DocumentationSoftware AuditAudit Process Overview

Audit Process Overview

What happens during a CodeDD audit and what you receive

Audit Process Overview

CodeDD analyzes codebases through discovery, scoped deep analysis, architecture mapping, and portfolio consolidation. The process is designed for investors and technical leaders who need comprehensive insights without permanent source-code retention.

At a glance

  • Full discovery, scoped deep analysis — every file is indexed; you choose which files receive LLM review
  • Zero source retention — source code is deleted after the audit; only findings and metadata remain
  • Validated findings — security issues are checked for evidence before they affect scores
  • Actionable output — Code Health Score, dashboards, PDF export, and remediation guidance
  • Encrypted processing — files are encrypted at rest during analysis

End-to-end flow

Repository connection (OAuth / PAT / SSH / CLI)
        ↓
File discovery & indexing
        ↓
Audit scope selection
        ↓
File analysis, dependencies, git statistics
        ↓
Architecture mapping & cross-file contextualization
        ↓
Consolidation, scoring & recommendations
        ↓
Secure deletion of source code
        ↓
Results in dashboard (+ optional PDF export)

For group / portfolio audits, each repository is analyzed independently and results aggregate at the organization level.

What happens at each stage

Repository connection

CodeDD connects via OAuth (preferred), PAT, or SSH. Cloud audits clone to an isolated environment that exists only for the audit duration. The CLI keeps repositories on your machine and syncs structured results only.

Repository Connection & Security

Discovery and scope

Every file is scanned, categorized, and counted. Build artifacts, dependencies, and .git are excluded. After discovery, you review audit scope — which files receive deep LLM analysis.

File Discovery & Indexing

File analysis

Scoped files receive LLM review, complexity metrics, and dependency scanning. Security findings are validated before they count toward risk scores. Optional SonarQube integration adds static rules when enabled.

AI-Powered File Analysis

Architecture and contextualization

CodeDD maps components, technologies, and relationships, then analyzes patterns across the codebase — domains, data flows, auth consistency, and systemic gaps.

Architecture Analysis & Mapping · Cross-File Contextualization

Consolidation and reporting

Findings are deduplicated, prioritized, and synthesized into the Code Health Score, executive summaries, and remediation recommendations.

Audit Consolidation & Risk Scoring · Recommendations Generation

Secure deletion

Source files in the processing cache are securely wiped. Only findings, scores, file paths, and LOC counts are retained.

Secure Data Deletion

Code Health Score

The portfolio Code Health Score (0–100) combines three debt components:

Composite Debt = (Code Quality Debt  × 50%)
               + (Validated Security Debt × 30%)
               + (Test Coverage Debt      × 20%)

Code Health Score = max(0, 100 − Composite Debt)

See Audit Consolidation & Risk Scoring for detail.

Typical duration

Repository sizeTypical duration
Small (<100 scoped files)15–30 minutes
Medium (100–1,000 files)30–90 minutes
Large (1,000–10,000 files)1–4 hours
Portfolio / group audit2–8 hours

Duration depends on scoped file count, language mix, and optional SonarQube.

What you receive

Dashboard: Code Health Score, security flags, supply-chain panel, architecture map, Issue Compass, compare-audits, PDF export.

Exports: JSON/CSV findings, API access. JIRA / GitHub issue creation is planned.

CLI: codedd fix for terminal-guided remediation — CodeDD CLI Guide.

Re-audit and comparison

Re-run audits and compare results over time via compare-audits in the UI. This is not continuous monitoring — you trigger audits on your cadence (pre-IC, post-release, quarterly review).

Security Throughout

  • Encryption at rest (Fernet) and in transit (TLS)
  • Isolated ephemeral processing environments
  • Zero source-code retention after audit
  • Access controls and audit logging
  • Account two-factor authentication available
  • Primary hosting in IONOS data centers (Germany) — see Compliance & Certifications

Key Differentiators

Traditional SASTCodeDD
Pattern matchingLLM semantic understanding + validation pipeline
File-by-file onlyArchitecture + cross-file contextualization
Permanent code storageEphemeral processing, secure deletion
Point-in-time scanRe-audit + compare over time

Next Steps