H Helios Banking · Enterprise
CT cto@helios-banking.example · Owner

Welcome back, Helios Banking

Latest scan finished 4 minutes ago across 7 connected repositories. Score is up 3 points from last week.

Score: A-, 87 of 100

Org-wide score · trailing 7 days

You're in the top 18% of fintechs your size.

Strong coverage on PCI-DSS, SOC 2, and MiCA. Two critical findings are blocking a higher grade — both have AI-generated patches ready to review.

A−
Letter grade
87/100
Numeric score
+3 pts
Week-over-week
Repositories7connected
Critical findings2−1 this week
High findings5−2
Frameworks covered12 / 33+2 (DORA, MAS TRM)

Score · trailing 90 days

+11 pts
90 75 60
Feb 4Mar 4Apr 4May 4

Top critical findings

CRITICAL P-103 Money idempotencypayments-api · transfer endpoint missing dedup
CRITICAL P-712 Refund authorizationhtlc-bridge · refund() lacks msg.sender check
View all 26 findings →

Framework coverage

Detailed view →

PCI-DSS v4.0

92% controls passing34 / 37

SOC 2 (TSC 2017)

88% controls passing52 / 59

MiCA (EU 2024)

76% controls passing13 / 17

OWASP API Top 10 2023

90% controls passing9 / 10

Repositories

7 repositories connected. Each ran its latest scan via the GitHub Action; click a repo for findings, history, and trend.

RepositoryLanguageScoreCriticalHighLast scan30d trend
payments-apihelios-banking/payments-api TypeScript A− 2 3 4m ago
core-ledgerhelios-banking/core-ledger Java A 0 1 4m ago
htlc-bridgehelios-banking/htlc-bridge Solidity B+ 1 2 4m ago
aml-screeninghelios-banking/aml-screening Python A− 0 2 5m ago
wallet-svchelios-banking/wallet-svc Go B 1 3 5m ago
customer-portalhelios-banking/customer-portal TypeScript A 0 1 6m ago
analytics-batchhelios-banking/analytics-batch Python B+ 0 2 6m ago

Findings

26 active findings across 7 repos. AI assessment + suggested patch shown for each. Mark as accepted-risk or false-positive — feedback flows back into the AI training set.

CRITICAL P-103 Money idempotencypayments-api · src/transfer.ts:142 · OWASP-API4 · PCI-DSS 6.5.5
src/transfer.ts:142: app.post('/transfer', async (req, res) => { const { amount, to } = req.body; ...
AI assessment confidence: 0.94 · real vulnerability
The /transfer endpoint accepts client-supplied amount and recipient with no idempotency key — a network retry or accidental double-click will execute the transfer twice. The fix is a server-side dedup window keyed on (caller_id, request_id, amount_hash) with a TTL ≥ the client retry budget.
- app.post('/transfer', async (req, res) => { + app.post('/transfer', requireIdempotencyKey, async (req, res) => { + const dedupHit = await redis.set(`dedup:${req.idempotencyKey}`, '1', 'EX', 300, 'NX'); + if (!dedupHit) return res.status(200).json(await getStoredResult(req.idempotencyKey)); const { amount, to } = req.body;
CRITICAL P-712 Refund / claim authorization missinghtlc-bridge · contracts/HTLCEscrow.sol:228 · OWASP-SC02 · CWE-284
contracts/HTLCEscrow.sol:228: function refund(bytes32 htlcId) external nonReentrant whenNotPaused { ...
AI assessment confidence: 0.91 · real vulnerability
refund() doesn't enforce that the caller is the original sender. Funds still go to the original sender, but anyone can grief the swap by triggering refunds before the legitimate counterparty claims. This breaks atomic-swap semantics. Pattern matches the digital_escrow SC-C1 finding — see P-712 for the canonical fix.
function refund(bytes32 htlcId) external nonReentrant whenNotPaused { HTLC storage htlc = htlcs[htlcId]; if (htlc.sender == address(0)) revert HTLCNotFound(); + if (msg.sender != htlc.sender) revert UnauthorizedRefund(); if (htlc.claimed) revert AlreadyClaimed();
HIGH P-308 Bridge replay protectionhtlc-bridge · contracts/Relayer.sol:84 · CCSS:9.0:Level2
contracts/Relayer.sol:84: function relay(bytes calldata message, bytes calldata sig) external { ...
AI assessment confidence: 0.86 · real vulnerability
The relay() function accepts a signed cross-chain message but does not bind block.chainid into the signed payload. An attacker who captures a message on chain A can replay it on chain B at the same contract address. Wormhole lost $320M to a structurally similar bug in February 2022.
HIGH P-12 Balance validationwallet-svc · internal/withdraw.go:67 · OWASP-API3
internal/withdraw.go:67: func (s *Service) Withdraw(ctx context.Context, accountID string, amount decimal.Decimal) error {
AI assessment confidence: 0.78 · needs review
Withdraw() reads balance and decrements without a SELECT FOR UPDATE or advisory lock. Under concurrent withdrawals from the same account, the balance check can succeed twice before either decrement persists. Add a row-level lock or atomic UPDATE-WHERE for safety.

