# Codebase Auditor

Comprehensive codebase audits using modern software engineering standards with actionable remediation plans.
## When to Use

- Audit a codebase for quality, security and maintainability
- Assess technical debt and estimate remediation effort
- Prepare a production readiness report
- Evaluate a legacy codebase for modernization
- Set up quality gates for CI/CD pipelines
- Configure incremental audits for large codebases (>100k LOC)
- Track audit history and trends over time
## Trigger Phrases

- "Audit this codebase" / "Run a code audit"
- "Security scan" / "Check for vulnerabilities"
- "Assess technical debt" / "How much tech debt?"
- "Production readiness review"
- "Set up quality gates"
- "DORA metrics" / "Deployment health"
## Audit Phases

### Phase 1: Initial Assessment

- Project discovery (tech stack, frameworks, tools)
- Quick health check (LOC, docs, git practices)
- Red flag detection (secrets, massive files)

### Phase 2: Deep Analysis

Detailed checks are loaded on demand, based on the Phase 1 findings.

### Phase 3: Report Generation

Comprehensive report with scores and priorities.

### Phase 4: Remediation Planning

Prioritized action plan with effort estimates.
## Analysis Categories

| Category | Key Checks |
|---|---|
| Code Quality | Complexity, duplication, code smells |
| Testing | Coverage (80% min), trophy distribution, quality |
| Security | OWASP Top 10, dependencies, secrets |
| Architecture | SOLID, patterns, modularity |
| Performance | Build time, bundle size, runtime |
| Documentation | JSDoc, README, ADRs |
| DevOps | CI/CD maturity, DORA metrics |
| Accessibility | WCAG 2.1 AA compliance |
## Technical Debt Rating (SQALE)

| Grade | Remediation effort (% of dev time) |
|---|---|
| A | <= 5% |
| B | 6-10% |
| C | 11-20% |
| D | 21-50% |
| E | > 50% |
## Usage Examples

```text
# Basic audit
Audit this codebase using the codebase-auditor skill.

# Security focused
Run a security-focused audit on this codebase.

# Quick health check
Give me a quick health check (Phase 1 only).

# Custom scope
Audit focusing on test coverage and security.
```
## Output Formats

- Markdown Report - human-readable, suitable for PR comments
- JSON Report - machine-readable, suitable for CI/CD
- HTML Dashboard - interactive visualization
- Remediation Plan - prioritized action items
## Priority Levels

| Priority | Examples | Timeline |
|---|---|---|
| P1 Critical | Security vulns, data loss risks | Immediate |
| P2 High | Coverage gaps, performance issues | This sprint |
| P3 Medium | Code smells, doc gaps | Next quarter |
| P4 Low | Stylistic, minor optimizations | Backlog |
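As an added example (not the skill's own code), a Node.js quality gate that consumes the JSON report and blocks a pipeline on the criteria this page defines: any P1 finding, coverage below the 80% minimum, or a SQALE grade worse than a configured ceiling. The report field names (`metrics.coverage`, `metrics.debtRatio`, `findings[].priority`) are assumptions, since the page documents a JSON output but not its schema.

```javascript
// Added example, not part of the codebase-auditor skill itself.
// Report shape (metrics.coverage, metrics.debtRatio, findings[].priority)
// is an assumption; the skill documents a JSON report but not its schema.

// SQALE grades from the Technical Debt Rating table: remediation effort
// as a percentage of development time.
function sqaleGrade(debtRatioPercent) {
  if (debtRatioPercent <= 5) return 'A';
  if (debtRatioPercent <= 10) return 'B';
  if (debtRatioPercent <= 20) return 'C';
  if (debtRatioPercent <= 50) return 'D';
  return 'E';
}

// Gate policy: no P1 (Critical) findings, coverage at or above the 80%
// minimum, and a debt grade no worse than the configured ceiling.
function qualityGate(report, opts = {}) {
  const minCoverage = opts.minCoverage ?? 80;
  const worstGrade = opts.worstGrade ?? 'C';
  const failures = [];

  const p1 = report.findings.filter((f) => f.priority === 'P1');
  if (p1.length > 0) {
    failures.push(`${p1.length} P1 finding(s): ${p1.map((f) => f.id).join(', ')}`);
  }
  if (report.metrics.coverage < minCoverage) {
    failures.push(`coverage ${report.metrics.coverage}% below ${minCoverage}% minimum`);
  }
  const grade = sqaleGrade(report.metrics.debtRatio);
  // Grades are single letters A..E, so string comparison orders them.
  if (grade > worstGrade) {
    failures.push(`technical debt grade ${grade} worse than ${worstGrade}`);
  }
  return { passed: failures.length === 0, grade, failures };
}

// Constructed sample report (not real audit output): fails on coverage and
// on one P1 security finding; debt ratio 12% maps to grade C, within policy.
const sampleReport = {
  metrics: { coverage: 74, debtRatio: 12 },
  findings: [
    { id: 'SEC-001', priority: 'P1', category: 'Security', title: 'Hardcoded credential in config' },
    { id: 'QUAL-007', priority: 'P3', category: 'Code Quality', title: 'Duplicated block' },
  ],
};

console.log(JSON.stringify(qualityGate(sampleReport), null, 2));
if (typeof module !== 'undefined') module.exports = { sqaleGrade, qualityGate, sampleReport };
```

In a pipeline step, exit non-zero when `passed` is false so the JSON report becomes an enforced gate rather than an advisory artifact.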
## Best Practices

- Run incrementally for large codebases
- Focus on critical paths first
- Baseline before major releases
- Track metrics over time
- Integrate with CI/CD
## Integrations

Complements: SonarQube, ESLint, Jest/Vitest, npm audit, Lighthouse, GitHub Actions
## Limitations

- Static analysis only (no runtime profiling)
- Requires source code access
- Internet access needed for CVE data
- Large codebases need chunked analysis
## Additional Resources

| Resource | Path | Description |
|---|---|---|
| Audit Criteria | reference/audit_criteria.md | Complete checklist (200+ items) |
| Severity Matrix | reference/severity_matrix.md | Scoring rubric |
| Best Practices | reference/best_practices_2025.md | SDLC standards |
| CI Integration | reference/ci-integration.md | GitHub Actions workflows |
| Incremental Audit | workflow/incremental-audit.md | Large codebase strategies |
| History Schema | templates/audit-history-schema.sql | SQLite tracking |
| Custom Rules | data/custom-rules.yaml | Rule template |