Building Automated Technical Due Diligence Reports Pack
This pack enables technical advisors to automate the creation of technical due dili
The Manual Due Diligence Trap
We built this pack because manual technical due diligence is a black hole for engineering time. When you're evaluating a target company or auditing a critical internal service, you can't afford to stitch together outputs from SonarQube, CodeQL, and OpenSSF Scorecard by hand. The process is slow, error-prone, and leaves you vulnerable to missing the risks that actually matter.
Install this skill
`npx quanta-skills install technical-due-diligence-reports-pack`
Requires a Pro subscription. See pricing.
Automated code review is the practice of using software tools to systematically examine source code for bugs, security vulnerabilities, and deviations from best practices [3]. But "systematic" doesn't mean "easy" if you're running each tool in a silo. You're left with a SonarQube JSON blob, a CodeQL SARIF file, and a Scorecard JSON output, none of which speak the same language. Aggregating these into a coherent risk assessment takes hours of manual parsing, and even then, you're likely to miss cross-tool correlations.
Worse, you're probably only looking at the code. Technical due diligence evaluates far more than just code quality. It spans system architecture, infrastructure resilience, security posture, and supply chain risks [2]. If you're relying on a junior engineer to run a few linters and write a summary, you're missing the forest for the trees. We created this pack to eliminate the manual aggregation step and force a standardized, comprehensive review that covers every angle a buyer or auditor will scrutinize. If you're already using sonarqube-analysis-pack for deep code quality checks, this pack bridges the gap to a full due diligence report.
Why Your Current Review Process Is Leaking Value
When you skip a thorough technical review, you're not just saving a few hours; you're taking on massive, unpriced risk. A single missed vulnerability or a poorly understood architectural dependency can trigger valuation adjustments, deal-breakers, or post-acquisition fire drills that cost millions.
NIST SP 1326 emphasizes the critical role of cybersecurity supply chain risk management (C-SCRM) in due diligence, noting that supply chain risks can undermine the entire security posture of an acquired asset [1]. If your review process doesn't explicitly check for dangerous workflows, unpinned dependencies, or license violations, you're blind to these threats until it's too late. OpenSSF Scorecard alone checks for over 15 distinct risk factors, from branch protection policies to secret detection. Missing even one of these can be a deal-killer.
The financial impact is real. A 2025 analysis of real tech due diligence processes highlights how architecture and security findings directly shape deal terms and valuations [5]. If you find a critical SQL injection vulnerability in the target's core service during the final week of diligence, you don't just flag it; you renegotiate the price or walk away. But if you miss it, you inherit the liability.
Manual reviews also suffer from inconsistency. One engineer might prioritize code coverage; another might focus on security. Without a standardized policy, your reports are subjective. By integrating codeql-query-builder patterns into a unified workflow, you ensure that every review uses the same security query templates and risk scoring logic. This isn't about being thorough for the sake of it; it's about protecting the deal and your reputation.
Inside a Real Acquisition Review
Let's look at how a rigorous review actually plays out in practice. A 2025 dev.to post [5] walks you inside a real technical due diligence, not the theoretical kind, but the kind that shapes valuations, deal terms, and post-acquisition integration. In that scenario, the review team didn't just scan for bugs; they evaluated the entire technical stack, from the database schema to the CI/CD pipeline.
Imagine a team reviewing a fintech target with 200 endpoints. They run OpenSSF Scorecard and find that the repository has no branch protection policy and uses unpinned dependencies. This alone triggers a high-risk flag. They then run SonarQube and discover a critical code smell in the authentication module. Finally, they run CodeQL and find a taint-tracking vulnerability where user input flows directly into a SQL query.
These aren't isolated findings; they tell a story. The lack of branch protection suggests a chaotic development process. The code smell suggests technical debt. The SQL injection suggests a security liability. When aggregated into a single report, these findings justify a 15% valuation reduction or a requirement for the target to remediate issues before closing.
Without a structured pack, this level of detail is hard to achieve consistently. You need a tool that enforces a policy, like the one in openssf-scorecard-config, and a framework that knows how to interpret the results. Our pack provides exactly that: a decision tree for when to use each tool, a policy for what constitutes a failure, and a template for how to present the findings to stakeholders.
What Changes When You Install the Pack
Once this skill is installed, your due diligence workflow shifts from a manual scavenger hunt to an automated pipeline. You no longer need to worry about whether you ran the right SonarQube properties or if your CodeQL queries are up to date. The pack handles the orchestration, aggregation, and validation.
The core outcome is a production-grade YAML report that includes an executive summary, architecture review, security findings, code quality metrics, and a composite risk score. This report is generated by aggregate-results.py, which parses the outputs from SonarQube, CodeQL, and Scorecard and computes a unified risk score based on configurable weights. You get a single source of truth that you can share with investors, legal teams, or internal stakeholders.
We also include a validator that ensures the report is complete. If a critical section like security_findings or risk_assessment is missing, the script exits with an error, forcing you to fix the pipeline before shipping the report. This prevents the "incomplete report" problem that plagues manual reviews.
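The following is an added illustration of the aggregation and validation steps described above; it is not the pack's own aggregate-results.py or validate-report.sh. The tool outputs are constructed samples shaped loosely like a SonarQube /api/issues/search response, a SARIF 2.1.0 log and Scorecard's JSON output, and the weights, per-check minimums, severity point values and rating bands are hypothetical choices, since the pack's real scorecard-policy.yml thresholds and weights are not on this page. It emits JSON rather than YAML so that it runs without third-party dependencies.

```python
"""Added example: aggregate SonarQube, CodeQL (SARIF) and OpenSSF Scorecard
results into one risk-scored report, then validate its required sections.
Not the pack's own code; weights, thresholds and point values are assumptions."""
import json

# --- Constructed sample tool output (not captured from real scans). ---------
# Shapes are simplified versions of SonarQube's /api/issues/search response,
# a SARIF 2.1.0 log, and Scorecard's JSON output.
SONAR_JSON = json.dumps({"issues": [
    {"key": "S1", "severity": "CRITICAL", "type": "VULNERABILITY",
     "component": "svc:src/auth/Login.java", "message": "Hard-coded credential"},
    {"key": "S2", "severity": "MINOR", "type": "CODE_SMELL",
     "component": "svc:src/util/Fmt.java", "message": "Unused import"},
]})
SARIF_JSON = json.dumps({"version": "2.1.0", "runs": [{"results": [
    {"ruleId": "java/sql-injection", "level": "error",
     "message": {"text": "User input flows to a SQL query"}},
]}]})
SCORECARD_JSON = json.dumps({"score": 4.2, "checks": [
    {"name": "Branch-Protection", "score": 0},
    {"name": "Pinned-Dependencies", "score": 3},
    {"name": "Code-Review", "score": 7},
    {"name": "Dangerous-Workflow", "score": 10},
]})

# --- Assumed policy and scoring parameters (hypothetical values). ----------
SCORECARD_POLICY = {"Branch-Protection": 5, "Pinned-Dependencies": 5,
                    "Code-Review": 5, "Dangerous-Workflow": 10}
WEIGHTS = {"sonar": 0.3, "codeql": 0.4, "scorecard": 0.3}   # sum to 1.0
SONAR_POINTS = {"BLOCKER": 10, "CRITICAL": 8, "MAJOR": 4, "MINOR": 1, "INFO": 0}
SARIF_POINTS = {"error": 8, "warning": 4, "note": 1}
REQUIRED_SECTIONS = ("executive_summary", "architecture", "security_findings",
                     "code_quality", "risk_assessment")


def sonar_risk(raw):
    """0-10 risk from SonarQube issues: severity points summed, capped at 10."""
    issues = json.loads(raw).get("issues", [])
    return min(10.0, float(sum(SONAR_POINTS.get(i.get("severity"), 0) for i in issues)))


def codeql_risk(raw):
    """0-10 risk from SARIF results across all runs: level points summed, capped."""
    results = [r for run in json.loads(raw).get("runs", []) for r in run.get("results", [])]
    return min(10.0, float(sum(SARIF_POINTS.get(r.get("level", "warning"), 4) for r in results)))


def scorecard_failures(raw, policy=SCORECARD_POLICY):
    """Names of enforced Scorecard checks scoring below the policy minimum."""
    scores = {c["name"]: c["score"] for c in json.loads(raw).get("checks", [])}
    # A check absent from the output is treated as failing (conservative).
    return sorted(name for name, minimum in policy.items() if scores.get(name, -1) < minimum)


def scorecard_risk(raw, policy=SCORECARD_POLICY):
    """0-10 risk: share of enforced checks that fail policy, scaled to 10."""
    return 10.0 * len(scorecard_failures(raw, policy)) / len(policy)


def composite_risk(sonar, codeql, scorecard, weights=WEIGHTS):
    """Weighted sum of the three per-tool risk scores."""
    return weights["sonar"] * sonar + weights["codeql"] * codeql + weights["scorecard"] * scorecard


def rating(score):
    """Map a 0-10 composite score onto a qualitative band."""
    return "critical" if score >= 8 else "high" if score >= 5 else "medium" if score >= 2 else "low"


def build_report(sonar_raw, sarif_raw, scorecard_raw):
    """Assemble the report dict with every section the validator requires."""
    s, c, sc = sonar_risk(sonar_raw), codeql_risk(sarif_raw), scorecard_risk(scorecard_raw)
    total = composite_risk(s, c, sc)
    sarif_results = [r for run in json.loads(sarif_raw)["runs"] for r in run["results"]]
    return {
        "executive_summary": {"overall_rating": rating(total), "composite_risk": round(total, 2)},
        "architecture": {"note": "filled in by the manual architecture review"},
        "security_findings": {
            "codeql": [{"rule": r["ruleId"], "level": r["level"]} for r in sarif_results],
            "scorecard_policy_failures": scorecard_failures(scorecard_raw),
        },
        "code_quality": {"sonar_risk": s, "issue_count": len(json.loads(sonar_raw)["issues"])},
        "risk_assessment": {"sonar": s, "codeql": c, "scorecard": sc, "weights": WEIGHTS},
    }


def validate_report(report):
    """Return required sections that are missing or empty; non-empty means fail."""
    return [name for name in REQUIRED_SECTIONS if not report.get(name)]


if __name__ == "__main__":
    report = build_report(SONAR_JSON, SARIF_JSON, SCORECARD_JSON)
    missing = validate_report(report)
    if missing:
        raise SystemExit(f"report incomplete, missing sections: {missing}")
    print(json.dumps(report, indent=2))
```

With the constructed inputs the report rates the target "high" (composite 7.4): the SonarQube and CodeQL findings each contribute a high per-tool score, and two of the four enforced Scorecard checks fall below their minimum, which is the condition under which a compliance validator like check-scorecard-compliance.sh would exit non-zero. A missing check is deliberately counted as a failure rather than skipped, so a truncated Scorecard run cannot silently pass.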
For teams that need deeper integration, this pack complements risk-assessment-metrics by providing the raw data and scoring logic. It also aligns with modern compliance standards, making it easier to demonstrate due diligence to auditors. AI-powered technical due diligence is accelerating in the industry, and tools that simplify technical summaries and cost-to-replicate analysis are becoming essential [8]. This pack puts that power in your hands.
What's in the Pack
- skill.md — Orchestrator skill that defines the technical due diligence workflow, references all templates/scripts/references, and provides decision trees for when to use each tool
- templates/due-diligence-report.yaml — Production-grade YAML report template with sections for executive summary, architecture review, security findings, code quality metrics, and risk scoring
- templates/scorecard-policy.yml — OpenSSF Scorecard policy configuration with enforced minimum scores for Binary-Artifacts, Branch-Protection, Code-Review, Dangerous-Workflow, License, Pinned-Dependencies, SAST, and Vulnerabilities checks
- templates/sonar-project.properties — SonarQube analysis configuration with project key, source paths, encoding, and Java heap space settings for large codebases
- templates/codeql/security-query-template.ql — CodeQL taint-tracking query template for detecting data flow vulnerabilities (SQL injection, command injection, unsafe deserialization) using ConfigSig modules
- scripts/run-due-diligence.sh — Executable orchestration script that runs SonarQube analysis, CodeQL scanning, OpenSSF Scorecard checks, and aggregates results into the due diligence report
- scripts/aggregate-results.py — Python script that parses SonarQube JSON, CodeQL SARIF, and Scorecard results to compute composite risk scores and generate the final report YAML
- validators/validate-report.sh — Validator that checks the generated report YAML for required sections (executive_summary, architecture, security_findings, code_quality, risk_assessment) and exits 1 if any are missing
- validators/check-scorecard-compliance.sh — Validator that runs Scorecard against a repo and exits 1 if any enforced policy check falls below the minimum score threshold defined in scorecard-policy.yml
- references/tdd-framework.md — Canonical technical due diligence methodology covering codebase analysis, architecture review, security assessment, compliance verification, and risk scoring frameworks used by top-tier advisory firms
- references/sonarqube-metrics.md — Complete SonarQube scanner configuration reference including sonar-project.properties keys, Docker execution patterns, cache mounting, and Java heap tuning for large repos
- references/codeql-security-patterns.md — CodeQL query patterns for detecting buffer overflows, SQL injection, SPARQL injection, use-after-free, unsafe deserialization, and environment variable to URL flow vulnerabilities
- references/openssf-scorecard.md — OpenSSF Scorecard reference covering all 15+ checks, policy configuration, GitHub Actions integration, SARIF upload, REST API usage, and Go library patterns for custom integrations
- examples/worked-example-report.yaml — Complete worked example of a due diligence report for a hypothetical acquisition target showing realistic findings, scores, and remediation recommendations
Stop Guessing, Start Validating
If you're still doing due diligence manually, you're risking the deal. Upgrade to Pro to install this pack and automate your technical reviews. Stop guessing about risks and start validating them with a standardized, auditable workflow.
For teams that need to extend this workflow into broader audit pipelines, check out audit-pipeline-orchestrator. If you need to ensure your compliance checks meet specific regulatory standards, compliance-check-list provides additional validation patterns.
References
- Due Diligence Assessment Quick-Start Guide — nvlpubs.nist.gov
- What Technical Due Diligence Really Evaluates Beyond ... — profoundiq.com
- What is Automated Code Review? | Tools & Best Practices — sonarsource.com
- Inside a Real Tech Due Diligence: Architecture, Security ... — dev.to
- What is automated code review? Tools and best practices — wiz.io
- Tech Due Diligence Checklist: What to Evaluate in 2026 — patsnap.com
- AI-powered Technical Due Diligence — thecoderegistry.com
Frequently Asked Questions
How do I install Building Automated Technical Due Diligence Reports Pack?
Run `npx quanta-skills install technical-due-diligence-reports-pack` in your terminal. The skill will be installed to ~/.claude/skills/technical-due-diligence-reports-pack/ and automatically available in Claude Code, Cursor, Copilot, and other AI coding agents.
Is Building Automated Technical Due Diligence Reports Pack free?
Building Automated Technical Due Diligence Reports Pack is a Pro skill, available on the $29/mo Pro plan. You need a Pro subscription to access this skill. Browse 37,000+ free skills at quantaintelligence.ai/skills.
What AI coding agents work with Building Automated Technical Due Diligence Reports Pack?
Building Automated Technical Due Diligence Reports Pack works with Claude Code, Cursor, GitHub Copilot, Gemini CLI, Windsurf, Warp, and any AI coding agent that reads skill files. Once installed, the agent automatically gains the expertise defined in the skill.