Technical Documentation

Cryptographic Audit Methodology

Vauntico audits repositories across six distinct vectors of algorithmic and infrastructure risk. Each dimension is independently scored, cryptographically sealed, and composited into a tamper-evident TrustScore certificate — verifiable by any third party without requiring access to your codebase.

Back to Overview

Section 01

Six Dimensions of Infrastructure Health

01Dependency Surface

Dependency Surface Integrity

Every third-party package is a potential attack vector. Vauntico scans the full transitive dependency graph — not just direct imports — resolving each node against the NVD CVE database and private advisory feeds updated in real time.

Scoring Equation

DSI = (P_resolved / P_total) × (1 − CVE_critical / P_total)

Dependency Surface Index

Transitive graph traversal across npm, pip, Go modules, and Cargo lock files
CVSS v3.1 severity weighting with exploit-prediction scoring (EPSS)
License boundary detection — flags GPL contamination in commercial stacks
Pinned-vs-floating version drift alerts across branches

02Workflow Continuity

CI/CD Workflow Continuity Score

A healthy pipeline is proof of engineering discipline. WCS weighs the ratio of passing workflows against a time-decay function of the last failure event — rewarding teams that maintain green CI and penalising chronic instability.

Scoring Equation

WCS = (W_passing / W_total) × e^(−λ · T_last_fail)

Workflow Continuity Score (λ = decay constant)

GitHub Actions, GitLab CI, and Bitbucket Pipelines natively supported
Time-decay constant λ calibrated to a 30-day rolling window
Branch-protection rule compliance check (required status checks, merge queues)
Deployment frequency and change-failure rate tracked via DORA proxy signals

03Secret Hygiene

Secret & Credential Hygiene Rating

Exposed secrets are the single most common root cause of production breaches. Every commit in the repository history is re-scanned — including squashed merges and force-pushed branches — using a 2,400+ pattern ruleset derived from GitGuardian, TruffleHog, and Vauntico's own threat intelligence.

Scoring Equation

SHR = 1 − (S_exposed / S_scanned) × (R_severity)

Secret Hygiene Rating (R_severity = weighted risk coefficient)

Full git history traversal — not just HEAD
Entropy-based heuristics catch novel secrets with no known pattern
Rotation-status detection: flags secrets that exist in vault but are also hardcoded
Instant quarantine advisory with remediation commit template generated

04Infrastructure Posture

Infrastructure Configuration Posture

IaC files, Dockerfile layers, Kubernetes manifests, and Terraform plans are parsed through a policy engine aligned to CIS Benchmarks Level 2. Each control is independently scored and weighted by exploitability before being aggregated into the Infrastructure Configuration Posture index.

Scoring Equation

ICP = Σ(w_i · C_i) / Σ(w_i) where C_i ∈ [0, 1]

Weighted Infrastructure Configuration Index

CIS Benchmark Level 2 controls for AWS, GCP, Azure, and self-hosted Linux
Dockerfile least-privilege checks: USER directives, COPY vs ADD, multi-stage hygiene
Kubernetes RBAC boundary analysis — detects wildcard ClusterRoleBindings
Terraform plan drift analysis flags configuration that diverges from state

05Compliance Boundary

Regulatory Compliance Boundary Mapping

Vauntico maps repository signals to formal control frameworks — GDPR Article 32, SOC 2 Type II CC6 through CC9, ISO 27001 Annex A.12, and NDPR (Nigeria Data Protection Regulation). Each framework generates a standalone gap matrix so teams understand exactly which controls are evidenced and which are missing.

Scoring Equation

CBM = (Controls_met / Controls_required) × (1 − Gap_criticality)

Compliance Boundary Mapping Score

GDPR Article 32 technical and organisational measure mapping
SOC 2 Type II CC6–CC9 control evidence extraction from CI artifacts
ISO 27001 Annex A.12 (Operations Security) automated evidence tagging
NDPR alignment layer for Nigerian data-resident systems

06TrustScore Ledger

Cryptographic TrustScore Ledger Validation

The five preceding vectors feed a multiplicative weighting function capped at 850. The result is sealed via SHA-256 HMAC using Vauntico's signing key, anchored to a per-repository nonce, and timestamped — producing a tamper-evident proof certificate that third parties can verify without requiring access to your codebase.

