The 1-binary, N-clients use case
With one StaticCodeAudit license, you can audit as many distinct client codebases as you want. The tool runs locally on your laptop — your client's code never leaves your machine, and you can hand them a fully-branded PDF/HTML report at the end of the engagement.
Law firms (IP, M&A)
Source-code escrow review, patent infringement analysis, due diligence on a target — all under client privilege. Cloud SAST breaks that privilege.
Technical due-diligence
PE/VC tech DD, code-quality assessment before acquisition. The target's source is shared under strict NDA — uploading it to a SaaS is a deal-killer.
Audit firms (cybersec, compliance)
ISO 27001 / SOC 2 / GDPR audits where the client wants the audit done on-site, with no traffic leaving their network.
White-label your reports
Configure tool name, company name, logo, file prefix, and favicon in audit.config.json. The HTML report is delivered with your branding, not ours. Your client sees an audit report from your firm, powered by a tool they don't even need to know exists.
White-label branding is included free in every paid tier (Solo and above).
Pricing for auditors
The Solo Plus tier (€1 590/year) covers 2 machines and 100 K SLOC per scan — usually enough for a freelance consultant working on multiple clients in parallel.
For audit firms with several engagements running simultaneously, Team (€3 990/year, 4 500 files / 500 K SLOC) or Team Plus (€11 990/year, 10 K files / 2 M SLOC) is typically the right fit. See the pricing model.
Why SaaS SAST is a non-starter under most engagement NDAs
Most engagement NDAs signed with audit clients prohibit transmission of source code to third parties — explicitly or implicitly via clauses on processing, storage, and sub-processors. SaaS SAST tools (Snyk Code, SonarCloud, GitHub Advanced Security) upload source code to vendor infrastructure for analysis. The vendor becomes a sub-processor of client data, which typically requires:
- Adding the SAST vendor to the client's authorized sub-processors list (often refused).
- Updating the engagement DPA / Schedule F to disclose the upload.
- Demonstrating the vendor's SOC 2 / ISO 27001 certifications meet the client's bar.
- Re-negotiating fees if the vendor's pricing model exposes client data volume.
- Auditing the vendor's data retention and deletion procedures.
StaticCodeAudit eliminates this entire chain: the binary runs on the auditor's machine (or a client-loaned workstation), no upload happens, no third-party processing exists. The NDA's existing language already covers this case — no addendum needed.
Audit deliverables a regulator (or judge) will accept
- Self-contained HTML report with brand-able header — open in any browser, no internet required to view findings.
- SARIF JSON (OASIS standard) — machine-readable, integrates with the client's existing GRC or vulnerability tracker.
- SBOM (CycloneDX) — required for software supply chain attestations under recent NIS2 and US Executive Order 14028.
- Historical baseline comparison — show "what changed between v1.2 and v1.3" in the same report.
- CWE / OWASP / ISO 27001 / ASVS / NIST CSF mapping per finding — every issue is traceable to a published standard, which courts and regulators recognise.
Each report is a single .html file that can be archived alongside the engagement letter, working papers, and final opinion. No external CDN, no remote scripts — works in a sealed evidence room.
Frequently asked questions (legal firms)
Does StaticCodeAudit make outbound network calls during analysis?
Zero. The binary does not initiate HTTP, DNS, or any other network call during a scan. You can verify this with tcpdump -i any host www.codefixture.com while a scan is running; the capture file will be empty. This claim is part of our public posture, and we welcome verification by your tech team.
Can we run StaticCodeAudit on a workstation provided by the client?
Yes. The binary is portable: drop it on the workstation, run it, copy the HTML report back to your audit binder. No installation, no admin rights required, no registry changes on Windows. If the client's workstation is air-gapped, the binary still runs.
What does the auditor need to provide the client as part of the engagement?
Typically: the engagement letter; the StaticCodeAudit license you used (one of our paid tiers); the binary hash (SHA-256 we publish on our download page); and the HTML report itself. The client can verify the hash to confirm the binary was unmodified.
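Checking the published SHA-256 the way the answer above describes, as an added example (this is not the vendor's own tooling): the digest is streamed from disk, the published value is accepted either as a bare hex digest or in the "<hex>  <filename>" form that sha256sum prints, and the outcome is returned as a record that can go straight into the working papers. The sample file and the hash value used in main() are constructed; the real hash comes from the vendor's download page.

```python
"""Verify a downloaded StaticCodeAudit binary against the SHA-256 published on the
download page (added example for the audit binder, not the vendor's own tooling).
The sample file and the hash in main() are CONSTRUCTED placeholders."""
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a large binary never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_published_hash(line):
    """Accept a bare hex digest or a sha256sum-style line ('<hex>  <filename>').
    Returns the lower-case digest; raises ValueError on anything else."""
    stripped = line.strip()
    token = stripped.split()[0].lower() if stripped else ""
    if len(token) != 64 or any(c not in "0123456789abcdef" for c in token):
        raise ValueError("not a SHA-256 hex digest: %r" % line)
    return token


def binder_record(path, published_line):
    """Record for the working papers: what was checked, against what, and the outcome."""
    expected = parse_published_hash(published_line)
    actual = sha256_of_file(path)
    return {
        "file": os.path.basename(path),
        "published_sha256": expected,
        "computed_sha256": actual,
        # constant-time comparison is habit here; the digests are public either way
        "match": hmac.compare_digest(actual, expected),
    }


def verify_published_hash(path, published_line):
    """True when the file on disk matches the published digest."""
    return binder_record(path, published_line)["match"]


def make_sample_binary(content=b"abc"):
    """Write a CONSTRUCTED stand-in for the binary to a temp file; returns its path."""
    fd, path = tempfile.mkstemp(prefix="sca-sample-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return path


if __name__ == "__main__":
    sample = make_sample_binary()
    # sha256(b"abc") is the standard test vector, standing in for the published value
    published = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  staticcodeaudit"
    record = binder_record(sample, published)
    print("match" if record["match"] else "MISMATCH", record)
```

In a real engagement the path is the downloaded binary and the published line is pasted from the download page; keep the returned record with the engagement letter so the client can repeat the check.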
Can the report be redacted before client delivery?
Yes. The HTML report is plain text — you can open it in any editor and remove paragraphs (e.g., findings the auditor decides are out of scope). The SARIF JSON is similarly editable. The "audit binder" format means each artifact can be reviewed and redacted before release.
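Redacting the SARIF artifact as described above, as an added example that is not part of StaticCodeAudit: the sample report, its rule ids, messages and file paths are all constructed, and only the SARIF 2.1.0 layout (the OASIS standard) is real. Editing the JSON by hand is fine for a handful of findings; a script like this keeps the redaction reproducible, leaves the original untouched, and records what was removed in the run's properties bag so the working papers show the cut.

```python
"""Redact a SARIF 2.1.0 report before client delivery while keeping an auditable
record of what was removed (added example; not StaticCodeAudit's own code).
SAMPLE_SARIF is CONSTRUCTED: rule ids, paths and messages are made up; only the
SARIF structure itself follows the OASIS standard."""
import copy
import json

SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "StaticCodeAudit", "rules": [
            {"id": "SCA-SQLI", "properties": {"tags": ["CWE-89"]}},
            {"id": "SCA-SECRET", "properties": {"tags": ["CWE-798"]}},
        ]}},
        "results": [
            {"ruleId": "SCA-SQLI", "level": "error",
             "message": {"text": "User input reaches a SQL query unsanitised"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/db/query.py"}}}]},
            {"ruleId": "SCA-SECRET", "level": "warning",
             "message": {"text": "Credential literal in source"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/fixtures/fake_creds.py"}}}]},
            {"ruleId": "SCA-SQLI", "level": "error",
             "message": {"text": "User input reaches a SQL query unsanitised"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "vendor/orm/legacy.py"}}}]},
        ],
    }],
}


def result_uris(result):
    """Yield every file URI a SARIF result points at."""
    for loc in result.get("locations", []):
        uri = loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri")
        if uri:
            yield uri


def redact_sarif(sarif, out_of_scope_prefixes=(), suppressed_rule_ids=()):
    """Return (redacted copy, number of results removed).

    A result is dropped when its ruleId is suppressed or when all of its
    locations sit under an out-of-scope path prefix. Each run's `properties`
    bag records the redaction so the working papers show what was cut."""
    doc = copy.deepcopy(sarif)  # never mutate the original artifact
    prefixes = tuple(out_of_scope_prefixes)
    suppressed = set(suppressed_rule_ids)
    total_removed = 0
    for run in doc.get("runs", []):
        kept, run_removed = [], 0
        for res in run.get("results", []):
            uris = list(result_uris(res))
            out_of_scope = bool(uris) and bool(prefixes) and all(u.startswith(prefixes) for u in uris)
            if res.get("ruleId") in suppressed or out_of_scope:
                run_removed += 1
            else:
                kept.append(res)
        run["results"] = kept
        run.setdefault("properties", {})["redaction"] = {
            "removedResults": run_removed,
            "outOfScopePrefixes": list(prefixes),
            "suppressedRuleIds": sorted(suppressed),
        }
        total_removed += run_removed
    return doc, total_removed


def count_by_cwe(sarif):
    """Count results per CWE tag declared on the matching rule, so the cover
    letter can state how many findings of each weakness class remain in scope."""
    counts = {}
    for run in sarif.get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        tags_by_rule = {r["id"]: r.get("properties", {}).get("tags", []) for r in rules}
        for res in run.get("results", []):
            for tag in tags_by_rule.get(res.get("ruleId"), []):
                if tag.startswith("CWE-"):
                    counts[tag] = counts.get(tag, 0) + 1
    return counts


if __name__ == "__main__":
    # Third-party vendor code and test fixtures are declared out of scope for this engagement
    redacted, removed = redact_sarif(SAMPLE_SARIF, out_of_scope_prefixes=("vendor/", "tests/"))
    print("removed:", removed, "remaining by CWE:", count_by_cwe(redacted))
    print(json.dumps(redacted, indent=2))
```

Load the real SARIF with json.load, pass the scope agreed in the engagement letter as prefixes, and write the redacted copy to a new file; the properties bag on each run then documents the redaction alongside the findings.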
Does using StaticCodeAudit affect the legal weight of our opinion?
It strengthens it. Every finding maps to a publicly recognised standard (CWE, ASVS, OWASP). When you assert "no high-severity findings against ASVS v5 §4", that statement is reproducible by another auditor running the same tool on the same code. SaaS tools, by contrast, run an opaque ML model — you cannot reproduce the analysis without access to the vendor's cloud.
Need a sample report for a client engagement?
Open the live demo, white-labelled in your firm's colors. Or book a 20-min walk-through where we run StaticCodeAudit on a sample codebase you bring.