Frequently asked questions

Straight answers about what ShipReady Metrics measures and how. Every score traces back to real connected data — the platform never shows sample data or a fabricated number.

Getting started

What the platform measures and how to light it up.

What is the ShipReady Score?

A single 0–100 composite of nine domain scores — AI Readiness, AI ROI, Agent Health, Technical Debt, IT Modernization, Lifecycle Risk, Security Readiness, Delivery Health, and Cloud Health — graded A–F. It's a weighted roll-up of only the dimensions your connected sources actually measure; dimensions without a source are left out rather than given a placeholder grade.

Why do my dashboards say “Connect a source”?

Every score is computed from real connected data — the platform never shows sample data or a placeholder grade. Until a connector for a given dimension has synced, that dimension shows a “Connect a source” state instead of a number. Connect a tool on the Connections page to populate it.

How do I get my first score?

Go to Connections and connect a data source — GitHub is the fastest (it feeds Delivery Health, Technical Debt, IT Modernization, Lifecycle Risk, and Security Readiness). The platform validates your credentials live, encrypts them, and runs the first sync. Small orgs see their Executive Overview populate in about a minute; large estates (hundreds of repositories) can take several minutes to sync fully.

What can each role do?

Admins manage the org, connectors, the risk register, and curate Decisions. Engineers can manage connectors and run audits. Executives (and all members) can view every score, brief, and report. Connector and curation writes are enforced both in the app and by row-level security in the database.

Connecting data sources

What each connector pulls, and the common setup snags.

Which tools can I connect?

GitHub, GitLab, Gitea, Vercel, Azure DevOps, Atlassian (Jira + Bitbucket), AWS, Microsoft Azure, Google Cloud, Supabase, and AI Spend (OpenAI/Anthropic cost). Each has a step-by-step setup guide at /docs/connectors.

How narrow is the access, and where are credentials stored?

We validate every credential live before storing anything. Most providers offer narrowly-scoped tokens and we request exactly those; a few (Vercel, Supabase) have no scoped tier, so their tokens carry broad account access — create those with a short expiration and rotate them. Credentials are encrypted at rest (AES-256-GCM) with the key held outside the database, and scoped to your organization by row-level security; they are never shared across orgs and never returned to a browser or written to a log.

My connection failed — where do I look?

The Connections page shows the specific error inline. Most failures are credential or access-scope issues, not bugs. Open the connector's setup guide at /docs/connectors/<provider> for the exact steps, and see the provider-specific answers below.

Azure: “authenticated, but no read access” / 403

Your app registration is valid (it authenticated) but the service principal hasn't been granted read access to the subscription. Fix: Subscription → Access control (IAM) → Add role assignment → Reader → select your app → Review + assign. Wait 1–2 minutes for it to propagate, then Connect again. (Add Security Reader the same way only if Defender data doesn't appear.)

Azure: which secret do I paste?

The client secret VALUE (the long string shown once when you create the secret), NOT the Secret ID. If you only have the Secret ID, create a new client secret under Certificates & secrets and copy its Value immediately — Azure won't show it again.

Azure: where is the Subscription ID?

Portal → search “Subscriptions” → open your subscription → the Subscription ID (a GUID) is on the Overview with a copy icon. If the list is empty you have no active subscription yet — create one (free account or pay-as-you-go) before connecting, because the Reader role is granted on a subscription.

GitLab / Gitea: “did not return JSON” or a host error

You entered a repository or project URL instead of the instance root. Leave the host blank for the public SaaS (gitlab.com / gitea.com); for self-managed, use the instance ROOT (e.g. https://gitlab.example.com) — not a /username, group, or repo URL, which redirects to a sign-in page and fails.

AWS: connected but no security findings

Security Hub is regional and must be enabled in the primary region you entered — otherwise the connector reports zero findings rather than faking a clean posture. Cost Explorer needs no setup. Make sure the IAM user has the SecurityAudit + ViewOnlyAccess policies.

GitHub: which token scopes do I need?

Use a fine-grained token (recommended — it is the only GitHub token type with a truly narrow repository grant): Read on Contents, Metadata, Pull requests, and Actions, plus Organization → read. Classic tokens also work (repo, read:org, read:user), but note the classic repo scope carries write capability, so prefer fine-grained or set a short expiration. Never grant admin.

How often does my data refresh?

On connect, and then on a scheduled re-sync. To force an immediate refresh, use “Sync now” on the Connections page. Some changes (e.g. a raised findings cap) only take effect on the next sync.

Scores & how they're computed

Every number traces back to real inputs — here's how to read them.

How is each score calculated?

