How Firstlight scores a codebase
Two layers — 5,500+ deterministic checks and a set of multi-agent LLM AI dimension analysers — both worked against one versioned rubric, every finding cited to a line of your code.
5,500+ deterministic checks — fast, exact, reproducible
A layer of explicit rules — over 5,500 of them — runs against the repo: live credentials committed to git history, tenant IDs trusted from client-supplied headers, unpinned CVE'd dependencies, a missing dependency-scanning CI gate, no rollback runbook, bus-factor comments, and the rest. Same input, same finding — no model involved here.
Multi-agent LLM scans — one analyser per dimension
On top of that, a dedicated LLM analyser scores the codebase across seven dimensions — architecture, code quality, security posture, multi-tenant isolation, AI claims (a real governed model, or a wrapper?), documentation maturity, operational governance — each working the shared DD rubric and citing a file:line for every claim it makes.
One rubric, one severity ladder
Both layers score on the same red-flag taxonomy a white-glove diligence team uses, with the same evidence requirement: deal-killers first, then high, then medium, then low. Counts roll up by severity and by dimension. The rubric is versioned (“DD rubric v1”) so two runs are comparable.
Mapped to the frameworks — and to your checklist
Every finding is mapped to the 14+ framework families it touches (Google SRE + DORA, Google Secure-OSS + SLSA, Google SAIF, Cloud WA, ISO/IEC 25010, OWASP ASVS + SAMM, NIST SSDF, ISO/IEC 27001, PCI DSS, NIST AI RMF, OWASP Top 10 for LLMs, Diátaxis + arc42 / C4) and additionally tagged to SOC 2 Trust Services Criteria and ISO/IEC 27001 Annex A — so it drops straight into a security questionnaire or a diligence checklist.
Evidenced, logged, reproducible
The deterministic layer is reproducible by construction; the LLM layer cites a file:line for every claim so you can verify it yourself. Every run is logged — repo hash, tokens, cost, start and finish, nothing customer-identifying. The result ships as the eight artefacts: exec summary, technical findings, remediation workbook, AI-agent fix scripts, code-quality report, audit trail, compliance crosswalk, JSON export.