.coupling.pairsFiles that change together in ≥ 3 commits. Strength is coChanges / min(commits to either file) × 100 — the minimum, so a pair is not judged by how often the busier of the two is touched.
quality.coupling.strongPairs that change together ≥ 70% of the time. The hidden architectural dependencies: two files that must move together, with nothing in the code to say so.
quality.hotspotsBoth frequently changed (≥ 5 commits) and complex. Churn alone is normal activity; churn crossed with complexity is where the cost is.
quality.commits.fix / .revertCorrective and firefighting commits, by message prefix.

Commits touching more than 60 files are excluded from coupling: a bulk rename couples nothing, and including it would make every file appear coupled to every other. The count says so.


Maintainability

MetricDefinition
maintainability.repo.statusActive ≤ 90d, Aging ≤ 180d, Stale ≤ 365d, else Unmaintained — from the most recent commit. One ladder, applied to everything, so you learn it once.
maintainability.ownership.single_maintainerFiles with ≥ 3 commits where one author holds ≥ 70%. The knowledge-concentration risk.
maintainability.ownership.fragmentedFiles with ≥ 10 commits touched by ≥ 5 authors. The opposite failure: nobody owns it.

Trustworthiness

trust.policy.breaches — compliance checks with no satisfying file. Each breach records the globs that were searched, because “no license” is an accusation and “we looked for LICENSE*, LICENCE*, COPYING* and found none” is a finding.

Checked: license, README, contributing guide, code of conduct, security policy, changelog, support policy, code owners, issue and pull-request templates, CI configuration, dependency automation, tests.


Business

MetricDefinition
business.dependencies.staleMore than 2 releases behind the version the ecosystem recommends. versionsBehind counts releases published between the resolved version and the recommended onenot the total number of releases, so a package pinned to the newest version is zero behind however long its history is.
business.dependencies.very_staleMore than 6 behind. At this distance an upgrade is a project, not a bump.
business.dependencies.eolPast end-of-life. No further security fixes, regardless of what is found.
business.dependencies.agedResolved version published over a year ago. Not automatically a problem — some libraries are finished — but combined with an advisory it means nobody is coming to fix it.
business.language.*Source files per language.

Staleness needs registry metadata, which needs Vulnetix authentication. Without it these are null with a reason — not zero. “Nothing is stale” is a claim an unauthenticated run has not earned.


Graph

MetricDefinition
graph.symbols.totalFunctions, methods, classes and interfaces.
graph.imports.resolvedImports that resolve to a file in this repository. An import that resolves to nothing produces no edge at all, rather than a guess with a confidence attached to it.
graph.cross_repo.totalEvery join key published for the org graph.
graph.cross_repo.{kind}.{role}Per kind and role — package/consumes, http_route/provides, and so on.

The three ways a metric can relate to its evidence

instancesThe value counts the evidence. 23 means 23 evidence records.
populationThe value is a statistic — a median, a slope. The evidence is the whole population it was computed over, because a statistic without its distribution is a number you cannot check.
assertionA judgement (a boolean, a category) whose evidence has no countable relationship to it.

And two ways it can be complete:

exhaustiveEvery evidence item is present.
truncatedA cap was hit. omittedCount and truncationReason are required.

There is no third option. A report that quietly carries fewer evidence items than its metric claims is rejected — by the CLI when it writes it, and by the server when it receives it.