API Scorecard – Enterprise Readiness
The Jentic API Scorecard is designed for teams that need to know exactly what’s running, verify exactly what was shipped, and operate without a runtime dependency on Jentic infrastructure.
Enterprise-ready by default
For teams that need to know exactly what's running, verify exactly what was shipped, and run without a runtime dependency on Jentic.
Your OpenAPI document never leaves your environment
Scoring runs entirely in a container on your own machine. Local files are piped in over stdin; URLs are fetched on your side — by the container's engine, or host-side by the CLI when you pass --bundle — never by Jentic. Either way, your spec is never uploaded.
The only call to Jentic is a key-check round-trip against api.jentic.com — it carries your key, never any part of your spec, and OAK URLs (jentic-public-apis) skip even that. The one exception is --with-llm, which sends spec context to the LLM provider you choose (point it at a local Ollama to keep that on-machine too).
Auditable end to end
Every component in the scoring stack — runner, CLI, release pipeline, and engine — is Apache 2.0 licensed and source-readable. No proprietary blobs, no closed-source shims. Read the code that's about to grade your specs before you adopt it; audit any line, redistribute under the license terms, fork if you ever need to.
Signed for regulated environments
Every npm tarball and every GHCR image is signed by Sigstore with SLSA provenance and an SPDX SBOM. Signing happens inside an OIDC-driven GitHub Actions workflow with no long-lived publishing secrets — there is no NPM_TOKEN, no PAT, and no human keyholder in the release chain. One command verifies an artifact end-to-end before you install it:
- npm package supply chain: npm provenance, SPDX SBOM, trusted publishing, and the gh attestation verify recipes.
- Docker image supply chain: per-platform SBOMs, dual-store attestations (BuildKit OCI referrers + Sigstore), and verification via either docker buildx imagetools inspect or gh attestation verify.
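A pre-install gate that ties the two verification paths above to the one-to-one pinning rule: it refuses anything but an exact x.y.z pin, fetches that tarball with npm pack, checks its Sigstore/SLSA attestation with gh attestation verify, and then checks the matching GHCR image through both attestation stores. This is an added example, not the project's own tooling; the GitHub org name jentic and the image path ghcr.io/jentic/api-scorecard are assumptions (override them via GH_OWNER and IMAGE_REPO).

```shell
#!/bin/sh
# Pre-install supply-chain gate for the Scorecard CLI and image.
# Assumed (not from the docs): org "jentic" runs the release workflows and
# the image lives at ghcr.io/jentic/api-scorecard. Override via env vars.
set -eu

GH_OWNER="${GH_OWNER:-jentic}"
IMAGE_REPO="${IMAGE_REPO:-ghcr.io/jentic/api-scorecard}"

# Print the version and return 0 only for an exact x.y.z pin of a scoped
# package; ranges (^, ~), dist-tags (latest) and bare names are rejected so
# the CLI -> image tag -> engine chain stays one-to-one and reproducible.
is_exact_pin() {
  spec="$1"
  case "$spec" in
    @*/*@*) version="${spec##*@}" ;;   # strip "@scope/name@"
    *) return 1 ;;
  esac
  printf '%s' "$version" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$' || return 1
  printf '%s\n' "$version"
}

# Download the pinned tarball and verify its SLSA provenance before install.
verify_npm() {
  spec="$1"
  version=$(is_exact_pin "$spec") || { echo "refusing unpinned spec: $spec" >&2; return 1; }
  tarball=$(npm pack "$spec" | tail -n 1)        # writes <name>-<version>.tgz to cwd
  gh attestation verify "$tarball" --owner "$GH_OWNER"
  printf '%s\n' "$version"
}

# Verify the image tag via Sigstore, then read the provenance that BuildKit
# attached as an OCI referrer, so both attestation stores are consulted.
verify_image() {
  tag="$1"
  gh attestation verify "oci://$IMAGE_REPO:$tag" --owner "$GH_OWNER"
  docker buildx imagetools inspect "$IMAGE_REPO:$tag" --format '{{ json .Provenance }}'
}

# Usage in CI (pin value is a placeholder):
#   v=$(verify_npm '@jentic/api-scorecard-cli@X.Y.Z') && verify_image "$v"
```

The image tag passed to verify_image is taken from the CLI version only because the page states the two are locked one-to-one; check the project's release notes if the tag scheme differs.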
Runs anywhere
The image is a closed system at scoring time: every Python wheel, Node.js binary, and validator tarball it needs is baked in at build time, so scoring pulls no runtime packages from PyPI or npmjs. Multi-arch images (linux/amd64 + linux/arm64) ship from the same release, so the same guarantees hold on Apple Silicon dev machines, ARM CI runners, and x86 servers alike.
Pinned for reproducibility
CLI version, image tag, and engine version are locked one-to-one. Pinning @jentic/api-scorecard-cli@<version> resolves to a specific image tag, which in turn pins an exact engine release and exact validator versions. Last month's score is reproducible from last month's pin.