{"id":50519387,"url":"https://github.com/GiulioDER/cca-audit","last_synced_at":"2026-06-19T20:00:59.299Z","repository":{"id":358867814,"uuid":"1243434847","full_name":"GiulioDER/cca-audit","owner":"GiulioDER","description":"6-layer parallel code audit pipeline powered by LLMs. 6 specialized auditors with non-overlapping scopes. Claude Code, Codex CLI, and OpenRouter API variants.","archived":false,"fork":false,"pushed_at":"2026-05-19T12:41:30.000Z","size":1684,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2026-05-19T13:31:24.072Z","etag":null,"topics":["ai-code-review","claude-code","code-audit","code-review","llm-tools","openai-codex","openrouter","static-analysis"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/GiulioDER.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-19T10:39:51.000Z","updated_at":"2026-05-19T12:41:34.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/GiulioDER/cca-audit","commit_stats":null,"previous_names":["giulioder/cca-audit"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/GiulioDER/cca-audit","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GiulioDER%2Fcca-audit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GiulioDER%2Fcca-
audit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GiulioDER%2Fcca-audit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GiulioDER%2Fcca-audit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/GiulioDER","download_url":"https://codeload.github.com/GiulioDER/cca-audit/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GiulioDER%2Fcca-audit/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34546199,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-19T02:00:06.005Z","response_time":61,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai-code-review","claude-code","code-audit","code-review","llm-tools","openai-codex","openrouter","static-analysis"],"created_at":"2026-06-03T03:00:21.036Z","updated_at":"2026-06-19T20:00:59.264Z","avatar_url":"https://github.com/GiulioDER.png","language":"Python","funding_links":[],"categories":["Security \u0026 Compliance"],"sub_categories":["Security Analysis"],"readme":"\u003cp align=\"center\"\u003e\n  \u003cimg src=\"banner.jpg\" alt=\"Claude Code Audit — 6 parallel agents, zero overlap\" width=\"100%\"/\u003e\n\u003c/p\u003e\n\n# CCA-Audit\n\n**6-layer parallel code audit pipeline powered by LLMs.**\n\nCCA-Audit runs 6 specialized 
auditors in parallel on your codebase, deduplicates findings, auto-fixes critical issues, re-verifies, and gates the result through an architect review -- all in one command.\n\nWorks with **any language** (Python, TypeScript, Go, Rust, Java, Ruby) via auto-detection.\n\n## Pipeline\n\n```mermaid\nflowchart LR\n    A[\"Step 0\\nDetect Files\"] --\u003e B[\"Step 0.5\\nLanguage Detection\"]\n    B --\u003e C[\"Step 1\\n6 Parallel Auditors\"]\n    C --\u003e D[\"Step 2\\nConsolidate + Dedup\"]\n    D --\u003e E[\"Step 3\\nFix Plan\"]\n    E --\u003e F[\"Step 4\\nImplement Fixes\"]\n    F --\u003e G[\"Step 5\\nRe-verify\\n(tests + lint)\"]\n    G --\u003e H[\"Step 6\\nArchitect Gate\\nAPPROVED / REVISE / BLOCKED\"]\n    H --\u003e I[\"Step 7\\nCommit\"]\n```\n\n### The 6 Auditors\n\nEach auditor has a **non-overlapping scope** -- no duplicate findings:\n\n| Auditor | Scope | Does NOT Check |\n|---------|-------|----------------|\n| **Code Quality** | Type safety, DRY, complexity, naming, dead code | Security, runtime bugs, performance |\n| **Bug Scanner** | Null refs, error handling, race conditions, resource leaks | Security vulns, code style |\n| **Security** (single authority) | OWASP Top 10, injection, auth, secrets, CVEs | Runtime bugs, code quality |\n| **Performance** | Slow queries, hot paths, memory, connection pools | Security, code style |\n| **Documentation** | Missing docs, stale comments, type annotations | TODOs, debug statements |\n| **Environment** | Config completeness, format validation, naming | Secrets (owned by Security) |\n\nPlus 2 support agents: **Dependency Auditor** (maintenance health, licenses, unused deps) and **Fix Planner** (dedup + prioritization).\n\n## Three Variants\n\nChoose the variant that fits your workflow:\n\n### 1. Claude Code (Recommended)\n\nDrop-in agents for [Claude Code](https://docs.anthropic.com/en/docs/claude-code). 
One command installs, one slash command runs. Note that the installer is fetched from the repository and piped straight into `bash`, so it runs with your user's privileges before you have seen it; to review it first, save it with `-o install.sh`, read it, then run `bash install.sh`.\n\n```bash\n# Install (pipe-to-shell; save the script and read it first if you prefer)\ncurl -fsSL https://raw.githubusercontent.com/GiulioDER/cca-audit/main/claude-code/install.sh | bash\n\n# Run (two-pass workflow)\n/audit-fix              # Round 1: audit + fix P1+P2, defer P3\n/audit-fix deferred     # Round 2: fix deferred P3 items from previous round\n/audit-fix no-fix       # audit only, no fixes\n/audit-fix p1-only      # fix only critical findings\n/audit-fix commit 3     # audit last 3 commits\n```\n\n[Claude Code README](claude-code/README.md)\n\n### 2. Codex CLI\n\nShell orchestrator for [OpenAI Codex CLI](https://github.com/openai/codex). Runs auditors in parallel via background jobs.\n\n```bash\n# Install\ncd your-project \u0026\u0026 bash /path/to/cca-audit/codex/install.sh\n\n# Run (two-pass workflow)\nbash cca-audit.sh                    # Round 1: full pipeline (P1+P2)\nbash cca-audit.sh --deferred         # Round 2: fix deferred P3 items\nbash cca-audit.sh --no-fix           # audit only\nbash cca-audit.sh --auditors security,bug   # specific auditors\n```\n\n[Codex README](codex/README.md)\n\n### 3. OpenRouter API (Python CLI)\n\nStandalone Python CLI. 
Works with any model via [OpenRouter](https://openrouter.ai/) (Claude, GPT-4, Gemini, Llama, etc.).\n\n```bash\n# Install\npip install cca-audit\n\n# Run (two-pass workflow)\ncca-audit                          # Round 1: full pipeline (P1+P2)\ncca-audit --deferred               # Round 2: fix deferred P3 items\ncca-audit --no-fix                 # audit only\ncca-audit --model anthropic/claude-sonnet-4   # choose model\ncca-audit --format json            # JSON output\n```\n\n[OpenRouter README](openrouter/README.md)\n\n## Priority Framework\n\nAll variants use the same 3-tier priority system:\n\n| Priority | Criteria | Action |\n|----------|----------|--------|\n| **P1 Critical** | Security vulns, data corruption, auth bypass, injection | Fix before deploy |\n| **P2 High** | DRY divergence risk, stale misleading comments, config inconsistencies | Fix now |\n| **P3 Nice-to-have** | Cosmetic, style, naming, unused params | Deferred to Round 2 |\n\n## Two-Pass Workflow\n\nCCA-Audit is designed for a clean two-pass close-out:\n\n1. **Round 1** (`/audit-fix` or `cca-audit`): runs full 6-agent audit, fixes P1 Critical + P2 High, defers P3 cosmetic items. Commits with a structured message listing deferred items.\n2. **Round 2** (`/audit-fix deferred` or `cca-audit --deferred`): reads the deferred list from the previous commit, checks each item is still relevant, fixes what remains, marks stale items. 
Commits separately.\n\nThis ensures every audit is fully closed out -- no lingering deferred items across PRs.\n\n## Documentation\n\n- [Pipeline Diagram](docs/pipeline-diagram.md) -- detailed walkthrough of each step\n- [Auditor Scopes](docs/auditor-scopes.md) -- full non-overlapping scope matrix\n- [Configuration](docs/configuration.md) -- all config options across variants\n- [Extending](docs/extending.md) -- how to add custom auditors\n\n## License\n\n[MIT](LICENSE)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FGiulioDER%2Fcca-audit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FGiulioDER%2Fcca-audit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FGiulioDER%2Fcca-audit/lists"}
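The consolidate-and-dedup step and the two-pass deferred workflow that the README above describes, as an added example in Python; this is not cca-audit's own code. It assumes a minimal finding record (auditor, file, line, title, priority, snippet), a `Deferred: <file>:<line> <title> | <snippet>` trailer in the Round 1 commit message for carrying P3 items into Round 2, and a relevance check that looks for the recorded snippet in the current file contents. Those three are assumptions made here, not the project's formats, and the sample findings and post-fix file contents are constructed.

```python
"""Added example (not cca-audit's own code): consolidate findings from several
auditors, split them for the two-pass close-out, and triage the deferred P3 list
in Round 2. The Finding record, the 'Deferred:' commit trailer and the
snippet-based relevance check are assumptions made for this example."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

DeferredItem = Tuple[str, int, str, str]  # (file, line, title, snippet)


@dataclass(frozen=True)
class Finding:
    auditor: str    # which auditor reported it (assumed names)
    file: str
    line: int
    title: str
    priority: str   # "P1", "P2" or "P3", as in the README's priority table
    snippet: str    # source text the finding points at; used for the staleness check


PRIORITY_RANK = {"P1": 0, "P2": 1, "P3": 2}


def consolidate(findings: List[Finding]) -> List[Finding]:
    """Step 2 (consolidate + dedup): keep one record per file:line.
    Scopes are non-overlapping, but two auditors can still flag the same location
    (here Bug Scanner and Security on one unchecked query); keep the highest priority."""
    best: Dict[Tuple[str, int], Finding] = {}
    for f in findings:
        key = (f.file, f.line)
        if key not in best or PRIORITY_RANK[f.priority] < PRIORITY_RANK[best[key].priority]:
            best[key] = f
    return sorted(best.values(), key=lambda f: (PRIORITY_RANK[f.priority], f.file, f.line))


def plan_round_one(findings: List[Finding]) -> Tuple[List[Finding], List[Finding]]:
    """Round 1: P1 + P2 are fixed now, P3 is deferred."""
    fix_now = [f for f in findings if f.priority in ("P1", "P2")]
    deferred = [f for f in findings if f.priority == "P3"]
    return fix_now, deferred


def commit_message(summary: str, deferred: List[Finding]) -> str:
    """Structured commit message; one trailer line per deferred item
    (assumed format: 'Deferred: <file>:<line> <title> | <snippet>')."""
    lines = [summary, ""]
    lines += [f"Deferred: {f.file}:{f.line} {f.title} | {f.snippet}" for f in deferred]
    return "\n".join(lines)


def parse_deferred(message: str) -> List[DeferredItem]:
    """Round 2: read the deferred list back out of the previous commit message."""
    items: List[DeferredItem] = []
    for raw in message.splitlines():
        if not raw.startswith("Deferred: "):
            continue
        loc, rest = raw[len("Deferred: "):].split(" ", 1)
        file, line = loc.rsplit(":", 1)
        title, snippet = rest.split(" | ", 1)
        items.append((file, int(line), title, snippet))
    return items


def triage_deferred(message: str, repo: Dict[str, str]) -> Tuple[List[DeferredItem], List[DeferredItem]]:
    """Round 2: an item is still relevant only if its snippet is still in the file.
    Round 1 fixes shift line numbers, so match on content, not on the recorded line."""
    still_open: List[DeferredItem] = []
    stale: List[DeferredItem] = []
    for item in parse_deferred(message):
        file, _line, _title, snippet = item
        (still_open if snippet in repo.get(file, "") else stale).append(item)
    return still_open, stale


# Constructed sample findings and repository state (not real audit output).
SAMPLE_FINDINGS = [
    Finding("security", "app/db.py", 42, "SQL query built with an f-string", "P1",
            'cursor.execute(f"SELECT * FROM users WHERE id={uid}")'),
    Finding("bug-scanner", "app/db.py", 42, "uid used before validation", "P2",
            'cursor.execute(f"SELECT * FROM users WHERE id={uid}")'),
    Finding("code-quality", "app/db.py", 10, "unused parameter retries", "P3",
            "def connect(dsn, retries):"),
    Finding("documentation", "app/api.py", 7, "stale comment: says list, returns dict", "P2",
            "# returns list of users"),
    Finding("code-quality", "app/api.py", 30, "rename tmp to something descriptive", "P3",
            "tmp = build_response(rows)"),
]
# Tree after Round 1: the query is parameterised and api.py was reworked so `tmp`
# is gone, but the unused parameter in db.py is still there.
REPO_AFTER_ROUND_ONE = {
    "app/db.py": 'def connect(dsn, retries):\n    ...\n'
                 'cursor.execute("SELECT * FROM users WHERE id = %s", (uid,))\n',
    "app/api.py": "# returns dict of users\nresponse = build_response(rows)\n",
}


def run_round_one() -> Tuple[List[Finding], List[Finding], str]:
    fix_now, deferred = plan_round_one(consolidate(SAMPLE_FINDINGS))
    msg = commit_message(f"audit: fix {len(fix_now)} P1/P2 findings, defer {len(deferred)} P3 items", deferred)
    return fix_now, deferred, msg


def run_round_two(message: str) -> Tuple[List[DeferredItem], List[DeferredItem]]:
    return triage_deferred(message, REPO_AFTER_ROUND_ONE)


if __name__ == "__main__":
    fix_now, deferred, msg = run_round_one()
    print("Round 1 fix list:", [(f.priority, f.file, f.line) for f in fix_now])
    print(msg)
    still_open, stale = run_round_two(msg)
    print("Round 2 still open:", [(i[0], i[1]) for i in still_open], "stale:", [(i[0], i[1]) for i in stale])
```

Two design points worth keeping if you adapt this: dedup on location rather than on title, since two auditors describe the same defect in different words, and check relevance on the recorded snippet rather than the recorded line, since the Round 1 fixes move code and a line-number match would mark live items stale or stale items live.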