Security Scoring
When you run a `full_audit`, Veilguard scores your codebase with a strict penalty-based model: every project starts at 100 and loses points per issue. The full audit is Pro-only and unlimited; on the free plan, calling it returns an upgrade prompt, so run the individual scanners for free vulnerability alerts.
Calculation Model
Every project begins with a perfect score of 100. Each issue subtracts points based on what it is and how much damage it causes — the most dangerous patterns cost the most:
| Penalty | Issue type |
|---|---|
| −25 | Service-role / admin key exposed in frontend code — instant database takeover |
| −20 | Hardcoded secret · unverified webhook · SQL/NoSQL/command injection · missing Supabase RLS · open Firebase rules · IDOR |
| −15 | Mass assignment · missing rate limiting on auth or payment routes |
| −10 | Wildcard CORS · sensitive data written to logs |
| −8 | Error stack traces exposed to users |
| −5 | Missing security headers (CSP, HSTS, X-Frame-Options) |
| −1 | Informational findings |
Anything uncategorised falls back to −15 for a critical finding and −5 for a warning. The final score is floored at 0.
Grades Overview
| Score | Grade | Meaning |
|---|---|---|
| 95 - 100 | A+ | Production-ready. Excellent security hygiene. |
| 90 - 94 | A | Production-ready. Excellent security hygiene. |
| 85 - 89 | B+ | Good security. A few improvements before scaling. |
| 80 - 84 | B | Good security. A few improvements before scaling. |
| 75 - 79 | C+ | Moderate risk. Fix warnings before you get real users. |
| 70 - 74 | C | Moderate risk. Fix warnings before you get real users. |
| 60 - 69 | D | High risk. Critical issues present. Fix before deploying. |
| 0 - 59 | F | Do NOT deploy. Critical vulnerabilities attackers actively exploit. |
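The penalty table and the grade bands above, implemented end to end as an added example (this is not Veilguard's own code). The category keys, the `Finding` type and the sample audit are constructed for the example; only the point values, the critical/warning fallback, the floor at 0 and the grade thresholds come from the page.

```python
from dataclasses import dataclass

# Penalty per issue type, transcribed from the table above. The keys are
# labels chosen for this example, not Veilguard's own finding identifiers.
PENALTIES = {
    "service_role_key_in_frontend": 25,
    "hardcoded_secret": 20, "unverified_webhook": 20, "injection": 20,
    "missing_supabase_rls": 20, "open_firebase_rules": 20, "idor": 20,
    "mass_assignment": 15, "missing_rate_limit_auth_or_payment": 15,
    "wildcard_cors": 10, "sensitive_data_in_logs": 10,
    "stack_trace_exposed": 8,
    "missing_security_headers": 5,
    "informational": 1,
}
# Uncategorised findings fall back to a flat penalty by severity.
FALLBACK = {"critical": 15, "warning": 5}
# Grade bands, highest first: (lowest score in the band, grade).
GRADE_BANDS = [(95, "A+"), (90, "A"), (85, "B+"), (80, "B"),
               (75, "C+"), (70, "C"), (60, "D"), (0, "F")]

@dataclass(frozen=True)
class Finding:
    category: str
    severity: str = "warning"  # only consulted when the category is unknown

def penalty_for(finding: Finding) -> int:
    if finding.category in PENALTIES:
        return PENALTIES[finding.category]
    if finding.severity not in FALLBACK:
        raise ValueError(f"unknown severity: {finding.severity!r}")
    return FALLBACK[finding.severity]

def score(findings) -> int:
    # Start at 100, subtract every penalty, never go below 0.
    return max(100 - sum(penalty_for(f) for f in findings), 0)

def grade(score_value: int) -> str:
    return next(letter for floor, letter in GRADE_BANDS if score_value >= floor)

def sample_audit():
    # Constructed audit: an exposed service-role key, wildcard CORS, one
    # missing header and a critical finding from a hypothetical custom rule.
    return [Finding("service_role_key_in_frontend", "critical"),
            Finding("wildcard_cors"),
            Finding("missing_security_headers"),
            Finding("custom_rule_placeholder", "critical")]

if __name__ == "__main__":
    s = score(sample_audit())
    print(f"score={s} grade={grade(s)}")  # → score=45 grade=F
```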