VettCode Guide

Everything you need to know about scanning, reports, and due diligence with VettCode.

Getting Started

VettCode is a privacy-first technical due diligence platform for software M&A. It helps sellers prove their code quality without exposing source code, and helps buyers assess technical risk before acquiring a business.

Three paths, one platform

1. Free Scan — Run locally. See grades in your terminal. Fix and rescan.
2. Signed Report — $99–$999. Verified PDF you share with buyers.
3. Deep Scan — $499–$4,999. AI-powered analysis with post-acquisition roadmap.

I'm a seller

You want to prove your code quality to potential buyers.

Start with: Scanner, then Uploading & Payment

I'm a buyer

You received a report link and want to evaluate a deal.

Start with: For Buyers, then Reports

Scanner

Installation

# macOS / Linux
curl -sSfL https://get.vettcode.com | sh

# Homebrew
brew install vettcode/tap/vettcode

# Docker (quote the path so directories with spaces mount correctly)
docker run -v "$(pwd)":/scan vettcode/scanner scan /scan

Your first scan

vettcode scan .
# Scans the current directory, displays grades in the terminal, saves JSON

Multi-repo scanning

If your product spans multiple repositories, pass all paths in a single command. VettCode aggregates metrics across repos into one combined scan.

# Scan multiple repos as one product
vettcode scan ./backend ./frontend ./infra

# Label repos for clarity in the report
vettcode scan --label api:./backend --label web:./frontend

CLI flags reference

Flag | Description
--- | ---
-o, --output | Output JSON file path (default: ./vettcode-scan-result.json)
--label | Label repos as name:path (e.g., --label frontend:./fe)
--offline | Fully local, no network calls. Report carries the "Self-Reported" trust level.
-q, --quiet | Suppress terminal output (JSON only)
--format | Output format: terminal, json, both (default: both)
--no-git | Skip git-based analysis (activity, contributors)
--timeout | Maximum scan duration (default: 30m)

Troubleshooting

"No supported languages found"
Ensure the directory contains source code in a supported language (JavaScript/TypeScript, Python, Go, PHP, Ruby, Java). Check that you’re pointing to the source root, not a build or dist folder.
"Co-signing failed — falling back to offline mode"
The scanner couldn’t reach VettCode’s platform to co-sign. Your scan still works but carries "Self-Reported" trust level. Check your network connection or use --offline to skip co-signing intentionally.
"Scanner version outdated"
A newer scanner version is available. Update via curl -sSfL https://get.vettcode.com | sh or brew upgrade vettcode. The platform may require a minimum scanner version for signed reports.

Reports

What's in a signed report

A signed report is a verified technical health assessment of your codebase. It includes:

6 Scored Categories

  • Security Posture (25%)
  • Code Maintainability (20%)
  • Handoff Readiness (20%)
  • Development Activity (15%)
  • Dependency Health (10%)
  • SRE & Infrastructure (10%)

Also includes

  • Overall grade (A–F)
  • Top 5 risks with buyer impact
  • Top 5 strengths with buyer impact
  • 3 data-only sections (AI, tech stack, profile)
  • Plain-English explanations

How grades work

Each category is scored 0–100 and mapped to a letter grade. The overall grade is a weighted average.

A (93–100), A- (90–92), B+ (87–89), B (83–86), B- (80–82), C+ (77–79), C, D, F (<60)

Verification

Every report is digitally signed with Ed25519. Anyone can verify a report's authenticity — no account needed.

Public verify link — share vettcode.com/verify/{id} with anyone
QR code in PDF reports — scan to verify instantly on mobile
Tamper-proof — any modification invalidates the signature
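The two properties stated above, the weighted-average overall score from How grades work and the tamper-proof Ed25519 signature, can be checked end to end in a few lines. The Go program below is an added illustration, not VettCode's own code: the Report schema, the sample scores and the key handling are constructed assumptions (the guide does not publish the report's byte layout or key distribution), while the category weights are the ones listed under Scoring Methodology.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// Report is a constructed stand-in; the guide does not publish the real schema.
type Report struct {
	ID     string             `json:"id"`
	Scores map[string]float64 `json:"scores"` // category -> 0..100
}

// Category weights exactly as listed under "Scoring Methodology".
var weights = map[string]float64{"security": 0.25, "maintainability": 0.20,
	"handoff": 0.20, "activity": 0.15, "dependencies": 0.10, "sre": 0.10}

// OverallScore is the weighted average of the six category scores.
func OverallScore(r Report) (total float64) {
	for cat, w := range weights {
		total += w * r.Scores[cat]
	}
	return total
}

// Sign signs the canonical JSON bytes of r (encoding/json sorts map keys) with Ed25519.
func Sign(priv ed25519.PrivateKey, r Report) (payload, sig []byte, err error) {
	if payload, err = json.Marshal(r); err != nil {
		return nil, nil, err
	}
	return payload, ed25519.Sign(priv, payload), nil
}

// TamperCheck signs r, then inflates one score: only the original bytes verify.
func TamperCheck(r Report) (genuine, edited bool) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	payload, sig, _ := Sign(priv, r)
	r.Scores["security"] += 5 // edit after signing (mutates the shared map)
	forged, _ := json.Marshal(r)
	return ed25519.Verify(pub, payload, sig), ed25519.Verify(pub, forged, sig)
}

func main() {
	r := Report{ID: "VETT-EXAMPLE-000001", Scores: map[string]float64{"security": 90,
		"maintainability": 85, "handoff": 80, "activity": 70, "dependencies": 95, "sre": 75}}
	fmt.Printf("overall=%.1f\n", OverallScore(r)) // 83.0, before TamperCheck edits the map
	fmt.Println(TamperCheck(r))                    // true false
}
```

The sample scores give an overall of 83.0, which falls in the guide's B band (83–86); after the post-signing edit the same signature no longer verifies, which is what the public verify link checks for you.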

Report freshness

Recent — less than 30 days old
Aging — 30–90 days old
Stale — over 90 days old

Uploading & Payment

1. Upload your JSON — Go to /upload, drop your vettcode-scan-result.json, and enter your company name.
2. Preview your report — See your grades and what the buyer will receive. Your pricing tier is based on total LOC.
3. Pay via Stripe — One-time payment ($99–$999). Your signed report is generated automatically.
4. Share with buyers — Copy the report link and send it to buyers.

Tier | LOC limit | Price
--- | --- | ---
Starter | Up to 30K | $99
Standard | Up to 100K | $299
Professional | Up to 300K | $599
Enterprise | 300K+ | $999

Git Provider Scans

Instead of running the CLI locally, you can connect your GitHub or GitLab account and let VettCode scan your repos directly. This produces a Vettcode Verified report — the highest trust level.

GitHub

Install the VettCode GitHub App. Select which repos to grant access to. Admin or Maintain permission required.

GitLab

OAuth2 connection. Supports GitLab.com and self-hosted instances. Enter your instance URL for self-hosted.

Bitbucket support is coming in V2.

Deep Scans

Deep Scans use AI (Claude by Anthropic) to analyze source code and produce a comprehensive technical assessment. They answer: “What am I inheriting technically?”

What's included

AI Moat Analysis — Is this a real product or a thin LLM wrapper?
Architecture — System design, complexity, migration risk
Code Quality — Beyond static metrics: anti-patterns, error handling
Technical Debt — Total effort estimate, prioritized breakdown
Security Deep Dive — Logic flaws, auth review, compliance readiness
Infrastructure — Resources, scaling readiness, cost signals
Post-Acquisition Risk — Migration effort, key-person risk, onboarding estimate, first 90-days roadmap

How it works

1. Buyer requests — enters deal value, sends request to seller
2. Seller approves — reviews privacy disclosure, confirms deal value, grants temporary code access
3. Buyer pays — 0.5% of deal value ($499 floor, $4,999 cap) via Stripe
4. Analysis runs — code cloned into ephemeral container, analyzed by AI, then deleted. Under 10 minutes.
5. Report delivered — signed deep scan report with all 7 analysis categories

Privacy note for sellers

Deep Scans require your source code to be sent to Anthropic's Claude API for analysis. No human sees your code. Anthropic operates under a zero-retention API policy backed by a Data Processing Agreement. All code is deleted after analysis.

For Buyers

Accessing a report

You'll receive either a direct link or a report ID (like VETT-2026-000042) from the seller. Sign in to view the full report. You can look up reports by ID from the dashboard.

Understanding verification levels

Vettcode Verified

Strongest. VettCode scanned the repos directly via the seller's connected GitHub/GitLab.

Vettcode Cosigned

Good. The seller ran the scanner locally and VettCode co-signed the results.

Self-Reported

Lowest. The seller ran the scanner offline. Consider requesting a Vettcode Verified scan for higher assurance.

What to look at first

1. Overall grade — quick signal on technical health (A–F)
2. Risk summary — top 5 risks with acquisition impact
3. Verification level + freshness — how trustworthy and current is this data?

Scoring Methodology

VettCode grades are based on absolute thresholds from industry best practices — not relative rankings. The same code always produces the same grade.

Category | Weight | What it measures
--- | --- | ---
Security | 25% | Vulnerability patterns, CVEs, secret detection
Maintainability | 20% | Complexity, duplication, documentation
Handoff Readiness | 20% | CI/CD, test coverage, onboarding docs
Activity | 15% | Commit frequency, contributors, recency
Dependencies | 10% | Outdated packages, license risk, count
SRE | 10% | Logging, monitoring, error handling

Three additional sections provide data without scores: AI Detection, Tech Stack, and Codebase Profile.

FAQ

Why not a subscription?
Code due diligence is a point-in-time event. You scan before a deal, get your report, and share it. A subscription would charge you monthly for something you use once.
What if I have multiple repos?
Pricing is based on total lines of code, not repo count. A 20K LOC app split across 2 repos costs the same as a 20K LOC monorepo.
What does the free scan include?
Full analysis with terminal output and a raw JSON file. Grades, metrics, and risk indicators — everything except the signed PDF and public verification link.
Can the seller see who viewed their report?
Sellers can see that their report has been viewed, but not the identity of the viewer. Buyer privacy is maintained.
Is my code safe during a deep scan?
Deep scans send code to Anthropic’s Claude API. Anthropic does not store your code after processing and does not use it for training. This only happens with the seller’s explicit approval.
How do I verify a report?
Every report includes a public verification link. Visit the link to confirm the report is genuine and unmodified. No VettCode account needed.

Ready to get started?

Download the free scanner and run your first scan in minutes.