Scoring Equation

TS = 850 × ∏(V_i^α_i) subject to: TS ≤ 850

TrustScore Composite (α_i = dimension weight, V_i ∈ [0,1])

SHA-256 HMAC-signed certificates with per-scan nonce binding
Public verification endpoint — investors verify without codebase access
Score is immutable once issued; a new scan creates a new certificate
Healing trajectory tracked across consecutive nightly scans

Section 02

Cryptographic Ledger Validation

Composite TrustScore Formula

The five vector scores are fed into a multiplicative model. Multiplicative composition means a zero-score in any single dimension collapses the overall TrustScore — no single hidden failure can be masked by excellence elsewhere.

Master Equation

TS = 850 × ∏(V_i^α_i)
subject to: TS ≤ 850, TS ≥ 0

V_i — normalised score for dimension i ∈ [0, 1]

α_i — dimension weight (Σα_i = 1)

Dimension weights: DSI 0.20 · WCS 0.18 · SHR 0.22 · ICP 0.18 · CBM 0.12 · Ledger 0.10

Certificate Anatomy

Every TrustScore certificate is sealed with SHA-256 HMAC using Vauntico's rotating signing key, bound to a per-repository nonce, and timestamped at nanosecond resolution. The public verification endpoint allows any investor or procurement team to validate authenticity without repository access.

schema_version:"v2.1"

repo_nonce:"sha256:9f3a...e12b"

trust_score:742

issued_at:"2026-05-29T04:00:00.000Z"

expires_at:"2026-05-30T04:00:00.000Z"

hmac_sig:"HS256:8c4f...a9d0"

Nightly Healing Trajectory

TrustScore is never decreased automatically. Each nightly scan either holds the score steady or heals it upward based on measurable improvements — aligned with the Permanent Green Protocol. Genesis Founders receive a 150-point healing rate ceiling, the highest tier available on the platform.

Genesis Founder

150 pts / night

Sovereign

80 pts / night

Architect

40 pts / night

Standard

20 pts / night

Section 03

Technical Compliance Parameters

Vauntico maps repository signals to the following formal control frameworks. Each framework generates a standalone gap matrix so teams understand precisely which controls are evidenced by the repository state and which require remediation.

Framework	Article / Section	Control Domain	Status
GDPR	Art. 32	Technical & Organisational Measures	Mapped
SOC 2 Type II	CC6–CC9	Logical & Physical Access Controls	Mapped
ISO 27001	Annex A.12	Operations Security Controls	Mapped
NDPR	§2.1(b)	Data Protection by Design	Mapped
NIST CSF	PR.DS	Data Security Sub-category	Partial
PCI DSS v4	Req 6	Secure Development Lifecycle	Partial

“Partial” status indicates controls that are mapped but require supplementary manual evidence (e.g., penetration test reports or auditor attestations) not derivable from repository state alone.

Ready to generate your TrustScore certificate?

Run a free public scan in under 60 seconds — no account required. Upgrade to receive a signed certificate valid for investor and procurement due diligence.

Run a Free Scan Create Account →

Loading the Vault...

Technical Documentation

Cryptographic Audit Methodology

Back to Overview

Section 01

Six Dimensions of Infrastructure Health

01Dependency Surface

Dependency Surface Integrity

Scoring Equation

DSI = (P_resolved / P_total) × (1 − CVE_critical / P_total)

Dependency Surface Index

Transitive graph traversal across npm, pip, Go modules, and Cargo lock files
CVSS v3.1 severity weighting with exploit-prediction scoring (EPSS)
License boundary detection — flags GPL contamination in commercial stacks
Pinned-vs-floating version drift alerts across branches

02Workflow Continuity

CI/CD Workflow Continuity Score

Scoring Equation

WCS = (W_passing / W_total) × e^(−λ · T_last_fail)

Workflow Continuity Score (λ = decay constant)