Compliance

Framework-control rollups across all 7 repos. Click any framework for the per-control breakdown and a one-click evidence bundle for your auditor.

Frameworks evaluated12+2 this quarter
Total controls241across all frameworks
Passing214+11
Evidence bundles ready8+3

Frameworks

PCI-DSS v4.0

Card payments34 / 37

SOC 2 (TSC 2017)

Trust Services Criteria52 / 59

ISO 27001:2022

InfoSec management78 / 91

MiCA (EU 2024)

EU crypto-asset13 / 17

DORA (EU 2025)

Digital operational resilience22 / 27

NIST CSF 2.0

Govern · Identify · Protect20 / 22

Settings

Organization, team, billing, license, API tokens, notifications, data export.

Organization

Organization nameShown on branded reports.
LogoSVG or PNG, displayed on PDF cover pages and the customer portal.
Current: helios-banking.svg (140 × 36 px) · uploaded 2026-04-12
Primary colorUsed as the accent color on branded PDFs.
RegionWhere Preston-Check stores your scan history. Cannot be changed without re-issuing licenses.

Current plan

Plan
Free
No paid subscription · OSS exemption auto-grants Pro on OSS repos
Status
Active
Next renewal

Upgrade or change plan

Stripe Checkout opens in a new flow; once payment completes you're returned here automatically.

Pro · per repo

$999
/ repository / year
  • Branded PDF reports
  • Compliance evidence bundling
  • Multi-repo dashboard
  • Priority email support
Most popular

Pro · unlimited

$4,999
/ year · unlimited repos
  • Everything in Pro
  • Unlimited repositories
  • Best value for > 5 repos
  • Same compliance bundles

Enterprise

$29,999+
/ year · sales-led
  • Everything in Pro
  • SSO (SAML / OIDC)
  • White-label reports
  • Custom check authoring
  • SLA-backed support
Talk to sales

Annual billing · cancel anytime · prorated refund for downgrades

Invoice history

No invoices yet. Once you subscribe to a paid plan, invoices appear here within minutes of payment.
Team management lands in Q3 2026 — magic-link invite, role assignment (Owner/Admin/Auditor/Member), 2FA enforcement.
License keys lands in Q3 2026 — view current license, regenerate, revoke. Until then, license issuance is operator-side via tools/issue-license.sh.
API tokens lands in Q3 2026 — issue scoped tokens for the GitHub Action and CLI integrations.
Notifications lands in Q3 2026 — Slack webhook, email digest cadence, threshold alerts.
Data export lands in Q3 2026 — full org-wide JSON dump of every scan, finding, and audit-log entry.