Understanding Risk Scores and Grades
This section explains how RepoRisk calculates risk scores and grades, and how to interpret them alongside the Executive Summary for a complete security assessment.
Risk Score Calculation
The Risk Score is an objective, point-based metric (0-100) derived from the number and severity of findings relative to the size of the project.
Point Values
Each finding contributes points based on its severity:
| Severity | Points per Finding |
|---|---|
| Critical | 10 points |
| High | 5 points |
| Medium | 2 points |
| Low | 0.5 points |
If any critical blockers (such as license restrictions that prevent commercial use) are detected, an additional 20 points are added to the score. Blockers also trigger an automatic grade adjustment (see Automatic Grade Adjustments below), so their effect on the grade does not depend on these 20 points alone.
Normalization
The raw point total is normalized against the number of files analyzed, so that larger repositories are not penalized simply for having more code. The formula produces a score on a 0-100 scale where:
- Lower scores indicate fewer or less severe findings relative to project size
- Higher scores indicate more numerous or more severe findings relative to project size
Because the score is relative to file count, the same handful of findings produces a higher score in a small repository than in a large one. When comparing projects of very different sizes, read the score together with the raw finding counts.
Risk Grade
The Risk Grade is a letter grade (A-F) derived from the risk score, with additional adjustments based on the presence and count of critical and high-severity findings and on critical blockers. The criteria below are checked from A down to F; the first row whose conditions all hold gives the score-based grade, and the automatic adjustments are then applied on top of it.
Grade Criteria
| Grade | Label | Criteria |
|---|---|---|
| A | Minimal Risk | Score below 15, no critical findings, fewer than 5 high findings |
| B | Low Risk | Score below 30, 2 or fewer critical findings |
| C | Moderate Risk | Score below 50 |
| D | High Risk | Score below 70; also forced by 5-9 critical findings, by any critical finding with a score of 50+, or by any critical blockers (see adjustments below) |
| F | Critical Risk | Score 70 or above, 10+ critical findings, or blockers with 5+ critical findings |
Automatic Grade Adjustments
Certain conditions override the score-based grade. Each override is a severity floor: it can push the grade down to D or F, but it never raises a grade the score alone would give (a score of 70 or above stays F regardless):
- Any critical blockers (e.g., restrictive licenses) automatically set the grade to at least D. If there are also 5 or more critical findings or the score is 70+, the grade is set to F instead
- 10 or more critical findings automatically result in an F grade
- 5-9 critical findings automatically result in a D grade
- Any critical findings combined with a score of 50+ result in a D grade
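The point table, the blocker penalty, the grade criteria and the adjustments above can be tied together in a short implementation. The following is an added illustration, not RepoRisk's own code. Severity points, the 20-point blocker penalty, the grade rows and the override rules are taken from this section; the normalization step is an assumption (points per 100 files, clamped to 100), because the page does not give RepoRisk's actual formula. The sample scans are constructed to show the two behaviours practitioners most often ask about: the same findings grading A or B depending only on repository size, and a low score being pushed to D or F by an override.

```python
"""Worked example of RepoRisk-style scoring and grading (added illustration).

Point values, the blocker penalty, the grade table and the automatic
adjustments follow this section. The normalization formula is not given on
the page: the points-per-100-files scaling below is an ASSUMPTION made so
the example runs end to end, not RepoRisk's actual formula.
"""
from dataclasses import dataclass, field

POINTS = {"critical": 10.0, "high": 5.0, "medium": 2.0, "low": 0.5}
BLOCKER_PENALTY = 20.0          # added once if any critical blocker exists
LABELS = {"A": "Minimal Risk", "B": "Low Risk", "C": "Moderate Risk",
          "D": "High Risk", "F": "Critical Risk"}
GRADE_ORDER = "ABCDF"           # left = best, right = worst


@dataclass
class Scan:
    files_analyzed: int
    findings: list              # severity strings: "critical", "high", ...
    blockers: list = field(default_factory=list)  # e.g. a license blocker

    def count(self, severity):
        return sum(1 for s in self.findings if s == severity)


def raw_points(scan):
    """Sum severity points; add the blocker penalty once if any blocker exists."""
    total = sum(POINTS[s] for s in scan.findings)
    if scan.blockers:
        total += BLOCKER_PENALTY
    return total


def normalize(points, files_analyzed, files_per_unit=100):
    """ASSUMED normalization: points per 100 files, clamped to the 0-100 scale.
    Consequence worth knowing: identical findings score higher in a small repo."""
    per_unit = points * files_per_unit / max(files_analyzed, 1)
    return round(min(100.0, per_unit), 2)


def score_grade(score, n_critical, n_high):
    """Score-based grade from the table; rows are checked top-down, first match wins."""
    if score < 15 and n_critical == 0 and n_high < 5:
        return "A"
    if score < 30 and n_critical <= 2:
        return "B"
    if score < 50:
        return "C"
    if score < 70:
        return "D"
    return "F"


def worse(a, b):
    """Return the worse of two grades, so an adjustment can never improve one."""
    return a if GRADE_ORDER.index(a) >= GRADE_ORDER.index(b) else b


def apply_adjustments(grade, score, n_critical, has_blockers):
    """Automatic adjustments as severity floors: push down to D or F, never up."""
    if n_critical >= 10:
        grade = worse(grade, "F")
    if has_blockers:
        grade = worse(grade, "F" if (n_critical >= 5 or score >= 70) else "D")
    if 5 <= n_critical <= 9:
        grade = worse(grade, "D")
    if n_critical >= 1 and score >= 50:
        grade = worse(grade, "D")
    return grade


def assess(scan):
    """Full pipeline: points -> normalized score -> table grade -> adjusted grade."""
    score = normalize(raw_points(scan), scan.files_analyzed)
    n_crit, n_high = scan.count("critical"), scan.count("high")
    base = score_grade(score, n_crit, n_high)
    grade = apply_adjustments(base, score, n_crit, bool(scan.blockers))
    return {"points": raw_points(scan), "score": score,
            "base_grade": base, "grade": grade, "label": LABELS[grade]}


# Constructed sample scans (not real RepoRisk output).
SCANS = {
    # Same findings, different repo sizes: normalization alone moves A to B.
    "clean_large": Scan(400, ["low"] * 3 + ["medium"]),
    "clean_small": Scan(20, ["low"] * 3 + ["medium"]),
    # Low score but a license blocker: table says A, override forces D.
    "blocker": Scan(300, ["medium"] * 2, blockers=["license forbids commercial use"]),
    # Sparse findings but 10 criticals: table says C, override forces F.
    "many_critical": Scan(1000, ["critical"] * 10),
    # Dense findings in a small repo: score clamps at 100, grade F.
    "dense": Scan(50, ["critical"] * 4 + ["high"] * 2),
}

if __name__ == "__main__":
    for name, scan in SCANS.items():
        r = assess(scan)
        print(f"{name:14} points={r['points']:6.1f} score={r['score']:6.2f} "
              f"table={r['base_grade']} final={r['grade']} ({r['label']})")
```

Running the script prints one line per sample scan. The `blocker` and `many_critical` rows are the ones to look at: both have a low normalized score (8.0 and 10.0 under the assumed normalization) and would grade A and C from the table alone, but the overrides pull them to D and F. The `clean_large` and `clean_small` rows carry identical findings and differ only in file count, which is the normalization effect described above.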
Executive Summary
The Executive Summary is an AI-generated narrative assessment that provides context the risk score alone cannot capture. It includes:
- Assessment: An overall rating (Excellent, Acceptable, Concerning, High Risk, Critical, or Blocked)
- Description: A plain-language summary of the security posture
- Impact: What could happen if the code is deployed as-is
- Recommendation: Actionable guidance for IT and security teams
- Compensating Controls: Specific mitigations to reduce risk if deployment proceeds
- Top Concerns: The most frequently occurring critical/high finding categories
Combining the Risk Score and Executive Summary
The risk score and grade provide an objective, formulaic measurement of security findings. However, they do not account for all factors that matter in a real-world deployment decision. The Executive Summary adds essential context that the numerical score cannot reflect on its own.
Why Both Are Needed
- The risk score is purely mechanical -- it counts findings by severity and normalizes against project size. It treats all findings of a given severity equally regardless of the application's purpose, deployment context, or whether compensating controls exist.
- The Executive Summary considers intent and context. For example, a repository with several "high" findings related to cryptographic practices may be perfectly acceptable if it is an internal tool that never handles sensitive data. Conversely, a low risk score might still warrant caution if the few findings present are in authentication logic for a public-facing application.
When They May Diverge
There are cases where the objective risk score may not fully reflect the true risk:
- False positives or context-dependent findings: The score counts all findings equally within a severity tier. The Executive Summary can note when findings are unlikely to be exploitable in practice.
- Intent and use case: A development tool used internally carries different risk than a customer-facing production service, even with identical findings.
- Compensating controls: External controls (firewalls, access restrictions, monitoring) can reduce the real-world impact of findings, and the score has no way to account for them.
- License and legal context: A license blocker forces a high score and low grade, but the Executive Summary provides additional context. Note that the information provided is general in nature and does not constitute legal advice. If you have concerns about licensing, consult with an attorney.
Recommended Approach
When making a determination about the safety of an application:
- Start with the Risk Grade to get a quick sense of overall security posture
- Review the Risk Score to understand the magnitude of findings
- Read the Executive Summary for context, impact analysis, and actionable recommendations
- Consider both together -- the grade tells you what was found; the Executive Summary tells you what it means for your specific situation
- Review compensating controls if deploying despite identified risks
The risk score and Executive Summary are designed to complement each other. Neither should be used in isolation when making security or deployment decisions.