GitHub Actions, GitLab CI, and Bitbucket Pipelines natively supported
Time-decay constant λ calibrated to a 30-day rolling window
Branch-protection rule compliance check (required status checks, merge queues)
Deployment frequency and change-failure rate tracked via DORA proxy signals

03Secret Hygiene

Secret & Credential Hygiene Rating

Scoring Equation

SHR = 1 − (S_exposed / S_scanned) × (R_severity)

Secret Hygiene Rating (R_severity = weighted risk coefficient)

Full git history traversal — not just HEAD
Entropy-based heuristics catch novel secrets with no known pattern
Rotation-status detection: flags secrets that exist in vault but are also hardcoded
Instant quarantine advisory with remediation commit template generated

04Infrastructure Posture

Infrastructure Configuration Posture

Scoring Equation

ICP = Σ(w_i · C_i) / Σ(w_i) where C_i ∈ [0, 1]

Weighted Infrastructure Configuration Index

CIS Benchmark Level 2 controls for AWS, GCP, Azure, and self-hosted Linux
Dockerfile least-privilege checks: USER directives, COPY vs ADD, multi-stage hygiene
Kubernetes RBAC boundary analysis — detects wildcard ClusterRoleBindings
Terraform plan drift analysis flags configuration that diverges from state

05Compliance Boundary

Regulatory Compliance Boundary Mapping

Scoring Equation

CBM = (Controls_met / Controls_required) × (1 − Gap_criticality)

Compliance Boundary Mapping Score

GDPR Article 32 technical and organisational measure mapping
SOC 2 Type II CC6–CC9 control evidence extraction from CI artifacts
ISO 27001 Annex A.12 (Operations Security) automated evidence tagging
NDPR alignment layer for Nigerian data-resident systems

06TrustScore Ledger

Cryptographic TrustScore Ledger Validation

Scoring Equation

TS = 850 × ∏(V_i^α_i) subject to: TS ≤ 850

TrustScore Composite (α_i = dimension weight, V_i ∈ [0,1])

SHA-256 HMAC-signed certificates with per-scan nonce binding
Public verification endpoint — investors verify without codebase access
Score is immutable once issued; a new scan creates a new certificate
Healing trajectory tracked across consecutive nightly scans

Section 02

Cryptographic Ledger Validation

Composite TrustScore Formula

Master Equation

TS = 850 × ∏(V_i^α_i)
subject to: TS ≤ 850, TS ≥ 0

V_i — normalised score for dimension i ∈ [0, 1]

α_i — dimension weight (Σα_i = 1)

Dimension weights: DSI 0.20 · WCS 0.18 · SHR 0.22 · ICP 0.18 · CBM 0.12 · Ledger 0.10

Certificate Anatomy

schema_version:"v2.1"

repo_nonce:"sha256:9f3a...e12b"

trust_score:742

issued_at:"2026-05-29T04:00:00.000Z"

expires_at:"2026-05-30T04:00:00.000Z"

hmac_sig:"HS256:8c4f...a9d0"

Nightly Healing Trajectory

Genesis Founder

150 pts / night

Sovereign

80 pts / night

Architect

40 pts / night

Standard

20 pts / night

Section 03

Technical Compliance Parameters

Framework	Article / Section	Control Domain	Status
GDPR	Art. 32	Technical & Organisational Measures	Mapped
SOC 2 Type II	CC6–CC9	Logical & Physical Access Controls	Mapped
ISO 27001	Annex A.12	Operations Security Controls	Mapped
NDPR	§2.1(b)	Data Protection by Design	Mapped
NIST CSF	PR.DS	Data Security Sub-category	Partial
PCI DSS v4	Req 6	Secure Development Lifecycle	Partial

“Partial” status indicates controls that are mapped but require supplementary manual evidence (e.g., penetration test reports or auditor attestations) not derivable from repository state alone.

Ready to generate your TrustScore certificate?

Run a free public scan in under 60 seconds — no account required. Upgrade to receive a signed certificate valid for investor and procurement due diligence.

Run a Free Scan Create Account →