Audit Process Overview
What happens during a CodeDD audit and what you receive
Audit Process Overview
CodeDD analyzes codebases through discovery, scoped deep analysis, architecture mapping, and portfolio consolidation. The process is designed for investors and technical leaders who need comprehensive insights without permanent source-code retention.
At a glance
- Full discovery, scoped deep analysis — every file is indexed; you choose which files receive LLM review
- Zero source retention — source code is deleted after the audit; only findings and metadata remain
- Validated findings — security issues are checked for evidence before they affect scores
- Actionable output — Code Health Score, dashboards, PDF export, and remediation guidance
- Encrypted processing — files are encrypted at rest during analysis
End-to-end flow
Repository connection (OAuth / PAT / SSH / CLI)
↓
File discovery & indexing
↓
Audit scope selection
↓
File analysis, dependencies, git statistics
↓
Architecture mapping & cross-file contextualization
↓
Consolidation, scoring & recommendations
↓
Secure deletion of source code
↓
Results in dashboard (+ optional PDF export)
For group / portfolio audits, each repository is analyzed independently and results aggregate at the organization level.
What happens at each stage
Repository connection
CodeDD connects via OAuth (preferred), PAT, or SSH. Cloud audits clone to an isolated environment that exists only for the audit duration. The CLI keeps repositories on your machine and syncs structured results only.
→ Repository Connection & Security
Discovery and scope
Every file is scanned, categorized, and counted. Build artifacts, dependencies, and .git are excluded. After discovery, you review audit scope — which files receive deep LLM analysis.
File analysis
Scoped files receive LLM review, complexity metrics, and dependency scanning. Security findings are validated before they count toward risk scores. Optional SonarQube integration adds static rules when enabled.
Architecture and contextualization
CodeDD maps components, technologies, and relationships, then analyzes patterns across the codebase — domains, data flows, auth consistency, and systemic gaps.
→ Architecture Analysis & Mapping · Cross-File Contextualization
Consolidation and reporting
Findings are deduplicated, prioritized, and synthesized into the Code Health Score, executive summaries, and remediation recommendations.
→ Audit Consolidation & Risk Scoring · Recommendations Generation
Secure deletion
Source files in the processing cache are securely wiped. Only findings, scores, file paths, and LOC counts are retained.
Code Health Score
The portfolio Code Health Score (0–100) combines three debt components:
Composite Debt = (Code Quality Debt × 50%)
+ (Validated Security Debt × 30%)
+ (Test Coverage Debt × 20%)
Code Health Score = max(0, 100 − Composite Debt)
See Audit Consolidation & Risk Scoring for detail.
Typical duration
| Repository size | Typical duration |
|---|---|
| Small (<100 scoped files) | 15–30 minutes |
| Medium (100–1,000 files) | 30–90 minutes |
| Large (1,000–10,000 files) | 1–4 hours |
| Portfolio / group audit | 2–8 hours |
Duration depends on scoped file count, language mix, and optional SonarQube.
What you receive
Dashboard: Code Health Score, security flags, supply-chain panel, architecture map, Issue Compass, compare-audits, PDF export.
Exports: JSON/CSV findings, API access. JIRA / GitHub issue creation is planned.
CLI: codedd fix for terminal-guided remediation — CodeDD CLI Guide.
Re-audit and comparison
Re-run audits and compare results over time via compare-audits in the UI. This is not continuous monitoring — you trigger audits on your cadence (pre-IC, post-release, quarterly review).
Security Throughout
- Encryption at rest (Fernet) and in transit (TLS)
- Isolated ephemeral processing environments
- Zero source-code retention after audit
- Access controls and audit logging
- Account two-factor authentication available
- Primary hosting in IONOS data centers (Germany) — see Compliance & Certifications
Key Differentiators
| Traditional SAST | CodeDD |
|---|---|
| Pattern matching | LLM semantic understanding + validation pipeline |
| File-by-file only | Architecture + cross-file contextualization |
| Permanent code storage | Ephemeral processing, secure deletion |
| Point-in-time scan | Re-audit + compare over time |

