Frequently Asked Questions

What is a CodeGRC Audit Attestation?

It is an independent professional opinion, issued at a specific point in time, that the agreed scope of your code was reviewed against recognized security standards (OWASP ASVS and WSTG, with findings classified by CWE) and that the issues identified were remediated. It is not a statutory certification or a compliance guarantee.

What does the audit cover?

We perform manual code review covering authentication, authorization, session management, input validation, cryptography, error handling, business logic, and dependency security. The exact scope is agreed before engagement.

How do you access my code?

After initial contact and mutual NDA, we arrange access through GitHub/GitLab repository invitations or another secure channel you prefer. We do not require code uploads through our website.

What do I receive after the audit?

A private, detailed report with findings (classified by CWE and scored with CVSS) and remediation guidance. After a successful retest of the remediated findings, you also receive a CodeGRC Audit Attestation certificate with a unique verifiable ID and a digital seal.

What does public verification show?

Only the certificate status (valid, expired or revoked), the issue date, the expiry date, and a cryptographic fingerprint. Your project name, repository, findings, and contact details are never exposed. The fingerprint is there so a relying party can compare the certificate they were given against the issued record; which project a certificate covers is stated on the certificate itself, not on the public verification page.

How long does an audit take?

Typically 2 to 4 weeks, depending on codebase size and complexity. Urgent timelines (1 to 2 weeks) are available for smaller scopes. We provide a timeline estimate after reviewing your initial request and the agreed scope.

Does the attestation guarantee my code is secure?

No. The attestation confirms that the reviewed scope was assessed against stated standards and that identified issues were remediated. It does not guarantee the absence of all vulnerabilities. Security is an ongoing process.

How long is the certificate valid?

Certificates are typically valid for 12 months from issuance. Significant code changes may warrant a new review. We recommend annual re-attestation for actively developed projects.