CodeFixture — StaticCodeAudit
Why StaticCodeAudit?
Built for developers who value privacy, simplicity, and thoroughness.
Security First
94 security rules covering SQL injection, XSS, SSRF, path traversal, hardcoded secrets, unsafe deserialization, weak cryptography, cookie security, LDAP injection and more. Mapped to OWASP Top 10, CWE, GDPR and ISO 27001 Annex A.
Enterprise-Grade Reports
Self-contained HTML reports with 12+ interactive charts, health scoring, historical comparison and findings grouped by severity and category. One file, no server needed.
Zero Dependencies
Runs on Python standard library only. No pip install, no external APIs, no cloud services, no telemetry. Your code never leaves your machine.
8 Audit Categories. 176 Rules.
Comprehensive coverage from security vulnerabilities to accessibility compliance.
Security
SQL injection, XSS, SSRF, path traversal, secrets, eval, deserialization, weak crypto, command injection, LDAP injection, cookie security, GDPR compliance...
Architecture
Admin route protection, DB logic in routers, direct queries, N+1 patterns, oversized files.
Interface / UI
Inline styles, manual createElement, event listener leaks, DOM manipulation in loops.
Accessibility / UX
ARIA labels, alt text, focus management, autoplay, i18n issues, toast patterns, console.log detection.
Maintenance
Unresolved TODO/FIXME/HACK/XXX, deprecated APIs (5 languages), catch-all exceptions, debug statements, error suppressors.
Dependencies
CVE scanning by delegating to pip-audit and npm audit where they are installed (both consult online advisory databases, so this is the one category that is not fully offline), unpinned versions, license compliance.
Database
PostgreSQL schema drift detection, table/column changes, index tracking, migration analysis.
CI/CD
GitHub Actions security, GitLab CI, expression injection, excessive permissions, unpinned actions.
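To make the CI/CD category concrete, here is an added example (not the project's own code or rules) of three of the listed checks written as line-oriented rules over a GitHub Actions workflow: expression injection in a `run:` step, `permissions: write-all`, and actions pinned to a tag instead of a commit SHA. The two workflow fragments are constructed for this illustration, the rule names are invented, and the 40-character SHA is only a placeholder for the real pinned commit; only the Python standard library is used.

```python
import re

# Constructed workflow fragments (not from the project): a weak one and its hardened form.
WEAK_WORKFLOW = """\
name: ci
on: [pull_request]
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo "Title: ${{ github.event.pull_request.title }}"
"""

HARDENED_WORKFLOW = """\
name: ci
on: [pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # illustrative SHA, pin to the real one
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Title: $PR_TITLE"
"""

# Attacker-controlled context that must never be interpolated into a shell line.
GHA_EXPR_INJECTION = re.compile(r"\$\{\{\s*github\.(event\.|head_ref)")
SHA40 = re.compile(r"[0-9a-f]{40}")


def audit_workflow(text):
    """Return [(rule, line_no), ...] for a workflow file; rule ids are hypothetical."""
    findings = []
    in_run, run_indent = False, 0
    for no, line in enumerate(text.splitlines(), 1):
        indent = len(line) - len(line.lstrip(" "))
        stripped = line.strip()
        # leave a block-scalar run: section once indentation drops back (blank lines stay inside)
        if in_run and stripped and indent <= run_indent:
            in_run = False
        m = re.match(r"(?:-\s+)?run:\s*(.*)", stripped)
        if m:
            body = m.group(1)
            if body in ("|", ">", "|-", ">-"):
                in_run, run_indent = True, indent      # multi-line script follows
            elif GHA_EXPR_INJECTION.search(body):
                findings.append(("CI-EXPR-INJECTION", no))
            continue
        if in_run and GHA_EXPR_INJECTION.search(line):
            findings.append(("CI-EXPR-INJECTION", no))
        if re.match(r"permissions:\s*write-all", stripped):
            findings.append(("CI-EXCESSIVE-PERMISSIONS", no))
        m = re.match(r"(?:-\s+)?uses:\s*([^\s@]+)@(\S+)", stripped)
        if m and not m.group(1).startswith(("./", "docker://")) and not SHA40.fullmatch(m.group(2)):
            findings.append(("CI-UNPINNED-ACTION", no))
    return findings


if __name__ == "__main__":
    for name, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, audit_workflow(wf))
```

The hardened fragment shows the standard remediation for each finding: pass untrusted event data through an `env:` variable so the shell only ever sees `$PR_TITLE`, grant the minimum token scope, and pin third-party actions to an immutable commit.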
Supported Languages
Python, JavaScript/TypeScript, HTML and templates (Vue, Svelte, EJS, Jinja, Twig), Java, C#, PHP, and YAML for CI/CD pipeline analysis.
Three Commands. Full Audit.
Initialize, scan, and review. No configuration headaches.
Initialize
Register your project with a unique UUID and auto-generated configuration.
./run_audit.py /path --init
Audit
Run the full audit. 176 rules, unit tests, fixture validation, historical comparison.
./run_audit.py /path
Review
Open the standalone HTML report. Interactive charts, findings, health score. Share anywhere.
open SCA-REPORT-*.html
See It In Action
Watch a real audit walkthrough and download a sample report.
Demo video coming soon
Watch our YouTube channel
12+ Interactive Charts
Severity distribution, category breakdown, timing analysis, historical trends.
Health Score
Weighted scoring across all categories with color-coded progress bar and thresholds.
Baseline Comparison
Track new, resolved and persistent issues across up to 10 audit snapshots.
SARIF 2.1.0 Export
GitHub Code Scanning and GitLab SAST compatible. Drop into your CI/CD pipeline.
SBOM Generation
CycloneDX 1.5 Software Bill of Materials. Know every component in your project.
Git Blame Integration
Automatically resolve, via git blame, the last author of each flagged line for team accountability.
What Makes It Different
Unique capabilities you won't find in any other static analysis tool.
Zero Dependencies
Runs on Python standard library only. No pip install, no setup, no runtime requirements.
100% Offline
No network calls, no APIs, no telemetry. Your code never leaves your machine.
Standalone HTML Reports
Single self-contained file with CSS, JS, Chart.js inline. Open in any browser, share by email, print to PDF.
White-Label Branding
Custom tool name, logo, file prefix, and favicon. Free — no enterprise license required.
Reports in 4 Languages
Full FR/EN/ES/DE localization: rules, risks, solutions, benefits, chart labels, glossary.
Historical Comparison
Baseline over 10 audit snapshots. Track new, resolved, and persistent issues over time.
12+ Interactive Charts
Chart.js inline: severity, categories, timelines, trends. Tooltips and responsive.
Report Retention
Auto-cleanup by count, days, or both. Dry-run mode to preview before deleting.
793 Unit Tests
Every rule validated by vulnerable + clean fixtures. The tool tests itself.
Fully Portable
Copy the folder, run python3. No install, no PATH, no config. Works anywhere.
Pre-Commit Hook
Install with --install-hook. Automatic audit before every commit.
PostgreSQL Audit
Schema drift detection, migration tracking, index analysis. Integrated in the same report.
ISO 27001 Matrix
Compliance matrix mapping 149 rules to 93 Annex A controls across 4 themes. Coverage by theme with visual indicators.
Category Grouping
Findings grouped by severity, then by source (Business Code / Dependencies), then by category. Collapsible sections for easy navigation.
Print Mode
One-click printable version. All sections expanded, optimized layout for PDF export and paper printing.
Keyboard Navigation
Navigate findings with j/k shortcuts, jump to top with Ctrl+Home. Efficient report review without a mouse.
How We Compare
See how StaticCodeAudit stacks up against typical static analysis tools.
| Capability | StaticCodeAudit | Typical SAST Tools |
|---|---|---|
| Multi-language SAST | 176 rules, 7 languages | Mono-language |
| 100% Offline | ✓ | Rare |
| Zero Dependencies | ✓ | pip / npm / Go |
| Standalone HTML Reports | 12+ charts, printable | Server-based |
| White-Label Branding | Free | Paid |
| Reports in 4 Languages | FR/EN/ES/DE | ✗ |
| Historical Comparison | 10 snapshots | Cloud only |
| SARIF Export | ✓ | ✓ |
| SBOM Generation | CycloneDX 1.5 | Limited |
| ISO 27001 Compliance | 93 Annex A controls | ✗ |
| Database Schema Audit | PostgreSQL drift | ✗ |
| CI/CD Workflow Audit | 8 rules GHA + GitLab | Specialized tools |
| Built-in Glossary | 33 terms | ✗ |
| Health Score | Weighted by category | Quality Gate |
| Self-Testing | 793 tests | ✗ |
| Category Grouping | 3-level nesting | ✗ |
| Print Mode | One-click PDF | ✗ |
| Keyboard Shortcuts | j/k navigation | ✗ |
| Installation Required | None | pip / npm / Go |
Standards & Compliance
Comprehensive mapping to international security, quality and accessibility standards.
OWASP Top 10
Web application security risks
CWE
Common Weakness Enumeration
WCAG 2.1
Accessibility guidelines
GDPR / RGPD
Data protection regulation
OWASP CI/CD
Pipeline security Top 10
SARIF & SBOM
SARIF 2.1.0 + CycloneDX 1.5
ISO/IEC 27001:2022 — Annex A
Compliance matrix mapping 149 detection rules to 93 Annex A controls.
SAST tools mainly evidence the technological controls (A.8). The matrix shows which controls a static analysis can provide evidence for; it is not a compliance certification.
Frequently Asked Questions
What is static code analysis (SAST)?
Static Application Security Testing (SAST) analyzes source code without executing it, identifying vulnerabilities, code quality issues, and compliance violations before deployment. StaticCodeAudit performs SAST across 7 programming languages with 176 detection rules.
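As an added illustration (not the project's code or its rule set) of what a SAST rule is, how the "vulnerable + clean fixture" self-test described earlier on this page validates it, and how a finding becomes a SARIF 2.1.0 result: the snippet below walks a Python AST without executing anything, flags `eval`/`exec` and `subprocess` calls with `shell=True`, checks itself against two constructed fixtures, and emits the minimal SARIF log that GitHub Code Scanning and GitLab SAST accept. Rule ids, CWE tags and the tool name are invented; only the standard library is used.

```python
import ast
import json

# Constructed fixtures (not from the project). A rule is only trusted if it
# fires on the vulnerable one and stays silent on the clean one.
VULNERABLE_FIXTURE = '''
import subprocess
def run(user_input):
    result = eval(user_input)                        # arbitrary code execution
    subprocess.call("ls " + user_input, shell=True)  # command injection
    return result
'''

CLEAN_FIXTURE = '''
import ast
import subprocess
def run(user_input):
    result = ast.literal_eval(user_input)   # literals only
    subprocess.call(["ls", user_input])     # argv list, no shell
    return result
'''

# rule id -> (description, SARIF level, CWE tag); ids are hypothetical
RULES = {
    "SCA-EVAL": ("Use of eval()/exec() on data", "error", "CWE-95"),
    "SCA-SHELL": ("subprocess call with shell=True", "error", "CWE-78"),
}


def _call_name(node):
    """Dotted name of a call target, e.g. 'subprocess.call' or 'eval'."""
    parts, f = [], node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
    return ".".join(reversed(parts))


def scan(source, path="app.py"):
    """Static analysis: parse only, never import or execute the target."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name in ("eval", "exec"):
            findings.append({"rule": "SCA-EVAL", "path": path, "line": node.lineno})
        elif name.startswith("subprocess."):
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    findings.append({"rule": "SCA-SHELL", "path": path, "line": node.lineno})
    findings.sort(key=lambda f: f["line"])
    return findings


def self_test():
    """Fixture validation: every rule fires on the vulnerable fixture, none on the clean one."""
    vuln = {f["rule"] for f in scan(VULNERABLE_FIXTURE)}
    clean = {f["rule"] for f in scan(CLEAN_FIXTURE)}
    return vuln == set(RULES) and not clean


def to_sarif(findings, tool_name="example-audit"):
    """Minimal SARIF 2.1.0 log: tool driver with rule metadata, one result per finding."""
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {
                "name": tool_name,
                "rules": [{"id": rid, "shortDescription": {"text": desc},
                           "properties": {"tags": ["security", cwe]}}
                          for rid, (desc, _level, cwe) in RULES.items()],
            }},
            "results": [{
                "ruleId": f["rule"],
                "level": RULES[f["rule"]][1],
                "message": {"text": RULES[f["rule"]][0]},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": f["path"]},
                    "region": {"startLine": f["line"]},
                }}],
            } for f in findings],
        }],
    }


if __name__ == "__main__":
    assert self_test(), "rule fixtures failed"
    print(json.dumps(to_sarif(scan(VULNERABLE_FIXTURE)), indent=2))
```

Writing the check over the AST rather than with a regex is what lets the clean fixture pass: `ast.literal_eval` is a different call target from `eval`, and `shell=True` is recognised as a keyword constant rather than as text that might appear in a string or comment.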
Does StaticCodeAudit require an internet connection?
No. StaticCodeAudit itself makes no network calls: your source code never leaves your machine, and the tool uses only Python's standard library, with no pip install, no cloud services and no telemetry. The one exception is the optional dependency CVE check, which delegates to pip-audit and npm audit; those tools look up advisories online.
Which programming languages are supported?
Python, JavaScript/TypeScript, HTML (including Vue, Svelte, EJS, Jinja, Twig templates), Java, C#, PHP, and YAML (for CI/CD pipeline analysis). Each language has dedicated detection rules.
How is StaticCodeAudit different from SonarQube or ESLint?
Unlike SonarQube (which requires a server) or ESLint (JavaScript only), StaticCodeAudit is a standalone tool that produces self-contained HTML reports with no infrastructure. It also supports white-label branding, 4-language reports, PostgreSQL schema audits, and CI/CD workflow analysis — all for free.
What security standards does it cover?
StaticCodeAudit maps findings to OWASP Top 10, CWE (Common Weakness Enumeration), WCAG 2.1 accessibility guidelines, GDPR/RGPD data protection, OWASP CI/CD Top 10, and ISO/IEC 27001:2022 Annex A (93 controls compliance matrix). It also exports in SARIF 2.1.0 format for integration with GitHub and GitLab security dashboards.
Can I customize the reports with my company branding?
Yes. White-label branding is free and built-in. You can configure the tool name, company name, logo (SVG/PNG/JPG), file prefix, and favicon in your project's audit.config.json. The generated reports use your branding throughout — including headers, footers, and browser tab.
How are findings organized in the report?
Findings are organized in a 3-level hierarchy: first by severity (Critical, High, Medium, Low, Info), then by source (Business Code vs Dependencies), then by category (Security, Architecture, UI, UX, Maintenance, etc.). Each level is collapsible for efficient navigation.
Built for Privacy-Conscious Teams
StaticCodeAudit was born from a simple principle: your source code should never leave your infrastructure. No cloud uploads, no external APIs, no telemetry. Every audit runs 100% locally.
We believe security tools should be as lightweight as the code they protect. That's why StaticCodeAudit runs on Python's standard library alone, with zero external dependencies.
Reports in 4 Languages
Every string localized: rules, solutions, chart labels, glossary terms.
Try StaticCodeAudit for Free
See what a real audit report looks like. Download our demo report and explore every section — findings, severity breakdown, historical comparison, and more.
Get In Touch
Have a question about StaticCodeAudit? Want to discuss a custom audit? Reach out through any of these channels.