An end-to-end code audit that reads your source, not your live app.
The Full Monty is a structured code audit I run against your codebase. It's not a vulnerability scan you can buy off the shelf and it's not a "let me click around your live app for an hour." I read your code. I run your tests. I run three independent scans — security, performance, UX — in parallel, against the actual source. I cross-check what one pass finds against the others. Then I write it all up in a PDF you can hand to your team, your board, or your auditor.
Report Only: full audit, your team ships the fixes.
Report + Fix: audit plus prioritized patches applied by me.
Fix Only: apply patches from a previous report.
Every engagement ships a project-branded PDF report.
Executive summary
Total findings, severity counts, per-class breakdown — so a non-technical reader gets the punchline in 30 seconds.
Three detailed findings sections
Security, Performance, and UI/UX — each with its own severity count table.
One finding per row
ID, severity, class, file:line, vulnerable code excerpt, description, recommended fix. No vague hand-waving; every finding tells your dev exactly what to change.
Methodology section
Explains how the audit was done so other engineers can verify or repeat it.
Stack-specific tooling recommendations
Additional SAST/SCA tools (Semgrep, Bandit, gosec, Trivy, gitleaks) that catch what the human-readable audit might miss.
Excluded folders & deletion policy
The report also functions as a deploy checklist — you know exactly what was and wasn't scanned.
Stable finding IDs across all three tracks: H-NN, M-NN and L-NN for security findings (prefix reflects severity), P-NN for performance, U-NN for UI/UX. Within each prefix, numbers run in the order the findings were written, not ranked by severity, so "fix H-04 by Friday" is unambiguous.
What I look for — every time, no cherry-picking.
Security
16 classes: SQL injection, XSS, CSRF, IDOR, auth bypass / privilege escalation, hardcoded secrets, session/cookie hardening, file upload / path traversal, timing attacks, cron / race conditions, information disclosure, insecure deserialization, open redirects, missing rate limits, CORS / origin checks, header injection.
Performance
16 classes: N+1 query patterns, missing or unindexed query paths, unbounded result sets, sync external calls in hot paths, missing or broken caching, asset bloat, render-blocking resources, excessive DOM size, memory and allocation hot paths, resource / connection leaks, cron inefficiency, cold-start / boot-time work, frontend runtime cost, network payload size, database connection pooling, concurrency / parallelism missed.
UI/UX
17 classes: Accessibility, form UX, loading and empty states, error handling UX, information architecture, visual consistency, responsive design, internationalization, state and feedback, discoverability, native dialog abuse, custom select / data binding widgets, dead UI, color and contrast, copy and microcopy, motion and animation, print and export.
This isn't an off-the-shelf scanner.
Pick the moment that fits.
You're shipping a major release
Know what else is in there before it goes out the door.
You've inherited a codebase
Promotion, acquisition, new job, contractor handoff — get a prioritized punch list fast.
You're about to take on real risk
Outside users, real money, sensitive data, regulatory exposure — SOC 2 prep, HIPAA scope, payment flows.
Your tests pass but the app feels wrong
Slow pages, weird UX, the kind of thing tests don't catch. Performance and UX scans are built for this.
You need a written artifact for a stakeholder
Board, investor, enterprise customer, external auditor, your own boss. A polished PDF with severity counts beats "yeah, looks fine."
Real runs, real findings, real reports.
LunasOS
Full audit of a PHP/MySQL/Alpine.js construction-ops platform. LunasOS is a suite of tools for a construction cleanup company that mirrors the layout and functions of outdated spreadsheets, but presents the information and workflow in a modern format. From builder onboarding, to contract intake, job scheduling and completion, to sub payment, it handles everything end-to-end.
JobPulse
Full audit of a suite of tools that helps jobseekers optimize their resumes into job-specific ones, scoring their compatibility based on their resume and the job description before they ever apply. Audit included LLM integration review and a static analysis of the resume optimization pipeline. The project is currently being adapted to a SaaS solution that simplifies operation.
Fumos
Full audit of an in-progress e-commerce suite designed for smoke shops — good for any retail operation that wants to go digital with a full suite of ordering, delivery, and pickup options. PHP backend with Grav plugin + standalone mothership.
