A deterministic pipeline, from file intake to an AI-verified, SPI-scored report.
Collects and filters relevant files: skips binaries, media, build artifacts and vendor folders. Processes thousands of files without memory exhaustion.
Bandit, Semgrep, Gitleaks, Secret Detector, CICD Analyzer, IaC Scanner, Dependency Scanner, License Scanner, Bridge Detector, SAST Scanner, Slither: each engine contributes weighted findings.
Context weighting (CORE / TEST / DOCS / INFRA), detector trust balancing, reachability scoring, and cross-detector consensus, producing a reproducible SPI from 0 to 100.
Top findings are sent to Gemini 2.5 Flash for verification. If the daily quota is exhausted, Groq (Llama 3.3 70B) takes over automatically, with no manual intervention required.
PDF Executive Summary: a 7-page audit-ready document for SOC 2 readiness and cyber insurance underwriting (Marsh, Aon, At-Bay, Coalition). Includes an evidence appendix with source-level code context for every CRITICAL/HIGH finding, a remediation roadmap, and an attestation block with signature lines.
Interactive HTML Report: an enterprise posture dashboard with SOC 2 / CIS / ISO 27001 control tags, AI analysis badges (AI VERIFIED / AI FALSE POSITIVE), and a reachability breakdown.
Machine-readable JSON: CI/CD gating with instance_count, instance_lines and compliance_mapping per finding, plus a framework_summary block for direct SIEM integration.
Each detector contributes trust-weighted findings to the unified WSPM v2.2 score.
Python-specific static analysis: injection, insecure crypto, unsafe deserialization, command execution.
Multi-language pattern matching: OWASP Top 10, custom rules, cross-file dataflow analysis.
Git history secret scanning: API keys, tokens and passwords committed at any point in history.
Entropy-based credential detection: finds secrets that pattern-matching tools miss.
GitHub Actions, GitLab CI, Jenkinsfile: unpinned actions, secret exposure, privilege escalation.
Kubernetes, Terraform, Docker: misconfigurations, privilege escalation, exposed ports.
CVE lookup for all dependencies: vulnerable packages, unpinned versions, supply chain risks.
OSS license compliance: GPL contamination, copyleft risks, license mismatches.
Proprietary rule engine: cross-file correlation, contextual risk assessment, custom policies.
Advanced static analysis: taint tracking, semantic rules, CWE-aligned classification.
Solidity smart contract analysis (optional module): reentrancy, overflow, access control.
A calibrated score from 0 to 100 computed by WSPM v2.2: context-weighted, detector-trusted, noise-normalized.
Context (CORE / TEST / DOCS / INFRA), detector trust, reachability, and cross-detector consensus are all factored in. K scales dynamically with project size to prevent noise amplification in large codebases.
Context Intelligence: findings in test/, docs/, and examples/ directories are classified as NON_RUNTIME and excluded from the SPI calculation by default. Detector fixture files are recognised as SETUP context, eliminating false severity inflation from non-production code.
If CRITICAL findings exist in production code, the effective grade is capped at C, regardless of the raw SPI score. This removes the inconsistency of a high SPI alongside a FAIL decision for CISO and underwriter audiences.
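As an added example (not Auditor Core's own code), the script below shows how a CI job could consume the JSON report described above: it skips NON_RUNTIME contexts, blocks on CRITICAL/HIGH findings in production code, and applies the grade-cap-at-C rule. Only the field names instance_count, instance_lines, compliance_mapping and framework_summary come from the report description; the rest of the schema (spi, grade, findings with id/severity/context/path) and the A-to-F letter scale are assumptions.

```python
import json
import sys

# Constructed sample report with an assumed schema. Only instance_count,
# instance_lines, compliance_mapping and framework_summary are documented fields.
SAMPLE_REPORT = json.dumps({
    "spi": 91,
    "grade": "A",
    "findings": [
        {"id": "F-001", "severity": "CRITICAL", "context": "CORE",
         "path": "app/db.py", "instance_count": 2, "instance_lines": [41, 87],
         "compliance_mapping": ["SOC2:CC6.1", "CIS:16.11"]},
        {"id": "F-002", "severity": "HIGH", "context": "TEST",
         "path": "tests/fixtures.py", "instance_count": 1, "instance_lines": [12],
         "compliance_mapping": ["SOC2:CC6.1"]},
        {"id": "F-003", "severity": "MEDIUM", "context": "INFRA",
         "path": "deploy/k8s.yaml", "instance_count": 3, "instance_lines": [5, 9, 22],
         "compliance_mapping": ["CIS:5.2"]},
    ],
    "framework_summary": {"SOC2": ["CC6.1"], "CIS": ["16.11", "5.2"]},
})

RUNTIME_CONTEXTS = {"CORE", "INFRA"}     # TEST / DOCS are NON_RUNTIME and skipped
GRADE_ORDER = ["A", "B", "C", "D", "F"]   # assumed letter scale, best grade first
BLOCKING = {"CRITICAL", "HIGH"}           # gate policy chosen for this example

def effective_grade(grade, has_runtime_critical):
    """Cap the grade at C when CRITICAL findings exist in production code."""
    if has_runtime_critical and GRADE_ORDER.index(grade) < GRADE_ORDER.index("C"):
        return "C"
    return grade

def evaluate(report_json):
    """Return the gate decision plus the evidence a reviewer needs to act on it."""
    report = json.loads(report_json)
    runtime = [f for f in report["findings"] if f["context"] in RUNTIME_CONTEXTS]
    blocking = [f for f in runtime if f["severity"] in BLOCKING]
    has_critical = any(f["severity"] == "CRITICAL" for f in runtime)
    grade = effective_grade(report["grade"], has_critical)
    instances = sum(f["instance_count"] for f in blocking)
    return {"decision": "FAIL" if blocking else "PASS", "effective_grade": grade,
            "blocking_ids": [f["id"] for f in blocking], "blocking_instances": instances,
            "controls": sorted({c for f in blocking for c in f["compliance_mapping"]})}

if __name__ == "__main__":
    result = evaluate(SAMPLE_REPORT)
    print(json.dumps(result, indent=2))
    sys.exit(1 if result["decision"] == "FAIL" else 0)
```

In the sample, the HIGH finding under tests/ is ignored, while the single CRITICAL in app/db.py fails the gate and pulls the A grade down to C.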
Every finding is automatically mapped to industry-standard controls. Reports include a framework_summary block ready for direct submission to SOC 2 auditors or cyber insurance underwriters.
This report does not constitute a formal SOC 2 audit opinion. For SOC 2 Type I/II certification, engage a licensed CPA firm. The PDF report format is designed to align with underwriting pre-assessment requirements from Marsh, Aon, At-Bay, and Coalition.
Each license is cryptographically tied to your machine's hardware identifier. Non-transferable by design.
Run this on every machine where Auditor Core will be deployed:
Email your Machine ID to [email protected]. You will receive a License Key unique to that machine.
The provisioning script handles everything interactively: virtual environment, dependencies, Docker PostgreSQL, and environment configuration.
No. The engine operates offline by default. Data is stored only in the local PostgreSQL instance. The only outbound connection is to the Gemini or Groq API, and only if AI advisory is enabled and explicitly configured by you.
Groq (Llama 3.3 70B Versatile) automatically takes over for the remaining chunks, with no manual intervention needed. If both are unavailable, all deterministic findings, SPI scoring, and reports are still produced without interruption.
Docker is required for the PostgreSQL database used for baseline tracking and audit history. The scanning engine itself runs in the Python virtual environment.
Auditor Core is a deep audit engine โ run on demand to produce comprehensive posture reports. Sentinel Core is a real-time enforcement system that intercepts every commit. Sentinel Core uses Auditor Core internally as its scanning engine.
Yes. The JSON report is machine-readable and designed for downstream integration with SIEM platforms, dashboards, and CI/CD quality gates.
Yes, as supporting evidence for pre-assessment and gap analysis. The report includes SOC 2 TSC control mappings, an evidence appendix with source-level code context for every CRITICAL/HIGH finding, and a remediation roadmap. It does not constitute a formal audit opinion. For SOC 2 Type I/II certification, engage a licensed CPA firm.
Yes. The report format is designed to align with underwriting pre-assessment requirements from Marsh, Aon, At-Bay, and Coalition. The framework_summary block in the JSON aggregates which controls are triggered across all findings, ready for direct submission.