
How BattleHarden Security Grades Work

BattleHarden Team

Every BattleHarden scan produces a letter grade from A to F. This grade provides a quick snapshot of your codebase's security posture, but understanding what goes into it helps you prioritize remediation.

The Grading Scale

Grades are derived from the number of findings in a scan, with each finding weighted by its severity:

Grade   What it means
A       Excellent security posture. Few findings, mostly low severity.
B       Good. Some findings present, but no critical architectural issues.
C       Moderate. Notable security concerns that should be addressed.
D       Poor. Significant vulnerabilities requiring immediate attention.
F       Critical. Severe security issues across multiple categories.

What Gets Measured

BattleHarden analyzes your codebase across multiple dimensions:

Security vulnerabilities. Traditional categories like injection, authentication flaws, and cryptographic weaknesses — plus deeper patterns like cross-module data flow issues and supply chain risks.

Code correctness. Logic errors, silent exception handling, race conditions, and other bugs that could lead to security-relevant failures.

Performance risks. Algorithmic complexity issues, resource exhaustion vectors, and denial-of-service attack surfaces.

Architecture quality. Dependency concentration, module coupling, and structural patterns that amplify the impact of individual vulnerabilities.

Improving Your Grade

The fastest path to grade improvement:

  1. Fix critical and high severity findings first. These have the largest impact on your grade and represent the highest real-world risk.

  2. Address architectural findings. Bottleneck modules and tight coupling amplify the impact of every other vulnerability. Fixing architecture often improves multiple categories at once.

  3. Run weekly re-scans. Security posture is not a snapshot — it changes with every commit. Weekly re-scans catch regressions before they accumulate.

  4. Compare with traditional tools. BattleHarden shows which findings overlap with tools like Bandit and Semgrep and which are unique. The unique findings are where you're getting the most value from deeper analysis.
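The following script is an added example of the severity-weighted grading and triage described above, not BattleHarden's own code: BattleHarden does not publish its formula, so the per-severity weights, the grade thresholds, the 1,000-line repository size, and the sample findings (including the Bandit and Semgrep entries) are all constructed assumptions. It shows why fixing critical and high findings first moves the grade the most, and how to separate findings a traditional tool also reported from those unique to the deeper scan by keying on file and line.

```python
"""Severity-weighted grading and remediation triage (added example).

Not BattleHarden's code. The weights, grade thresholds and the findings
below are constructed assumptions used to show how a severity-weighted
score maps to a letter grade, why fixing critical and high findings
first moves the grade the most, and how to separate findings that a
traditional tool also reported from those unique to the deeper scan.
"""
from dataclasses import dataclass

# Assumed per-finding weights; BattleHarden does not publish its formula.
WEIGHTS = {"critical": 10.0, "high": 5.0, "medium": 2.0, "low": 0.5}

# Assumed grade boundaries on the score per 1,000 lines of code (upper bound inclusive).
THRESHOLDS = [("A", 5.0), ("B", 15.0), ("C", 30.0), ("D", 60.0)]


@dataclass(frozen=True)
class Finding:
    tool: str      # which scanner reported it
    rule: str
    severity: str  # one of WEIGHTS' keys
    path: str
    line: int


def weighted_score(findings, kloc):
    """Sum of severity weights, normalised per thousand lines of code."""
    if kloc <= 0:
        raise ValueError("kloc must be positive")
    return sum(WEIGHTS[f.severity] for f in findings) / kloc


def grade_for(score):
    """Map a score to the first threshold it does not exceed; anything beyond D is F."""
    for letter, limit in THRESHOLDS:
        if score <= limit:
            return letter
    return "F"


def remediation_plan(findings, kloc):
    """Fix highest-weighted findings first and record (finding, score, grade)
    after each fix, so the quickest route to a better grade is visible."""
    queue = sorted(findings, key=lambda f: WEIGHTS[f.severity], reverse=True)
    plan = []
    for i, finding in enumerate(queue):
        score = weighted_score(queue[i + 1:], kloc)
        plan.append((finding, round(score, 2), grade_for(score)))
    return plan


def split_overlap(findings, deep_tool="battleharden"):
    """Partition deep_tool's findings into those a traditional tool also flagged
    at the same file and line, and those only the deep scan produced.
    Keying on (path, line) is an assumption: rule names differ across tools."""
    traditional = {(f.path, f.line) for f in findings if f.tool != deep_tool}
    overlapping, unique = [], []
    for f in findings:
        if f.tool == deep_tool:
            (overlapping if (f.path, f.line) in traditional else unique).append(f)
    return overlapping, unique


# Constructed sample scan output: one deep scan plus two traditional tools.
SAMPLE_FINDINGS = [
    Finding("battleharden", "sql-injection", "critical", "app/db.py", 42),
    Finding("battleharden", "weak-hash-md5", "high", "app/auth.py", 17),
    Finding("battleharden", "cross-module-taint", "high", "app/api.py", 88),
    Finding("battleharden", "silent-except", "medium", "app/worker.py", 9),
    Finding("battleharden", "unused-import", "low", "app/util.py", 3),
    Finding("bandit", "B608", "high", "app/db.py", 42),
    Finding("bandit", "B303", "medium", "app/auth.py", 17),
    Finding("semgrep", "python.lang.security.audit.sqli", "high", "app/db.py", 42),
]
SAMPLE_KLOC = 1.0  # assume a 1,000-line repository

DEEP_FINDINGS = [f for f in SAMPLE_FINDINGS if f.tool == "battleharden"]


if __name__ == "__main__":
    score = weighted_score(DEEP_FINDINGS, SAMPLE_KLOC)
    print(f"score {score:.1f} -> grade {grade_for(score)}")
    for finding, after, grade in remediation_plan(DEEP_FINDINGS, SAMPLE_KLOC):
        print(f"fix {finding.severity:<8} {finding.rule:<22} -> {after:5.1f} ({grade})")
    overlapping, unique = split_overlap(SAMPLE_FINDINGS)
    print(f"{len(overlapping)} overlap with Bandit/Semgrep, {len(unique)} unique to the deep scan")
```

With these assumed numbers the sample repository starts at a C (score 22.5). Removing the single critical finding drops it to a B, and clearing the two highs reaches an A before any medium or low finding is touched, which is the ordering the list above recommends. The overlap split leaves three findings that only the deeper scan produced; those are the ones to read first when judging what the tool adds over Bandit and Semgrep.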

What Grades Don't Tell You

A grade is a summary. It doesn't replace reading individual findings and understanding the specific risks in your codebase. An A-graded project can still have business logic vulnerabilities that no automated tool can detect. And an F-graded project might have findings that are low-risk in its specific deployment context.

Use grades as a triage tool — a way to quickly assess whether a codebase needs immediate attention — and then dive into the specific findings for actionable remediation.