OpenBuilder
Full audit of an in-progress open source alternative to ProCore and other expensive enterprise-grade project management software for the construction industry. Focused on redirect handling, E2E auth tripwires, and the security surface of a multi-tenant construction PM tool.
Request Portal
Full audit of a support center with a full live contact center — chat, custom ticket statuses, metered support plans, billing for support, and call tracking. The call tracking and billing layer also powers an answering service for clients. 17 findings including: H-01 PayPal IPN payment-confirmation forgery (auth + CSRF bypass) · H-02 Subscription IDOR · H-03 Backup-restore SQL injection · H-06 Cron job timing race condition · H-07/H-08/H-09 db-admin SQL injection (3 chained findings) · M-03/M-04/M-05 Stored XSS vectors · L-01 Hardcoded NEXTAUTH_SECRET exposure.
Every engagement ships a PDF. Every finding has a file:line, an ID, a severity, and a recommended fix. No "your code could be better" hand-waving.
How an engagement works.
Intake (free, 30 min)
You tell me about the project: stack, where the code lives, known pain points, deadlines. I tell you whether I'm the right fit and quote you.
Kickoff
You share the repo (or read-only mirror). I capture a project profile: paths, deploy target, infra quirks, conventions. I confirm scope.
The cycle
I run the test suite, run three scans in parallel, cross-reference findings, write the report. For Report + Fix, I apply high-priority patches and re-verify.
Delivery
PDF, raw findings JSON, tooling reports, and (if applicable) the patch set. 60-minute walkthrough call included.
Optional re-audit
Focused re-run after your team applies fixes, at a discounted rate. Most clients do this at least once.
Per-engagement pricing, scoped to your codebase.
Pricing depends on codebase size, mode, stack complexity, and urgency. Standard turnaround is 5 business days; rush is 2 business days at a premium.
Answers to the questions you're about to ask.
Will you run the audit on a live server?
No. The audit reads your code from a repo (or read-only mirror) on disk. Nothing is run against your production environment.
Do I need to give you access to production?
No. The audit is purely static. No production data, no live credentials, no real users touched.
Can you sign an NDA?
Yes. NDA before intake is fine. Mutual NDA or your standard form both work.
How long does a typical engagement take?
Standard turnaround is 5 business days from kickoff. Rush turnaround (2 business days) is available at a premium.
What if the report is mostly fine?
Then the report is mostly fine. You still get a clean PDF you can hand to a stakeholder, plus a "nothing scary here, here's what we checked" record. That's valuable too.
What if you don't find anything?
Unlikely across all three scans, but possible on a small surface. You still get the PDF. The "we ran all 49 checks, here's the per-class checklist with green checkmarks" is itself a deliverable.
Can you re-run the audit later?
Yes — at a discounted rate. Most clients do a focused re-audit after applying the initial findings. The first audit sets the baseline; the second confirms the fix and catches what changed in the meantime.
Do you fix the issues, or just report them?
Either. Report Only, Report + Fix, or Fix Only. Pick per engagement.
What languages do you work in?
19+ stacks including PHP, JavaScript/TypeScript, React, Next.js, Vue, Svelte, Python (Django/Flask/FastAPI), Go, Rust, Java, Kotlin, Ruby/Rails, Elixir, .NET. Stack-agnostic methodology, stack-specific tooling per project.
Do you use AI to do the audit?
Yes — transparently. The methodology uses two AI models in parallel (GPT-OSS-20b for per-file review, plus heuristic sweeps) plus a wide range of non-AI static analysis tools (Semgrep, Bandit, gosec, Trivy, etc.). The AI is a tool, not the entire audit. Every finding is cross-referenced. The PDF methodology section explains exactly what was used.
Can you audit proprietary code without it leaving my infra?
Yes, for an extra setup fee. I can run the full audit cycle on a VM you provide, with no external network calls. The tooling and models all run locally. Talk to me about this on the intake call.
Here's what I need to give you a quote.
That's it. No production access, no live creds, no office visits.
Want to know what's in your codebase before someone else finds it?
Book a free 30-minute intake call. No commitment. I'll tell you what I see, what scope an engagement would cover, and what it would cost. You'll leave the call with a clearer picture of your codebase's risk profile regardless of whether you hire me.
Or email me directly at contact@georgethegeek.com
Recent engagements: LunasOS, JobPulse, Request Portal, Fumos, OpenBuilder. NDA on request.
