DEV Community

Cover image for I built repolens — X-ray any GitHub repo into one interactive HTML file
The AI producer
The AI producer

Posted on • Originally published at lens.bigwinner.work

I built repolens — X-ray any GitHub repo into one interactive HTML file

TL;DR: paste any public GitHub repo into lens.bigwinner.work and get an interactive architecture map — dependency graph, blast radius, health grade, security scan. Or run uvx repolens-kit owner/repo locally. Open source, MIT.

repolens dependency graph of pallets/flask with blast radius inspector

The problem

Every time I open an unfamiliar codebase I ask the same four questions:

  • Where does the mass of this thing live?
  • Which files are the load-bearing walls?
  • If I change this file, what breaks?
  • Is there anything scary committed in here?

You can answer all of these by reading code for a week. I wanted them answered in five seconds.

What repolens does

One command — repolens owner/repo — produces a single self-contained HTML file (D3 inlined, zero external requests, safe to attach to a PR):

  • 🕸️ Interactive dependency graph — every file is a node, sized by lines of code. Color by folder, layer, git churn, or blast radius. Collision-aware labels keep it readable at 1,000+ nodes.
  • 💥 Blast radius — click any file and see exactly how many files transitively depend on it, with a severity meter. flask/__init__.py ripples to 42% of the codebase; now you know to test hard.
  • 🏥 Health grade (A–F) — cycles, coupling, oversized files, security findings. The penalty breakdown is shown, so it's never a black-box number.
  • 🔐 Security scan — committed keys/tokens, SQL built by string-glue, eval/exec, disabled TLS verification. Findings in test paths are auto-demoted.
  • 🔥 Hotspots & ownership — per-file commit churn and top contributors mined from git history.

It resolves imports to files inside the repo to build a real graph — Python, JS/TS, Java, Kotlin, Go, Rust, C/C++, C#, PHP, Ruby, Elixir and ~30 more. Fully-qualified imports (com.acme.core.Engine) resolve by path-suffix matching with language-family guards, so a Java import never creates a fake edge to a Python file.

Zero-clone analysis

The hosted version never writes a repo to disk: it streams GitHub's tarball through tarfile in stream mode, filtering and size-capping files as the bytes arrive. A 100-file repo analyzes in about a second.

Try it

Honest limitations: import-based analysis can't see same-package Java references (no import statement to parse), and the hosted tier caps repos at 3,000 files — the CLI has no limits.

Feedback and issues very welcome. What would you want an architecture X-ray to show?

Top comments (0)