Scoring Methodology

How OpenDocket calculates risk scores and what they mean.

What the OpenDocket Score Is

The OpenDocket Score is a relative risk pattern index from 0 to 100. A lower score means more high-severity risk patterns were found in the codebase.

The score is not:

It is a blind spot indicator for engineering teams.

Risk Classification

OpenDocket uses a categorical risk classification based on the number of high-severity patterns found:

Classification    Confirmed high-severity findings    Meaning
LOW RISK          0                                   No immediate regulatory concern detected in code
MODERATE RISK     1-5                                 Targeted remediation recommended
ELEVATED RISK     6-15                                Prioritize remediation before production
CRITICAL RISK     16+                                 Immediate attention required

When the Gemini Verification Layer has run, classification is based on confirmed high-severity findings (not raw totals). This prevents documentation-only pattern matches from inflating the risk level.

Why Two Models?

OpenDocket uses a dual-model architecture — and this is the product differentiator.

Claude Sonnet (Anthropic) — Primary Scan

Scans broadly — finds every pattern that could indicate a compliance risk. This produces a comprehensive set of findings but includes noise from documentation files, config references, and test data.

Gemini 2.5 Flash (Google) — Verification Layer

Challenges each finding independently. It asks: is this evidence from actual application code? Would a regulator actually find this concerning? Is the severity appropriate?

The result is a tiered output:

The confirmed count is the number you should act on. The total count shows the full scope of what was examined.

Evidence Tiers

Evidence is classified into three tiers based on file type:

[SOURCE] — Application source code (.ts, .py, .go, .rs, .java, .php, .rb, etc.) — strongest evidence. Only source code evidence supports High Risk findings.

[CONFIG] — Configuration files (.yml, .json, .toml, Dockerfile) — moderate evidence. Config-only evidence caps findings at Medium Risk.

[DOCS] — Documentation (.md, .txt, .html, .css) — context only. Documentation-only evidence caps findings at Pattern of Concern.

A finding is only classified as High Risk if supported by at least two source code files with matching evidence. This prevents monorepos with extensive documentation from generating inflated risk assessments.
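The two rules above (the count-based risk classification and the evidence-tier caps, including the two-source-file requirement for High Risk) can be expressed as a short scoring routine. The following is an added illustration written for this page, not OpenDocket's own code. It assumes three things the page does not state: a finding backed by exactly one source file is capped at Medium Risk; file types the page does not list are treated as context-only evidence; and .yaml is grouped with .yml. The sample findings are constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PurePosixPath

# Evidence tiers by file type, following the page's [SOURCE] / [CONFIG] / [DOCS] lists.
SOURCE_EXTS = {".ts", ".py", ".go", ".rs", ".java", ".php", ".rb"}
CONFIG_EXTS = {".yml", ".yaml", ".json", ".toml"}   # .yaml added by assumption
CONFIG_NAMES = {"Dockerfile"}
DOCS_EXTS = {".md", ".txt", ".html", ".css"}


def evidence_tier(path: str) -> str:
    """Map a file path to SOURCE, CONFIG or DOCS."""
    p = PurePosixPath(path)
    if p.name in CONFIG_NAMES:
        return "CONFIG"
    ext = p.suffix.lower()
    if ext in SOURCE_EXTS:
        return "SOURCE"
    if ext in CONFIG_EXTS:
        return "CONFIG"
    # Assumption: anything else (including unlisted extensions) is context only.
    return "DOCS"


@dataclass
class Finding:
    pattern: str
    evidence_files: list[str]
    confirmed: bool = True   # False when the verification layer rejects the finding


def cap_severity(finding: Finding) -> str:
    """Apply the evidence-tier caps to a single finding."""
    tiers = {f: evidence_tier(f) for f in finding.evidence_files}
    # A set so the same source file cited twice counts once.
    source_files = {f for f, t in tiers.items() if t == "SOURCE"}
    if len(source_files) >= 2:
        return "High Risk"          # two or more source files with matching evidence
    if "SOURCE" in tiers.values() or "CONFIG" in tiers.values():
        return "Medium Risk"        # config-only (and, by assumption, single-source) cap
    return "Pattern of Concern"     # documentation-only cap


def classify_risk(high_severity_count: int) -> str:
    """Count-based classification from the page's table."""
    if high_severity_count == 0:
        return "LOW RISK"
    if high_severity_count <= 5:
        return "MODERATE RISK"
    if high_severity_count <= 15:
        return "ELEVATED RISK"
    return "CRITICAL RISK"


def assess(findings: list[Finding], verification_ran: bool) -> dict:
    """Produce the tiered output: confirmed high-severity count, total count, classification.

    When the verification layer has run, only confirmed findings drive the
    classification; otherwise every finding from the primary scan counts.
    """
    considered = [f for f in findings if f.confirmed] if verification_ran else findings
    high = [f for f in considered if cap_severity(f) == "High Risk"]
    return {
        "high_severity": len(high),
        "total": len(findings),
        "classification": classify_risk(len(high)),
    }


# Constructed sample findings (not real scan output).
SAMPLE = [
    Finding("retention-period", ["src/users.py", "src/export.ts"]),            # High Risk
    Finding("retention-period", ["README.md", "docs/privacy.md"]),             # docs only
    Finding("data-residency", ["config/app.yml", "Dockerfile"]),               # config only
    Finding("consent-flag", ["src/a.go", "src/b.go"], confirmed=False),        # rejected by verifier
    Finding("consent-flag", ["src/one.rb", "src/one.rb"]),                     # one source file, cited twice
]

if __name__ == "__main__":
    print(assess(SAMPLE, verification_ran=True))
    print(assess(SAMPLE, verification_ran=False))
```

Running the sample shows the point made in the "Why Two Models?" section: without the verification layer the rejected finding still counts, so the confirmed high-severity count (1) is the number to act on, while the total (5) describes the scope of what was examined.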

What This Does Not Cover

OpenDocket scans source code only. Many compliance requirements are met through mechanisms not visible in code.