Risk Scoring
Ariftly's risk scoring system converts raw scan findings into a single, comparable number — making it easy to track progress and set automated thresholds.
Score range
All risk scores are on a 0–100 scale:
| Score | Level | Indicator |
|---|---|---|
| 0–25 | Low | 🟢 Healthy posture |
| 26–50 | Medium | 🟡 Attention needed |
| 51–75 | High | 🟠 Significant risk |
| 76–100 | Critical | 🔴 Immediate action required |
Lower is better. A score of 0 means no issues were found.
How scores are calculated
Per-finding severity weights
Each finding contributes to the score based on its severity:
| Severity | Base weight |
|---|---|
| Critical | 25 |
| High | 10 |
| Medium | 3 |
| Low | 1 |
| Info | 0 |
Detector score
The detector score is computed from its findings:
raw_score = Σ (finding.weight for finding in findings)
detector_score = min(100, normalize(raw_score, target_size))
Normalization accounts for the target size — a large application with 200 pages is held to a different baseline than a single-page app.
Overall risk score
The overall score is a weighted average of all detector scores:
overall_score = Σ (detector_score × detector_weight) / Σ detector_weights
Default detector weights:
| Detector | Default weight |
|---|---|
| Security Scan | 1.5 |
| Accessibility Scan | 1.0 |
| AI Readiness Scan | 1.0 |
Security findings carry more weight by default because they tend to have immediate, direct impact. These weights can be customized in your project settings.
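The pipeline above, carried through end to end as an added worked example (this is illustrative code, not Ariftly's implementation). The severity weights and the default detector weights are the page's own; the `normalize()` function, its `BASELINE_RAW` budget and the square-root scaling with target size are assumptions, since the page only states that normalization accounts for target size without giving a formula. The sample findings are constructed.

```python
"""Worked example of the scoring pipeline: per-finding severity weights,
a per-detector score capped at 100, and a weighted average across detectors.
Added illustration, not Ariftly's code. Severity and detector weights are the
page's defaults; normalize() is an assumption, the page does not define it."""
import math
from collections import defaultdict
from dataclasses import dataclass

# Page's default per-finding severity weights.
SEVERITY_WEIGHTS = {"critical": 25, "high": 10, "medium": 3, "low": 1, "info": 0}

# Page's default detector weights; overridable per project.
DEFAULT_DETECTOR_WEIGHTS = {"security": 1.5, "accessibility": 1.0, "ai_readiness": 1.0}

# Assumption (not from the page): a raw-score budget of 50 points for a
# single page, growing with the square root of the page count so that large
# targets get a higher baseline without making findings vanish entirely.
BASELINE_RAW = 50.0


@dataclass(frozen=True)
class Finding:
    detector: str   # e.g. "security"
    severity: str   # one of the SEVERITY_WEIGHTS keys


def raw_score(findings):
    """raw_score = Σ finding.weight over one detector's findings."""
    return sum(SEVERITY_WEIGHTS[f.severity.lower()] for f in findings)


def normalize(raw, target_size):
    """Assumed normalization: raw as a percentage of a size-adjusted budget."""
    budget = BASELINE_RAW * math.sqrt(max(1, target_size))
    return 100.0 * raw / budget


def detector_score(findings, target_size):
    """detector_score = min(100, normalize(raw_score, target_size))."""
    return min(100.0, normalize(raw_score(findings), target_size))


def overall_score(detector_scores, weights=None):
    """Weighted average over the detectors that actually ran."""
    if weights is None:
        weights = DEFAULT_DETECTOR_WEIGHTS
    total_weight = sum(weights[d] for d in detector_scores)
    weighted = sum(score * weights[d] for d, score in detector_scores.items())
    return weighted / total_weight


def level(score):
    """Map a 0-100 score to the page's four levels (score rounded to an integer)."""
    s = round(score)
    if s <= 25:
        return "Low"
    if s <= 50:
        return "Medium"
    if s <= 75:
        return "High"
    return "Critical"


def score_scan(findings, target_size, weights=None):
    """Full pipeline: group findings by detector, score each, then combine."""
    by_detector = defaultdict(list)
    for f in findings:
        by_detector[f.detector].append(f)
    scores = {d: detector_score(fs, target_size) for d, fs in by_detector.items()}
    overall = overall_score(scores, weights)
    return {"detectors": scores, "overall": overall, "level": level(overall)}


# Constructed sample scan of a 4-page target (sqrt(4) = 2, so the budget is 100):
# security raw = 25 + 3 + 3 = 31, accessibility raw = 10 + 1 + 1 = 12.
SAMPLE_FINDINGS = [
    Finding("security", "critical"),
    Finding("security", "medium"),
    Finding("security", "medium"),
    Finding("accessibility", "high"),
    Finding("accessibility", "low"),
    Finding("accessibility", "low"),
    Finding("ai_readiness", "info"),
]

if __name__ == "__main__":
    print(score_scan(SAMPLE_FINDINGS, target_size=4))
```

Two things the numbers make visible: the per-detector cap means five criticals on a single page saturate at 100 rather than 125, and because the overall score divides by the sum of weights of the detectors present, raising the security weight from 1.5 to 3.0 in project settings moves the same scan from about 16.7 to 21.0.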
Score trends
Every completed scan is stored, so you can track your risk score over time. The dashboard shows:
- Score trend chart — daily/weekly/monthly views
- Delta vs previous scan — how much the score changed
- New vs resolved issues — what was introduced or fixed
Using scores in CI/CD
You can configure scan thresholds so that a build fails when a score is strictly greater than its limit, either for the overall score or for an individual detector score:

```yaml
# Example: fail if overall score > 70, or security score > 50
ariftly:
  thresholds:
    overall: 70
    security: 50
```
See CI/CD Integration for full configuration details.
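A threshold gate of the kind the config above describes, as an added example; it is not Ariftly's CLI or its config loader. It assumes the `thresholds` mapping has already been loaded into a dict (for instance by a YAML parser) and that the scan result is a dict of 0-100 scores keyed `overall` plus one key per detector. Two design choices are mine rather than the page's: unknown threshold keys are rejected, so a typo cannot silently disable a gate, and a threshold whose detector score is absent from the result counts as a failure rather than a pass. The sample scores and thresholds are constructed.

```python
"""CI threshold gate, added example (not Ariftly's code). A score fails only
when it is strictly greater than its limit, matching the "> 70" in the
config example; a score equal to the limit passes."""

KNOWN_SCORE_KEYS = {"overall", "security", "accessibility", "ai_readiness"}


def validate_thresholds(thresholds):
    """Reject unknown keys so a typo such as 'secuirty' cannot silently disable a gate."""
    unknown = set(thresholds) - KNOWN_SCORE_KEYS
    if unknown:
        raise ValueError(f"unknown threshold keys: {sorted(unknown)}")
    for key, limit in thresholds.items():
        if not isinstance(limit, (int, float)) or not 0 <= limit <= 100:
            raise ValueError(f"threshold {key!r} must be a number in 0..100, got {limit!r}")
    return thresholds


def evaluate_thresholds(scores, thresholds):
    """Return (key, score, limit) for every configured limit the scan exceeds."""
    validate_thresholds(thresholds)
    violations = []
    for key, limit in thresholds.items():
        if key not in scores:
            # Design choice: a missing detector score fails the gate, so a
            # skipped security scan cannot satisfy a security threshold.
            violations.append((key, None, limit))
        elif scores[key] > limit:
            violations.append((key, scores[key], limit))
    return violations


def score_deltas(current, previous):
    """Delta vs the previous scan per key (positive means worse), for the build log."""
    return {k: current[k] - previous[k] for k in current if k in previous}


def gate(scores, thresholds, previous=None):
    """Decide the build outcome. Returns (exit_code, report_lines)."""
    lines = []
    if previous:
        for key, delta in score_deltas(scores, previous).items():
            lines.append(f"{key}: {scores[key]:.1f} ({delta:+.1f} vs previous scan)")
    violations = evaluate_thresholds(scores, thresholds)
    for key, score, limit in violations:
        shown = "missing" if score is None else f"{score:.1f}"
        lines.append(f"FAIL {key}: score {shown} exceeds threshold {limit}")
    exit_code = 1 if violations else 0
    lines.append("build gate: " + ("FAILED" if exit_code else "passed"))
    return exit_code, lines


# Constructed sample: the thresholds from the config example, and a scan whose
# overall score is over its limit while security is just under its own.
SAMPLE_THRESHOLDS = {"overall": 70, "security": 50}
SAMPLE_SCORES = {"overall": 72.6, "security": 48.0, "accessibility": 90.0, "ai_readiness": 92.0}
PREVIOUS_SCORES = {"overall": 66.4, "security": 55.0, "accessibility": 70.0, "ai_readiness": 80.0}

if __name__ == "__main__":
    code, report = gate(SAMPLE_SCORES, SAMPLE_THRESHOLDS, PREVIOUS_SCORES)
    print("\n".join(report))
    raise SystemExit(code)
```

Note that the sample build still fails even though security improved by seven points between scans: the gate is on absolute limits, not on the delta, so a regression elsewhere (here accessibility and AI readiness) pushes the overall score over its threshold.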
Score vs. compliance status
Risk scores reflect relative risk, not strict compliance. A score of 0 does not guarantee full WCAG 2.1 AA compliance or zero CVEs — it means Ariftly found no issues with its current ruleset. Use scores alongside your compliance review process, not as a replacement for it.