Skip to Content
code-analysis

Stop guessing your code's health.
Audit it. Grade it. Prove it.

Code Analysis runs 10 static analyzers and a 7-phase AI audit pipeline over any repo — then hands you a four-dimension scorecard and a report you can put in front of a client.

$ code-analysis audit ./acme-api \
    --provider anthropic \
    --max-budget 40 \
    --max-parallel 5

# grounded by .code-analysis/context.md
# resumable · content-hash cached
Static analysis
Indexing
Architecture
Dead code
Module docs · ×12 agents
Security & tech-debt · ×12 agents
Consolidation + report
PDF render
10Static analyzers
7Pipeline phases
4Score dimensions
1Self-contained binary

Gut-feel code reviews hand you opinions you then defend in meetings. Code Analysis hands you deterministic, evidence-backed scores, so the conversation skips straight to what to fix.

Why Code Analysis

An audit you can trust. And rerun.

Ten static analyzers normalized into one schema, then AI agents fanned out per module — grounded by your context, capped by your budget.

Four-dimension scorecard

Architecture, Module Quality, Security, and Tech-Debt — each scored 0–100 and banded A (“market-leading”) to F (“critical”). Same input, byte-equal scores, every run.

Security that refuses to average

Deliberately pessimistic: your worst high-risk module dominates the score. One critical hole can’t hide behind ninety clean files.

Grounded, not guessy

Your project-context file is ground truth. Agents flag divergences instead of inventing them, and every score carries a confidence level.

Budget-capped & resumable

Hard spend caps, content-hash caching, and runs that resume exactly where they stopped.

One binary, anywhere

Static analysis ships self-contained for macOS, Linux, and Windows — no AI, no network required.

Deliverables

Everything an audit should leave behind.

Machine-readable catalogs for your tooling, plus a report you can share as-is.

src/auth/session.ts
src/billing/invoice.ts
src/api/router.ts

Hotspot catalog

HIGHauth/session.ts
MEDbilling/webhook.ts
LOWlib/logger.ts

Finding catalog

Coverage map

{
  "security": { "band": "D" },
  "deterministic": true
}

code-health.json

B

PDF report

Determinism

Same repo in. Same numbers out.

The scoring engine is pure and reproducible — rerun an audit and the numbers don't drift. What changes between runs is your code, not the ruler.

  • Grounded by your project-context file
  • Budget caps, resumable runs, content-hash caching
  • Deterministic scoring — reruns are byte-equal
code-health.json
{
  "scores": {
    "architecture":  { "value": 82, "band": "B", "confidence": "high"   },
    "moduleQuality": { "value": 74, "band": "C", "confidence": "high"   },
    "security":      { "value": 58, "band": "D", "confidence": "medium" },
    "techDebt":      { "value": 71, "band": "C", "confidence": "high"   }
  },
  "deterministic": true
}
FAQ

Questions, answered.

What does it actually run?

Ten static-analysis tools in parallel — scc, gitleaks, trivy, opengrep, eslint, knip, dependency-cruiser, jscpd, lizard, plus a git-history pass — normalized into one schema. Then a 7-phase AI pipeline layers architecture, dead-code, documentation, and security analysis on top, fanning out one agent per module.

How are the grades computed?

Each of the four dimensions — Architecture, Module Quality, Security, Tech-Debt — is scored 0–100 and banded A to F. Scoring is deterministic: the same input produces byte-equal scores. Security is deliberately pessimistic — the worst high-risk module dominates the headline instead of being averaged away.

Won't the AI hallucinate findings?

Every AI phase is grounded by your project-context file — domain, tenancy model, intended architecture. Agents must not contradict it and flag divergences instead of guessing. On top of that, every score ships with a high/medium/low confidence level, so you know exactly how much to trust each number.

What does an audit cost to run?

You set a hard spend cap and the pipeline stops before any phase that would exceed it. Content-hash caching and resumable runs mean interruptions and reruns don't burn the same spend twice.

What do I get at the end?

A hotspot catalog, finding catalog, flow catalog, coverage map, and code-health.json for your tooling — plus a consolidated final report rendered to PDF, written to be client-shareable as-is.

When can I use it?

Code Analysis is launching soon. Join the waitlist for early access, launch pricing, and progress updates. Built by Concepta (conceptatech.com).

Be first in line for the audit.

Code Analysis is launching soon. Join the waitlist for early access, launch pricing, and progress updates.