Mega Report Scoring Rubric
The Mega Report assigns your website an overall health grade from A (excellent) to F (critical) based on the combined findings across all test sections. Here is exactly how grades are calculated.
Overall Health Grade
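The grade is calculated from the total count of findings across all enabled test sections. Findings are categorized by severity and the thresholds below are evaluated in order; when more than one condition matches, the lower grade applies, so any critical finding results in an F regardless of the other counts: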
| Grade | Label | Condition |
|---|---|---|
| A | Excellent | No critical, high, or medium findings; low ≤ 20 |
| B | Good | Any medium findings OR more than 20 low findings |
| C | Needs Improvement | Any high findings OR more than 10 medium findings |
| D | Poor | More than 5 high severity findings |
| F | Critical | Any critical findings (1 or more) |
Severity Levels
Every finding is assigned one of five severity levels:
- Critical — Immediate action required: security vulnerabilities or breaking issues
- High — Important issues that should be addressed soon
- Medium — Issues to address in the normal development cycle
- Low — Minor issues or suggestions for improvement
- Info — Informational findings with no immediate action required
Per-Test Scoring Criteria
Each test section contributes findings to the overall grade. Here is how each test maps findings to severity levels:
Accessibility (WCAG)
WCAG compliance testing (AA or AAA level) using axe-core automated scanning.
- Severity mapping: All severity levels counted directly from axe-core violation impact ratings
- Grade contribution: All severity levels included in the overall grade
Security Scan
OWASP-based security validation including security headers, SSL/TLS, and vulnerability detection.
- Severity mapping: All severity levels (critical, high, medium, low, info) counted directly
- Section failure: Marked as failed if any critical or high severity findings are detected
Meta Tags
Validates Open Graph, Twitter Card, and standard meta tags.
- Severity mapping: Only Medium severity counted — each missing recommended tag counts as one medium finding
- Image issues: Image dimension problems are also counted as medium
- Section failure: Fails if any recommended tags are missing
HTML Validation
HTML validation against W3C standards using the Nu Html Checker.
- High = validation errors
- Medium = warnings
- Info = informational notices
- Not used: Critical and low are not applicable for HTML validation
- Section failure: Fails if any validation errors (high severity) are found
SEO Test
Comprehensive SEO analysis covering page structure, content quality, and technical SEO factors.
- Severity mapping: All severity levels counted directly from SEO rule evaluations
- Section failure: Marked as failed if any critical or high severity findings are detected
Page Size & Performance
Resource inventory and page performance analysis with specific size thresholds.
- Total page weight:
| Page Size | Severity |
|---|---|
| > 10 MB | Critical |
| > 5 MB | High |
| > 3 MB | Medium |
| > 1.5 MB | Low |
- Per-resource thresholds:
| Resource | Severity |
|---|---|
| Any file > 5 MB | Critical |
| Image > 1 MB | High |
| Image > 500 KB | Medium |
| Image > 200 KB | Low |
| PNG > 100 KB (no WebP) | Info |
Secrets Detection (Gitleaks)
Detects hardcoded secrets, API keys, and credentials in git history.
- Severity mapping: All severity levels counted directly from Gitleaks rules
- Typical findings: Usually critical or high severity
Supply Chain Vulnerabilities (OSV)
Dependency vulnerability scanning using the Open Source Vulnerabilities database.
- CVSS score mapping:
| CVSS Score | Severity |
|---|---|
| ≥ 9.0 | Critical |
| ≥ 7.0 | High |
| ≥ 4.0 | Medium |
| > 0 | Low |
Static Analysis (Semgrep / OpenGrep)
Code quality and security analysis using Semgrep and OpenGrep engines.
- Severity mapping: Only non-zero severity counts are included in the grade calculation
- Typical findings: Often info-level, but can include higher severity security patterns
Link & Content Analysis
These tests analyze link integrity, redirect behavior, metadata consistency, structured data, image optimization, site structure, and content uniqueness across your pages.
Broken Links
Checks all internal and external links for broken URLs (404, 5xx, timeouts).
- Critical = server errors (5xx)
- High = not found (404)
- Medium = timeouts
- Low = redirects
- Info = other status codes
- Grade contribution: All severity levels included in the overall grade
Redirect Analysis
Analyzes redirect chains for loops, excessive hops, and mixed protocols.
- Critical = redirect loops
- High = chains > 3 hops
- Medium = mixed protocol or redirect types
- Low = chains > 1 hop
- Info = single redirects
- Section failure: Fails if redirect loops or long chains (> 3 hops) are detected
Canonical URL Validation
Validates canonical URL tags for correctness and consistency.
- Severity mapping: All severity levels counted directly from validation findings
- Grade contribution: All severity levels included in the overall grade
Hreflang Validation
Validates hreflang alternate language tags and cross-references between pages.
- Severity mapping: All severity levels counted directly from validation findings
- Grade contribution: All severity levels included in the overall grade
Structured Data Validation
Validates JSON-LD structured data against Schema.org types and Google rich result requirements.
- Severity mapping: All severity levels counted directly from validation findings
- Grade contribution: All severity levels included in the overall grade
Image Optimization
Checks images for alt text, dimensions, lazy loading, file size, and format optimization.
- Severity mapping: All severity levels counted directly from optimization findings
- Grade contribution: All severity levels included in the overall grade
Internal Link Structure
Analyzes internal link graph for orphan pages, click depth, and discoverability.
- High = orphan pages (no inbound links)
- Medium = pages at depth > 3
- Low = pages at depth 3 or with only 1 inbound link
- Not used: Critical and info are not applicable for internal link structure
- Section failure: Fails if orphan pages (no inbound links) are detected
Duplicate Content Detection
Detects duplicate titles, descriptions, thin content, and near-duplicate page content.
- Critical = ≥95% content similarity between pages
- High = ≥80% content similarity or duplicate titles
- Medium = thin content (< 200 words) or duplicate descriptions
- Grade contribution: All severity levels included in the overall grade
Console Errors (Browser-based)
Loads the page in a headless WebView and captures JavaScript console errors, uncaught exceptions, network failures, CORS errors, CSP violations, mixed content warnings, and deprecated API usage. Available on all platforms.
- High = JS errors, uncaught exceptions, network/resource failures
- Medium = JS warnings, CORS errors, CSP violations, mixed content
- Low = deprecated API usage
- Info = console.log/info messages (tracked for reference only)
- Grade contribution: High, Medium, and Low severity levels affect the A–F grade. Info-level logs are tracked but excluded from the grade calculation.
Improving Your Grade
- Fix critical issues first — any critical finding results in an F grade
- Address high issues — more than 5 high issues drops you to D; any high issue drops you to C
- Reduce medium issues — more than 10 medium issues drops you to C
- Manage low issues — more than 20 low issues drops you to B
- Address OSV findings — they are treated as real security issues; findings without CVSS scores are promoted to high
- Re-run the report — after fixing issues, generate a new Mega Report to see your improved grade
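The thresholds on this page written out as an added example (not CodeFrog's own code): it applies the OSV CVSS mapping, including the promotion of unscored findings to high, and then checks the grade conditions from F down to A. That check order is an assumption drawn from the list above, and the function names and sample counts are constructed for illustration.

```python
from collections import Counter

SEVERITIES = ("critical", "high", "medium", "low", "info")

def osv_severity(cvss):
    """Map an OSV finding's CVSS score to a severity using the page's table."""
    if cvss is None:
        return "high"      # page: findings without CVSS scores are promoted to high
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    if cvss > 0:
        return "low"
    return "info"          # assumption: the page does not cover a score of 0

def overall_grade(counts):
    """Return the A-F grade for a mapping of severity -> total finding count."""
    c = Counter(counts)
    unknown = set(c) - set(SEVERITIES)
    if unknown:
        raise ValueError(f"unknown severity: {sorted(unknown)}")
    # Assumed order: worst grade first, so a critical finding always wins.
    if c["critical"] >= 1:
        return "F"
    if c["high"] > 5:
        return "D"
    if c["high"] >= 1 or c["medium"] > 10:
        return "C"
    if c["medium"] >= 1 or c["low"] > 20:
        return "B"
    return "A"             # info findings never change the grade

def grade_report(section_counts, osv_cvss_scores):
    """Sum per-section severity counts, add OSV findings, return (grade, totals)."""
    total = Counter()
    for counts in section_counts.values():
        total.update(counts)
    total.update(osv_severity(score) for score in osv_cvss_scores)
    return overall_grade(total), dict(total)

# Constructed sample: two sections plus two OSV findings, one without a CVSS score.
SAMPLE_SECTIONS = {
    "html_validation": {"medium": 3, "info": 2},
    "console_errors": {"low": 4, "info": 12},
}
SAMPLE_OSV = [5.3, None]
```

With the sample data, the single unscored OSV finding is what moves the report from B to C.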
Related Resources
- Mega Report Documentation — Full guide to running and interpreting Mega Reports
- What We Check — Detailed list of security checks performed
- OWASP Coverage — How CodeFrog maps to OWASP Top 10
- Features — Overview of all CodeFrog capabilities