Claude-Code-Workflow/.claude/skills/security-audit/specs/scoring-gates.md

Scoring Gates

Defines the 10-point scoring system, severity weights, quality gates, and trend tracking format for security audits.

When to Use

Phase	Usage	Section
Phase 1	Quick-scan scoring (daily gate)	Severity Weights, Daily Gate
Phase 4	Full audit scoring and reporting	All sections

---

10-Point Scale

All security audit scores are on a 0-10 scale where 10 = no findings and 0 = critical exposure.

Score	Rating	Description
9.0 - 10.0	Excellent	Minimal risk. Production-ready without reservations.
7.0 - 8.9	Good	Low risk. Acceptable for production with minor improvements.
5.0 - 6.9	Fair	Moderate risk. Remediation recommended before production.
3.0 - 4.9	Poor	High risk. Remediation required. Not production-ready.
0.0 - 2.9	Critical	Severe exposure. Immediate action required.

Severity Weights

Each finding is weighted by severity for score calculation.

Severity	Weight	Criteria	Examples
Critical	10	Exploitable with high impact, no user interaction needed	RCE, SQL injection with data access, leaked production credentials, auth bypass
High	7	Exploitable with significant impact, may need user interaction	Broken authentication, SSRF, privilege escalation, XSS with session theft
Medium	4	Limited exploitability or moderate impact	Reflected XSS, CSRF, verbose error messages, missing security headers
Low	1	Informational or minimal impact	Missing best-practice headers, minor info disclosure, deprecated dependencies without known exploit

Score Calculation

Input:
  findings[]     -- array of all findings with severity
  files_scanned  -- total source files analyzed

Algorithm:
  base_score = 10.0
  normalization = max(10, files_scanned)

  weighted_sum = 0
  for each finding:
    weighted_sum += severity_weight(finding.severity)

  penalty = weighted_sum / normalization
  final_score = max(0, base_score - penalty)
  final_score = round(final_score, 1)

  return final_score

Example:

Findings	Files Scanned	Weighted Sum	Penalty	Score
1 critical	50	10	0.2	9.8
2 critical, 3 high	50	41	0.82	9.2
5 critical, 10 high	50	120	2.4	7.6
10 critical, 20 high, 15 medium	100	300	3.0	7.0
20 critical	20	200	10.0	0.0

Quality Gates

Daily Quick-Scan Gate

Applies to Phase 1 (Supply Chain Scan) only.

Result	Condition	Action
PASS	score >= 8.0	Continue. No blocking issues.
WARN	6.0 <= score < 8.0	Log warning. Review findings before deploy.
FAIL	score < 6.0	Block deployment. Remediate critical/high findings.

Comprehensive Audit Gate

Applies to full audit (all 4 phases).

Initial/Baseline audit (no previous audit exists):

Result	Condition	Action
PASS	score >= 2.0	Baseline established. Plan remediation.
FAIL	score < 2.0	Critical exposure. Immediate triage required.

Subsequent audits (previous audit exists):

Result	Condition	Action
PASS	score >= previous_score	No regression. Continue improvement.
WARN	score within 0.5 of previous	Marginal change. Review new findings.
FAIL	score < previous_score - 0.5	Regression detected. Investigate new findings.

Production readiness target: score >= 7.0

Trend Tracking Format

Each audit report stores trend data for comparison.

{
  "trend": {
    "current_date": "2026-03-29",
    "current_score": 7.5,
    "previous_date": "2026-03-22",
    "previous_score": 6.8,
    "score_delta": 0.7,
    "new_findings": 2,
    "resolved_findings": 5,
    "direction": "improving",
    "history": [
      { "date": "2026-03-15", "score": 5.2, "total_findings": 45 },
      { "date": "2026-03-22", "score": 6.8, "total_findings": 32 },
      { "date": "2026-03-29", "score": 7.5, "total_findings": 29 }
    ]
  }
}

Direction values:

Direction	Condition
improving	score_delta > 0.5
stable	-0.5 <= score_delta <= 0.5
regressing	score_delta < -0.5
baseline	No previous audit exists

Finding Deduplication

When the same vulnerability appears in multiple phases:

1. Keep the highest-severity classification
2. Merge evidence from all phases
3. Count as a single finding for scoring
4. Note all phases that detected it