
reponomics/PolicyChecks


PolicyChecks is a GitHub App-backed badge service and validation endpoint for repository settings that ordinary public badge services cannot verify. It exposes badge SVG, Shields-compatible JSON, and proof JSON endpoints for repository administration and security settings that map to clear admin UI controls and direct GitHub REST API responses. This gives maintainers a convenient way to show that a project not only follows best practices, but that these practices are backed by administrative policies at the repository settings level. This fills a modest gap in the badge ecosystem between excellent services like shields.io (which does not have the permissions to report on these facts) and OSSF Scorecard (which does take into account many of these same conditions, but does not expose individual setting-level endpoints).

The current product surface is intentionally narrow. It is constrained by two goals: requesting the minimum permissions and relying only on clear signals the GitHub API already provides. Within those limits it checks effective repository settings, selected repository configuration, and the active ruleset-derived settings of the default branch. A setting may be configured directly at the repository level or inherited from an organization policy, security configuration, or ruleset; either way it counts, as long as the repository-scoped GitHub API reports the effective value.

| Check | Claim ID | Passing result | Other results |
|---|---|---|---|
| Immutable releases | immutable-releases | enabled | disabled or unknown |
| SHA pinning | sha-pinning-required | enabled | disabled or unknown |
| Web signoff | web-commit-signoff-required | enabled | disabled or unknown |
| Community health | community-health | GitHub score, for example 87/100 | unknown |
| Secret scanning | secret-scanning-enabled | enabled | disabled or unknown |
| Secret push protection | secret-push-protection-enabled | enabled | disabled or unknown |
| Force pushes blocked | default-branch-force-pushes-blocked | enabled | disabled or unknown |
| Signed commits | default-branch-signed-commits-required | enabled | disabled or unknown |
| Linear history | default-branch-linear-history-required | enabled | disabled or unknown |
| Deletion blocked | default-branch-deletion-blocked | enabled | disabled or unknown |
| Pull request required | default-branch-pull-request-required | enabled | disabled or unknown |
| Status checks | default-branch-status-checks-required | enabled | disabled or unknown |

Unlike OSSF Scorecard, PolicyChecks does not try to provide an in-depth evaluation of a repository's overall security posture or adherence to best practices; it simply reports the current state of an admin setting. It does not claim historical continuity, and it cannot prove that a privileged administrator never changed, or will never change, a setting. In that sense it is not a security audit. It is closer to shields.io with minimally elevated (read-only) permissions.

Endpoints

Each claim supports the same endpoint shape:

GET /github/{owner}/{repo}/{claim}.svg
GET /github/{owner}/{repo}/{claim}.json
GET /github/{owner}/{repo}/{claim}/proof.json
GET /github/{owner}/{repo}/info.json

Use the SVG endpoint for badges, the Shields-compatible JSON endpoint for badge tooling, and the proof endpoint for the underlying PolicyChecks result. README badges can link directly to their proof JSON:

[![Immutable releases](https://policychecks.reponomics.org/github/OWNER/REPO/immutable-releases.svg)](https://policychecks.reponomics.org/github/OWNER/REPO/immutable-releases/proof.json)

[![SHA pinning](https://policychecks.reponomics.org/github/OWNER/REPO/sha-pinning-required.svg)](https://policychecks.reponomics.org/github/OWNER/REPO/sha-pinning-required/proof.json)

[![Web signoff](https://policychecks.reponomics.org/github/OWNER/REPO/web-commit-signoff-required.svg)](https://policychecks.reponomics.org/github/OWNER/REPO/web-commit-signoff-required/proof.json)

[![Community health](https://policychecks.reponomics.org/github/OWNER/REPO/community-health.svg)](https://policychecks.reponomics.org/github/OWNER/REPO/community-health/proof.json)

[![Secret scanning](https://policychecks.reponomics.org/github/OWNER/REPO/secret-scanning-enabled.svg)](https://policychecks.reponomics.org/github/OWNER/REPO/secret-scanning-enabled/proof.json)

[![Secret push protection](https://policychecks.reponomics.org/github/OWNER/REPO/secret-push-protection-enabled.svg)](https://policychecks.reponomics.org/github/OWNER/REPO/secret-push-protection-enabled/proof.json)

[![Force pushes blocked](https://policychecks.reponomics.org/github/OWNER/REPO/default-branch-force-pushes-blocked.svg)](https://policychecks.reponomics.org/github/OWNER/REPO/default-branch-force-pushes-blocked/proof.json)

[![Signed commits](https://policychecks.reponomics.org/github/OWNER/REPO/default-branch-signed-commits-required.svg)](https://policychecks.reponomics.org/github/OWNER/REPO/default-branch-signed-commits-required/proof.json)

[![Linear history](https://policychecks.reponomics.org/github/OWNER/REPO/default-branch-linear-history-required.svg)](https://policychecks.reponomics.org/github/OWNER/REPO/default-branch-linear-history-required/proof.json)

[![Deletion blocked](https://policychecks.reponomics.org/github/OWNER/REPO/default-branch-deletion-blocked.svg)](https://policychecks.reponomics.org/github/OWNER/REPO/default-branch-deletion-blocked/proof.json)

[![Pull request required](https://policychecks.reponomics.org/github/OWNER/REPO/default-branch-pull-request-required.svg)](https://policychecks.reponomics.org/github/OWNER/REPO/default-branch-pull-request-required/proof.json)

[![Status checks](https://policychecks.reponomics.org/github/OWNER/REPO/default-branch-status-checks-required.svg)](https://policychecks.reponomics.org/github/OWNER/REPO/default-branch-status-checks-required/proof.json)

The aggregate endpoint returns all currently supported claims for a repository:

https://policychecks.reponomics.org/github/OWNER/REPO/info.json

Results

Proof responses and badges use the same result vocabulary. Setting and ruleset checks report enabled, disabled, or unknown. The community health check reports GitHub's score, such as 87/100, or unknown when the score cannot be reported.

unknown is returned when PolicyChecks cannot safely interpret what GitHub returned as evidence of either enabled or disabled: for example, when access is denied, a rate limit is hit, the API is unavailable, the response has an unexpected shape, or the endpoint's semantics are ambiguous for the claim.

Detailed per-claim response mappings are documented in docs/claim-semantics.md.
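As an added illustration of how GitHub REST API responses map onto the enabled / disabled / unknown vocabulary, and of where unknown comes from, the following Python function evaluates constructed copies of three GitHub responses: the repository object (`GET /repos/{owner}/{repo}`), the active branch rules for the default branch (`GET /repos/{owner}/{repo}/rules/branches/{branch}`), and the community profile (`GET /repos/{owner}/{repo}/community/profile`). This is example code written for this page, not PolicyChecks' own implementation. The field and rule-type names are those of GitHub's public REST API; the mapping, the function names and the sample responses are assumptions of the example, and the immutable-releases and sha-pinning-required claims are not modeled.

```python
"""Map GitHub REST API responses to PolicyChecks-style claim results.

Example code written for this page; not PolicyChecks' own implementation.
Field and rule-type names follow GitHub's public REST API; the mapping and
the sample responses below are assumptions of the example.
"""
from typing import Any, Optional

ENABLED, DISABLED, UNKNOWN = "enabled", "disabled", "unknown"

# Ruleset rule types reported by GET /repos/{owner}/{repo}/rules/branches/{branch}.
# Note: that endpoint reflects rulesets only, not classic branch protection,
# which matches the "ruleset-derived" scope described above.
RULESET_CLAIMS = {
    "default-branch-force-pushes-blocked": "non_fast_forward",
    "default-branch-signed-commits-required": "required_signatures",
    "default-branch-linear-history-required": "required_linear_history",
    "default-branch-deletion-blocked": "deletion",
    "default-branch-pull-request-required": "pull_request",
    "default-branch-status-checks-required": "required_status_checks",
}

# Constructed sample responses (not real API captures).
SAMPLE_REPO: dict[str, Any] = {
    "default_branch": "main",
    "web_commit_signoff_required": True,
    "security_and_analysis": {
        "secret_scanning": {"status": "enabled"},
        "secret_scanning_push_protection": {"status": "disabled"},
    },
}
SAMPLE_RULES: list[dict[str, Any]] = [
    {"type": "deletion", "ruleset_id": 1},
    {"type": "non_fast_forward", "ruleset_id": 1},
    {"type": "pull_request", "ruleset_id": 1,
     "parameters": {"required_approving_review_count": 1}},
    {"type": "required_status_checks", "ruleset_id": 1,
     "parameters": {"strict_required_status_checks_policy": True}},
]
SAMPLE_COMMUNITY: dict[str, Any] = {"health_percentage": 87}


def _bool_claim(value: Any) -> str:
    """A strict boolean is evidence; anything else (missing, null) is unknown."""
    if value is True:
        return ENABLED
    if value is False:
        return DISABLED
    return UNKNOWN


def _status_claim(block: Any, key: str) -> str:
    """security_and_analysis is omitted entirely when the caller lacks rights."""
    if not isinstance(block, dict):
        return UNKNOWN
    status = (block.get(key) or {}).get("status")
    if status == "enabled":
        return ENABLED
    if status == "disabled":
        return DISABLED
    return UNKNOWN


def evaluate(repo: Any, rules: Any, community: Any) -> dict[str, str]:
    """Return a claim-id -> result mapping using the enabled/disabled/unknown vocabulary."""
    results: dict[str, str] = {}
    repo = repo if isinstance(repo, dict) else {}
    results["web-commit-signoff-required"] = _bool_claim(repo.get("web_commit_signoff_required"))
    saa = repo.get("security_and_analysis")
    results["secret-scanning-enabled"] = _status_claim(saa, "secret_scanning")
    results["secret-push-protection-enabled"] = _status_claim(saa, "secret_scanning_push_protection")

    # An empty list is real evidence (no ruleset rule applies); a non-list
    # (e.g. None after a 403 or 5xx) is not, so every ruleset claim is unknown.
    if isinstance(rules, list) and all(isinstance(r, dict) and "type" in r for r in rules):
        active = {r["type"] for r in rules}
        for claim, rule_type in RULESET_CLAIMS.items():
            results[claim] = ENABLED if rule_type in active else DISABLED
    else:
        for claim in RULESET_CLAIMS:
            results[claim] = UNKNOWN

    hp: Optional[Any] = community.get("health_percentage") if isinstance(community, dict) else None
    # bool is an int subclass in Python, so exclude it explicitly.
    if isinstance(hp, int) and not isinstance(hp, bool) and 0 <= hp <= 100:
        results["community-health"] = f"{hp}/100"
    else:
        results["community-health"] = UNKNOWN

    # Not modeled in this example: reported as unknown rather than guessed.
    results["immutable-releases"] = UNKNOWN
    results["sha-pinning-required"] = UNKNOWN
    return results


def demo() -> dict[str, str]:
    return evaluate(SAMPLE_REPO, SAMPLE_RULES, SAMPLE_COMMUNITY)


if __name__ == "__main__":
    for claim, result in sorted(demo().items()):
        print(f"{claim}: {result}")
```

The two conservative choices are the ones that matter for a badge consumer: a missing `security_and_analysis` block or a failed branch-rules call degrades to unknown rather than to disabled, and only a strict boolean or a literal `"enabled"`/`"disabled"` status counts as evidence. Calling `evaluate({"default_branch": "main"}, None, {})` therefore yields unknown for every claim.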

Note

PolicyChecks badges are public signals backed by proof JSON. Like any README badge, the image can be copied or misrepresented; the useful check is following the proof link and reviewing the current GitHub API evidence.

Permissions

The app requires the repository Administration: Read permission for each repository that hosts a badge. It supports personal and organization-owned repositories, public or private, as long as the GitHub App is installed on the repository. PolicyChecks does not call organization APIs or fetch repository file contents; the community health badge uses GitHub's community profile metric. If GitHub withholds a repository metadata field, the active branch-rules response, or the community profile response from the installed app, PolicyChecks reports unknown.

Contributing

Contributor setup and local development commands are documented in CONTRIBUTING.md.

License

See LICENSE

MIT © 2026 Reponomics Contributors

About

A badge service that is able to report on a repository's settings, providing a convenient way for maintainers to demonstrate publicly that best practices are enforced as policies at the repo configuration level
