Compliance Grades
Every completed scan gets a single-letter grade from A to D. The grade is count-based - it looks only at the number of critical and high findings on the scan. SLA timers and triage state are tracked separately and do not affect the grade.
The formula
The grade is D if the critical count is 1 or more; otherwise C if the high count is 4 or more; otherwise B if the high count is 1 to 3; otherwise A. That is the entire computation. Medium, low, and unknown severity counts are ignored. Misconfigurations from Dockle do not affect the grade.
Grade table
| Grade | Critical | High |
|---|---|---|
| A | 0 | 0 |
| B | 0 | 1-3 |
| C | 0 | 4 or more |
| D | 1 or more | any |
Worked examples
| Scan profile | Grade |
|---|---|
| 0 critical, 0 high, 12 medium, 80 low | A |
| 0 critical, 2 high, 0 medium | B |
| 0 critical, 3 high, 50 medium | B |
| 0 critical, 4 high, 50 medium | C |
| 0 critical, 200 high, 0 medium | C |
| 1 critical, 0 high, 0 medium | D |
| 5 critical, 100 high | D |
The threshold between B and C is strictly high > 3, so 3 highs is still a B and 4 highs becomes a C.
Grade is not SLA
The A-D grade and SLA tracking answer different questions:
| Question | Where to look |
|---|---|
| Is this image's current security posture acceptable? | Grade |
| Are we meeting our remediation commitments? | SLA dashboard |
Two scans can both be grade B (one to three highs) while one has every finding within SLA and the other has every finding overdue. Conversely, a scan can be grade A while older scans of the same image have unresolved SLA-overdue findings - the grade only describes the snapshot in front of you.
SLA policy lives in Settings -> Compliance Policy and emits its own notifications (sla_warning, sla_breach). See Core Concepts.
Using grades
Common patterns:
- CI gate: fail the pipeline if the new scan's grade is worse than B. See CI/CD for an example.
- Trend line: the dashboard tracks grade-over-time per image to surface drift.
- Executive reporting: percent of images at A/B versus C/D maps cleanly onto a compliance chart.
A grade of A means zero criticals and zero highs. It does not mean zero vulnerabilities. A scan with hundreds of medium-severity findings is still grade A. Use medium and low counts and SLA dashboards for the full picture.
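The grade formula, the worked examples above, and the CI-gate pattern ("fail if worse than B") together, as an added example rather than the product's own code. The `SeverityCounts` container, the `grade`, `is_worse_than` and `ci_gate` function names, and the sample counts are assumptions made for this example; the thresholds are exactly those of the grade table.

```python
"""Count-based A-D grading and a CI gate check (added example, not the product's code)."""
from dataclasses import dataclass

# Best to worst; position in this string is the ordering used by the gate.
GRADE_ORDER = "ABCD"


@dataclass(frozen=True)
class SeverityCounts:
    """Finding counts for one completed scan (field names are assumptions)."""
    critical: int = 0
    high: int = 0
    medium: int = 0
    low: int = 0
    unknown: int = 0


def grade(counts: SeverityCounts) -> str:
    """Return the A-D grade. Only critical and high counts participate;
    medium, low and unknown are deliberately not consulted."""
    if counts.critical < 0 or counts.high < 0:
        raise ValueError("severity counts cannot be negative")
    if counts.critical >= 1:        # any critical at all -> D
        return "D"
    if counts.high >= 4:            # strictly more than 3 highs -> C
        return "C"
    if counts.high >= 1:            # 1 to 3 highs -> B
        return "B"
    return "A"                      # zero critical, zero high -> A


def is_worse_than(g: str, threshold: str) -> bool:
    """True if grade g is further down the A-D scale than threshold."""
    return GRADE_ORDER.index(g) > GRADE_ORDER.index(threshold)


def ci_gate(counts: SeverityCounts, minimum_grade: str = "B") -> bool:
    """CI gate: pass only if the scan's grade is not worse than minimum_grade."""
    return not is_worse_than(grade(counts), minimum_grade)


# Constructed sample inputs mirroring the worked-examples table above.
WORKED_EXAMPLES = [
    (SeverityCounts(critical=0, high=0, medium=12, low=80), "A"),
    (SeverityCounts(critical=0, high=2, medium=0), "B"),
    (SeverityCounts(critical=0, high=3, medium=50), "B"),
    (SeverityCounts(critical=0, high=4, medium=50), "C"),
    (SeverityCounts(critical=0, high=200, medium=0), "C"),
    (SeverityCounts(critical=1, high=0, medium=0), "D"),
    (SeverityCounts(critical=5, high=100), "D"),
]


def check_worked_examples() -> bool:
    """True if every row of the worked-examples table grades as the page states."""
    return all(grade(counts) == expected for counts, expected in WORKED_EXAMPLES)


if __name__ == "__main__":
    for counts, expected in WORKED_EXAMPLES:
        g = grade(counts)
        gate = "pass" if ci_gate(counts) else "FAIL"
        print(f"{counts} -> {g} (expected {expected}), gate: {gate}")
    # Grade A with hundreds of mediums still passes the gate: the grade is
    # not a vulnerability count, so pair it with medium/low counts and SLA data.
    print(grade(SeverityCounts(medium=300)), ci_gate(SeverityCounts(medium=300)))
```

The gate compares positions in `GRADE_ORDER` rather than letters directly, so a stricter policy is just `ci_gate(counts, minimum_grade="A")`. Note that `ci_gate` sees only the snapshot in front of it, exactly like the grade; an image whose older scans carry SLA-overdue findings can still pass, which is why the SLA dashboard is a separate check.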