sast-analysis


Codebase Analysis

You are performing the first phase of a security assessment. Your goal is to build a thorough understanding of the codebase. You are NOT looking for specific vulnerabilities yet; this is pure reconnaissance, and its output is what later phases will rely on to scope their search.

Create a sast/ folder in the project root (if it doesn't already exist). This phase produces one output file inside it:

sast/architecture.md — technology stack, architecture, entry points, data flows

Phase 1: Technology Reconnaissance

Explore the codebase and identify the following, recording the file path of each finding so later phases can cite it:

  • Languages: All programming languages used and their versions if specified
  • Frameworks: Web frameworks, ORM layers, template engines, task queues
  • Package managers & dependencies: Lock files, dependency manifests (package.json, requirements.txt, go.mod, Gemfile, pom.xml, etc.)
  • Infrastructure hints: Dockerfiles, docker-compose, Kubernetes manifests, Terraform, CI/CD configs
  • Databases: SQL, NoSQL, cache layers, message brokers — look at connection strings, ORM models, migration files
  • Authentication & authorization: Auth libraries, middleware, session configs, OAuth/OIDC providers, JWT usage, API key patterns
  • External integrations: Third-party APIs, payment processors, email services, cloud SDKs, webhook handlers
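The checklist above can be partly automated. The script below is an added example, not part of the sast-analysis skill: it walks a project tree, tallies languages by extension, collects dependency manifests and infrastructure files by name, greps source text for database, authentication and external-integration hints, and renders the findings into sast/architecture.md with the file path of every hit. The extension, filename and keyword tables are illustrative assumptions (a real run would extend them), and the sample project it scans is constructed inline.

```python
# Added example (not the sast-analysis skill's own code): a minimal Phase 1
# reconnaissance inventory. All name/keyword tables below are assumptions
# chosen to illustrate the checklist, not an exhaustive taxonomy.
from __future__ import annotations

import re
import tempfile
from collections import Counter
from pathlib import Path

SKIP_DIRS = {".git", "node_modules", "vendor", ".venv", "venv", "sast", "dist", "build"}

LANG_BY_EXT = {".py": "Python", ".go": "Go", ".js": "JavaScript", ".ts": "TypeScript",
               ".rb": "Ruby", ".java": "Java", ".php": "PHP", ".rs": "Rust", ".cs": "C#"}

MANIFESTS = {"package.json", "package-lock.json", "yarn.lock", "pnpm-lock.yaml",
             "requirements.txt", "Pipfile", "Pipfile.lock", "pyproject.toml", "poetry.lock",
             "go.mod", "go.sum", "Gemfile", "Gemfile.lock", "pom.xml", "build.gradle",
             "Cargo.toml", "Cargo.lock", "composer.json", "composer.lock"}

# Infrastructure hints, matched against the path relative to the project root.
INFRA_PATTERNS = [
    ("Docker", re.compile(r"(^|/)Dockerfile(\..*)?$|(^|/)docker-compose[^/]*\.ya?ml$")),
    ("Kubernetes", re.compile(r"(^|/)(k8s|kubernetes|manifests|helm)/.*\.ya?ml$")),
    ("Terraform", re.compile(r"\.tf$")),
    ("CI/CD", re.compile(r"(^|/)\.github/workflows/.*\.ya?ml$|(^|/)\.gitlab-ci\.ya?ml$|(^|/)Jenkinsfile$")),
]

# Hints grepped from file contents (connection-string schemes, client libraries,
# auth libraries, third-party SDKs); every hit is recorded with its file path.
DB_PATTERNS = {
    "PostgreSQL": re.compile(r"\bpostgres(ql)?://|\bpsycopg2?\b", re.I),
    "MySQL": re.compile(r"\bmysql://|\bpymysql\b", re.I),
    "MongoDB": re.compile(r"\bmongodb(\+srv)?://|\bpymongo\b|\bmongoose\b", re.I),
    "Redis": re.compile(r"\bredis://|\bredis\b", re.I),
    "AMQP broker": re.compile(r"\bamqps?://|\bpika\b|\bamqplib\b", re.I),
}
AUTH_PATTERNS = {
    "JWT": re.compile(r"\b(jwt|jsonwebtoken|PyJWT|jose)\b", re.I),
    "OAuth/OIDC": re.compile(r"\b(oauth2?|oidc|openid)\b", re.I),
    "Session middleware": re.compile(r"\b(session|express-session|SESSION_COOKIE)\b", re.I),
    "API key": re.compile(r"\b(api[_-]?key|x-api-key)\b", re.I),
    "Password hashing": re.compile(r"\b(bcrypt|argon2|scrypt|pbkdf2)\b", re.I),
}
INTEGRATION_PATTERNS = {
    "Payments": re.compile(r"\b(stripe|braintree|paypal)\b", re.I),
    "Cloud SDK": re.compile(r"\b(boto3|aws-sdk|google\.cloud|azure\.identity)\b", re.I),
    "Email": re.compile(r"\b(sendgrid|smtplib|nodemailer|mailgun)\b", re.I),
    "Webhooks": re.compile(r"\bwebhook", re.I),
}


def iter_files(root: Path):
    """Yield regular files under root, skipping vendored and generated trees."""
    for path in root.rglob("*"):
        if any(part in SKIP_DIRS for part in path.relative_to(root).parts):
            continue
        if path.is_file():
            yield path


def scan(root: Path) -> dict:
    """Inventory the tree; returns one bucket per checklist item."""
    report = {"languages": Counter(), "manifests": [], "infra": {},
              "databases": {}, "auth": {}, "integrations": {}}
    for path in iter_files(root):
        rel = path.relative_to(root).as_posix()
        if path.suffix in LANG_BY_EXT:
            report["languages"][LANG_BY_EXT[path.suffix]] += 1
        if path.name in MANIFESTS:
            report["manifests"].append(rel)
        for label, pat in INFRA_PATTERNS:
            if pat.search(rel):
                report["infra"].setdefault(label, []).append(rel)
        text = path.read_text(encoding="utf-8", errors="ignore")  # binaries degrade to noise, never crash
        for bucket, pats in (("databases", DB_PATTERNS), ("auth", AUTH_PATTERNS),
                             ("integrations", INTEGRATION_PATTERNS)):
            for label, pat in pats.items():
                if pat.search(text):
                    report[bucket].setdefault(label, []).append(rel)
    return report


def render(report: dict) -> str:
    """Render the inventory as the skeleton of sast/architecture.md."""
    lines = ["# Architecture (Phase 1 reconnaissance)", "", "## Languages"]
    lines += [f"- {lang}: {n} files" for lang, n in report["languages"].most_common()]
    lines += ["", "## Dependency manifests and lock files"]
    lines += [f"- {m}" for m in sorted(report["manifests"])] or ["- none found"]
    for title, key in (("Infrastructure hints", "infra"), ("Databases / brokers", "databases"),
                       ("Authentication & authorization", "auth"), ("External integrations", "integrations")):
        lines += ["", f"## {title}"]
        lines += [f"- {label}: {', '.join(sorted(files))}" for label, files in sorted(report[key].items())]
        if not report[key]:
            lines.append("- none found")
    return "\n".join(lines) + "\n"


def write_report(root: Path) -> Path:
    """Create sast/ if needed and write architecture.md; returns the output path."""
    out = root / "sast" / "architecture.md"
    out.parent.mkdir(exist_ok=True)
    out.write_text(render(scan(root)), encoding="utf-8")
    return out


# Constructed sample project used to exercise the scanner; not a real codebase.
SAMPLE_FILES = {
    "app/main.py": "import jwt\nimport boto3\nfrom flask import session\nDB = 'postgresql://user:pw@db/app'\n",
    "app/hooks.py": "import stripe\n\ndef handle(req):\n    return stripe.Webhook.construct_event(req.data)\n",
    "requirements.txt": "flask\nPyJWT\nboto3\n",
    "Dockerfile": "FROM python:3.12\n",
    "deploy/k8s/deployment.yaml": "apiVersion: apps/v1\nkind: Deployment\n",
    "infra/main.tf": 'resource "aws_s3_bucket" "b" {}\n',
    ".github/workflows/ci.yml": "on: push\n",
    "web/index.js": "const session = require('express-session');\n",
    "node_modules/x/index.js": "ignored vendored code\n",
}


def build_sample_project(root: Path) -> Path:
    for rel, content in SAMPLE_FILES.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(content, encoding="utf-8")
    return root


def demo() -> tuple[dict, str]:
    """Scan the constructed sample in a temp dir; returns (report, rendered markdown)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_project(Path(tmp))
        return scan(root), write_report(root).read_text(encoding="utf-8")


if __name__ == "__main__":
    print(demo()[1])
```

Treat the generated file as a starting skeleton: a grep hit tells you where to read, not what the code does, and the skipped directories (node_modules, vendor) still belong in the dependency inventory via their lock files.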
Installs: 7 · GitHub Stars: 621 · First Seen: Mar 30, 2026