AI-Powered File Analysis
How CodeDD analyzes individual source files
AI-Powered File Analysis
CodeDD's file analysis stage reviews each scoped file for quality, security, and maintainability — surfacing issues that pattern-only scanners often miss.
Beyond traditional SAST
Traditional static analysis relies on pattern matching and syntax rules. CodeDD adds semantic understanding: business logic review, intent-based risk detection, and context from file type and role in the system.
Security findings go through a validation step that checks for supporting evidence before they affect your score. Optional SonarQube integration adds language-specific static rules when enabled.
What gets analyzed
Application code — business logic, APIs, database access, auth, validation, error handling.
Infrastructure — Dockerfiles, Kubernetes manifests, CI/CD configs, IaC templates.
Configuration — app settings, environment files, third-party integrations.
File selection
Deep analysis runs on files marked in audit scope. Priority goes to security-critical paths, core business logic, recently modified files, and high-complexity code.
Excluded: auto-generated code, minified files, binaries, and test fixtures.
Per-file assessment
Each analyzed file receives structured scores across dimensions you see in the dashboard:
| Area | What it covers |
|---|---|
| Code quality | Readability, consistency, modularity, maintainability, technical debt |
| Functionality | Completeness, edge cases, error handling |
| Performance | Efficiency, scalability, resource use |
| Security | Input validation, data handling, authentication |
| Standards | Best practices, design patterns, complexity |
Findings include severity (Green / Yellow / Orange / Red), confidence level, and specific remediation guidance.
Security findings
Common categories: injection flaws, XSS vectors, auth bypasses, insecure cryptography, exposed secrets, sensitive data handling.
Each security flag carries a confidence score. High-confidence findings (90%+) are treated as actionable; lower-confidence items are flagged for manual review.
Dependency analysis
CodeDD scans package manifests and imports across major ecosystems (npm, pip, Maven, Go modules, Cargo, Composer, .NET, and others).
For each dependency:
- Version and known CVEs (NVD, GitHub Advisory, OSV)
- Severity and patch availability
- License type and compliance flags
Portfolio views include a Supply Chain Vulnerabilities panel and License Compliance section.
Complexity metrics
Cyclomatic complexity is calculated per function using Radon/Lizard. High-complexity functions (typically 20+) are flagged as refactoring candidates and contribute to technical debt signals.
SonarQube (optional)
When enabled, SonarScanner runs in an isolated container against a temporary workspace. Results are merged with AI findings. The workspace is deleted after analysis.
Data privacy
After analysis:
- Stored: file paths, metrics, findings, dependency lists, complexity scores
- Never stored: source code content, detected secrets (flagged but not persisted), PII from comments

