
How Your Security Scan Score is Calculated

Your AuditAgent score sits on a scale of 0 to 100, where 100 is the best possible score. The precise algorithm involves multiple factors and weightings, but this page covers the components that drive the final number.

Security Score

The score reflects the density and severity of issues found in your codebase, adjusted by the confidence we have in the detectors that surfaced them, and slightly adjusted for overall code quality.

warning

LLM-based detectors can hallucinate findings, and every false positive moves the score. Review each finding before acting on it.

How the score is built

The final score is derived through three stages.

1. Base security score

The primary component. Calculated as 100 - Security Penalty, where the penalty is built from these inputs.

  • Weighted issues. Each finding is weighted by severity (High, Medium, Low). Informational findings and best practices do not directly affect this weight.
  • Detector confidence. The weight of a finding is adjusted by the confidence level of the detector that found it. Deterministic static analysers carry more weight than probabilistic LLM-based detectors. This normalises the impact of different finding types.
  • Issue density. The total weighted issues are considered against the size of your codebase, measured in actual code lines (comments excluded). A project with many issues in a small codebase generally scores lower than the same number of issues in a much larger codebase.
  • Security penalty. A logarithmic scaling is applied to issue density so that scores stay granular at low to moderate densities, rather than collapsing to the floor after a handful of findings.

2. Quality penalty

A small penalty applied based on overall code quality and on the ratio of comments to actual code lines.

If the comment ratio falls below a target, a small (capped) penalty is applied. There is no bonus for exceeding the target, so the system does not incentivise excessive or unhelpful comments.

tip

Use the Summary and Diagram generated from your codebase to improve your documentation, which in turn improves this part of the score.

3. Final score

Final Score = Base Security Score - Quality Penalty

The result is rounded up to the nearest integer and clamped between 0 and 100.
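The three stages above, as an added worked example. This is not AuditAgent's own scoring code: the severity weights, the detector confidence factors, the per-1,000-line density unit, the logarithmic penalty scale, the 10% comment-ratio target and the 5-point quality cap are all assumed constants chosen to illustrate the shape of the calculation, not values taken from the page.

```python
import math
from dataclasses import dataclass

# Assumed constants (not from AuditAgent). Informational/best-practice
# findings get weight 0 so they do not affect the penalty, as the page states.
SEVERITY_WEIGHT = {"high": 10.0, "medium": 4.0, "low": 1.0, "info": 0.0}
# Assumed: deterministic static analysers count fully, LLM detectors are discounted.
DETECTOR_CONFIDENCE = {"static": 1.0, "llm": 0.6}


@dataclass
class Finding:
    severity: str   # "high" | "medium" | "low" | "info"
    detector: str   # "static" | "llm"


def weighted_issues(findings):
    """Stage 1a/1b: severity weight scaled by detector confidence."""
    return sum(
        SEVERITY_WEIGHT[f.severity.lower()] * DETECTOR_CONFIDENCE[f.detector.lower()]
        for f in findings
    )


def issue_density(weighted, code_lines):
    """Stage 1c: weighted issues per 1,000 actual code lines (comments excluded)."""
    return weighted * 1000.0 / max(code_lines, 1)


def security_penalty(density, scale=25.0):
    """Stage 1d: logarithmic scaling keeps low densities granular; capped at 100.
    scale is an assumed tuning constant."""
    return min(100.0, scale * math.log1p(density))


def quality_penalty(code_lines, comment_lines, target_ratio=0.10, max_penalty=5.0):
    """Stage 2: small capped penalty when comment ratio is below target.
    No bonus above the target. target_ratio and max_penalty are assumed."""
    ratio = comment_lines / max(code_lines, 1)
    if ratio >= target_ratio:
        return 0.0
    return max_penalty * (target_ratio - ratio) / target_ratio


def final_score(findings, code_lines, comment_lines):
    """Stage 3: base security score minus quality penalty, rounded up, clamped to 0..100."""
    base = 100.0 - security_penalty(issue_density(weighted_issues(findings), code_lines))
    score = base - quality_penalty(code_lines, comment_lines)
    return max(0, min(100, math.ceil(score)))


if __name__ == "__main__":
    # Constructed sample: one High from a static analyser, one Medium from an LLM detector.
    sample = [Finding("high", "static"), Finding("medium", "llm")]
    # Same findings, 10x larger codebase: density drops, score rises.
    print("1,000 code lines:", final_score(sample, 1000, 100))
    print("10,000 code lines:", final_score(sample, 10000, 1000))
```

The two calls at the bottom show the density effect described under "Things worth knowing": the same two findings score noticeably lower in a 1,000-line project than in a 10,000-line one, and a High surfaced by an LLM detector contributes less weight than the same High from a deterministic analyser.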

Things worth knowing

  • Lines of code. The score normalises for project size, so a larger codebase is not unfairly penalised for having more code. Density is what matters.
  • Severity weighting. High-severity issues move the score significantly more than low-severity ones.
  • Still experimental. The LLM-based portions of the scoring system are being refined. False positives can move the score.
  • Score is a benchmark, not the goal. AuditAgent exists to surface actionable issues. Treat the score as a fast signal, not the deliverable.