A deterministic pipeline β from file intake to AI-verified, SPI-scored report, with Chain Analysis in between.
Collects and filters relevant files β skips binaries, media, build artifacts and vendor folders. Processes thousands of files without memory exhaustion.
Bandit, Semgrep, Gitleaks, Secret Detector, CICD Analyzer, IaC Scanner, Dependency Scanner, License Scanner, Bridge Detector, SAST Scanner, Slither β each engine contributes weighted findings.
Correlates findings across detectors. When a hardcoded secret (LOW) and a command injection (MEDIUM) exist in the same scope, they form a CRITICAL chain. Severity escalation ensures correlated risks are never underreported.
Context weighting (CORE / TEST / DOCS / INFRA), detector trust balancing, reachability scoring, and cross-detector consensus β producing a mathematically reproducible SPI from 0 to 100. Chain-escalated findings contribute with their escalated severity.
Top findings (including chain context) are sent to Gemini 2.5 Flash for verification. If daily quota is exhausted, Groq (Llama 3.3 70B) takes over automatically. Optional local LLM mode for airβgapped environments.
PDF Executive Summary β 7-page audit-ready document for SOC 2 readiness and cyber insurance underwriting. Includes Attack Path Analysis section (chain visualization), evidence appendix with source-level code context for every CRITICAL/HIGH finding, remediation roadmap, and attestation block.
Interactive HTML Report β Enterprise posture dashboard with SOC 2 / CIS / ISO 27001 control tags, AI analysis badges, collapsible chain cards, and reachability breakdown.
Machine-readable JSON β CI/CD gating with instance_count, chain block per finding (chain_id, chain_risk, original_severity, partner_finding_id), and attack_paths root object aggregating all chains.
Each detector contributes trust-weighted findings to the unified WSPM v2.2 score. Chain Analysis correlates findings across detectors.
Python-specific static analysis β injection, insecure crypto, unsafe deserialization, command execution.
Multi-language pattern matching β OWASP Top 10, custom rules, cross-file dataflow analysis.
Git history secret scanning β API keys, tokens, passwords committed at any point in history.
Entropy-based credential detection β finds secrets that pattern-matching tools miss.
GitHub Actions, GitLab CI, Jenkinsfile β unpinned actions, secret exposure, privilege escalation.
Kubernetes, Terraform, Docker β misconfigurations, privilege escalation, exposed ports.
CVE lookup for all dependencies β vulnerable packages, unpinned versions, supply chain risks.
OSS license compliance β GPL contamination, copyleft risks, license mismatches.
Proprietary rule engine β cross-file correlation, contextual risk assessment, custom policies.
Advanced static analysis β taint tracking, semantic rules, CWE-aligned classification.
Solidity smart contract analysis β reentrancy, overflow, access control, optional module.
A calibrated score 0β100 computed by WSPM v2.2 β context-weighted, detector-trusted, noise-normalized.
Chainβescalated findings contribute with their escalated severity, providing a more accurate risk picture.
Where context (CORE / TEST / DOCS / INFRA), detector trust, reachability, and cross-detector consensus are all factored in. Chain escalation updates the severity of participating findings before SPI calculation. K scales dynamically with project size to prevent noise amplification in large codebases.
Context Intelligence: Findings in test/, docs/, and examples/ directories are classified as NON_RUNTIME and excluded from SPI calculation by default. Detector fixture files are recognised as SETUP context β eliminating false severity inflation from non-production code.
If CRITICAL findings exist in production code (including chainβescalated CRITICAL), the effective grade is capped at C β regardless of the mathematical SPI score. This resolves the cognitive dissonance of a high SPI alongside a FAIL decision for CISO and underwriter audiences.
Every finding is automatically mapped to industry-standard controls. Reports include a framework_summary block ready for direct submission to SOC 2 auditors or cyber insurance underwriters.
This report does not constitute a formal SOC 2 audit opinion. For SOC 2 Type I/II certification, engage a licensed CPA firm. The PDF report format is designed to align with underwriting pre-assessment requirements from Marsh, Aon, At-Bay, and Coalition.
Each license is cryptographically tied to your machine's hardware identifier. Non-transferable by design.
Run this on every machine where Auditor Core will be deployed:
Email your Machine ID to [email protected]. You will receive a License Key unique to that machine.
The provisioning script handles everything interactively: virtual environment, dependencies, Docker PostgreSQL, and environment configuration.
No. The engine operates fully offline. Data is stored only in the local PostgreSQL instance. The only outbound connection is to the Gemini or Groq API if AI advisory is enabled and explicitly configured by you. Local LLM mode requires no outbound calls.
Chain Analysis correlates findings that together form a complete attack path (e.g., hardcoded secret + command injection). When a chain is detected, all participating findings are escalated to the chain's resulting risk level (typically CRITICAL). This prevents underreporting of correlated risks. Chains are visualized in all report formats and included in the JSON output.
Groq (Llama 3.3 70B Versatile) automatically takes over for remaining chunks β no manual intervention needed. If both are unavailable, all deterministic findings, chain analysis, SPI scoring, and reports are produced without interruption.
Docker is required for the PostgreSQL database used for baseline tracking and audit history. The scanning engine itself runs in the Python virtual environment.
Auditor Core is a deep audit engine β run on demand to produce comprehensive posture reports. Sentinel Core is a real-time enforcement system that intercepts every commit. Sentinel Core uses Auditor Core internally as its scanning engine.
Yes. The JSON report is machine-readable and designed for downstream integration with SIEM platforms, dashboards, and CI/CD quality gates. Each finding includes a chain block where applicable, and the root contains an attack_paths array aggregating all chains.
Yes β as supporting evidence for pre-assessment and gap analysis. The report includes SOC 2 TSC control mappings, an evidence appendix with source-level code context for every CRITICAL/HIGH finding, an attack path analysis section (chains), and a remediation roadmap. It does not constitute a formal audit opinion. For SOC 2 Type I/II certification, engage a licensed CPA firm.
Yes. The report format is designed to align with underwriting pre-assessment requirements from Marsh, Aon, At-Bay, and Coalition. The framework_summary block in JSON aggregates which controls are triggered across all findings β ready for direct submission.
Set ai.mode: "local" in audit-config.yml and provide a model path (e.g., /models/your-model.gguf). Auditor Core will run AI validation entirely on your machine β no outbound calls, no data leaving your environment. Ideal for airβgapped or highβsensitivity deployments.