The security code review records archive contains the documentation from each manual security code review. Each record identifies the component reviewed, the review date, the reviewer identity, the checklist used, the findings (including severity and affected code locations), and the remediation status.
The archive demonstrates that security-critical components (authentication logic, model serving code, data validation, logging implementation, cryptographic implementations) receive human review beyond automated scanning. The review cadence (annually and on modification) is evidenced by the record dates.
Findings from manual reviews are tracked in the vulnerability management register alongside automated findings, so that a single tracking mechanism applies consistent severity classification and remediation SLAs to both. The archive is retained for the ten-year retention period.
Key outputs
- Per-review documentation (component, reviewer, checklist, findings)
- Coverage evidence for security-critical components
- Findings tracked in the vulnerability management register
- Module 9 AISDP evidence