Auditor Core v2.2.1: Engine Methodology

Security Audit Methodology

Applied strictly to authorized scopes, public repositories, and environments explicitly permitted by the client. All research follows Coordinated Disclosure principles: no exploitation, no disruption, no access to production systems.

11 Detectors · WSPM v2.2 Scoring · Chain Analysis · AI (Gemini + Groq + Local) · 0 Telemetry

Seven-Phase Audit Process

Every Auditor Core scan follows the same reproducible six-phase pipeline, deterministic by design, with Chain Analysis integrated directly after multi-engine scanning. The seventh phase, human validation, is part of the professional Audit Service only.

PHASE 01

Reconnaissance

Before running any scanner, we map the digital territory: trust boundaries, hidden entry points, third-party integrations.

  • Repository structure analysis: files, folders, CI/CD configs
  • GitHub Actions, GitLab CI, Jenkinsfile workflow mapping
  • Third-party integrations and webhook exposure
  • Exclusion of media, build artifacts, and vendor directories
PHASE 02

Multi-Engine Scanning

Auditor Core v2.2.1 deploys all 11 detectors in parallel. Each engine covers a distinct threat class.

  • Bandit: Python SAST (injection, crypto misuse, subprocess risks)
  • Semgrep: multi-language SAST (XSS, SQLi, command injection)
  • Gitleaks: secrets across the full git history
  • Secret Detector: 30+ patterns across all file types
  • CICD Analyzer: unpinned actions, privileged runners
  • IaC Scanner: Terraform, Docker, Kubernetes, Helm
  • Dependency + License Scanner: known CVEs, copyleft exposure
  • Bridge + SAST Scanner: cross-repo exposure, logic flaws
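As an added illustration of what the CICD Analyzer's "unpinned actions, privileged runners" checks amount to (example code written for this page, not Auditor Core's own detector), the following Python walks a GitHub Actions workflow line by line and flags mutable action references, container actions without a digest, `permissions: write-all`, and a pull_request_target workflow that checks out the untrusted PR head. The rule IDs, severities and the sample workflow are assumptions made for the example; the checks themselves follow standard hardening advice (pin third-party actions to a full commit SHA, keep tokens least-privileged, never run PR-controlled code under pull_request_target).

```python
"""Detector sketch for GitHub Actions workflows: unpinned action references
and over-privileged pull_request_target workflows.

Added example, not Auditor Core's CICD Analyzer. Rule IDs, severities and the
sample workflow below are constructed for the illustration.
"""
import re

SHA40_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)""")
WRITE_ALL_RE = re.compile(r"""^\s*permissions:\s*['"]?write-all['"]?\s*$""")
PR_TARGET_RE = re.compile(r"\bpull_request_target\b")
PR_HEAD_RE = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")


def check_uses(ref: str):
    """Return (rule_id, severity, message) if a `uses:` target is mutable, else None."""
    if ref.startswith(("./", "../")):
        return None  # local action: versioned with the repository itself
    if ref.startswith("docker://"):
        if "@sha256:" in ref:
            return None
        return ("CICD_UNPINNED_IMAGE", "MEDIUM", f"{ref} is not pinned by digest")
    if "@" not in ref:
        return ("CICD_UNPINNED_ACTION", "MEDIUM", f"{ref} carries no ref at all")
    action, version = ref.rsplit("@", 1)
    if SHA40_RE.match(version):
        return None
    return ("CICD_UNPINNED_ACTION", "MEDIUM",
            f"{action} pinned to mutable ref '{version}', not a full commit SHA")


def scan_workflow(text: str, path: str = ".github/workflows/ci.yml") -> list:
    """Walk a workflow file and emit findings with line numbers."""
    findings = []
    uses_pr_target = False
    pr_head_line = None

    def emit(rule, severity, line, message):
        findings.append({"rule_id": rule, "severity": severity, "path": path,
                         "line": line, "message": message})

    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            hit = check_uses(m.group(1))
            if hit:
                emit(hit[0], hit[1], lineno, hit[2])
        if WRITE_ALL_RE.match(line):
            emit("CICD_WRITE_ALL_PERMISSIONS", "HIGH", lineno,
                 "workflow token granted write access to every scope")
        if PR_TARGET_RE.search(line):
            uses_pr_target = True
        if PR_HEAD_RE.search(line) and pr_head_line is None:
            pr_head_line = lineno

    # pull_request_target runs with a write token and repository secrets, so
    # checking out the PR head executes untrusted code with those privileges.
    if uses_pr_target and pr_head_line is not None:
        emit("CICD_PR_TARGET_UNTRUSTED_CHECKOUT", "CRITICAL", pr_head_line,
             "pull_request_target workflow checks out the untrusted PR head")
    return findings


# Constructed sample workflow exercising every rule above (the SHA is made up).
SAMPLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/lint
      - uses: docker://alpine:3.19
      - run: make test
"""

if __name__ == "__main__":
    for f in scan_workflow(SAMPLE_WORKFLOW):
        print(f"{f['severity']:<8} {f['rule_id']:<36} line {f['line']}: {f['message']}")
```

Running it against the constructed workflow yields four findings: the write-all permissions line, the tag-pinned checkout, the undigested container image, and the CRITICAL pull_request_target checkout; the SHA-pinned setup-python step and the local action are left alone.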
PHASE 03

Chain Analysis (Attack Paths)

Correlates findings across detectors. A hardcoded secret (LOW) feeding a command injection (MEDIUM) becomes a CRITICAL chain. Severity escalation prevents underreporting.

  • Multi-step attack path detection
  • Severity escalation (LOW → CRITICAL) applied before SPI calculation
  • Chain-aware AI: receives the full attack path as context for its verdict
  • JSON output includes a chain block per finding plus an attack_paths root object
  • PDF Attack Path Appendix with visual chain diagram
🔗 Chain detected: SECRET_HIGH_ENTROPY (LOW) + SAST_COMMAND_INJECTION (MEDIUM) → CRITICAL escalation | Chain ID: CHAIN_0001
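A worked version of the chain rule shown above, added here as example code rather than Auditor Core's own engine: findings from different detectors are grouped by module, matched against a deterministic (source rule, sink rule) table, and each matched pair is escalated and emitted under an attack_paths root with a chain block on every member. The Finding fields, the "same directory" definition of a module, and the rule table are assumptions for the illustration; the real rules live in the chaining block of audit-config.yml.

```python
"""Deterministic chain correlation over per-detector findings.

Added example, not Auditor Core's own chain engine. Assumptions: a finding
carries rule_id, severity, path, line and detector; a "module" is the
directory holding the file; the rule table is constructed for this example.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Optional

SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}

# (source rule, sink rule) -> severity of the resulting chain.
# Matching is exact string equality on rule IDs, never probabilistic.
CHAIN_RULES = {
    ("SECRET_HIGH_ENTROPY", "SAST_COMMAND_INJECTION"): "CRITICAL",
    ("SECRET_HIGH_ENTROPY", "SAST_SQL_INJECTION"): "HIGH",
}


@dataclass
class Finding:
    rule_id: str
    severity: str
    path: str
    line: int
    detector: str
    chain: Optional[dict] = None  # set when the finding joins a chain

    @property
    def effective_severity(self) -> str:
        """Escalated severity if chained; escalation never lowers a severity."""
        if self.chain and SEVERITY_RANK[self.chain["severity"]] > SEVERITY_RANK[self.severity]:
            return self.chain["severity"]
        return self.severity


def module_of(path: str) -> str:
    return str(PurePosixPath(path).parent)


def detect_chains(findings: list[Finding]) -> list[dict]:
    """Pair source and sink findings within one module; return the attack_paths root."""
    by_module: dict[str, list[Finding]] = defaultdict(list)
    for f in findings:
        by_module[module_of(f.path)].append(f)

    attack_paths: list[dict] = []
    for module in sorted(by_module):  # sorted iteration keeps chain IDs reproducible
        group = by_module[module]
        for (src_rule, sink_rule), chain_sev in CHAIN_RULES.items():
            sources = [f for f in group if f.rule_id == src_rule]
            sinks = [f for f in group if f.rule_id == sink_rule]
            for src in sources:
                for sink in sinks:
                    chain_id = f"CHAIN_{len(attack_paths) + 1:04d}"
                    attack_paths.append({
                        "id": chain_id,
                        "module": module,
                        "severity": chain_sev,
                        "steps": [
                            {"rule_id": f.rule_id, "path": f.path, "line": f.line,
                             "original_severity": f.severity}
                            for f in (src, sink)
                        ],
                    })
                    # Each member gets a chain block; if a finding sits in several
                    # chains, the most severe one wins.
                    for member in (src, sink):
                        if member.chain is None or \
                           SEVERITY_RANK[chain_sev] > SEVERITY_RANK[member.chain["severity"]]:
                            member.chain = {"id": chain_id, "severity": chain_sev}
    return attack_paths


def report_block(findings: list[Finding], attack_paths: list[dict]) -> dict:
    """JSON shape: a chain block per finding plus the attack_paths root object."""
    return {
        "findings": [
            {"rule_id": f.rule_id, "detector": f.detector, "path": f.path, "line": f.line,
             "severity": f.effective_severity, "original_severity": f.severity,
             "chain": f.chain}
            for f in findings
        ],
        "attack_paths": attack_paths,
    }


if __name__ == "__main__":
    import json
    # Constructed findings: the page's own LOW + MEDIUM pair, plus a sink in a
    # module with no secret nearby and therefore no chain.
    sample = [
        Finding("SECRET_HIGH_ENTROPY", "LOW", "app/config.py", 12, "secret_detector"),
        Finding("SAST_COMMAND_INJECTION", "MEDIUM", "app/runner.py", 40, "semgrep"),
        Finding("SAST_COMMAND_INJECTION", "MEDIUM", "tools/build.py", 8, "bandit"),
    ]
    print(json.dumps(report_block(sample, detect_chains(sample)), indent=2))
```

The point of iterating modules in sorted order is reproducibility: the same repository state must always yield CHAIN_0001 for the same pair, otherwise diffs between two scans become noise.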
PHASE 04

AI False-Positive Filter

Top findings (including chain context) are sent to the AI layer for contextual verification, eliminating noise before scoring.

  • Gemini 2.5 Flash: primary AI engine
  • Groq (Llama 3.3 70B): automatic fallback when the primary quota is exhausted
  • Local LLM mode: llama.cpp, fully offline, air-gap ready
  • Chain-aware AI: receives full attack path context
  • Each finding verdict: AI VERIFIED or AI FALSE POSITIVE
  • AI unavailable → core scan continues without enrichment
Flow: Chain + Findings → Gemini → Groq (fallback) → Chain-Aware Verdict
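The two properties a practitioner should check in this phase are what actually leaves the host and what happens when a provider fails. The Python below (an added example, not the project's AI layer) builds the request from an explicit allowlist of finding fields so the matched text never travels, walks an ordered provider list catching a quota or availability error, accepts only the two documented verdict strings, and leaves everything else UNVERIFIED so the scan can continue without enrichment. Provider clients are stand-in callables so it runs offline; the field names, the `match` field and the `ProviderUnavailable` error are assumptions.

```python
"""Payload minimisation and provider fallback for the AI false-positive filter.

Added example, not Auditor Core's AI layer. Assumptions: findings are dicts
with an "id" plus rule_id/severity/path/line/detector, an optional "chain"
block and a detector-supplied "match" holding the flagged text; provider
clients are callables (the real engine talks to Gemini, Groq or local llama.cpp).
"""
SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}

# Only these keys ever leave the host for a hosted model. The matched text,
# secret values and surrounding source are deliberately absent.
AI_ALLOWED_FIELDS = ("id", "rule_id", "severity", "path", "line", "detector", "chain")
VERDICTS = {"AI VERIFIED", "AI FALSE POSITIVE"}


class ProviderUnavailable(Exception):
    """Raised by a provider client on quota exhaustion, timeout or missing key."""


def effective_rank(f: dict) -> int:
    chain = f.get("chain")
    rank = SEVERITY_RANK[f["severity"]]
    return max(rank, SEVERITY_RANK[chain["severity"]]) if chain else rank


def build_ai_payload(findings: list, attack_paths: list, top_n: int = 10) -> dict:
    """Top findings by effective severity, reduced to allowlisted metadata."""
    top = sorted(findings, key=effective_rank, reverse=True)[:top_n]
    return {
        "findings": [{k: f[k] for k in AI_ALLOWED_FIELDS if k in f} for f in top],
        "attack_paths": attack_paths,  # chain context is metadata-only already
    }


def normalise_verdicts(raw: dict) -> dict:
    """Accept only the two documented verdict strings, so a model cannot invent a
    third state or flip a finding through a near-miss spelling."""
    return {fid: v for fid, v in raw.items() if v in VERDICTS}


def verify_with_fallback(payload: dict, providers: list):
    """providers: ordered (name, callable) pairs, e.g. Gemini, then Groq, then local.
    Returns (provider_name, verdicts); (None, {}) if every provider is down, in which
    case the core scan continues without enrichment."""
    for name, call in providers:
        try:
            return name, normalise_verdicts(call(payload))
        except ProviderUnavailable:
            continue
    return None, {}


def apply_verdicts(findings: list, verdicts: dict) -> list:
    """Findings the AI never saw, or answered outside the vocabulary, stay UNVERIFIED."""
    for f in findings:
        f["ai_verdict"] = verdicts.get(f["id"], "UNVERIFIED")
    return findings


# Constructed stand-ins for provider clients, so the example runs offline.
def stub_quota_exhausted(_payload):
    raise ProviderUnavailable("429 quota exceeded")


def stub_in_vocabulary(_payload):
    return {"F1": "AI VERIFIED", "F2": "AI FALSE POSITIVE", "F3": "MAYBE"}


# Constructed findings; the "match" values stand in for text that must not be sent.
SAMPLE_FINDINGS = [
    {"id": "F1", "rule_id": "SECRET_HIGH_ENTROPY", "severity": "LOW", "path": "app/config.py",
     "line": 12, "detector": "secret_detector", "match": "constructed-secret-value",
     "chain": {"id": "CHAIN_0001", "severity": "CRITICAL"}},
    {"id": "F2", "rule_id": "SAST_XSS", "severity": "MEDIUM", "path": "web/views.py",
     "line": 5, "detector": "semgrep", "match": "return f'<div>{name}</div>'"},
    {"id": "F3", "rule_id": "SECRET_HIGH_ENTROPY", "severity": "LOW", "path": "docs/setup.md",
     "line": 3, "detector": "secret_detector", "match": "EXAMPLE_TOKEN"},
]

if __name__ == "__main__":
    payload = build_ai_payload(SAMPLE_FINDINGS, [], top_n=2)
    used, verdicts = verify_with_fallback(
        payload, [("gemini", stub_quota_exhausted), ("groq", stub_in_vocabulary)])
    print(used, apply_verdicts([dict(f) for f in SAMPLE_FINDINGS], verdicts))
```

Note that the chained LOW finding outranks the plain MEDIUM one in the payload because ranking uses the escalated severity, which is exactly the "chain-aware" ordering the page describes; and that the out-of-vocabulary "MAYBE" answer is dropped rather than trusted.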
PHASE 05

WSPM v2.2 Scoring

Weighted Security Posture Metric v2.2 transforms raw findings (with chain escalation) into a single authoritative SPI score (0–100).

  • Critical: weight 10 · High: 7 · Medium: 4 · Low: 1
  • Chain-escalated findings contribute with their escalated severity
  • Codebase size normalisation applied
  • AI-confirmed false positives excluded from score
  • Context Intelligence: test/, docs/, examples/ classified NON_RUNTIME and excluded from SPI
  • Gate Override: effective grade capped at C when CRITICAL findings exist in production code
  • SPI = max(0, 100 − (WS / N) × 10), where WS is the weighted score and N the codebase normaliser (full formula below)
  • Five posture labels from Critical Risk to Hardened
PHASE 06

Report Generation

Findings, chains, scores, and AI verdicts are assembled into three output formats: PDF, HTML, and JSON.

  • PDF Executive Summary: 7-page document with Attack Path Appendix (chain visualization), Evidence Appendix (source context for CRITICAL/HIGH findings), remediation roadmap, and attestation block for SOC 2 / cyber insurance
  • Interactive HTML with AI VERIFIED / AI FALSE POSITIVE badges, collapsible chain cards, and SOC 2 / CIS / ISO 27001 control tags
  • JSON output with a chain block per finding, an attack_paths root object, compliance_mapping, and a framework_summary block for SIEM integration
  • Per-finding mapping to MITRE CWE identifiers
  • Duplicate aggregation: multiple findings in the same file grouped as one block with a line list
  • Architectural analysis block from the AI layer
PHASE 07

Human Validation

For the professional Audit Service, every finding and chain is manually reviewed for real-world exploitability and impact.

  • Manual verification under authorized, controlled conditions
  • Chain validation β€” confirm exploit path feasibility
  • Risk prioritization based on actual threat models
  • Tailored remediation code snippets and config fixes
  • Technical debriefing session with remediation roadmap
This phase applies to the professional Audit Service only, not to standalone Auditor Core scans.

WSPM v2.2 Scoring Formula

Weighted Security Posture Metric: deterministic, reproducible, codebase-normalised.

Severity Weights

  • Critical × 10
  • High × 7
  • Medium × 4
  • Low × 1

Formula

  WS  = Σ(severity_weight × count)
  N   = log(files + 1) + 1
  SPI = max(0, 100 − (WS / N) × 10)

SPI Posture Labels

  • 0 – 29: Critical Risk
  • 30 – 49: High Risk
  • 50 – 69: Vulnerable
  • 70 – 89: Resilient
  • 90 – 100: Hardened

AI-confirmed false positives are excluded from WS before SPI is calculated. Chain-escalated findings contribute with their escalated severity.

v2.2.1 Intelligence Engine

Three core mechanisms that make scoring more accurate and reports more actionable.

CHAIN ANALYSIS

Attack Path Detection

Correlates findings across detectors. A hardcoded API key (LOW) and a command injection sink (MEDIUM) in the same module become a CRITICAL chain. Severity escalation ensures correlated risks are never underreported.

  • Deterministic chain rules: exact rule matching, no probabilistic correlation
  • Chain escalation applied before SPI calculation
  • Chain-aware AI receives full attack path context
  • Chains appear in the PDF Attack Path Appendix, HTML collapsible cards, and the JSON attack_paths root
  • Configurable via the chaining block of audit-config.yml
CONTEXT INTELLIGENCE

NON_RUNTIME Exclusion

Findings in non-production directories are classified as NON_RUNTIME and excluded from the SPI calculation by default, which removes the severity inflation that test and documentation code would otherwise cause.

  • test/, tests/, spec/ → NON_RUNTIME
  • docs/, examples/ → NON_RUNTIME
  • Detector fixture files recognised as SETUP context
  • Taint analysis and reachability scoring applied before the verdict
  • Production code (CORE / INFRA) weighted at full exposure value
GATE OVERRIDE

CRITICAL Grade Cap

When CRITICAL findings exist in production code (including chain-escalated CRITICAL), the effective grade is capped at C regardless of the mathematical SPI score, resolving the contradiction of a high SPI reported alongside a FAIL decision.

  • CRITICAL in production → max effective grade: C
  • Mathematical SPI still reported; the cap is a display-level override
  • Eliminates false confidence for CISO and underwriter audiences
  • Applies to PDF, HTML, and JSON output simultaneously
  • Sentinel enforces BLOCK regardless of SPI when a CRITICAL is present
Example: SPI 91.4 → Grade A (math) | CRITICAL chain found in production → Effective Grade: C (override)
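The scoring rules of Phase 05, the WSPM v2.2 formula and the gate override above, carried through in Python as an added example (not Auditor Core's scorer). Assumptions: the normaliser uses the natural logarithm (the page does not state a base), every path outside the NON_RUNTIME prefixes counts as production (CORE and INFRA collapsed into one class), and since the letter-grade bands are not published only the cap itself is modelled. With the constructed findings the maths gives SPI 78.5 (Resilient) while the chain-escalated CRITICAL still caps the grade at C and blocks the gate; drop that finding and a lone HIGH in production scores 91.1 (Hardened), which is the high-score-despite-real-risk situation the override exists for.

```python
"""WSPM v2.2 scoring pass: NON_RUNTIME exclusion, AI false-positive exclusion,
chain-escalated severities, the SPI formula, posture labels and the CRITICAL
gate override, run over constructed findings.

Added example, not Auditor Core's scorer. Assumptions: natural log in the
normaliser; anything outside NON_RUNTIME_PREFIXES is production; letter-grade
bands are not published on the page, so only the cap is modelled.
"""
import math

WEIGHTS = {"CRITICAL": 10, "HIGH": 7, "MEDIUM": 4, "LOW": 1}
SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}
NON_RUNTIME_PREFIXES = ("test/", "tests/", "spec/", "docs/", "examples/")
POSTURE_LABELS = [(90, "Hardened"), (70, "Resilient"), (50, "Vulnerable"),
                  (30, "High Risk"), (0, "Critical Risk")]


def context_of(path: str) -> str:
    return "NON_RUNTIME" if path.startswith(NON_RUNTIME_PREFIXES) else "PRODUCTION"


def effective_severity(f: dict) -> str:
    """Chain escalation raises, never lowers, a finding's severity."""
    chain = f.get("chain")
    if chain and SEVERITY_RANK[chain["severity"]] > SEVERITY_RANK[f["severity"]]:
        return chain["severity"]
    return f["severity"]


def scorable(findings: list) -> list:
    """Drop AI-confirmed false positives and NON_RUNTIME findings before weighting."""
    return [f for f in findings
            if f.get("ai_verdict") != "AI FALSE POSITIVE"
            and context_of(f["path"]) != "NON_RUNTIME"]


def weighted_score(findings: list) -> int:
    return sum(WEIGHTS[effective_severity(f)] for f in findings)  # WS = Σ(weight × count)


def normaliser(file_count: int) -> float:
    return math.log(file_count + 1) + 1  # N = log(files + 1) + 1, natural log assumed


def spi(ws: float, n: float) -> float:
    return max(0.0, 100.0 - (ws / n) * 10.0)  # SPI = max(0, 100 − (WS / N) × 10)


def posture_label(score: float) -> str:
    for floor, label in POSTURE_LABELS:
        if score >= floor:
            return label
    return "Critical Risk"


def score_repo(findings: list, file_count: int) -> dict:
    kept = scorable(findings)
    ws = weighted_score(kept)
    n = normaliser(file_count)
    score = spi(ws, n)
    critical_in_prod = any(effective_severity(f) == "CRITICAL" for f in kept)
    return {
        "weighted_score": ws,
        "normaliser": round(n, 4),
        "spi": round(score, 1),          # the mathematical SPI is always reported as-is
        "posture": posture_label(score),
        "critical_in_production": critical_in_prod,
        # Gate override: cap the displayed grade and block the gate; the number stays.
        "max_effective_grade": "C" if critical_in_prod else None,
        "sentinel_block": critical_in_prod,
    }


# Constructed findings for a repository of 999 files.
SAMPLE_FINDINGS = [
    {"id": "F1", "severity": "LOW", "path": "app/config.py",       # chain-escalated to CRITICAL
     "chain": {"id": "CHAIN_0001", "severity": "CRITICAL"}},
    {"id": "F2", "severity": "HIGH", "path": "infra/main.tf"},
    {"id": "F3", "severity": "MEDIUM", "path": "app/db.py", "ai_verdict": "AI FALSE POSITIVE"},
    {"id": "F4", "severity": "LOW", "path": "tests/test_db.py"},   # NON_RUNTIME, excluded
]

if __name__ == "__main__":
    print(score_repo(SAMPLE_FINDINGS, file_count=999))
```

Only two of the four constructed findings reach the weighting step (WS = 10 + 7 = 17, N = ln(1000) + 1 ≈ 7.91), which is why the exclusions have to run before the formula rather than as a post-hoc adjustment to the score.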

Ethics & Scope Boundaries

Auditor Core v2.2.1 is a passive analysis engine: it never modifies, exploits, or disrupts any system.

What We Do

  • Scan authorized repositories and environments
  • Analyse public repositories for research purposes
  • Report findings to authorized parties only
  • Follow Coordinated Disclosure at all times

What We Never Do

  • Exploit vulnerabilities in any environment
  • Access production data or credentials
  • Disrupt CI/CD pipelines or deployments
  • Scan systems without explicit authorization

Zero Telemetry Guarantee

  • No usage data collected or transmitted
  • No scanned code ever leaves your machine
  • AI API calls contain finding metadata only, never source; if even that metadata must stay on-host, use Local LLM mode
  • Local LLM mode: fully offline, no outbound calls
  • Engine never self-updates or calls home

Ready for a Deep Review?

Run Auditor Core v2.2.1 yourself, or commission a full professional audit with human validation, chain analysis, and a remediation roadmap.

View a real scan result → Demo Report