How Firstlight scores a codebase
Two layers — a deterministic rule layer and a set of LLM dimension analysers — both run against one versioned rubric, with every finding cited to a line of your code.
Deterministic checks — fast, exact, reproducible
A layer of explicit rules runs against the repo: live credentials committed to git history, tenant IDs trusted from client-supplied headers, unpinned CVE'd dependencies, a missing dependency-scanning CI gate, no rollback runbook, bus-factor comments, and the rest. Same input, same finding — no model involved here.
LLM dimension analysers — one per dimension
On top of that, a dedicated analyser scores the codebase across seven dimensions — architecture, code quality, security posture, multi-tenant isolation, AI claims (a real governed model, or a wrapper?), documentation maturity, operational governance — each working from the shared DD rubric and citing a file:line for every claim it makes.
One rubric, one severity ladder
Both layers score on the same red-flag taxonomy a white-glove diligence team uses, with the same evidence requirement: deal-killers first, then high, then medium, then low. Counts roll up by severity and by dimension. The rubric is versioned (“DD rubric v1”) so two runs are comparable.
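To make the deterministic layer and the severity roll-up concrete, here is an added illustration (not Firstlight's own code): two constructed rules in the spirit of the list above, a tenant id read from a client-supplied header and an unpinned requirement, each finding carrying a file:line citation, then ordered down the ladder and counted by severity and by dimension under a rubric version stamp. The regexes, rule names and sample inputs are assumptions made for this example.

```python
import re
from collections import Counter
from dataclasses import dataclass
RUBRIC_VERSION = "DD rubric v1"
SEVERITY_LADDER = ("deal-killer", "high", "medium", "low")  # rubric order

@dataclass(frozen=True)
class Finding:
    rule: str
    dimension: str
    severity: str
    file: str
    line: int
    evidence: str  # the offending source line, so the file:line cite is checkable
# Rule 1: tenant id taken from a client-supplied header (dict lookup or .get on
# an X-Tenant-Id style name). Constructed pattern, not the product's own rule.
TENANT_HEADER = re.compile(
    r"""headers\s*(?:\.get\s*\(|\[)\s*['"](?:x-)?tenant[-_]?id['"]""", re.IGNORECASE)
# Rule 2: requirements line with no exact pin. The page's rule also cross-checks
# CVE data; this illustration has no CVE feed and checks pinning only.
UNPINNED_REQ = re.compile(r"^\s*[A-Za-z0-9_.\-]+\s*(?:$|[<>~!])")

def scan(path: str, source: str) -> list[Finding]:
    """Run the deterministic rules over one file: same input, same findings."""
    found = []
    for n, text in enumerate(source.splitlines(), start=1):
        if TENANT_HEADER.search(text):
            found.append(Finding("tenant-id-from-client-header", "multi-tenant isolation",
                                 "deal-killer", path, n, text.strip()))
        if path.endswith("requirements.txt") and UNPINNED_REQ.match(text):
            found.append(Finding("unpinned-dependency", "security posture",
                                 "medium", path, n, text.strip()))
    return found

def roll_up(findings: list[Finding]) -> dict:
    # Order findings down the ladder, then count by severity and by dimension.
    ordered = sorted(findings, key=lambda f: SEVERITY_LADDER.index(f.severity))
    by_sev = Counter(f.severity for f in ordered)
    return {"rubric": RUBRIC_VERSION,
            "by_severity": {s: by_sev.get(s, 0) for s in SEVERITY_LADDER},
            "by_dimension": dict(Counter(f.dimension for f in ordered)),
            "findings": [(f.rule, f.severity, f"{f.file}:{f.line}") for f in ordered]}
# Constructed sample inputs, not taken from any real repository.
SAMPLE_APP = """from flask import request
def current_tenant():
    return request.headers.get("X-Tenant-Id")  # trusted straight from the client
def tenant_from_session():
    return request.session["tenant_id"]  # server-side value, not flagged
"""
SAMPLE_REQS = "flask==3.0.0\nrequests>=2.0\npyyaml\n"
```

Running `roll_up(scan("app/tenancy.py", SAMPLE_APP) + scan("requirements.txt", SAMPLE_REQS))` yields one deal-killer cited at `app/tenancy.py:3` ahead of two medium findings, with per-severity and per-dimension counts alongside.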
Mapped to the frameworks — and to your checklist
Every finding is mapped to the eight framework families it touches (Google SRE + DORA, ISO/IEC 25010, OWASP ASVS + SAMM, NIST SSDF, NIST AI RMF, Google SAIF, OWASP Top 10 for LLMs, Diátaxis + arc42 / C4) and additionally tagged to SOC 2 Trust Services Criteria and ISO/IEC 27001 Annex A — so it drops straight into a security questionnaire or a diligence checklist.
Evidenced, logged, reproducible
The deterministic layer is reproducible by construction; the LLM layer cites a file:line for every claim so you can verify it yourself. Every run is logged — repo hash, tokens, cost, start and finish, nothing customer-identifying. The result ships as eight artefacts: exec summary, technical findings, remediation workbook, AI-agent fix scripts, code-quality report, audit trail, compliance crosswalk, JSON export.