Code audit & SAST

Your code, read. Line by line. No mercy.

Source code audit, SAST scan, OWASP Top 10 review, supply chain (SBOM, dependencies), secrets, crypto, API security. CVSS-scored report with patches ready to commit. Semgrep, CodeQL, Snyk, SonarQube.

  • OWASP Top 10 · ASVS · CWE
  • Semgrep · CodeQL · Snyk · SonarQube
  • Supply chain · SBOM · CVE tracking
  • CVSS-scored report + patches

The context

The average vuln sits in your code for 270 days before it is found.

In 2026, 70% of breaches go through application code: a forgotten SQL injection, an AWS secret committed in a legacy .env, a vulnerable dependency never bumped, a JWT signed in HS256 with an 8-char secret. Code is the largest attack surface — and the least audited in most teams.

The fundamentals are known: OWASP Top 10, ASVS, code review, dependency pinning, SAST/DAST in CI, no clear-text secrets, crypto via battle-tested libs. But between « we follow OWASP » and « we really reviewed every auth endpoint, every file parser, every eval call », there's a gulf. Devs ship features, not hardening.

We do the audit for you. Semgrep + CodeQL + Snyk + manual review on critical endpoints. Gitleaks on full git history. Trivy/Dependency-Track on images & SBOM. Actionable report, CVSS-classified, with patches ready to commit. Hardening PRs available if you want.

  • 200+ SAST rules: Semgrep registry + CodeQL + OmniX AI custom rules covered
  • < 5d report timeline: monorepo of ~200k LOC audited in 5 business days
  • 100% findings verified: every vuln manually replayed before inclusion in the report
  • 0 silent false positives: we filter SAST noise before delivering anything to you

What we audit

Six code review axes.

The audit covers the full software surface: application, dependencies, secrets, crypto, auth, API.

OWASP Top 10

The minimum baseline.

Injection (SQL, NoSQL, command, LDAP), Broken Access Control (IDOR, role bypass), Crypto Failures, SSRF, Insecure Design, Security Misconfiguration. Targeted manual review on sensitive endpoints + Semgrep/CodeQL scan.

Supply chain

SBOM, deps, CVEs.

SBOM generation (CycloneDX), direct & transitive dependency scan (Snyk, Trivy, Dependency-Track), typosquatted package detection, signature verification (Sigstore, npm provenance), version pinning.
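As an added example (not the firm's tooling), a small CycloneDX checker in Python: it matches components against an advisory feed keyed by version-less purl and flags declared version ranges that are not pins. The SBOM, the feed and its advisory id are constructed for the example; Syft's real output carries many more fields.

```python
import json
import re

# Added example, not the firm's own tooling: audits a CycloneDX JSON SBOM
# (the format Syft emits) against an advisory feed keyed by version-less purl
# and flags components whose declared version is a range rather than a pin.
# The SBOM, the feed and its advisory id are constructed for this example.
SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "lodash", "version": "4.17.15",
     "purl": "pkg:npm/lodash@4.17.15"},
    {"type": "library", "name": "requests", "version": "2.31.0",
     "purl": "pkg:pypi/requests@2.31.0"},
    {"type": "library", "name": "left-pad", "version": "^1.3.0",
     "purl": "pkg:npm/left-pad"}
  ]
}""")
# version-less purl -> [(first fixed version, advisory id)]; constructed feed
ADVISORIES = {"pkg:npm/lodash": [("4.17.21", "CVE-0000-EXAMPLE")]}
PINNED = re.compile(r"^\d+(\.\d+)*$")  # exact dotted version, no ^ ~ >= ranges


def _vtuple(v):
    return tuple(int(x) for x in v.split("."))


def audit_sbom(sbom, advisories):
    """Return {'vulnerable': [(name, version, id, fixed_in)], 'unpinned': [(name, version)]}."""
    report = {"vulnerable": [], "unpinned": []}
    for comp in sbom.get("components", []):
        name, version = comp.get("name"), comp.get("version", "")
        if not PINNED.match(version):
            report["unpinned"].append((name, version))
            continue
        # purl percent-encodes '@' in scoped names, so the first '@' ends the base
        base = comp.get("purl", "").split("@", 1)[0]
        for fixed_in, adv_id in advisories.get(base, []):
            if _vtuple(version) < _vtuple(fixed_in):
                report["vulnerable"].append((name, version, adv_id, fixed_in))
    return report
```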

Secrets scanning

No clear-text keys.

Full git history scan (gitleaks, TruffleHog), secret detection in config, env vars, Helm charts, Terraform state. Vault/Secrets Manager audit. Rotation recommendations and pre-commit hook setup.

Crypto review

Battle-tested algos, no DIY.

Audit of algorithm choices (signature, hash, KDF, symmetric/asymmetric encryption). Detection of MD5/SHA1, ECB, weak HS256 JWT, insecure RNG. Recommendation of Argon2, AES-GCM, Ed25519, libsodium/OpenSSL.
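An added example, not code from the page or the firm: the detections listed above expressed as a small Python AST check of the kind a Semgrep rule would encode. The sample source at the bottom is constructed; the 32-byte floor for HS256 secrets follows RFC 7518.

```python
import ast

# Added example, not the firm's own tooling: a miniature AST check in the spirit
# of a Semgrep rule, flagging the weak-crypto patterns named above in Python
# source (hashlib.md5/sha1, AES in ECB mode, HS256 JWTs with a short literal
# secret, the non-cryptographic random module used for codes or tokens).
WEAK_HASHES = {"md5", "sha1"}
INSECURE_RNG = {"random", "randint", "choice", "getrandbits"}

def _dotted(node):  # 'a.b.c' for a Name/Attribute chain, None for anything else
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def _arg(call, index, keyword):  # positional argument, else keyword, else None
    if len(call.args) > index:
        return call.args[index]
    return next((k.value for k in call.keywords if k.arg == keyword), None)

def audit_source(src):
    """Return [(lineno, message)] for weak-crypto call patterns found in src."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted(node.func) or ""
        mod, _, attr = name.partition(".")
        if mod == "hashlib" and attr in WEAK_HASHES:
            findings.append((node.lineno, f"weak hash {name}"))
        elif name == "AES.new" and _dotted(_arg(node, 1, "mode")) == "AES.MODE_ECB":
            findings.append((node.lineno, "AES in ECB mode"))
        elif name == "jwt.encode":
            alg, key = _arg(node, 2, "algorithm"), _arg(node, 1, "key")
            if (isinstance(alg, ast.Constant) and alg.value == "HS256"
                    and isinstance(key, ast.Constant) and len(str(key.value)) < 32):
                findings.append((node.lineno, "HS256 JWT with short literal secret"))
        elif mod == "random" and attr in INSECURE_RNG:
            findings.append((node.lineno, f"non-cryptographic RNG {name}"))
    return sorted(findings)  # ast.walk is breadth-first, so order by line

SAMPLE = """h = hashlib.md5(password).hexdigest()
c = AES.new(key, AES.MODE_ECB)
t = jwt.encode(claims, "s3cret", algorithm="HS256")
code = random.randint(100000, 999999)
"""  # constructed sample source, not real project code
```

Secrets pulled from variables or `from hashlib import md5` style imports are out of scope here; that is the data-flow work CodeQL is used for on the page.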

Auth & session

JWT, OAuth, sessions.

Review of OAuth 2.1, OIDC, SAML flows, refresh token handling, scopes, audience, expiration. Cookie audit (HttpOnly, Secure, SameSite), CSRF, fixation, replay. MFA and password policy validation.

API security

REST, GraphQL, gRPC.

Endpoint review: rate limiting, input validation, mass assignment, IDOR, PII exposure. OWASP API Top 10. GraphQL: depth, complexity, batching attacks. gRPC: auth interceptor, mutual TLS.

Our approach

Five steps, from scoping to prioritised report.

We scope the perimeter, scan, manually replay, attempt exploits, and deliver a CVSS-classified report.

01 · Scoping (2 d)

Scoping of repos to audit, languages, perimeter (auth, payment, upload, public API). Set up read-only access to code and git history. Definition of threat model tailored to the product.

Deliverable: signed perimeter + threat model + audit plan

02 · Static analysis (2-3 d)

Run Semgrep (OWASP rulesets, secrets, security-audit), CodeQL (compiled languages), Snyk (deps + container), Gitleaks (full git history), Trivy (images & IaC). Cross-reference findings. Filter false positives.

Deliverable: raw findings + CVSS scoring + filtered false positives

03 · Manual review (3-5 d)

Targeted manual review on sensitive zones: auth endpoints, payment, file upload, parsers, system calls, deserialization. Full flow analysis (input → sink). Identification of logic bugs invisible to SAST.

Deliverable: manual findings + data flow mapping

04 · Exploit attempts (1-2 d)

For critical findings: exploitation PoC in isolated environment (sandbox, prod copy). Validation of real impact (RCE, data theft, privilege escalation). Reproduction steps documented.

Deliverable: verified PoCs + impact proofs

05 · Prioritised report (1-2 d)

Final report classified by CVSS + business impact. Each finding with: description, reproduction, impact, proposed patch (diff ready to commit when possible). Executive summary + 1h tech debrief + sequenced remediation plan.

Deliverable: CVSS-scored report + patches + debrief

Tools used

The tools we actually use.

Mix of mature open-source SAST, commercial scanners, and manual review.

Multi-language SAST

Semgrep · SonarQube · CodeQL

Semgrep for fast custom rules (yaml). SonarQube for quality + security bugs. CodeQL (GitHub) for compiled languages and advanced data-flow analysis.

Dependencies & SBOM

Snyk · Trivy · Dependency-Track · Syft

Snyk for dep CVEs + licences. Trivy for Docker images and IaC. Dependency-Track to track SBOM over time. Syft generates SBOM in CycloneDX/SPDX.

Secrets scanning

gitleaks · TruffleHog · detect-secrets

gitleaks scans the full git history (old commits included). TruffleHog does the same and adds entropy-based detection. detect-secrets runs in CI/CD with a baseline file to avoid noise.
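An added example covering both the secrets-scanning axis above and the three approaches these tools represent (not the firm's or the tools' own code): pattern matching for known key formats, Shannon entropy on values assigned to secret-looking names, and a hashed baseline to suppress already-triaged hits. The .env sample is constructed; the AKIA id is AWS's documented example value.

```python
import hashlib
import math
import re

# Added example, not the firm's own tooling: a minimal secrets scanner
# combining known-format patterns (gitleaks style), Shannon entropy on
# values assigned to secret-looking names (TruffleHog style), and a baseline
# of already-triaged fingerprints (detect-secrets style) to suppress noise.
PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
ASSIGN = re.compile(r"""^\s*([A-Za-z_][A-Za-z0-9_]*)\s*[=:]\s*["']?([^"'\s#]+)""")
SECRET_NAME = re.compile(r"secret|token|password|passwd|api_?key", re.I)


def shannon_entropy(s):
    """Bits of entropy per character of s (0 for empty input)."""
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)


def fingerprint(value):  # the baseline stores hashes, never the secret itself
    return hashlib.sha256(value.encode()).hexdigest()


def scan(text, baseline=frozenset(), entropy_threshold=3.5, min_len=16):
    """Return [(lineno, rule, value)] for likely secrets not in the baseline."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hit = None
        for rule, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                hit = (rule, m.group(0))
                break
        if hit is None:  # no known format: fall back to name + entropy heuristic
            m = ASSIGN.match(line)
            if m and SECRET_NAME.search(m.group(1)):
                value = m.group(2)
                if len(value) >= min_len and shannon_entropy(value) >= entropy_threshold:
                    hit = ("high-entropy-assignment", value)
        if hit and fingerprint(hit[1]) not in baseline:
            findings.append((lineno, hit[0], hit[1]))
    return findings


SAMPLE = """DB_HOST=db.internal
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
API_TOKEN=hunter2
SESSION_SECRET=Zq8vN2pL7xK4wR9tB1mC6yH3
"""  # constructed .env, not real credentials; API_TOKEN is too short for the entropy rule
```

The short `hunter2` token slipping past the entropy rule is the kind of weak-but-low-entropy secret that only word lists or manual review catch, which is why the page pairs scanners with a human pass.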

DAST & API

OWASP ZAP · Burp Suite · Nuclei

ZAP for automated DAST scans. Burp Suite for manual exploration + active scan. Nuclei for fast CVE templates against exposed APIs.

Container & IaC

Trivy · Checkov · Hadolint · Grype

Trivy scans images + filesystem. Checkov for Terraform/K8s manifests. Hadolint for Dockerfile best practices. Grype as a backup CVE scan.

Crypto & specific

cryptosense · jwt_tool · ssh-audit · sslyze

cryptosense to detect weak crypto usage. jwt_tool to stress-test JWTs. ssh-audit/sslyze for server-side TLS/SSH audit.

Measurable guarantees

Four contractual commitments.

  • 100% critical files reviewed: every file identified as sensitive (auth, payment, upload, crypto) is read manually, not just scanned.
  • < 5d CVSS-scored report: medium-size repo (up to 200k LOC) audited and report delivered within 5 business days after scoping.
  • 0 code exfiltrated: read-only audit via dedicated access (deploy key, private fork). No code stored outside our hardened infra.
  • 30 d re-scan included: 30 days after delivery, free re-scan to validate that applied patches actually fix critical findings.

Pricing

Every project is unique. So is the quote.

Rather than abstract packages, we adapt to your context: scope, complexity, deadlines, constraints. Tell us in 3 sentences what you want to do, and we come back with a firm quote within 48 business hours.

Response within 48 business hours · Request a quote