DocumentationSoftware AuditAI-Powered File Analysis

AI-Powered File Analysis

How CodeDD analyzes individual source files

AI-Powered File Analysis

CodeDD's file analysis stage reviews each scoped file for quality, security, and maintainability — surfacing issues that pattern-only scanners often miss.

Beyond traditional SAST

Traditional static analysis relies on pattern matching and syntax rules. CodeDD adds semantic understanding: business logic review, intent-based risk detection, and context from file type and role in the system.

Security findings go through a validation step that checks for supporting evidence before they affect your score. Optional SonarQube integration adds language-specific static rules when enabled.

What gets analyzed

Application code — business logic, APIs, database access, auth, validation, error handling.

Infrastructure — Dockerfiles, Kubernetes manifests, CI/CD configs, IaC templates.

Configuration — app settings, environment files, third-party integrations.

File selection

Deep analysis runs on files marked in audit scope. Priority goes to security-critical paths, core business logic, recently modified files, and high-complexity code.

Excluded: auto-generated code, minified files, binaries, and test fixtures.

Per-file assessment

Each analyzed file receives structured scores across dimensions you see in the dashboard:

AreaWhat it covers
Code qualityReadability, consistency, modularity, maintainability, technical debt
FunctionalityCompleteness, edge cases, error handling
PerformanceEfficiency, scalability, resource use
SecurityInput validation, data handling, authentication
StandardsBest practices, design patterns, complexity

Findings include severity (Green / Yellow / Orange / Red), confidence level, and specific remediation guidance.

Security findings

Common categories: injection flaws, XSS vectors, auth bypasses, insecure cryptography, exposed secrets, sensitive data handling.

Each security flag carries a confidence score. High-confidence findings (90%+) are treated as actionable; lower-confidence items are flagged for manual review.

Dependency analysis

CodeDD scans package manifests and imports across major ecosystems (npm, pip, Maven, Go modules, Cargo, Composer, .NET, and others).

For each dependency:

  • Version and known CVEs (NVD, GitHub Advisory, OSV)
  • Severity and patch availability
  • License type and compliance flags

Portfolio views include a Supply Chain Vulnerabilities panel and License Compliance section.

Complexity metrics

Cyclomatic complexity is calculated per function using Radon/Lizard. High-complexity functions (typically 20+) are flagged as refactoring candidates and contribute to technical debt signals.

SonarQube (optional)

When enabled, SonarScanner runs in an isolated container against a temporary workspace. Results are merged with AI findings. The workspace is deleted after analysis.

Data privacy

After analysis:

  • Stored: file paths, metrics, findings, dependency lists, complexity scores
  • Never stored: source code content, detected secrets (flagged but not persisted), PII from comments

Next steps