Application Context Mapping
No other scanner builds a model of your application.
Traditional scanners read files one by one. codelake builds a living, interconnected model of your entire application — understanding how code, APIs, databases, and services connect, communicate, and depend on each other.
The result is not a flat list of findings, but a deep understanding of your application's architecture. Every vulnerability is enriched with context: where data flows, which services are affected, and what the real-world blast radius looks like.
Application Context Model
Services discovered: 12
API endpoints: 147
Data flows mapped: 89
Auth boundaries: 6
Trust zones: 4
── Dependency Graph ──
api-gateway
↳ user-service (3 unprotected routes)
↳ payment-service (all routes protected)
↳ notification-service
↳ email-provider (external)
↳ admin-panel (no auth middleware)
✓ Context model built · 4 risk narratives generated
What It Maps
Five dimensions of application understanding.
codelake doesn't just scan code — it builds a comprehensive model that understands your application from five distinct perspectives.
Data Flow Mapping
Track every piece of user input from the moment it enters your application to where it's stored, processed, or forwarded.
Auth Flow Visualization
Map every authentication and authorization flow. See which routes are protected, which aren't, and where permission checks are missing.
API Endpoint Inventory
Automatic discovery of every API endpoint from code. Each endpoint gets a security profile: auth status, input validation, rate limiting, data exposure.
Database Schema Understanding
codelake understands your data model. It identifies PII columns, foreign key relationships, and which services have direct database access.
Service Dependency Graph
Map all internal and external service dependencies. Understand trust boundaries and calculate the blast radius if any service is compromised.
Everything Connected
These five dimensions aren't isolated views — they're interconnected. A data flow finding links to the auth boundary it crosses and the services it touches.
The Difference
Context transforms every finding.
The same vulnerability means something completely different when you understand the full picture. Here's what context adds to a simple SQL injection finding.
Without context (traditional scanner)
Finding
"SQL Injection in line 42 of UserController.php"
Impact
Unknown. Could be critical, could be harmless. You have to investigate manually.
Affected Data
Unknown. Which tables? Which columns? PII? No idea.
Attack Path
Unknown. Is this endpoint public? Authenticated? Rate-limited?
One finding. Zero context. Hours of manual investigation.
With Application Context (codelake)
CRITICAL: Unfiltered user input reaches the database via 3 service layers
Data Flow: User input from the registration form (/api/register) passes through api-gateway → user-service → db-writer without sanitization at any layer.
Affected Data: Users table with PII — email, phone, address. 12,400 records currently stored.
Attack Surface: Endpoint is public (no auth required), no rate limiting, accepts POST with JSON body.
Blast Radius: 3 services affected. Same database credentials shared with reporting-service.
Full context. Clear priority. Immediate action plan.
How It Works
Deep analysis, not pattern matching.
codelake performs multi-pass analysis across your entire codebase to build the application context model. Here's what happens during a scan.
Repository Ingestion
codelake clones your repository into a rootless, sandboxed Docker container with no network access. Every file is indexed: source code, configuration, infrastructure-as-code, dependency manifests, and environment definitions.
Framework Detection & Parsing
The engine detects your tech stack — Laravel, Express, Django, Spring, Next.js, and more. It understands framework-specific conventions: route definitions, middleware pipelines, ORM models, and configuration patterns.
Cross-Reference Graph Construction
codelake builds a directed graph of all relationships: function calls, service communications, data transformations, and dependency injections. This graph connects code across file and service boundaries.
Security Overlay & Narrative Generation
Security findings from all scanners (SAST, SCA, secrets, IaC) are projected onto the context graph. Isolated findings that share data flows, services, or trust boundaries are correlated into risk narratives with calculated blast radius.
Correlated Risk Narratives
Isolated findings become connected stories.
A missing auth check on one route. An unfiltered input on another. A shared database credential across services. Individually, they're medium-severity findings. Together, they're a critical attack chain. codelake connects the dots automatically.
Narrative: PII Exposure via Chained Vulnerabilities
Three individually medium-severity findings combine into a critical attack path.
Narrative: Lateral Movement via Shared Credentials
A single compromised secret grants access across production and staging environments.
Narrative: Privilege Escalation via Auth Boundary Gap
An admin panel accessible without authentication exposes internal admin operations.
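As an added illustration of the graph construction, blast radius and correlation steps described under How It Works and in the narratives above (example code written for this page, not codelake's own engine), the following Python model builds a service graph from call edges and shared credentials modelled on this page's dependency graph, computes the blast radius of a compromised service by reachability, and merges findings that share an entry route into a narrative with an escalated severity. The finding types, the notification-service → email-provider edge, and the escalation rule are assumptions.

```python
# Constructed sample data modelled on this page's dependency graph and SQL injection
# narrative; service names are illustrative, not codelake output.
CALLS = {
    "api-gateway": ["user-service", "payment-service", "notification-service", "admin-panel"],
    "user-service": ["db-writer"],
    "notification-service": ["email-provider"],  # assumed edge
}
# Services that share one database credential: compromising one reaches the other.
SHARED_CREDS = {"users-db": ["db-writer", "reporting-service"]}
# Isolated scanner findings; "route" is the entry point each finding is reachable from.
FINDINGS = [
    {"id": "F1", "service": "api-gateway", "route": "/api/register", "type": "no-auth"},
    {"id": "F2", "service": "user-service", "route": "/api/register", "type": "unsanitized-input"},
    {"id": "F3", "service": "db-writer", "route": "/api/register", "type": "sql-injection"},
    {"id": "F4", "service": "admin-panel", "route": "/admin", "type": "no-auth"},
]

def build_graph(calls, shared_creds):
    """Directed call edges plus bidirectional credential-sharing edges."""
    graph = {svc: set(callees) for svc, callees in calls.items()}
    for members in shared_creds.values():
        for svc in members:
            graph.setdefault(svc, set()).update(m for m in members if m != svc)
    return graph

def blast_radius(graph, start):
    """Every service reachable from a compromised `start` (depth-first search)."""
    seen, stack = {start}, [start]
    while stack:
        new = graph.get(stack.pop(), set()) - seen
        seen |= new
        stack.extend(new)
    return seen - {start}

def correlate(findings, graph):
    """Group findings by entry route; escalate when a public entry chains into a sink."""
    by_route = {}
    for f in findings:
        by_route.setdefault(f["route"], []).append(f)
    narratives = []
    for route, chain in by_route.items():
        services = {f["service"] for f in chain}
        public = any(f["type"] == "no-auth" for f in chain)
        sink = next((f["service"] for f in chain if f["type"] == "sql-injection"), None)
        reach = blast_radius(graph, sink) if sink else set()  # services behind the sink
        critical = public and sink is not None and len(services) >= 3  # assumed rule
        narratives.append({"route": route, "findings": [f["id"] for f in chain],
                           "severity": "critical" if critical else "medium", "affected": sorted(services | reach)})
    return narratives
```

Running `correlate(FINDINGS, build_graph(CALLS, SHARED_CREDS))` turns the three medium findings on /api/register into one critical narrative whose affected set includes reporting-service via the shared credential, while the lone /admin finding stays medium.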
See the connections traditional scanners miss.
Start a free scan and experience Application Context Mapping firsthand. Understand your application the way codelake does — not as isolated files, but as a living system.