How Analysis Works
Understand how FinishKit analyzes your codebase, whether through a cloud scan or local analysis.
FinishKit offers two ways to analyze your code. Both produce the same structured findings.
Cloud scan (via dashboard)
When you start a cloud scan, FinishKit runs your code through a series of phases on secure remote infrastructure.
| Phase | What happens |
|---|---|
| clone | Your repo is cloned from GitHub using the FinishKit GitHub App |
| detect | Tech stack, frameworks, and languages are identified |
| analyze | Multi-pass LLM analysis across your codebase generates findings |
| patch | FinishKit generates diff-based patches for fixable issues |
| verify | Patches are validated where possible |
| finalize | Findings are ranked and your Finish Plan is assembled |
Local analysis (via MCP or SDK)
With local analysis, your code never leaves your machine.
| Step | What happens |
|---|---|
| Request | Your AI editor sends stack details (framework, language, integrations) to FinishKit |
| Pack delivery | FinishKit returns an Intelligence Pack with framework-specific rules, security advisories, and analysis prompts |
| Local analysis | Your AI editor uses the pack to analyze your code locally |
| Sync | Findings are synced back to your FinishKit dashboard |
Local analysis is ideal when you want to keep your code private or iterate faster. Cloud scans are best for comprehensive analysis with automated patching.
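To make the "Request" step concrete, here is an added example (not FinishKit's code or API) of what a data-minimizing stack-details payload looks like. The request shape, the `package.json`-based inference and the small framework and integration lookup tables are all assumptions; the point is that the payload carries names and versions, never file bodies.

```python
"""Build the stack metadata a local-analysis request would send.

Added example, not FinishKit's real client. Assumptions: the payload is a
plain dict of framework, language, integrations and dependency versions, and
framework/integration labels are inferred from dependency names via the
hypothetical lookup tables below.
"""
import json

# Constructed sample repository: path -> file contents. Only package.json is
# read for metadata; the source file is included to show it is never sent.
SAMPLE_REPO = {
    "package.json": json.dumps({
        "name": "demo-app",
        "dependencies": {
            "next": "14.2.3",
            "react": "18.3.1",
            "@supabase/supabase-js": "2.43.0",
            "stripe": "15.8.0",
        },
        "devDependencies": {"typescript": "5.4.5"},
    }),
    "app/api/route.ts": (
        "export async function GET() { return new Response(process.env.SECRET); }"
    ),
}

# Hypothetical mappings from dependency name to framework / integration label.
FRAMEWORK_HINTS = {"next": "nextjs", "express": "express", "fastify": "fastify"}
INTEGRATION_HINTS = {
    "@supabase/supabase-js": "supabase",
    "stripe": "stripe",
    "prisma": "prisma",
}


def collect_stack_metadata(repo):
    """Return the request payload: stack details only, never file bodies."""
    pkg = json.loads(repo["package.json"])
    deps = {**pkg.get("dependencies", {}), **pkg.get("devDependencies", {})}
    framework = next((FRAMEWORK_HINTS[d] for d in deps if d in FRAMEWORK_HINTS), "unknown")
    integrations = sorted(INTEGRATION_HINTS[d] for d in deps if d in INTEGRATION_HINTS)
    language = "typescript" if "typescript" in deps else "javascript"
    return {
        "framework": framework,
        "language": language,
        "integrations": integrations,
        "dependencies": dict(sorted(deps.items())),
    }


def leaks_source(payload, repo):
    """True if any source file body appears in the serialized payload."""
    serialized = json.dumps(payload)
    return any(body in serialized for path, body in repo.items() if path != "package.json")


if __name__ == "__main__":
    payload = collect_stack_metadata(SAMPLE_REPO)
    print(json.dumps(payload, indent=2))
    print("source leaked:", leaks_source(payload, SAMPLE_REPO))
```

The `leaks_source` check is the kind of assertion worth keeping in a client's test suite: the privacy guarantee of local analysis rests on the request never growing to include file contents.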
What FinishKit reads
Cloud scans
FinishKit reads your source code, configuration files, and dependencies. It does not:
- Execute your code
- Store your source files in the database (only metadata, findings, and diffs are retained)
- Access your environment variables or secrets at runtime
Local analysis
Only your stack metadata (framework, language, integrations, dependency versions) is sent to FinishKit. Your source code stays on your machine.
Never commit .env files or secrets to your repo. FinishKit will flag this as a critical security finding if it detects secrets in your committed code.
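As an added example of the check behind that note (not FinishKit's detector), the function below flags committed `.env` files and a few secret-shaped values in a constructed set of files. The file-name rules and the regular expressions are assumptions kept deliberately small; a production scanner uses far more patterns and entropy checks.

```python
"""Flag committed .env files and secret-looking values.

Added example, not FinishKit's detector. The patterns and env-file naming
rules are assumptions; the sample files are constructed for this example and
the key-like values in them are documentation placeholders, not live keys.
"""
import re
from pathlib import PurePosixPath

# Hypothetical detection patterns: (kind, compiled regex).
SECRET_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("github_token", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    # NAME=value where NAME mentions secret/api key/password/token and the
    # value is at least 16 token-like characters.
    ("generic_assignment", re.compile(
        r"(?i)(?:secret|api[_-]?key|password|token)\w*\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})"
    )),
]

ENV_FILE_NAMES = {".env", ".env.local", ".env.production"}


def is_env_file(path):
    """True for real env files; .env.example templates are allowed."""
    name = PurePosixPath(path).name
    if name in ENV_FILE_NAMES:
        return True
    return name.startswith(".env.") and not name.endswith(".example")


def scan_committed_files(files):
    """files: dict of path -> contents about to be committed. Returns findings."""
    findings = []
    for path, text in files.items():
        if is_env_file(path):
            findings.append({"severity": "critical", "file": path, "line": None,
                             "kind": "env_file_committed"})
        for lineno, line in enumerate(text.splitlines(), 1):
            for kind, rx in SECRET_PATTERNS:
                if rx.search(line):
                    findings.append({"severity": "critical", "file": path,
                                     "line": lineno, "kind": kind})
                    break  # one finding per line is enough
    return findings


# Constructed sample commit. The AWS values are the placeholder credentials
# from AWS documentation; the Stripe value is an obviously fake test string.
SAMPLE_COMMIT = {
    ".env": "STRIPE_SECRET_KEY=sk_test_EXAMPLE0000000000000000\n",
    "config.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    ".env.example": "API_KEY=your-key-here\n",
    "README.md": "# demo-app\nCopy .env.example to .env and fill in values.\n",
}


def findings_by_file(files):
    """Convenience view: path -> list of finding kinds."""
    grouped = {}
    for f in scan_committed_files(files):
        grouped.setdefault(f["file"], []).append(f["kind"])
    return grouped


if __name__ == "__main__":
    for path, kinds in findings_by_file(SAMPLE_COMMIT).items():
        print(f"{path}: {', '.join(kinds)}")
```

Note that `.env.example` is exempt and its placeholder value is too short to trip the generic pattern, while the real `.env` is reported twice: once for existing at all, once for the key on its first line. Running a check like this as a pre-commit hook catches the problem before a scan ever sees it.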
LLM analysis
FinishKit uses multi-pass LLM analysis. Each pass focuses on specific production readiness dimensions, running targeted prompts that evaluate your code against framework-specific best practices, known vulnerabilities, and deployment requirements.
Each finding includes:
- Category (blockers, security, deploy, stability, tests, ui)
- Dimension (security, error handling, logging, environment, database, performance, deployment, vibe code)
- Severity (critical, high, medium, low)
- File and line reference where applicable
- Explanation of what the issue is and why it matters
- Suggested fix: actionable steps you can take
Production Readiness Score
After analysis, FinishKit calculates a Production Readiness Score from 0 to 100. The score breaks down into eight dimension scores, giving you a clear picture of where your app stands and where to focus your effort.
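The finding structure listed above and the score described here are illustrated together in this added example, which is not FinishKit's code. The category, dimension and severity vocabularies come from this page; the severity weights, the per-dimension subtraction, the ranking order and the averaging into a single 0 to 100 score are all assumptions chosen to show one plausible way such a score could be derived.

```python
"""Model findings, rank them and derive a readiness score.

Added example, not FinishKit's implementation. Vocabularies match the page;
the severity weights, ranking order and scoring formula are assumptions.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Optional

CATEGORIES = {"blockers", "security", "deploy", "stability", "tests", "ui"}
DIMENSIONS = (
    "security", "error handling", "logging", "environment",
    "database", "performance", "deployment", "vibe code",
)
# Assumed weights: how many points a finding of each severity costs its dimension.
SEVERITY_WEIGHTS = {"critical": 40, "high": 20, "medium": 10, "low": 5}


@dataclass(frozen=True)
class Finding:
    category: str
    dimension: str
    severity: str
    explanation: str
    suggested_fix: str
    file: Optional[str] = None   # "where applicable"
    line: Optional[int] = None

    def __post_init__(self):
        # Reject findings outside the documented vocabularies early.
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown category: {self.category}")
        if self.dimension not in DIMENSIONS:
            raise ValueError(f"unknown dimension: {self.dimension}")
        if self.severity not in SEVERITY_WEIGHTS:
            raise ValueError(f"unknown severity: {self.severity}")


def rank(findings):
    """Assumed ranking: most severe first, security ties first, then by file."""
    return sorted(
        findings,
        key=lambda f: (-SEVERITY_WEIGHTS[f.severity], f.dimension != "security", f.file or ""),
    )


def dimension_scores(findings):
    """Each dimension starts at 100 and loses the weight of every finding in it."""
    scores = {d: 100 for d in DIMENSIONS}
    for f in findings:
        scores[f.dimension] = max(0, scores[f.dimension] - SEVERITY_WEIGHTS[f.severity])
    return scores


def readiness_score(findings):
    """Assumed overall score: the mean of the eight dimension scores, rounded."""
    return round(mean(dimension_scores(findings).values()))


# Constructed sample findings for a hypothetical Next.js app.
SAMPLE_FINDINGS = [
    Finding("tests", "vibe code", "low",
            "Checkout flow has no automated tests.",
            "Add an integration test covering the checkout happy path.",
            file="app/checkout/page.tsx"),
    Finding("deploy", "environment", "medium",
            "DATABASE_URL is read but not declared in the production environment config.",
            "Declare DATABASE_URL in the deployment environment and fail fast if unset.",
            file="lib/db.ts", line=4),
    Finding("stability", "error handling", "high",
            "Webhook handler awaits a promise without a catch, so failures crash the route.",
            "Wrap the handler body in try/except and return a 500 with a logged error id.",
            file="app/api/webhook/route.ts", line=12),
    Finding("security", "security", "critical",
            "A Stripe secret key is committed in .env.",
            "Rotate the key, remove .env from the repo and add it to .gitignore.",
            file=".env", line=1),
]


if __name__ == "__main__":
    for f in rank(SAMPLE_FINDINGS):
        print(f"[{f.severity}] {f.dimension}: {f.explanation} ({f.file}:{f.line})")
    print(dimension_scores(SAMPLE_FINDINGS))
    print("Production Readiness Score:", readiness_score(SAMPLE_FINDINGS))
```

With these four findings the security dimension drops to 60, error handling to 80, environment to 90 and vibe code to 95, the other four stay at 100, and the assumed average gives 91. Fixing the critical finding alone would lift the score more than fixing the three others combined, which is the kind of prioritisation the per-dimension breakdown is meant to support.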
Re-scanning
After you fix issues, run another analysis to verify your fixes and see your score improve. If you want continuous monitoring, set up FinishKit Watch to automatically re-analyze when you push changes.