DeckScore audit snapshot

  • Engagement window: May 2026 self-audit
  • Target app: DeckScore on the App Store
  • Platform: iOS
  • Code scanned: private Swift app source snapshot plus supporting configuration (implementation details redacted publicly)
  • Tools used: scc, gitleaks, semgrep, trivy, swiftlint, Claude-assisted review
  • In / out of scope: static launch-risk triage. No runtime testing, penetration test, App Review certification, or exhaustive security audit.

What the audit produced

These figures come from the final Day 2.5 render of the report, not from marketing copy.

  • 10 pages in the triage report
  • 4 release-blocker and before-launch findings
  • 10 backlog findings sampled
  • 33 total findings detected by the pipeline

What the report found

The four urgent findings are distinct. Public summaries preserve the business impact while redacting file paths, method names, variable names, and exploit mechanics.

Paid entitlement trust boundary

A release-blocker finding identified paid-access state being persisted in a way that could be tampered with outside the normal purchase flow.

Launch-time paid-state window

A before-launch finding showed the app could briefly trust locally cached paid state before the authoritative StoreKit check completed.
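The two paid-state findings above describe one trust-boundary mistake seen from two angles: a locally persisted flag acts as the source of truth for paid access, and at launch it is honoured before StoreKit has answered. The following Swift sketch is an added illustration of that pattern and a hardened alternative; it is not DeckScore's code and is not derived from the private report. The product identifier, key names and type names are invented for the example, and the hardened half assumes StoreKit 2 (iOS 15 or later).

```swift
import Foundation
import StoreKit

// Hypothetical product identifier for the example; not a real DeckScore product.
let proProductID = "com.example.app.pro"

// Weak pattern (illustrative): a plain Bool in UserDefaults is the trust root.
// UserDefaults is a plist on disk; anything that can edit it (a jailbroken device,
// a modified backup) is "pro", and the app honours it before StoreKit has spoken.
enum WeakEntitlement {
    static var isPro: Bool {
        UserDefaults.standard.bool(forKey: "isPro")
    }
}

// Hardened pattern: a tri-state that starts unresolved. Only a signature-verified
// StoreKit transaction can move it to .entitled, and .unresolved gates as "not paid".
enum EntitlementState: Equatable {
    case unresolved    // launch: StoreKit has not answered yet
    case entitled
    case notEntitled
}

@MainActor
final class EntitlementStore {
    private(set) var state: EntitlementState = .unresolved
    private var updatesTask: Task<Void, Never>?

    // The cached value may steer non-security UI only (which tab to open first, say).
    // It never unlocks paid content, so tampering with it gains nothing.
    var cachedHint: Bool { UserDefaults.standard.bool(forKey: "proHint") }

    func start() {
        Task { await refresh() }
        // Keep following transaction updates (refund, revocation, family-sharing change)
        // for the lifetime of the app so a revoked purchase is noticed.
        updatesTask = Task.detached { [weak self] in
            for await _ in Transaction.updates {
                await self?.refresh()
            }
        }
    }

    func refresh() async {
        var entitled = false
        // StoreKit 2 yields each current entitlement as a VerificationResult;
        // only the .verified case carries a transaction whose signature checked out.
        for await result in Transaction.currentEntitlements {
            if case .verified(let transaction) = result,
               transaction.productID == proProductID,
               transaction.revocationDate == nil {
                entitled = true
            }
        }
        state = entitled ? .entitled : .notEntitled
        // The cache is written from verified truth and only ever read back as a hint.
        UserDefaults.standard.set(entitled, forKey: "proHint")
    }

    // The single gate every paid code path calls. .unresolved is deliberately false,
    // which closes the launch-time window in which a cached flag would have been trusted.
    var canUsePaidFeatures: Bool { state == .entitled }
}
```

The design point is that the cache and the gate are separated: the gate reads only state derived from verified transactions, and until that state exists the answer is "no", so a tampered plist and a slow StoreKit response both fail closed rather than open.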

Statistics race condition

A before-launch finding flagged a game-completion path where player statistics could be recorded more than once.

Completed-game state transition

A second game-state finding showed how an edge-case flow could re-credit a completed game after the normal completion path.
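The two game-state findings above are the same defect class: a completion path checks "is this game still in progress?" and then credits statistics, and a second path (a concurrent call, or an edge-case flow that arrives after normal completion) can pass the same check. The Swift sketch below is an added illustration that is not DeckScore's code and is not taken from the report; the game and statistic names are invented. It shows the check-then-act version and a hardened version in which the status transition, serialised by an actor, is the only thing that authorises a credit.

```swift
import Foundation

// Hypothetical types for the example; not DeckScore's model.
struct GameID: Hashable { let raw: UUID }

enum GameStatus { case inProgress, completed }

struct PlayerStats: Equatable {
    var gamesPlayed = 0
    var gamesWon = 0
    var currentStreak = 0
}

enum CompletionError: Error { case unknownGame, alreadyCompleted }

// Weak pattern (illustrative): check-then-act on a plain class. Two callers, say the
// normal completion handler and a resume-from-background path, can both observe
// .inProgress before either writes .completed, so the game is credited twice.
final class RacyStats {
    var status: [GameID: GameStatus] = [:]
    var stats = PlayerStats()

    func complete(_ id: GameID, won: Bool) {
        guard status[id] == .inProgress else { return }   // both callers can pass this line
        stats.gamesPlayed += 1
        if won { stats.gamesWon += 1 }
        status[id] = .completed                            // too late for the second caller
    }
}

// Hardened pattern: the actor serialises every access, and the status transition is the
// single source of truth for whether a game may still be credited. Every completion path,
// normal or edge case, must go through this one method.
actor StatsLedger {
    private var status: [GameID: GameStatus] = [:]
    private(set) var stats = PlayerStats()

    func startGame() -> GameID {
        let id = GameID(raw: UUID())
        status[id] = .inProgress
        return id
    }

    @discardableResult
    func complete(_ id: GameID, won: Bool) throws -> PlayerStats {
        switch status[id] {
        case .none:       throw CompletionError.unknownGame
        case .completed:  throw CompletionError.alreadyCompleted   // any re-credit attempt
        case .inProgress: break
        }
        // Transition first, then credit: once flipped, no later caller can credit this game.
        status[id] = .completed
        stats.gamesPlayed += 1
        if won {
            stats.gamesWon += 1
            stats.currentStreak += 1
        } else {
            stats.currentStreak = 0
        }
        return stats
    }
}

// Usage: race the normal path against an edge-case path for the same game.
func demo() async {
    let ledger = StatsLedger()
    let id = await ledger.startGame()
    async let normal: PlayerStats? = try? await ledger.complete(id, won: true)
    async let edgeCase: PlayerStats? = try? await ledger.complete(id, won: true)
    _ = await (normal, edgeCase)
    let result = await ledger.stats
    print("games played: \(result.gamesPlayed), wins: \(result.gamesWon)")
}
```

Because the actor runs the two calls one after the other, exactly one of them sees `.inProgress`; the other throws `alreadyCompleted` and credits nothing. The same method also rejects a late edge-case call that arrives after the normal path has finished, which is the second finding's shape.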

How the work was done

Triage combines static scanners with Claude-assisted review, then renders an evidence-backed PDF. The audit names its tools, separates urgent findings from backlog sample items, and discloses the limits of the automated tier.

Public redaction policy

The private report contains exact source references for the client. The public sample removes source paths, method names, variable names, and executable snippets so the sales proof does not publish the app's internal implementation map.

What this report is NOT

The sample is public because the scope is explicit.

Not penetration testing

No exploit development, runtime probing, or live attack path validation.

Not App Review certification

Apple still decides what passes. The audit identifies launch risk; it does not guarantee approval.

Not a full security audit

No formal threat model, compliance attestation, or exhaustive coverage guarantee.

Not runtime exploit proof

Findings come from source-anchored static analysis and AI-assisted review, not from runtime demonstration; the limits of that method are disclosed in the PDF.

Earlier deliverable examples are available on request.

Run this on your codebase.

$500. 60-second intake. 10-page PDF in your inbox within 48 hours of repo access.