Security report: grade A, score 98/100
The security report brings together all findings from the analysis into a prioritized view. This page explains each section and the available actions.

Grade and score

The report header displays:
  • Grade letter — from A (best) to E (critical):
    Grade   Label
    A       Excellent
    B       Good
    C       Acceptable
    D       Attention
    E       Critical
  • Numeric score — from 0 to 100.
  • Summary — a sentence reflecting the overall state:
    • “X authored items need attention”
    • “Inherited dependencies only — no urgent actions”
    • “No issues detected”
Click the methodology link next to the summary to see exactly how the score is calculated.

Finding categories

Each finding belongs to one of the three categories below. Understanding the difference is the most important step to prioritizing correctly.
  • Authored: vulnerabilities introduced directly by the code your team wrote. Prioritize these. They carry maximum weight in the score. If the Authored counter is greater than zero, the score will be significantly affected.
  • Inherited: flaws in third-party packages your project imports. Worth reviewing — especially critical and high ones — but fixing them requires updating the package version, not changing your own code directly.
  • Noise: findings from packages used only in development that never reach production. They do not affect your score and are hidden by default. To view them, click “Show X noise items (dev-only)” at the bottom of the list.

Severity levels

Within each category, findings are ordered by severity:
Severity   Meaning
Critical   Immediate risk of compromise. Fix before anything else.
High       Serious risk that should be resolved in the next sprint.
Medium     Moderate risk. Plan the fix.
Low        Limited impact. Fix when convenient.
Minimal    Informational. Very low practical impact.

EPSS badges

Some findings display an additional real exploitation risk badge:

🔴 Active exploitation

≥ 90th percentile EPSS. This finding is among the most likely to be exploited in the next 30 days, according to FIRST.org data. Prioritize the fix immediately.

🟠 Elevated risk

Between the 50th and 90th percentile. Above the industry median. Worth scheduling the fix.
EPSS measures the real probability of exploitation, not just technical severity. A Medium severity finding with an Active exploitation badge may be more urgent than a High finding without one.

Finding details

Click any finding to see:
  • Title and severity badge (e.g., CRITICAL RISK, HIGH RISK)
  • Problem description
  • Affected location — file path or module name
  • Code snippet — when available
  • Fix suggestion
  • Classification — Authored / Inherited / Noise

Available actions

Mark as resolved

Click the checkbox next to a finding to mark it as resolved after applying the fix.

Create a Kanban task

Click Create Task to send the finding directly to your Kanban board. Priority is mapped automatically:
Severity   Kanban priority
Critical   P1
High       P2
Medium     P3
After creating the task, a status badge appears on the finding: To Do / In Progress / In Review / Done.

Use the AI fix prompt

Click AI Agent Fix Prompt to copy a ready-made remediation prompt to paste into your preferred code assistant — Copilot, Cursor, Bolt, or similar. The prompt already includes the finding’s context and fix instructions.

Unlocking Re-Check

The Re-Check button stays locked until all Critical and High findings are marked as resolved or dismissed.
Re-Check will not be enabled while there are pending Critical or High findings — regardless of category. Resolve or dismiss each one to unlock the option.
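The triage rules on this page (category and severity ordering, Noise hidden by default, EPSS badge thresholds, the severity to Kanban priority mapping, and the Re-Check lock) combined into one added Python example. This is illustration code, not the report tool's own implementation; the finding titles and EPSS percentiles are constructed samples.

```python
from dataclasses import dataclass
from typing import Optional

# Orderings and mappings exactly as the report documentation states them.
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Minimal": 4}
CATEGORY_RANK = {"Authored": 0, "Inherited": 1, "Noise": 2}
KANBAN_PRIORITY = {"Critical": "P1", "High": "P2", "Medium": "P3"}  # no mapping given for Low/Minimal


@dataclass
class Finding:
    title: str
    category: str                              # Authored / Inherited / Noise
    severity: str                              # Critical / High / Medium / Low / Minimal
    epss_percentile: Optional[float] = None    # 0-100, EPSS percentile (FIRST.org data)
    status: str = "open"                       # open / resolved / dismissed


def epss_badge(percentile: Optional[float]) -> Optional[str]:
    """>= 90th percentile: Active exploitation; 50th-90th: Elevated risk; else no badge."""
    if percentile is None:
        return None
    if percentile >= 90:
        return "Active exploitation"
    if percentile >= 50:
        return "Elevated risk"
    return None


def kanban_priority(finding: Finding) -> Optional[str]:
    """Priority assigned automatically when a task is created from the finding."""
    return KANBAN_PRIORITY.get(finding.severity)


def visible_findings(findings, show_noise=False):
    """Noise (dev-only) is hidden unless requested; order by category, then severity."""
    shown = [f for f in findings if show_noise or f.category != "Noise"]
    return sorted(shown, key=lambda f: (CATEGORY_RANK[f.category], SEVERITY_RANK[f.severity]))


def recheck_unlocked(findings) -> bool:
    """Re-Check stays locked while any Critical/High finding is still open, in any category."""
    return not any(f.severity in ("Critical", "High") and f.status == "open" for f in findings)


# Constructed sample findings (not real scan output).
SAMPLE = [
    Finding("Hardcoded credential in config loader", "Authored", "High"),
    Finding("Unsafe deserialization in parsing library", "Inherited", "Critical", epss_percentile=94.0),
    Finding("Regex denial of service in test helper", "Noise", "High", epss_percentile=55.0),
    Finding("Verbose stack trace on error page", "Authored", "Medium", epss_percentile=72.0),
]
```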