SAMPLE REPORT
THUBAN
← Back to Pricing
SAMPLE REPORT

Code Quality & Security Assessment

Automated AI-powered analysis — Thuban Scanner + Crucible Adversarial Engine

Target
acme-fintech/payments-api
Generated
5 July 2026, 12:04 UTC
Scan Duration
4.2 seconds
Report ID
THB-2026-07-05-A7F3

Executive Summary

Thuban performed a comprehensive dual-engine analysis of the acme-fintech/payments-api repository. The codebase contains 342 files across 4 languages (TypeScript, JavaScript, SQL, Shell), totalling 28,491 lines of code.

The Thuban Scanner identified 3 critical security vulnerabilities (SQL injection, hardcoded API key, insecure JWT verification), 2 AI hallucination issues (non-existent Stripe API methods), and 4 code quality warnings (ghost functions, clone clusters, high complexity). The Crucible adversarial engine tested the codebase against 486 attack patterns and confirmed that 12 attack vectors are exploitable in the current state.

Overall, the codebase demonstrates solid architectural decisions and competent engineering, but the critical security findings must be remediated before production deployment or investment close. Estimated remediation effort: 2–4 developer days.

⚠ CONDITIONAL PASS — Remediable issues found. See recommendations below.
📊

Trust Scores

Thuban Trust Score
68/100
Security + Quality + Maintainability
Crucible Score
71/100
Attack Resistance Rating
Post-Fix Estimate
91/100
After recommended remediations
Technical Debt
Low
Clean architecture, well-structured modules
📂

Codebase Overview

MetricValueAssessment
Total files342✓ Reasonable size
Lines of code28,491✓ Manageable
LanguagesTypeScript (78%), JS (12%), SQL (8%), Shell (2%)✓ Consistent stack
Dependencies47 direct, 312 transitive⚠ 3 outdated
Test files89 (26% of codebase)✓ Good coverage
Avg. complexity per file4.2 (cyclomatic)✓ Low complexity
Largest filesrc/services/payment-processor.ts (847 lines)⚠ Consider splitting
🛡

Thuban Scanner — Security & Quality Findings

3 Critical 2 Hallucinations 4 Warnings 3 Auto-fixable
Critical
SEC003 — SQL Injection via User Input
src/services/payment-processor.ts:142
User-supplied transaction ID is concatenated directly into a SQL query without parameterisation. An attacker could extract the entire payments database or escalate privileges.
140async function getTransaction(txId: string) {
141 const pool = await getDbPool();
142 const result = await pool.query(`SELECT * FROM transactions WHERE id = '${txId}'`);
143 return result.rows[0];
OWASP A03:2021 CWE-89 Auto-fixable Taint: req.params.txId → pool.query()
Critical
SEC001 — Hardcoded Stripe Secret Key
src/config/stripe.ts:8
Production Stripe secret key is hardcoded in source. This key provides full access to the Stripe account including charges, refunds, and customer data.
8const STRIPE_KEY = "sk_live_51N8x2KF61FJG0TcsABCDEFGH...";
OWASP A02:2021 CWE-798 Immediate rotation required
Critical
SEC007 — JWT Verification Disabled
src/middleware/auth.ts:23
JWT verification is using algorithms: ['none'], which accepts unsigned tokens. Any user can forge authentication tokens.
23const decoded = jwt.verify(token, secret, { algorithms: ['none', 'HS256'] });
OWASP A07:2021 CWE-327 Auto-fixable
Halluc.
HALL001 — Non-existent Stripe API Method
src/services/refunds.ts:34
stripe.refunds.createInstant() does not exist in any version of the Stripe Node SDK. The correct method is stripe.refunds.create(). This was likely generated by an AI coding assistant that hallucinated the method name.
AI Hallucination Runtime crash guaranteed Auto-fixable
Halluc.
HALL001 — Non-existent Node.js Crypto Method
src/utils/tokens.ts:12
crypto.generateKeyPairAsync() does not exist. The correct method is crypto.generateKeyPair() (callback) or crypto.generateKeyPairSync(). Another AI hallucination.
AI Hallucination Runtime crash
Warning
GHOST001 — 7 Unused Exported Functions
Multiple files
7 functions are exported but never imported anywhere in the codebase. These are dead code that increases bundle size and cognitive load. Likely remnants of a refactoring or AI-generated boilerplate.
Dead code Maintainability
Warning
CLONE001 — 3 Duplicate Code Clusters
src/api/users.ts ↔ src/api/merchants.ts ↔ src/api/admins.ts
Input validation logic is copy-pasted across 3 API route files with 91% average similarity. Should be extracted to a shared validation module.
DRY violation 89-93% similarity

Crucible Adversarial Engine — Attack Resistance

The Crucible engine subjected the codebase to 486 known attack patterns including SQL injection variants, XSS payloads, command injection, prototype pollution, and path traversal. Results below.