Open any score page and read the “How this score is calculated” section — it shows each subscore, its real inputs, and how they combine. Nothing is a black box and nothing is fabricated; an input with no data is omitted, not defaulted.

Why is a score “not measured”?

No connected source feeds it yet. For example, Security Readiness needs GitHub, GitLab, AWS, Azure, GCP, or Supabase; Cloud Health needs a cloud connector (AWS, Azure, GCP, or Supabase); Delivery Health can also come from Vercel; Agent Health needs agent execution telemetry. Connect the relevant tool and it activates.

Why did Security Readiness suddenly show hundreds of vulnerabilities?

That's your real exposure from a connected source — most often GitHub Dependabot alerts across your repos. The score counts the full set of open findings by severity. It's not a glitch; it's the actual open-alert volume.

The findings list shows fewer items than the score counts. Why?

The score counts every finding; the drill-down list stores a bounded sample per source (currently up to 2,000) for performance. After raising the cap, re-sync the connector to repopulate the list. Use the severity and connector filters to focus.

Can I see vulnerabilities across all connectors, and per connector?

Yes — the Security Findings page shows an aggregate across every connected source plus a per-connector breakdown, and you can filter the list by connector and severity.

Security & your data

How your data is isolated, stored, and used.

Who can see my organization's data?

Only members of your organization. Every row is scoped to your org and enforced by database row-level security, so one organization can never read another's scores, findings, connectors, or decisions.

Does anything leave the platform?

The AI Security Audit runs Claude over your normalized security findings to produce a board-ready summary — that's the one feature that sends finding metadata to an LLM, and only when you click “Run audit”. Otherwise your data stays within the app and its database.

What does “actively exploited (KEV)” mean on a finding?

The finding's CVE is on CISA's Known Exploited Vulnerabilities catalog — confirmed exploited in the wild. These float to the top of the findings list and should be patched first, ahead of CVSS-based prioritization.

Can I export or delete my data?

Yes — reports and findings export to CSV/Markdown, and the org's data can be exported. Account/data erasure is handled on request as a deliberate, confirmed action.

How are my connector tokens and credentials stored?

Encrypted at rest with AES-256-GCM before they reach the database. The ciphertext lives in a table no browser session can read (deny-all row security — only the server can decrypt, and only during a sync), and the encryption key is never sent to a client or written to a log.

Exactly what data can each connector read?

The exact scopes each one requests, what it pulls, and which scores it feeds are published per connector on the public data-access page (/trust/data-access) — rendered from the same connector registry the app runs on, so the page can never understate what is requested.

Decisions, reporting & the board pack

Turning scores into decisions a leader can act on.

What is the Decisions view?

It re-frames your scores' top recommendations as ranked, owned asks — each with an accountable role, what it unlocks, and an estimated cost when a real costed source backs it. Admins can curate them (own, sequence, value, note) and track each to closure for a quarterly review.

What is the Board Pack?

A print-ready executive decision memo in Situation → Complication → Question → the Asks order, with a traceability appendix linking every claim back to a live page. Use it to walk into a board meeting with a sourced, decision-ready document.

How do I get a PDF?

Open the Board Pack or an Executive Brief and use Print / Save as PDF — the app hides its navigation when printing so you get a clean one-pager.

What does the decision “est. cost” mean, and why is some “Not quantified”?

A dollar figure appears ONLY when a real costed source backs the decision — e.g. lifecycle remediation cost (estimated effort × a loaded rate). It is an estimated cost, never a risk “exposure” invented from a score. Security/risk-register risks read “Not quantified” until an approved financial assessment exists — qualitative risk points are never multiplied into dollars. An admin can also enter a real value on the Decisions page.

Trial, plans & billing

How the free trial works and what happens after it.

How does the free trial work?

Signing up starts an instant 14-day free trial — no card required and no approval wait. You get a full workspace: connect a source, run a sync, and see your first ShipReady Score the same day.

What happens when my trial ends?

The workspace locks until a plan is arranged — nothing is deleted. Your connections, score history, and reports are all kept, and everything is exactly where you left it once the plan is active.

How do I buy a paid plan?

There is no self-serve checkout yet. The pricing page (/pricing) shows exactly what each tier includes — rendered from the same entitlement table the product enforces — and paid plans are arranged directly with the team via the enterprise page (/enterprise).

Get your ShipReady Score

Connect a source and your Executive Overview populates as the first sync completes — about a minute for small orgs, several minutes for large estates.

Every signup starts an instant 14-day trial — no card required, no waiting on approval. There’s no self-serve checkout yet; paid plans are arranged with the team. See what each tier includes.