The risk assessment engine combines results from all pipeline stages into a single score (0-100), then maps it to a tier that determines review requirements.

| Category | Points | Cap |
|---|---|---|
| Policy violations | +30 per violation | 40 |
| Secret findings | +50 per finding | 50 |
| Dependency vulnerabilities (low) | +5 each | 50 (combined across all dependency severities) |
| Dependency vulnerabilities (moderate) | +15 each | 50 (combined across all dependency severities) |
| Dependency vulnerabilities (high) | +25 each | 50 (combined across all dependency severities) |
| Dependency vulnerabilities (critical) | +40 each | 50 (combined across all dependency severities) |
| SAST warnings | +10 each | 40 (combined with SAST errors) |
| SAST errors | +20 each | 40 (combined with SAST warnings) |
| Test failures | +30 (flat, added once if any test fails) | 30 |
| Scope exceeded | +20 (flat, added once) | 20 |

Each category is capped individually, the capped subtotals are summed, and the total score is capped at 100.


| Tier | Score range | Default approvals | Auto-merge | Security team |
|---|---|---|---|---|
| LOW | 0–30 | 0 | Yes | No |
| MEDIUM | 31–70 | 1 | No | No |
| HIGH | 71–100 | 2 | No | Yes |

Override thresholds and requirements in your `.ai-code-gate.yml`. Each tier's `threshold` is the inclusive upper bound of its score range (the default tiers above correspond to thresholds of 30, 70 and 100), so the configuration below moves scores of 21–60 into MEDIUM and 61–100 into HIGH:

```yaml
review:
  risk_tiers:
    low:
      threshold: 20
      approvals: 1
      auto_merge: false
    medium:
      threshold: 60
      approvals: 2
    high:
      threshold: 100
      approvals: 3
      require_security_team: true
```
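Putting the scoring table, the default tiers and the override together, the following is a constructed Python example added here (it is not the ai-code-gate project's own code) that computes the capped score from a set of findings and resolves the review requirements for the resulting tier, under both the default tiers and the override above. The point values, caps and defaults are taken from the tables; the findings dict layout, the function names, the treatment of `threshold` as the inclusive upper bound of a tier, and the assumption that an `auto_merge` or `require_security_team` key missing from a tier means `false` are all assumptions of this example.

```python
"""Risk score and tier mapping as described in the tables above.

Constructed example: this is not the ai-code-gate implementation. Point
values, caps and default tiers are copied from the tables; the findings
dict layout, function names, and the interpretation of `threshold` as the
inclusive upper bound of a tier's score range are assumptions.
"""

# Per-finding points and caps, from the scoring table.
POLICY_POINTS, POLICY_CAP = 30, 40
SECRET_POINTS, SECRET_CAP = 50, 50
DEP_POINTS = {"low": 5, "moderate": 15, "high": 25, "critical": 40}
DEP_CAP = 50                # one cap shared by all four severities
SAST_POINTS = {"warning": 10, "error": 20}
SAST_CAP = 40               # one cap shared by warnings and errors
TEST_FAILURE_POINTS = 30    # flat: added once if any test failed
SCOPE_EXCEEDED_POINTS = 20  # flat: added once if the change exceeded scope
TOTAL_CAP = 100

# Default tiers, expressed in the same shape as the `review.risk_tiers`
# section of .ai-code-gate.yml (threshold = inclusive upper bound, assumed).
DEFAULT_CONFIG = {"review": {"risk_tiers": {
    "low":    {"threshold": 30,  "approvals": 0, "auto_merge": True},
    "medium": {"threshold": 70,  "approvals": 1, "auto_merge": False},
    "high":   {"threshold": 100, "approvals": 2, "auto_merge": False,
               "require_security_team": True},
}}}

# The override shown in the documentation, as Python would see it after
# YAML parsing (loading the file itself is out of scope here).
OVERRIDE_CONFIG = {"review": {"risk_tiers": {
    "low":    {"threshold": 20,  "approvals": 1, "auto_merge": False},
    "medium": {"threshold": 60,  "approvals": 2},
    "high":   {"threshold": 100, "approvals": 3, "require_security_team": True},
}}}


def score_breakdown(findings: dict) -> dict:
    """Capped points per category, before the total cap is applied."""
    deps = findings.get("dependency_vulns", {})
    sast = findings.get("sast", {})
    return {
        "policy": min(POLICY_POINTS * findings.get("policy_violations", 0), POLICY_CAP),
        "secrets": min(SECRET_POINTS * findings.get("secrets", 0), SECRET_CAP),
        "dependencies": min(sum(DEP_POINTS[s] * deps.get(s, 0) for s in DEP_POINTS), DEP_CAP),
        "sast": min(sum(SAST_POINTS[k] * sast.get(k, 0) for k in SAST_POINTS), SAST_CAP),
        "tests": TEST_FAILURE_POINTS if findings.get("tests_failed") else 0,
        "scope": SCOPE_EXCEEDED_POINTS if findings.get("scope_exceeded") else 0,
    }


def risk_score(findings: dict) -> int:
    """Sum of the capped category subtotals, capped at 100."""
    return min(sum(score_breakdown(findings).values()), TOTAL_CAP)


def review_requirements(score: int, config: dict = DEFAULT_CONFIG) -> dict:
    """Map a score to its tier and the review requirements that tier carries.

    Tiers are walked in ascending threshold order; the first tier whose
    threshold is >= score wins. A score above every threshold (possible only
    if the top threshold is misconfigured below 100) falls into the top tier
    rather than silently passing with no requirements.
    """
    tiers = sorted(config["review"]["risk_tiers"].items(),
                   key=lambda kv: kv[1]["threshold"])
    for name, spec in tiers:
        if score <= spec["threshold"]:
            break
    else:
        name, spec = tiers[-1]
    # Keys absent from a tier in the YAML are treated as the safe default:
    # no auto-merge and no security-team requirement (assumption).
    return {
        "tier": name.upper(),
        "approvals": spec["approvals"],
        "auto_merge": spec.get("auto_merge", False),
        "require_security_team": spec.get("require_security_team", False),
    }


# Constructed sample findings (not real pipeline output).
FINDINGS_NOISY = {  # policy and SAST caps engaged, then total capped: 40 + 35 + 40 = 115 -> 100
    "policy_violations": 3,
    "dependency_vulns": {"low": 4, "moderate": 1},
    "sast": {"warning": 5},
}
FINDINGS_MINOR = {"dependency_vulns": {"low": 1}, "sast": {"warning": 2}}  # 25
FINDINGS_SECRET = {"secrets": 1}  # 50


if __name__ == "__main__":
    for label, f in [("noisy", FINDINGS_NOISY), ("minor", FINDINGS_MINOR),
                     ("secret", FINDINGS_SECRET)]:
        s = risk_score(f)
        print(f"{label:7} score={s:3} default={review_requirements(s)['tier']:7}"
              f" override={review_requirements(s, OVERRIDE_CONFIG)['tier']}")
```

Two things the run makes visible that the tables alone do not: the 25-point change is LOW and auto-mergeable under the defaults but becomes MEDIUM with two required approvals under the override, and a single secret finding scores exactly 50, which under the defaults is MEDIUM (one approval, no security team). Since the documented override only moves tier thresholds, a team that wants any leaked credential routed to the security team has to pull `medium.threshold` below 50 rather than adjust the points.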