diff --git a/policy/executor/internal/nodes.go b/policy/executor/internal/nodes.go
index c80d55b6..83680409 100644
--- a/policy/executor/internal/nodes.go
+++ b/policy/executor/internal/nodes.go
@@ -590,7 +590,8 @@ func (nodeData *ReportingJobNodeData) score() (*policy.Score, error) {
 if s == nil {
 return nil, nil
 }
- policy.AddSpecdScore(calculator, s, rjRes.score != nil, rjRes.impact)
+ i := rjRes.impact
+ policy.AddSpecdScore(calculator, s, rjRes.score != nil, i)
 }
 policy.AddDataScore(calculator, len(nodeData.datapoints), finishedDatapoints)
diff --git a/policy/score_calculator.go b/policy/score_calculator.go
index 27f3eb03..c9302176 100644
--- a/policy/score_calculator.go
+++ b/policy/score_calculator.go
@@ -501,8 +501,13 @@ func (c *bandedScoreCalculator) Add(score *Score, impact *explorer.Impact) {
 if score.ScoreCompletion != 0 && score.Weight != 0 {
 category := uint32(0)
- if impact != nil && impact.Value != nil {
- category = 100 - uint32(impact.Value.Value)
+ if impact != nil {
+ // Store pointer to avoid panic
+ if impactV := impact.GetValue(); impactV != nil {
+ if value := impactV.GetValue(); value <= 100 && value >= 0 {
+ category = 100 - uint32(value)
+ }
+ }
 }
 if category <= 10 {
diff --git a/test/providers/scan_flags_test.go b/test/providers/scan_flags_test.go
index 8ce612d7..65611b45 100644
--- a/test/providers/scan_flags_test.go
+++ b/test/providers/scan_flags_test.go
@@ -55,7 +55,7 @@ func TestScanFlags(t *testing.T) {
 assert.NotNil(t, r.Stderr())
 assert.Contains(t, string(r.Stderr()),
- "app-private-key is required for GitHub App authentication", // expected! it means we loaded the flags
+ "could not parse private key", // expected! it means we loaded the flags
 )
 })
 t.Run("github scan WITH all required flags for app auth", func(t *testing.T) {
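Review bot: The new local `i` only aliases `rjRes.impact` before it is passed to `policy.AddSpecdScore`, so it adds no nil or range check and does not change what the callee receives. If it was meant as part of the panic fix, the protection lives entirely in `bandedScoreCalculator.Add`. Either keep the original single call or give the copy a descriptive name and a stated reason, e.g. `impact := rjRes.impact // snapshot: <why a copy is needed>`. `score()` continues outside the hunk, so any concurrent writer to `rjRes` is not visible here.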
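Review bot: An impact value outside 0–100 is now silently ignored and `category` stays at its default 0, which is the same value an impact of 100 produces and falls into the first `category <= 10` band below; a malformed or tampered policy impact is then scored in that band with no trace. If that fallback is intended, say so in place of the current comment, which is inaccurate (no pointer is stored; the nil-safe getters prevent the panic), e.g. `// GetValue is nil-safe; out-of-range impacts keep the default category 0`, and consider logging the rejected value. Assuming `GetValue` is the usual nil-receiver-safe generated getter, the outer `if impact != nil` is also redundant. The body of `Add` starts and ends outside the hunk, so what each band does with the category is not visible here.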
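Review bot: The inline comment on the expected string no longer explains the assertion: a `could not parse private key` error shows that flag validation passed and execution reached key parsing, presumably because the test supplies a dummy key (the command setup is outside the hunk). Suggest rewording it to `// expected: flags were accepted and the dummy key then fails to parse`. Matching on a downstream error's wording is brittle, so it is worth confirming the message comes from code this repository controls.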