486
Patterns Tested
474
Blocked / Mitigated
12
Exploitable
Attack CategoryTestedBlockedExploitableStatus
SQL Injection87825✗ Fail
Cross-Site Scripting64613✗ Fail
Authentication Bypass42384✗ Fail
Command Injection38380✓ Pass
Path Traversal31310✓ Pass
Prototype Pollution28280✓ Pass
SSRF24240✓ Pass
Deserialization22220✓ Pass
Chaos Mutations1501500✓ Pass
📦

Dependency Supply Chain Analysis

Thuban analysed all 47 direct and 312 transitive dependencies for known CVEs, malicious packages, licence risks, and deprecated libraries. Supply chain attacks are the fastest-growing vector in software security.

47
Direct Deps
312
Transitive Deps
4
Known CVEs
0
Malicious Packages

Known Vulnerabilities (CVEs)

PackageInstalledCVESeverityFix Available
jsonwebtoken 8.5.1 CVE-2022-23529 HIGH ✓ 9.0.0+
express 4.17.1 CVE-2024-29041 MEDIUM ✓ 4.19.2+
semver 5.7.1 CVE-2022-25883 MEDIUM ✓ 5.7.2+
qs 6.5.2 CVE-2022-24999 LOW ✓ 6.5.3+
No Malicious Packages Detected
All 359 packages checked against known malware registries, typosquat databases, and suspicious publish patterns.

Licence Compliance

LicenceCountRiskCommercial Use
MIT241✓ None✓ Permitted
ISC48✓ None✓ Permitted
BSD-2-Clause23✓ None✓ Permitted
Apache-2.031✓ None✓ Permitted
BSD-3-Clause12✓ None✓ Permitted
GPL-3.02⚠ Copyleft⚠ Viral clause
UNLICENSED2⚠ Unknown⚠ Verify
⚠ Licence Alert: 2 packages use GPL-3.0 (@acme/logger, text-table). If the product is distributed as proprietary software, GPL dependencies require legal review. 2 packages have no licence declaration — contact maintainers or replace.
📜

Software Bill of Materials (SBOM)

Complete inventory of all direct dependencies. Full SBOM including transitive dependencies available in CycloneDX and SPDX formats via export.

Format: CycloneDX 1.5 47 direct | 312 transitive Last updated: 5 July 2026
PackageVersionLicenceDirectCVEStatus
@stripe/stripe-node14.2.0MIT✓ Clean
express4.17.1MIT1⚠ Update
pg8.11.3MIT✓ Clean
jsonwebtoken8.5.1MIT1✗ Vuln
bcryptjs2.4.3MIT✓ Clean
helmet7.1.0MIT✓ Clean
cors2.8.5MIT✓ Clean
winston3.11.0MIT✓ Clean
zod3.22.4MIT✓ Clean
dotenv16.3.1BSD-2✓ Clean
redis4.6.10MIT✓ Clean
bullmq4.12.0MIT✓ Clean
pino8.16.2MIT✓ Clean
uuid9.0.0MIT✓ Clean
axios1.6.2MIT✓ Clean

Showing 15 of 47 direct dependencies. Full SBOM available as CycloneDX JSON or SPDX export.

🏗

Architecture & Module Map

Auto-generated module dependency graph showing the codebase structure, entry points, and data flow paths. Modules with security findings are highlighted.

