Audit Consolidation & Risk Scoring
How CodeDD synthesizes findings into actionable risk scores
Audit Consolidation & Risk Scoring
Consolidation turns file-level findings, dependency data, and architecture insights into portfolio-ready scores and reports.
Code Health Score
The Code Health Score (0–100) is the primary metric for investment decisions. It reflects composite debt across three weighted components:
Composite Debt = (Code Quality Debt × 50%)
+ (Validated Security Debt × 30%)
+ (Test Coverage Debt × 20%)
Code Health Score = max(0, 100 − Composite Debt)
| Component | Weight | What it measures |
|---|---|---|
| Code Quality | 50% | Maintainability, readability, modularity, complexity |
| Validated Security | 30% | Confirmed security exposure from validated findings and CVEs |
| Test Coverage | 20% | Gap between actual coverage and 100% |
Your organization's quality threshold and target coverage (typically 80%) affect remediation cost estimates in the dashboard — not the health score itself.
Component detail
Code quality
Derived from the overall quality score computed during file analysis: readability, modularity, maintainability, redundancy, and technical debt. For older audits without an overall quality score, technical debt score is used as fallback.
Code Quality Debt = 100 − Code Quality Score
Validated security
Based on validated security findings and dependency CVEs, normalized per repository so a large portfolio is not automatically penalized more than a single repo.
Severity penalties use graduated weights — critical issues have outsized impact compared to medium findings. Eliminating one critical vulnerability per repo moves the score more than clearing several medium issues.
Test coverage
Test Coverage Debt = max(0, 100 − average coverage %)
Averaged across repositories with coverage data.
Supplementary metrics
Shown in dashboards but not in the Code Health Score formula:
- Maintenance indicators — validated Orange/Red flag density per 1,000 LOC
- Supply chain score — dependency vulnerability exposure
- Per-repository security breakdown — critical/high/medium counts
Score bands
| Band | Score | Typical profile |
|---|---|---|
| Good | 67–100 | Low debt, minimal critical/high vulns, coverage near target |
| Fair | 33–66 | Moderate debt in one or more areas; manageable with a plan |
| Poor | 0–32 | High debt, critical vulns present, low coverage |
Portfolio aggregation
For group audits:
- Code quality — LOC-weighted average across repositories
- Security — severity counts summed, then averaged per repo before scoring
- Test coverage — arithmetic average across repos with data
- Maintenance — portfolio-wide flag density per 1,000 LOC
Compare repositories within a portfolio to identify outliers and leaders.
What you see in the dashboard
- Code Health Score and KPI strip with component drill-down
- Executive summary with top findings and strengths
- Security flags, supply-chain panel, architecture map
- Issue Compass for prioritized remediation
- Compare previous audits (single-repo and group)
- PDF export for IC materials
JIRA / GitHub issue creation from findings is planned.
Re-audit and trends
Re-run audits and use compare-audits to track score changes, resolved issues, and coverage improvements over time.

