<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Ryan Smith</title>
    <description>The latest articles on DEV Community by Ryan Smith (@ryan_patrick_smith).</description>
    <link>https://dev.to/ryan_patrick_smith</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3951700%2F6acc5e78-94cb-459d-9feb-bb12b8a1107f.jpeg</url>
      <title>DEV Community: Ryan Smith</title>
      <link>https://dev.to/ryan_patrick_smith</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/ryan_patrick_smith"/>
    <language>en</language>
    <item>
      <title>I scanned 8 popular open source repos with one command. Here's what I found.</title>
      <dc:creator>Ryan Smith</dc:creator>
      <pubDate>Tue, 26 May 2026 04:37:31 +0000</pubDate>
      <link>https://dev.to/ryan_patrick_smith/i-scanned-8-popular-open-source-repos-with-one-command-heres-what-i-found-ig5</link>
      <guid>https://dev.to/ryan_patrick_smith/i-scanned-8-popular-open-source-repos-with-one-command-heres-what-i-found-ig5</guid>
      <description>&lt;p&gt;I built a CLI that scans codebases — stack detection, dependency mapping, convention analysis, security checks. One command, no config, nothing leaves your machine. I ran it against 8 well-known open source projects to see what it picks up.&lt;/p&gt;

&lt;h2&gt;
  
  
  1. Dub (dub.co) — YC-backed link management
&lt;/h2&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;TypeScript · Next.js · Prisma → MySQL (80 models) · 12 packages
Auth: NextAuth | AI: Vercel AI | Payments: Stripe
Testing: Vitest, Playwright | UI: Tailwind CSS
Deploy: Vercel · GitHub Actions

⚠ 185/464 API routes have no validation imports
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;80 Prisma models is a big schema, and nearly 40% of the API routes have no validation imports. Those aren't necessarily bugs, but they are surface area with no visible input validation at the file level, which means nobody can tell from the route file alone whether the request body is checked.&lt;/p&gt;




&lt;h2&gt;
  
  
  2. Langfuse — LLM observability platform
&lt;/h2&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;TypeScript · Next.js · Prisma → PostgreSQL (65 models) · 7 packages
Auth: NextAuth | Payments: Stripe
Testing: Vitest, Playwright, Testing Library
UI: shadcn/ui (Tailwind)
Services: AWS S3 · Sentry · PostHog · tRPC (+6 more)
Deploy: Docker · GitHub Actions

⚠ 75/93 API routes have no validation imports
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;65 Prisma models and a rich service layer. The validation gap is common across these projects — more on that below.&lt;/p&gt;

&lt;h2&gt;
  
  
  3. Formbricks — open source survey platform
&lt;/h2&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;TypeScript · Next.js · Prisma → PostgreSQL (43 models)
Auth: NextAuth | AI: Vercel AI | Payments: Stripe
Testing: Vitest, Testing Library, Playwright
UI: shadcn/ui (Tailwind)
Services: AWS S3 · Sentry · PostHog · i18next (+5 more)
Deploy: Docker · GitHub Actions

⚠ 76/97 API routes have no validation imports
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;43 models, clean stack detection. The scanner picks up that Formbricks uses Vercel AI SDK — not obvious from a surface read of the repo.&lt;/p&gt;

&lt;h2&gt;
  
  
  4. Trigger.dev — background job platform
&lt;/h2&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;TypeScript · Remix · Prisma → PostgreSQL (76 models) · 56 packages
Auth: JWT | AI: Vercel AI
Testing: Vitest, Supertest, Playwright
UI: shadcn/ui (Tailwind)
Services: AWS S3 · Resend · PostHog · OpenAI (+7 more)
Deploy: Docker · GitHub Actions

⚠ Hardcoded PostHog project key
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;56 packages in the monorepo. Remix detected (not Next.js — the scanner distinguishes). 76 Prisma models is one of the largest schemas in this set.&lt;/p&gt;

&lt;h2&gt;
  
  
  5. Inbox Zero — AI email client
&lt;/h2&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;TypeScript · Next.js · Prisma → PostgreSQL (63 models)
Auth: Better Auth | AI: Vercel AI | Payments: Stripe
Testing: Vitest, Playwright, Testing Library
UI: shadcn/ui (Tailwind)
Services: Resend · Sentry · PostHog (+9 more)
Deploy: Cloudflare Workers · GitHub Actions

⚠ 108/168 API routes have no validation imports
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The scanner detected Better Auth, not just NextAuth. 63 models. 3 surfaces (web, api, cli). 108 of 168 routes without validation imports is the second-highest count in the set after Dub, though as a ratio (64%) it sits below Langfuse, Midday and Formbricks.&lt;/p&gt;

&lt;h2&gt;
  
  
  6. Midday — open source finance
&lt;/h2&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;TypeScript · Next.js · Drizzle → PostgreSQL (50 models)
Auth: Supabase Auth | AI: Vercel AI | Payments: Stripe
Testing: Vitest
Services: Resend · Sentry · tRPC · React Email (+6 more)
Deploy: Docker · GitHub Actions
Workspace: Turborepo (bun)

⚠ 8/10 API routes have no validation imports
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The only project using Drizzle instead of Prisma. Also the only bun workspace in the set. 5 surfaces detected (api, dashboard, website, worker, +1). Shows the scanner isn't just a Prisma counter.&lt;/p&gt;

&lt;h2&gt;
  
  
  7. n8n — workflow automation
&lt;/h2&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;TypeScript · Express · Supabase · 66 packages
Auth: JWT | AI: Vercel AI
Testing: Vitest, Playwright, Testing Library, Supertest, Jest
Services: AWS S3 · Sentry · OpenAI · Anthropic (+13 more)
Deploy: Docker · GitHub Actions

⚠ Hardcoded PostHog project key
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;66 packages. Five test frameworks. The largest monorepo in this set. Express, not Next.js — shows the scanner handles non-Next stacks. The service detection picked up both OpenAI and Anthropic SDKs directly.&lt;/p&gt;

&lt;h2&gt;
  
  
  8. Documenso — open source document signing
&lt;/h2&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;TypeScript · React Router · Prisma → PostgreSQL (47 models)
Auth: JWT | AI: Vercel AI | Payments: Stripe
Testing: Vitest, Playwright
UI: Tailwind CSS
Services: AWS S3 · Resend · PostHog · tRPC (+5 more)
Deploy: Docker · GitHub Actions

✓ Clean — no secrets, .gitignore covers .env
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The only clean scan in the set: no hardcoded secrets matched, and .gitignore covers .env. This matters, because a scanner that flags everything isn't useful. Documenso keeps its .env out of the repository and the scanner confirms it. Note what "clean" means here: none of the scanner's checks fired, which is a statement about those checks, not a guarantee about the project.&lt;/p&gt;

&lt;h2&gt;
  
  
  What patterns showed up
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Validation gaps are everywhere.&lt;/strong&gt; Five of the eight scans shown above flag API routes with no validation imports, ranging from 8/10 (Midday) to 185/464 (Dub). These aren't necessarily bugs: the check is a file-level heuristic that looks for imports of known validation libraries, so a route validated in middleware, through tRPC, or inside a shared helper shows up as a gap even though its input is checked. What the scan does give you is the list of handlers with no visible validation in the file itself, which is exactly where a new team member or a reviewer should start reading.&lt;/p&gt;
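&lt;p&gt;To make the heuristic concrete, here is an added example of a file-level "no validation imports" check. It is not anatomia's own code; the list of validation libraries, the import regex and the three sample route files are assumptions constructed for the illustration. It also shows the false-positive case from the paragraph above: the webhook route delegates to a shared helper, so whatever validation that helper does is invisible at the file level.&lt;/p&gt;

```typescript
// Added example, not anatomia's own code: a file-level heuristic in the spirit of
// the "no validation imports" check. It reports route files that import none of a
// known list of schema-validation libraries. The library list, the import regex
// and the sample route files below are assumptions constructed for illustration.

const VALIDATION_MODULES = [
  "zod", "yup", "valibot", "joi", "superstruct", "ajv", "class-validator",
];

// Matches the module specifier in `import ... from "x"`, `import "x"` and require("x").
const IMPORT_RE = /(?:from\s+|import\s+|require\()\s*["']([^"']+)["']/g;

function importedModules(source: string): string[] {
  const mods: string[] = [];
  IMPORT_RE.lastIndex = 0;
  let m = IMPORT_RE.exec(source);
  while (m !== null) {
    mods.push(m[1]);
    m = IMPORT_RE.exec(source);
  }
  return mods;
}

// True if any import is a validation library or a subpath of one ("zod/v4"),
// without matching unrelated packages that merely share a prefix ("zodiac").
function hasValidationImport(source: string): boolean {
  return importedModules(source).some((spec) =>
    VALIDATION_MODULES.some((v) => spec === v || spec.startsWith(v + "/")),
  );
}

interface RouteReport {
  total: number;
  unvalidated: string[];
}

// files maps a route path to its source text (what a scanner reads from disk).
function scanRoutes(files: { [path: string]: string }): RouteReport {
  const unvalidated: string[] = [];
  for (const path of Object.keys(files)) {
    if (!hasValidationImport(files[path])) {
      unvalidated.push(path);
    }
  }
  return { total: Object.keys(files).length, unvalidated };
}

// Constructed sample: three Next.js-style route handlers (not taken from any repo).
// The webhook route is the false-positive case: its validation, if any, lives
// behind a shared helper, so a file-level check cannot see it.
const SAMPLE_ROUTES: { [path: string]: string } = {
  "app/api/links/route.ts": [
    'import { z } from "zod";',
    "const Body = z.object({ url: z.string().url() });",
    "export async function POST(req: Request) {",
    "  return Response.json(Body.parse(await req.json()));",
    "}",
  ].join("\n"),
  "app/api/health/route.ts":
    "export async function GET() { return Response.json({ ok: true }); }",
  "app/api/webhooks/route.ts": [
    'import { handleWebhook } from "@/lib/webhooks";',
    "export async function POST(req: Request) { return handleWebhook(req); }",
  ].join("\n"),
};

const report = scanRoutes(SAMPLE_ROUTES);
console.log(`${report.unvalidated.length}/${report.total} routes have no validation imports`);
console.log(report.unvalidated.join("\n"));
```

&lt;p&gt;Run on the sample it reports 2/3 routes. The health endpoint is a true "no input, nothing to validate" case, and the webhook route is the kind of hit you would want to triage by reading the helper it calls, which is the reason the post treats these counts as a reading list rather than a bug list.&lt;/p&gt;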

&lt;p&gt;&lt;strong&gt;Stack detection goes deeper than dependencies.&lt;/strong&gt; Prisma model counts, auth provider identification (NextAuth vs Better Auth vs Supabase Auth vs JWT), ORM detection (Prisma vs Drizzle vs TypeORM vs MikroORM), workspace tooling (pnpm vs yarn vs bun), surface detection (web vs api vs cli vs worker). The scan reads the project, not just the package.json.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;PostHog keys are common and intentionally public.&lt;/strong&gt; Two projects (Trigger.dev and n8n) had PostHog project keys detected. These keys are designed to ship in client-side code and are expected to be public, so committing one is not a credential leak; all a holder can do with it is send events into the project. The scanner flags them as a low-severity notice, not a critical finding. The one thing worth checking when a hit turns up is that it really is a project key and not a personal API key, which does grant API access and does belong in an environment variable.&lt;/p&gt;
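&lt;p&gt;The added example below shows the severity distinction in code. It is not anatomia's secret detection and not PostHog's code: a small matcher that grades each hit by what the credential can do. PostHog project keys begin with "phc_" and personal API keys with "phx_"; the exact regexes, the Stripe pattern used for contrast, and the sample source lines are assumptions built for this example.&lt;/p&gt;

```typescript
// Added example, not anatomia's own code: a secret matcher that grades each hit by
// what the credential can do rather than by the mere presence of a key. PostHog
// project keys start with "phc_" and are meant for browser code (a holder can send
// events, not read data), so they rate low; personal API keys start with "phx_"
// and grant API access, so they rate high. The regexes, the Stripe pattern and the
// sample source lines are assumptions built for this illustration.

type Severity = "low" | "high";

interface Finding {
  line: number;
  kind: string;
  severity: Severity;
  redacted: string;
}

const PATTERNS: { kind: string; re: RegExp; severity: Severity }[] = [
  { kind: "posthog-personal-api-key", re: /\bphx_[A-Za-z0-9]{20,}\b/, severity: "high" },
  { kind: "posthog-project-key", re: /\bphc_[A-Za-z0-9]{20,}\b/, severity: "low" },
  { kind: "stripe-secret-key", re: /\bsk_(?:live|test)_[A-Za-z0-9]{16,}\b/, severity: "high" },
];

// Keep enough of the token to locate it in the file, never the whole value.
function redact(token: string): string {
  return token.slice(0, 8) + "...";
}

function scanSource(source: string): Finding[] {
  const findings: Finding[] = [];
  source.split("\n").forEach((text, idx) => {
    for (const p of PATTERNS) {
      const m = p.re.exec(text);
      if (m !== null) {
        findings.push({
          line: idx + 1,
          kind: p.kind,
          severity: p.severity,
          redacted: redact(m[0]),
        });
      }
    }
  });
  return findings;
}

// CI gate: fail the build only on findings that expose real access.
// A public project key alone produces a notice, not a failure.
function shouldFailBuild(findings: Finding[]): boolean {
  return findings.some((f) => f.severity === "high");
}

// Constructed sample source (not from any real project). Line 2 reads its key
// from the environment and must not match anything.
const SAMPLE_SOURCE = [
  'const posthog = new PostHog("phc_AbCdEfGhIjKlMnOpQrStUvWxYz0123456789abcd");',
  "const stripe = new Stripe(process.env.STRIPE_SECRET_KEY);",
  'const personal = "phx_AbCdEfGhIjKlMnOpQrStUvWxYz0123456789abcd";',
  'const legacy = new Stripe("sk_live_AbCdEfGhIjKlMnOpQrStUvWx");',
].join("\n");

for (const f of scanSource(SAMPLE_SOURCE)) {
  console.log(`line ${f.line}: ${f.kind} [${f.severity}] ${f.redacted}`);
}
console.log(`fail build: ${shouldFailBuild(scanSource(SAMPLE_SOURCE))}`);
```

&lt;p&gt;On the sample the project key on line 1 is reported as low, while the personal key on line 3 and the Stripe secret on line 4 are high and would fail the build. Grading by capability is what keeps a scanner from crying wolf on every PostHog snippet while still stopping a real credential at the gate.&lt;/p&gt;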

&lt;p&gt;&lt;strong&gt;Clean scans matter.&lt;/strong&gt; Documenso came back clean. A tool that cries wolf on every repo isn't useful. The fact that one project out of eight had zero findings builds trust in the findings on the other seven.&lt;/p&gt;

&lt;h2&gt;
  
  
  Try it
&lt;/h2&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;npx anatomia-cli scan &lt;span class="nb"&gt;.&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;One command. 3-8 seconds. No install. No account. No data leaves your machine. MIT licensed.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;GitHub:&lt;/strong&gt; &lt;a href="https://github.com/anatomia-dev/anatomia" rel="noopener noreferrer"&gt;github.com/anatomia-dev/anatomia&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Curious what it finds on your project.&lt;/p&gt;

</description>
      <category>ai</category>
      <category>opensource</category>
      <category>typescript</category>
      <category>webdev</category>
    </item>
  </channel>
</rss>