Module Dependency Graph
                          ┌─────────────────────┐
                          │    API Gateway     │
                          │  src/app.ts (entry) │
                          └─────────┬───────────┘
                                   │
              ┌─────────────┴─────────────┐
              │                           │
    ┌────────┴─────────┐    ┌────┴────────────┐
    │  ⚠ Middleware      │    │  Route Handlers    │
    │  src/middleware/   │    │  src/api/           │
    │  auth.ts [SEC007]  │    │  users.ts           │
    │  rate-limit.ts    │    │  merchants.ts [CLONE]│
    │  cors.ts          │    │  admins.ts [CLONE]   │
    └──────────────────┘    └─────────┬────────┘
                                        │
              ┌─────────────┴─────────────┐
              │                           │
    ┌────────┴─────────┐    ┌────┴────────────┐
    │  ⚠ Services       │    │  Utilities          │
    │  payment-         │    │  src/utils/          │
    │  processor.ts     │    │  tokens.ts [HALL]    │
    │  [SEC001,SEC003]   │    │  format.js [GHOST]   │
    │  refunds.ts [HALL] │    │  crypto.ts           │
    └──────────────────┘    └─────────────────┘
              │
    ┌────────┴─────────┐
    │  ⚠ Database       │
    │  src/db/           │
    │  query.js [SEC003]  │
    │  migrations/       │
    │  seeds/            │
    └──────────────────┘
ModuleFilesLOCComplexityFindingsHealth
src/api/122,8413.81 clone cluster⚠ Fair
src/services/84,2936.12 critical, 1 halluc.✗ Poor
src/middleware/56122.41 critical✗ Poor
src/utils/91,1022.81 halluc., 1 ghost⚠ Fair
src/db/61,8473.21 critical (SQL inj)✗ Poor
src/config/41891.01 critical (API key)✗ Poor
src/types/118911.0✓ Clean
tests/897,4211.8✓ Clean
📈

Team Velocity & Development Indicators

Git history analysis showing development patterns, contributor distribution, and project health indicators. These metrics help investors assess team capability and sustainability.

847
Total Commits
6
Contributors
2.3
Bus Factor
14mo
Repo Age

Contributor Distribution

ContributorCommitsLines AddedLines DeletedLast ActiveFocus Areas
dev-lead-alex412 (49%)18,2916,1032 days agoServices, API, DB
backend-sarah198 (23%)8,4123,2013 days agoAuth, middleware
fullstack-mike127 (15%)5,8912,4871 week agoAPI routes, tests
devops-jen63 (7%)1,2034125 days agoCI/CD, infra
junior-tom31 (4%)2,1048912 weeks agoUtils, tests
intern-emma16 (2%)8903123 weeks agoDocumentation

Development Health Indicators

Commit Frequency (last 90 days)
4.2 commits/day
✓ Active development — above average for team size
PR Merge Rate
94%
✓ Healthy code review process — low abandonment
Average PR Review Time
18 hours
⚠ Slightly slow — typical for small teams without dedicated reviewers
Bus Factor
2.3
⚠ Primary contributor owns 49% of code — monitor for single-point-of-failure risk
📋

Compliance & Standards Mapping

Automated mapping of scan findings against major compliance frameworks. This is a code-level assessment and does not replace a full compliance audit, but gives investors visibility into the codebase's alignment with industry standards.

FrameworkRequirementStatusFindings
OWASP Top 10 (2021) A01 — Broken Access Control ✗ Fail SEC007: JWT allows unsigned tokens
A02 — Cryptographic Failures ✗ Fail SEC001: Hardcoded Stripe secret key
A03 — Injection ✗ Fail SEC003: SQL injection (5 instances)
A04–A10 ✓ Pass No findings in remaining categories
Overall: 3/10 categories failed — remediation required
SOC 2 Type II CC6.1 — Logical Access Controls ✗ Fail JWT verification disabled; secrets in source
CC6.6 — System Boundaries ✓ Pass Proper CORS, rate limiting, input validation
CC7.1 — Vulnerability Management ⚠ Partial 4 CVEs in dependencies; no automated scanning in CI
CC8.1 — Change Management ✓ Pass PR-based workflow, branch protection, review required
PCI DSS v4.0 Req 6.2 — Secure Development ✗ Fail SQL injection, hardcoded keys violate secure coding standards
Req 6.3 — Vulnerability Management ⚠ Partial Known CVEs not patched; no SBOM process
Req 8 — Authentication ✗ Fail JWT allows algorithm:none — critical auth bypass
ISO 27001:2022 A.8.25 — Secure Development Life Cycle ⚠ Partial Good practices in place, but no automated security scanning in CI
A.8.28 — Secure Coding ✗ Fail Injection flaws, hardcoded secrets, AI hallucinations in production code
📈

Historical Trend Analysis

Score progression across previous Thuban scans. Trend data shows whether the team is actively improving code quality or allowing technical debt to accumulate.

