DocumentationSoftware AuditAudit Consolidation & Risk Scoring

Audit Consolidation & Risk Scoring

How CodeDD synthesizes findings into actionable risk scores

Audit Consolidation & Risk Scoring

Consolidation turns file-level findings, dependency data, and architecture insights into portfolio-ready scores and reports.

Code Health Score

The Code Health Score (0–100) is the primary metric for investment decisions. It reflects composite debt across three weighted components:

Composite Debt = (Code Quality Debt      × 50%)
               + (Validated Security Debt × 30%)
               + (Test Coverage Debt      × 20%)

Code Health Score = max(0, 100 − Composite Debt)
ComponentWeightWhat it measures
Code Quality50%Maintainability, readability, modularity, complexity
Validated Security30%Confirmed security exposure from validated findings and CVEs
Test Coverage20%Gap between actual coverage and 100%

Your organization's quality threshold and target coverage (typically 80%) affect remediation cost estimates in the dashboard — not the health score itself.

Component detail

Code quality

Derived from the overall quality score computed during file analysis: readability, modularity, maintainability, redundancy, and technical debt. For older audits without an overall quality score, technical debt score is used as fallback.

Code Quality Debt = 100 − Code Quality Score

Validated security

Based on validated security findings and dependency CVEs, normalized per repository so a large portfolio is not automatically penalized more than a single repo.

Severity penalties use graduated weights — critical issues have outsized impact compared to medium findings. Eliminating one critical vulnerability per repo moves the score more than clearing several medium issues.

Test coverage

Test Coverage Debt = max(0, 100 − average coverage %)

Averaged across repositories with coverage data.

Supplementary metrics

Shown in dashboards but not in the Code Health Score formula:

  • Maintenance indicators — validated Orange/Red flag density per 1,000 LOC
  • Supply chain score — dependency vulnerability exposure
  • Per-repository security breakdown — critical/high/medium counts

Score bands

BandScoreTypical profile
Good67–100Low debt, minimal critical/high vulns, coverage near target
Fair33–66Moderate debt in one or more areas; manageable with a plan
Poor0–32High debt, critical vulns present, low coverage

Portfolio aggregation

For group audits:

  • Code quality — LOC-weighted average across repositories
  • Security — severity counts summed, then averaged per repo before scoring
  • Test coverage — arithmetic average across repos with data
  • Maintenance — portfolio-wide flag density per 1,000 LOC

Compare repositories within a portfolio to identify outliers and leaders.

What you see in the dashboard

  • Code Health Score and KPI strip with component drill-down
  • Executive summary with top findings and strengths
  • Security flags, supply-chain panel, architecture map
  • Issue Compass for prioritized remediation
  • Compare previous audits (single-repo and group)
  • PDF export for IC materials

JIRA / GitHub issue creation from findings is planned.

Re-audit and trends

Re-run audits and use compare-audits to track score changes, resolved issues, and coverage improvements over time.

Next steps