Methodology | Auditor Core v2.2 | DataWizual Security

Five-Phase Audit Process

Every scan follows the same reproducible pipeline — deterministic by design.

PHASE 01

Reconnaissance

Before running any scanner, we map the digital territory — trust boundaries, hidden entry points, third-party integrations.

Repository structure analysis — files, folders, CI/CD configs
GitHub Actions, GitLab CI, Jenkinsfile workflow mapping
Third-party integrations and webhook exposure
Exclusion of media, build artifacts, and vendor directories

PHASE 02

Multi-Engine Scanning

Auditor Core v2.2 deploys all 11 detectors in parallel. Each engine covers a distinct threat class.

Bandit — Python SAST: injection, crypto, subprocess risks
Semgrep — multi-language SAST: XSS, SQLi, command injection
Gitleaks — secrets in full git history
Secret Detector — 30+ patterns across all file types
CICD Analyzer — unpinned actions, privileged runners
IaC Scanner — Terraform, Docker, K8s, Helm
Dependency + License Scanner — CVEs, copyleft exposure
Bridge + SAST Scanner — cross-repo exposure, logic flaws

PHASE 03

AI False-Positive Filter

Top findings are sent to AI for contextual verification — eliminating noise before scoring.

Gemini 2.5 Flash — primary AI engine
Groq (Llama 3.3 70B) — automatic fallback on quota
Each finding verdict: AI VERIFIED or AI FALSE POSITIVE
Architectural analysis block in final report
AI unavailable → core scan continues without enrichment

Findings

Gemini

Groq

Verdicts

PHASE 04

WSPM v2.2 Scoring

Weighted Security Posture Metric v2.2 transforms raw findings into a single authoritative SPI score (0–100).

Critical: weight 10 · High: 7 · Medium: 4 · Low: 1
Codebase size normalisation applied
AI-confirmed false positives excluded from score
Context Intelligence: test/, docs/, examples/ classified NON_RUNTIME — excluded from SPI
Gate Override: effective grade capped at C when CRITICAL findings exist in production
SPI = 100 − (Weighted Score / Normaliser) × 100
Five posture labels from Critical Risk to Hardened

PHASE 05

Report Generation

Findings, scores, and AI verdicts are assembled into three output formats — PDF, HTML, and JSON.

PDF Executive Summary — 7-page document with evidence appendix, remediation roadmap, and attestation block for SOC 2 / cyber insurance
Interactive HTML with AI VERIFIED / AI FALSE POSITIVE badges and SOC 2 / CIS / ISO 27001 control tags
JSON output with compliance_mapping per finding and framework_summary block for SIEM integration
Per-finding CWE mapping to MITRE framework
Duplicate aggregation — multiple findings in same file grouped as one block with line list
Architectural analysis block from AI layer

PHASE 06

Human Validation

For the professional Audit Service — every finding is manually reviewed for real-world exploitability and impact.

Manual verification under authorized, controlled conditions
Risk prioritization based on actual threat models
Tailored remediation code snippets and config fixes
Technical debriefing session with remediation roadmap

This phase applies to the professional Audit Service — not to standalone Auditor Core scans.

WSPM v2.2 Scoring Formula

Weighted Security Posture Metric — deterministic, reproducible, codebase-normalised.

Severity Weights

Critical

× 10

High

× 7

Medium

× 4

Low

× 1

Formula


                        WS = Σ(severity_weight × count)

                        N  = log(files + 1) + 1

                        SPI = max(0, 100 − (WS / N) × 10)

SPI Posture Labels

0 – 29

Critical Risk

30 – 49

High Risk

50 – 69

Vulnerable

70 – 89

Resilient

90 – 100

Hardened

AI-confirmed false positives are excluded from WS before SPI is calculated. This ensures the score reflects real risk — not scanner noise.

v2.2 Intelligence Engine

Two new mechanisms introduced in v2.2 that make scoring more accurate and reports more actionable.

CONTEXT INTELLIGENCE

NON_RUNTIME Exclusion

Findings in non-production directories are classified as NON_RUNTIME and excluded from the SPI calculation by default — eliminating false severity inflation from test and documentation code.

test/, tests/, spec/ → NON_RUNTIME
docs/, examples/ → NON_RUNTIME
Detector fixture files recognised as SETUP context
Taint analysis and reachability scoring applied before verdict
Production code (CORE / INFRA) weighted at full exposure value

GATE OVERRIDE

CRITICAL Grade Cap

When CRITICAL findings exist in production code, the effective grade is capped at C regardless of the mathematical SPI score — resolving the cognitive dissonance of a high SPI alongside a FAIL decision.

CRITICAL in production → max effective grade: C
Mathematical SPI still reported — cap is display-only override
Eliminates false confidence for CISO and underwriter audiences
Applies to PDF, HTML, and JSON output simultaneously
Sentinel enforces BLOCK regardless of SPI when CRITICAL present

                    SPI: 91.4 → Grade: A (math)

                    CRITICAL found in production

                    Effective Grade: C (override)

Ethics & Scope Boundaries

Auditor Core v2.2 is a passive analysis engine — it never modifies, exploits, or disrupts any system.

What We Do

Scan authorized repositories and environments
Analyse public repositories for research purposes
Report findings to authorized parties only
Follow Coordinated Disclosure at all times

What We Never Do

Exploit vulnerabilities in any environment
Access production data or credentials
Disrupt CI/CD pipelines or deployments
Scan systems without explicit authorization

Zero Telemetry Guarantee

No usage data collected or transmitted
No scanned code ever leaves your machine
AI API calls contain findings only — never source
Engine never self-updates or calls home

Ready for a Deep Review?

Run Auditor Core v2.2 yourself — or commission a full professional audit with human validation and remediation roadmap.

Get Auditor Core Request Professional Audit

View a real scan result → Demo Report