Trust Score Over Time
41
Jan 26
52
Feb 26
58
Mar 26
63
Apr 26
65
May 26
68
Now
91
Post-fix
+27
Score Improvement (6mo)
Trend Direction
4.5/mo
Avg Monthly Gain
📊

Benchmark: How Does This Codebase Compare?

Anonymous aggregate comparison against all codebases scanned by Thuban in the same category (FinTech, TypeScript, 20k–50k LOC). Data based on 2,400+ scans across 340+ repositories.

MetricThis CodebaseCategory AverageTop 10%Percentile
Trust Score 68 61 89+ 72nd
Critical Findings 3 4.2 0 58th
AI Hallucinations 2 3.8 0 65th
Test Coverage Ratio 26% 18% 45%+ 71st
Avg Complexity 4.2 6.8 <3.0 76th
Dependency CVEs 4 7.1 0 62nd
Ghost Code % 2.4% 5.1% <1% 69th
Clone Ratio 3.1% 6.3% <2% 67th
Benchmark Summary
This codebase ranks in the 65th–76th percentile across all metrics — significantly above average for FinTech applications of this size. The critical security findings are the primary drag on the score. With remediation, this codebase would enter the top 10% of comparable projects.
💰

Risk-Adjusted Valuation Impact

Estimated financial exposure if critical findings remain unaddressed. Based on industry breach cost data (IBM Cost of a Data Breach Report 2025, Ponemon Institute) adjusted for company stage and data sensitivity.

Maximum Estimated Exposure
$2.4M – $4.8M
If SQL injection + JWT bypass + exposed Stripe key are exploited in production with active customer payment data.
Risk ScenarioFindingProbabilityImpact EstimateExpected Loss
Payment data breach via SQL injection SEC003 High (70%) $1.2M – $3.2M $840K – $2.24M
Account takeover via JWT bypass SEC007 High (60%) $500K – $1.5M $300K – $900K
Stripe account compromise SEC001 Medium (40%) $200K – $800K $80K – $320K
Runtime crash from hallucinated APIs HALL001 Certain (100%) $10K – $50K $10K – $50K
GPL licence violation lawsuit Licence Low (10%) $100K – $500K $10K – $50K
Cost If Unfixed
$1.24M – $3.56M
Expected loss (probability x impact) across all risk scenarios
Cost to Fix
$2,400 – $4,800
2–4 developer days at $150/hr. Thuban auto-fixes 3 of 9 findings.
Return on remediation: Every $1 spent on fixing these issues prevents an estimated $517 – $742 in expected losses.
💡

Investment Recommendations

🚨

Before Close: Rotate Stripe Key Immediately

The hardcoded Stripe secret key (SEC001) must be rotated in the Stripe dashboard and moved to environment variables. This is a blocking issue — the key grants full account access. Estimated effort: 30 minutes.

🚨

Before Close: Fix JWT Verification

Remove algorithms: ['none'] from JWT verification (SEC007). This allows any user to forge authentication tokens. Thuban can auto-fix this. Estimated effort: 15 minutes.

Within 30 Days: Parameterise All SQL Queries

5 SQL injection points found (SEC003). All can be auto-fixed by Thuban. The engineering team should also adopt a query builder (e.g., Knex) to prevent recurrence. Estimated effort: 1 day.

Within 30 Days: Fix AI Hallucinations

2 non-existent API methods will crash at runtime. These indicate AI-generated code that was not reviewed. Recommend integrating Thuban into CI to prevent future hallucinations from reaching production. Estimated effort: 2 hours.

Positive: Strong Architecture & Test Coverage

The codebase demonstrates clean separation of concerns, consistent TypeScript usage, 26% test coverage, and low average complexity (4.2). The engineering team is competent — the critical issues are fixable and do not indicate systemic problems.

Positive: Post-Fix Trust Score of 91/100

After implementing the recommended fixes, the Trust Score is projected to rise from 68 to 91 and the Crucible Score from 71 to 94. The codebase has strong fundamentals.

Final Verdict

Conditional Pass

The codebase is architecturally sound with strong engineering fundamentals. 3 critical security issues must be remediated before investment close. All issues are fixable within 2–4 developer days. Thuban can auto-fix 3 of the 9 findings.

68
Current Score
91
Post-Fix Estimate