FAQ
Frequently asked questions
Everything people ask before requesting a free code audit: what you get, how long it takes, and how we handle your code.
FAQ
Frequently asked questions
What is a code audit?
A code audit is a structured review of your codebase by an engineer who did not write it. The auditor reads the code looking for security vulnerabilities, architectural problems, technical debt, and reliability risks, then documents each finding with a severity and its location. The output is a written report, not a fixed codebase: it tells you what is wrong, why it matters, and what to do about it.
What does the audit cover?
Security first: injection, broken authentication and access control, exposed secrets and keys, and unsafe dependencies. Beyond that we look at architecture and scalability, code quality and maintainability, error handling, test coverage, and how the code talks to the database. If something in the codebase is likely to cost you money or sleep in the next year, it belongs in the report.
How is a code audit different from a code review?
A code review looks at one change before it merges: a teammate checks a pull request. A code audit looks at the entire codebase as it exists today, performed by an outsider with no attachment to any of it. Reviews keep new problems out; an audit finds the ones that are already in. Most teams that ask us for an audit have been doing reviews all along.
How is a code audit different from a penetration test?
A penetration test attacks your running application from the outside to see what an intruder could break into, usually without reading the source. A code audit reads the source directly, so it finds root causes instead of probing for symptoms, and it also covers quality, architecture, and technical debt, which a pen test never touches. They complement each other; they are not interchangeable.
How is a manual audit different from running a scanner myself?
Run the scanner too; it is free and catches real things. What it cannot do is tell you which of its hundreds of warnings actually matter in your product, and it misses logic flaws where the code is syntactically fine but does the wrong thing, like an authorization check that exists but checks the wrong resource. A person who has shipped and rescued production systems reads for meaning, not patterns. We use tools as a first pass and spend the real time where tools cannot go.
Is the code audit really free?
Yes. No credit card, no trial that quietly converts, no invoice afterwards. You submit code through the form, a Webisoft engineer reviews it, and you receive written findings by email. That is the entire transaction.
Why is it free? What is the catch?
The audit is how Webisoft meets teams that may later need engineers. Some people who receive findings decide they want the same engineers to fix them, and that sometimes becomes paid work: development, rescue projects, or a fractional CTO. Most people take the report and act on it themselves, which is fine and expected. A shallow audit would defeat the purpose, so it is a real one either way.
What exactly do I get, and in what format?
A written findings report delivered by email. Each finding includes a severity rating, the file and line where we found it, a plain language explanation of why it matters, and a suggested fix concrete enough for any competent developer to act on. Findings are ordered by priority, so working top down is the right plan.
How long does the audit take?
Typically a few business days from the moment we have access, depending on the queue and the size of the codebase. It is a manual review by a working engineer, not an instant automated report, so larger codebases take longer. If yours will need more time than usual, we say so up front.
Do you keep my code private?
We read your code to audit it and we do not retain it afterwards. We never share it, resell it, or train any model on it. Once the report is delivered you should revoke our repository access, and we will remind you to do it.
Will you sign an NDA?
Yes. If your legal team wants an NDA in place before you share anything, mention it in the form and we will sign a reasonable one without drama. Plenty of teams ask, and it barely slows the queue.
How do I give you access to a private repository?
Invite [email protected] as a read-only collaborator on GitHub, GitLab, or Bitbucket. Read-only is all we need and all we want. When the audit is delivered, revoke the access. If you cannot grant repository access at all, an archive of the source works too.
What languages and stacks do you support?
The common production stacks: JavaScript and TypeScript (Node, React, Next.js and friends), Python, PHP, Ruby, Go, Java, and C#, plus mobile codebases in Swift and Kotlin. Webisoft also has a blockchain practice, so Solidity and smart contract code are in scope. If your stack is unusual, say so in the form; if we cannot review it well, we will tell you instead of faking it.
Can you audit AI-generated code from Lovable, Bolt, Cursor, or v0?
Yes, and it is a growing share of what we review. AI tools produce code that runs and demos well but often ships with permissive access rules, exposed keys, missing input validation, and thin error handling, because the model optimizes for satisfying the prompt, not for production. If you built something fast with Lovable, Bolt, v0, or Cursor and want to know whether it is safe to take payments or real user data, that is exactly what this audit is for.
How are findings prioritized?
By real-world consequence, not by scanner score. Critical means exploitable now or already leaking, like an exposed secret or an authentication bypass. High means likely to bite soon; medium and low cover maintainability problems and debt that tax you gradually. The report is ordered so that fixing from the top down is the right move.
What happens after I receive the report?
That is up to you. Most teams fix the findings themselves or hand the report to their developers; it is written to be actionable without us. If you want help, you can book a call to walk through the findings, and if you want the issues fixed by the people who found them, Webisoft quotes that as a separate, clearly scoped engagement. Nobody chases you with a sales sequence either way.
Do you also fix the issues you find?
Not as part of the free audit; the audit is diagnosis, not treatment. If you want the fixes done, Webisoft offers that as normal paid engineering work, quoted after you have the report so you can weigh it against doing the work in-house. There is no obligation, and the findings are not written to manufacture one.
How do I request an audit?
Fill in the form on this site with a short description of the project, your stack, and what worries you. We reply by email to arrange access, usually a read-only collaborator invite to your repository. Then your project enters the queue and you get the findings when the review is done. Total effort on your side is about ten minutes.
My codebase is large. Can you still audit it?
Yes, but we scope it honestly. For very large codebases we agree on the highest-risk areas first, usually authentication, payments, and data handling, rather than pretending a single pass covers a million lines. Mention the rough size in the form and we will propose a sensible scope before starting.
Do I need to prepare anything before the audit?
Not much. Access to the code, a sentence or two about what the product does, and anything you already suspect is a problem. A README and a way to see the app running help but are not required. Do not clean the code up first; we learn as much from the mess as from the tidy parts.
What if my code is embarrassing?
It will not be the worst thing we have seen this month. We audit rushed MVPs, inherited legacy systems, and AI-generated prototypes; mess is the normal condition of code that shipped under pressure. The report judges the code, not you, and nobody outside the audit sees either one.
Who is Webisoft?
Webisoft is a software engineering firm based in Montreal that builds and rescues production systems, from web and backend platforms to blockchain infrastructure. The people doing the audits are the same engineers who do that client work, which is why the findings read like they were written by someone who has been on call. The free audit is how the firm introduces itself to teams that might need that kind of help later.
Free · no strings shown later
Get your free code audit
A repo URL and two minutes of your time. A Webisoft engineer sends back written findings (security, tech debt, performance) with file-and-line specifics.
Request my free audit