Recommendations Generation
How CodeDD creates actionable remediation guidance
Recommendations Generation
Recommendations are produced during audit consolidation — turning validated findings into prioritized, actionable guidance tied to your codebase.
What recommendations cover
Security remediation — specific vulnerabilities with severity, affected location, and fix guidance (e.g. parameterized queries instead of string concatenation, adding auth checks to exposed endpoints).
Dependency updates — outdated packages with known CVEs, target versions, and breaking-change notes where relevant.
Technical debt — high-complexity functions to refactor, duplication to consolidate, missing error handling.
Architecture — coupling issues, missing abstraction layers, modularity improvements.
Testing — coverage gaps on critical paths, suggested test types (unit, integration, security).
Each recommendation includes priority tier, estimated effort, and rationale.
Prioritization
Recommendations are ranked by severity, confidence, and business impact:
- P0 — Critical: active security vulnerabilities, data breach risks, production-breaking issues
- P1 — High: high-severity vulns, important dependency updates, major architecture issues
- P2 — Medium: code quality improvements, moderate refactoring
- P3 — Low: style consistency, documentation, minor optimizations
Related fixes are grouped where dependencies exist (e.g. framework upgrade before API migration).
Where to use them
Web dashboard — prioritized list with drill-down to findings and affected files.
Issue Compass — focused remediation slices you can save and work through systematically.
PDF export — executive summary with top recommendations.
CLI — codedd fix for terminal-guided resolution after audit completion.
Exports — JSON/CSV for offline planning; API access for programmatic retrieval.
Tracking progress
Re-run audits and use compare-audits to measure:
- Issues resolved vs. new findings
- Code Health Score change
- Test coverage delta
- Dependency updates completed
Audits are on your cadence — not automated continuous monitoring.
Planned
- JIRA / GitHub issue auto-creation (UI currently shows "coming soon")
- CI/CD webhook triggers for re-audit

