The latest articles on DEV Community by Santosh Jha (@infosec_jha). https://dev.to/infosec_jha https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3959113%2F376ab820-4332-40ff-a0d0-7d02767327a7.jpg https://dev.to/infosec_jha en Santosh Jha Fri, 29 May 2026 21:15:54 +0000 https://dev.to/infosec_jha/i-built-an-open-code-health-benchmark-for-any-github-repo-1jpi https://dev.to/infosec_jha/i-built-an-open-code-health-benchmark-for-any-github-repo-1jpi <p>We have Lighthouse for websites. SSL Labs for TLS. PageSpeed for performance.</p> <p>We have nothing equivalent for code.</p> <p>I built a small open-source thing in that gap — stackhealth.dev. This post is the thinking behind it. Looking for pushback on the weights.</p> <h2> The gap </h2> <p>Every other software domain has a free, public, machine-readable benchmark. Code has had nothing in that shape. The closest existing pieces each cover one slice — OpenSSF Scorecard is excellent but repo-scoped and primarily security hygiene; SecurityScorecard grades the outside of organisations, not the code; SOC 2 has become a procurement checkbox; EU CRA's CE marking is coming in 2027 as pass/fail compliance, not quality.<br> None of these is the Lighthouse-shaped artifact — free, open formula, machine-readable, consumer-grade.</p> <h2> What I built </h2> <p>StackHealth — paste any public GitHub URL, get a 0–100 score and A+ to F grade. The composite weights four dimensions: 30% security, 25% quality, 25% hygiene, 20% community.</p> <ul> <li> <strong>Security</strong> — OpenSSF Scorecard, Semgrep, Trivy</li> <li> <strong>Quality</strong> — cyclomatic complexity (lizard), lint density (ruff / eslint / golangci), code duplication (jscpd), test signal, file size</li> <li> <strong>Hygiene</strong> — README, LICENSE, CONTRIBUTING, SECURITY.md, CI config</li> <li> <strong>Community</strong> — recent commits, contributors, popularity (capped at 4% of overall), median time-to-first-response</li> </ul> <p>Every weight is documented at <a href="//stackhealth.dev/methodology">stackhealth.dev/methodology</a>. The formula spec lives at <a href="//github.com/santosh3743/stackhealth">github.com/santosh3743/stackhealth</a>. <br> Each scan stores the formula version, tool versions, exact commit SHA, and raw JSON outputs — if the published formula does not reproduce the score, that is a bug.</p> <p>I tested it on fastapi/fastapi. Result: A-, 86/100. The tool does not grade-inflate just because a project is loved. That was the credibility test I cared about most.</p> <h2> What it does NOT do </h2> <ul> <li>Score closed-source software</li> <li>Rescore continuously on every commit</li> <li>Replace your SCA / SAST stack — it aggregates them</li> <li>Tell you whether a specific deployment is safe</li> </ul> <p>Popularity is capped at 4% of overall because stars are not health.<br> Looking for feedback<br> Scan a repo you know. Tell me where the weights are wrong. Tell me the failure mode I have not caught.<br> Issues and PRs welcome at the <a href="https://github.com/santosh3743/stackhealth" rel="noopener noreferrer">repo</a>.</p> opensource security devops codequality