# Code Audit Overview

| Section | What you will find |
| --- | --- |
| [**Create a Code Audit**](/pages/X4yc23Inhvx1gPKx2AwE) | Prerequisites and the two-step setup wizard. |
| [**Track Progress and Findings**](/pages/P12625XkjR5KcYlJmjTa) | Status vocabulary, detail tabs, and how to read findings. |
| [**What Code Audit Finds**](/pages/vx7C5jq5oGOUqGbKvpE2) | Vulnerability classes covered, plus what still needs a live target. |

## What is Code Audit?

Code Audit runs pentest-grade security reasoning directly on your source code. You don't need a staging URL, a crawl, or pentest scope setup. Connect a repository, confirm the price in credits, and start the audit.

It's a sibling to [Aikido Pentest](/pentests/aikido-pentest.md): the same assessment model and issue experience, but focused solely on repositories.

## How it works

### Connect repositories

You pick the repositories you want audited in the create flow. Code Audit only needs source code — no live target, no domains, no auth setup. See [Aikido Never Stores Your Code](/getting-started/setting-up-your-account/aikido-never-stores-your-code.md) for how your source is handled during an audit.

### Agents reason about your code

Multiple security agents work through the connected codebases together, chaining context across files to surface architectural and logic flaws that traditional static scanners can't see.

### Read the findings

Findings land in the **Issues** tab on the assessment and in your global issue feed, alongside everything else Aikido detects. Each finding includes a summary, root cause, remediation, and code-based **Evidence** — see [Track Progress and Findings](/code-audit/track-progress-and-findings.md) for the full read-out.

## Pricing and credits

Code Audit is paid for with [Aikido credits](/miscellaneous-info/wallet-and-credits.md).

* The **Pricing** step in the create flow shows the exact credit total before you commit.
* Cost depends on the size and complexity of the codebases you select. Larger or more sprawling selections cost more.
* Credits are charged when you click **Start Audit**.

## Code Audit vs Aikido Pentest

Both products run the same agentic engine, but they answer different questions. Code Audit reasons about your **source code**. Aikido Pentest exercises your **running application**.

### Use Code Audit when:

* You want **deep code reasoning** on logic and architectural flaws — broken access control, privilege escalation, and multi-step exploit chains — without configuring a live environment.
* You **don't have a stable staging or QA target**, or auth flows aren't ready for live testing.
* Your codebase is **hard to set up for live testing** — mobile apps, smart contracts, desktop apps, embedded software, libraries, or anything else without a straightforward URL to point a pentest at.
* You need a **fast turnaround** with minimal setup: connect a repo, confirm credits, start.
* You want to validate **changes in source** before they ship to a **live deployment**.

### Use Aikido Pentest when:

* You have a **live target** and want to validate real exploitability with real traffic.
* You want **runtime evidence** — reproduction requests, attack-surface mapping, and live agent activity.
* Your scope includes **domains, authenticated user roles, and crawl-discovered endpoints** beyond what's visible in source.
* You need **follow-up actions** like **Re-test** and **Exploit Further** on validated findings.
* You're satisfying **compliance frameworks** like SOC 2 or ISO 27001 that expect a live penetration test.

## Code Audit vs SAST

Both look at your source code, but they work differently. [SAST](/code-scanning/scanning-practices/sast-by-aikido-supported-languages-and-security-focus.md) flags **patterns** — a tainted parameter, a risky API call, a missing check. Code Audit reasons about **intent and context** across files, so it can identify issues that need an attacker's perspective. The two are complementary, not interchangeable.

### Use Code Audit when:

* You want to catch **logic and architectural flaws** that pattern-matching can't see — broken access control, privilege escalation, business logic bypasses, and multi-step exploit chains.
* You need **cross-file reasoning** that follows references through services, modules, and helpers.
* You're auditing a **high-stakes change, release, or codebase** and want attacker-style review on top of your continuous scans.
* You want **deeper context on a specific finding** — root cause, exploit path, and remediation — instead of just a pattern hit.

### Use SAST when:

* You want **fast, every-commit feedback** on common vulnerability patterns — injection sinks, taint flows, hard-coded secrets, dangerous APIs, IaC misconfigurations.
* You need **broad, continuous coverage** across every PR and branch without spending credits per scan.
* You're enforcing **PR-time gates** in CI/CD on known-bad patterns.
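To make the pattern-versus-context distinction concrete, here is an added Python example (not code from Aikido's products or docs): a storage helper and two request handlers that differ only in an ownership check, plus a crude stand-in for a SAST sink rule that finds nothing in either handler. All module layout, names and sample data are constructed for the illustration.

```python
# Constructed example: a logic flaw that leaves no pattern for SAST to match.
# Hypothetical storage layer and handlers collapsed into one file; data is made up.
import inspect
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    total_cents: int


# Constructed sample rows standing in for a database table.
INVOICES = {
    1: Invoice(invoice_id=1, owner_id=100, total_cents=4200),
    2: Invoice(invoice_id=2, owner_id=200, total_cents=9900),
}


def load_invoice(invoice_id: int) -> Optional[Invoice]:
    """Storage layer: a keyed lookup, so no query string is built and there is no taint sink."""
    return INVOICES.get(invoice_id)


def get_invoice_vulnerable(current_user_id: int, invoice_id: int) -> Optional[Invoice]:
    """Broken access control: the caller is authenticated, but the helper never learns
    who is asking, so any user can read any invoice by id (an IDOR)."""
    return load_invoice(invoice_id)


def get_invoice_fixed(current_user_id: int, invoice_id: int) -> Optional[Invoice]:
    """Same handler with the ownership check that cross-file review would ask for.
    Unknown and foreign invoices both yield None, so ids cannot be enumerated."""
    invoice = load_invoice(invoice_id)
    if invoice is None or invoice.owner_id != current_user_id:
        return None
    return invoice


# Crude stand-ins for SAST sink rules, constructed here; not Aikido's actual rules.
SINK_PATTERNS = [r"\.execute\(", r"\beval\(", r"os\.system\(", r"f\"SELECT"]


def sink_hits(func) -> List[str]:
    """Pattern scan of the kind a SAST rule performs; both handlers come back clean."""
    source = inspect.getsource(func)
    return [p for p in SINK_PATTERNS if re.search(p, source)]
```

The sink scan reports no hits on either handler, yet the vulnerable one hands user 100 an invoice owned by user 200; only reasoning about who the handler is acting for, across the handler and the helper it calls, exposes the flaw.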

## FAQ

### Why doesn't Code Audit need a live URL?

Code Audit reads and reasons about your source code directly. There's no crawl phase, no traffic replay, and no live exploitation — so there's no environment to point at. If you do want live testing against a deployed target, use [Aikido Pentest](/pentests/aikido-pentest.md) instead.

### Why can't I retest a Code Audit finding?

**Re-test** and **Exploit Further** are designed for live pentest findings, where Aikido can re-issue requests against your environment. Code Audit evidence is code- and reasoning-based, not a live exploit walkthrough, so those actions don't apply. To re-validate, run a new Code Audit against the updated code.

---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://help.aikido.dev/code-audit/ai-code-audit-overview.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
