Code audit & SAST
Source code audit, SAST scan, OWASP Top 10 review, supply chain (SBOM, dependencies), secrets, crypto, API security. CVSS-scored report with patches ready to commit. Semgrep, CodeQL, Snyk, SonarQube.
The context
In 2026, 70% of breaches go through application code: a forgotten SQL injection, an AWS secret committed in a legacy .env, a vulnerable dependency never bumped, a JWT signed in HS256 with an 8-char secret. Code is the largest attack surface — and the least audited in most teams.
The fundamentals are known: OWASP Top 10, ASVS, code review, dependency pinning, SAST/DAST in CI, no clear-text secrets, crypto via battle-tested libs. But between « we follow OWASP » and « we really reviewed every auth endpoint, every file parser, every eval call », there's a gulf. Devs ship features, not hardening.
We do the audit for you. Semgrep + CodeQL + Snyk + manual review on critical endpoints. Gitleaks on full git history. Trivy/Dependency-Track on images & SBOM. Actionable report, CVSS-classified, with patches ready to commit. Hardening PRs available if you want.
200+
SAST rules
Semgrep registry + CodeQL + OmniX AI custom rules covered
< 5d
Report timeline
Monorepo ~200k LOC audited in 5 business days
100%
Findings verified
Every vuln manually replayed before inclusion in the report
0
Silent false positive
We filter SAST noise before delivering anything to you
What we audit
The audit covers the full software surface: application, dependencies, secrets, crypto, auth, API.
The minimum baseline.
Injection (SQL, NoSQL, command, LDAP), Broken Access Control (IDOR, role bypass), Crypto Failures, SSRF, Insecure Design, Security Misconfiguration. Targeted manual review on sensitive endpoints + Semgrep/CodeQL scan.
SBOM, deps, CVEs.
SBOM generation (CycloneDX), direct & transitive dependency scan (Snyk, Trivy, Dependency-Track), typosquatted package detection, signature verification (Sigstore, npm provenance), version pinning.
No clear-text keys.
Full git history scan (gitleaks, TruffleHog), secret detection in config, env vars, Helm charts, Terraform state. Vault/Secrets Manager audit. Rotation recommendations and pre-commit hook setup.
Battle-tested algos, no DIY.
Audit of algorithm choices (signature, hash, KDF, symmetric/asymmetric encryption). Detection of MD5/SHA1, ECB, weak HS256 JWT, insecure RNG. Recommendation of Argon2, AES-GCM, Ed25519, libsodium/OpenSSL.
JWT, OAuth, sessions.
Review of OAuth 2.1, OIDC, SAML flows, refresh token handling, scopes, audience, expiration. Cookie audit (HttpOnly, Secure, SameSite), CSRF, fixation, replay. MFA and password policy validation.
REST, GraphQL, gRPC.
Endpoint review: rate limiting, input validation, mass assignment, IDOR, PII exposure. OWASP API Top 10. GraphQL: depth, complexity, batching attacks. gRPC: auth interceptor, mutual TLS.
Our approach
We scope the perimeter, scan, manually replay, attempt exploits, deliver a CVSS-classified report.
Scoping of repos to audit, languages, perimeter (auth, payment, upload, public API). Set up read-only access to code and git history. Definition of threat model tailored to the product.
Run Semgrep (OWASP rulesets, secrets, security-audit), CodeQL (compiled languages), Snyk (deps + container), Gitleaks (full git history), Trivy (images & IaC). Cross-reference findings. Filter false positives.
Targeted manual review on sensitive zones: auth endpoints, payment, file upload, parsers, system calls, deserialization. Full flow analysis (input → sink). Identification of logic bugs invisible to SAST.
For critical findings: exploitation PoC in isolated environment (sandbox, prod copy). Validation of real impact (RCE, data theft, privilege escalation). Reproduction steps documented.
Final report classified by CVSS + business impact. Each finding with: description, reproduction, impact, proposed patch (diff ready to commit when possible). Executive summary + 1h tech debrief + sequenced remediation plan.
Tools used
Mix of mature open-source SAST, commercial scanners, and manual review.
Multi-language SAST
Semgrep · SonarQube · CodeQL
Semgrep for fast custom rules (yaml). SonarQube for quality + security bugs. CodeQL (GitHub) for compiled languages and advanced data-flow analysis.
Dependencies & SBOM
Snyk · Trivy · Dependency-Track · Syft
Snyk for dep CVEs + licences. Trivy for Docker images and IaC. Dependency-Track to track SBOM over time. Syft generates SBOM in CycloneDX/SPDX.
Secrets scanning
gitleaks · TruffleHog · detect-secrets
gitleaks scans full git history (old commits). TruffleHog same + entropy detection. detect-secrets for CI/CD with baseline to avoid noise.
DAST & API
OWASP ZAP · Burp Suite · Nuclei
ZAP for automated DAST scan. Burp Suite for manual exploration + active scan. Nuclei for fast CVE templates against exposed API.
Container & IaC
Trivy · Checkov · Hadolint · Grype
Trivy scans images + filesystem. Checkov for Terraform/K8s manifests. Hadolint for Dockerfile best-practices. Grype as backup CVE scan.
Crypto & specific
cryptosense · jwt_tool · ssh-audit · sslyze
cryptosense to detect weak crypto usages. jwt_tool to stress-test JWTs. ssh-audit/sslyze for server-side TLS/SSH audit.
Measurable guarantees
100%
Critical files reviewed
Every file identified as sensitive (auth, payment, upload, crypto) is read manually, not just scanned.
< 5d
CVSS-scored report
Medium-size repo (up to 200k LOC) audited and report delivered within 5 business days after scoping.
0
Code exfiltrated
Read-only audit via dedicated access (deploy key, private fork). No code stored outside our hardened infra.
30 d
Re-scan included
30 days after delivery, free re-scan to validate that applied patches actually fix critical findings.
Tarieven
In plaats van abstracte pakketten passen we ons aan jouw context aan: scope, complexiteit, deadlines, beperkingen. Schrijf ons in 3 zinnen wat je wilt doen — we komen terug met een vaste offerte binnen 48 werkdaguren.
Antwoord binnen 48 werkdaguren Offerte aanvragen →Je e-mail staat klaar 🚀
We hebben je mailprogramma geopend met alles ingevuld. Klik op Versturen en het team reageert binnen 24 werkuren.
