Know Your Codebase Risk. Protect Your Engineering Investment.
2ndCTO analyzes GitHub repositories for security risks, bus factor (knowledge concentration), and technical debt. Get actionable insights to keep your codebase healthy and your team resilient.
- Secret Detection - Find API keys, passwords, tokens in code
- Vulnerability Scanning - SQL injection, XSS, unsafe eval detection
- Risk Scoring - 0-100 score with severity breakdown
- Knowledge Distribution - Identify single points of failure
- Team Insights - See who knows what in your codebase
- Risk Alerts - Get warned before knowledge walks out the door
- Legacy Conversion - ES5 → ES2022, Python 2 → 3
- Pattern Detection - Callbacks → async/await, var → const
- Validation - Syntax check and test generation
- Smart Recommendations - Prioritized action plans
- Fix Suggestions - Before/after code examples
- Trend Analysis - Track improvements over time
- Node.js 18+ and npm
- PostgreSQL (Supabase recommended)
- Redis (Upstash recommended)
```bash
# Clone the repository
git clone https://github.com/nKOxxx/2ndCTO.git
cd 2ndCTO

# Install dependencies
npm install

# Set up environment variables
cp .env.example .env
# Edit .env with your credentials

# Run database migrations
# (See scripts/ folder for SQL files)

# Start the application
npm run dev
```

```env
# Server
PORT=3001
NODE_ENV=development

# Supabase
SUPABASE_URL=your_supabase_url
SUPABASE_SERVICE_KEY=your_service_key

# Redis
REDIS_URL=rediss://your_upstash_url

# GitHub
GITHUB_TOKEN=your_github_personal_access_token
```

Keep `.env` out of version control: the Supabase service key bypasses row-level security on your database, and the GitHub token carries whatever scopes you granted it.

- Landing Page - http://localhost:3001
- Dashboard - http://localhost:3001/dashboard.html
- Analyze Repo - Enter GitHub URL and click "Analyze"
```bash
# Add repository
curl -X POST http://localhost:3001/api/repos \
  -H "Content-Type: application/json" \
  -d '{"owner":"facebook","name":"react"}'

# Get analysis report
curl http://localhost:3001/api/repos/{repo-id}/report

# Get AI insights
curl http://localhost:3001/api/repos/{repo-id}/insights

# Get bus factor
curl http://localhost:3001/api/repos/{repo-id}/bus-factor
```

- Open Chrome → chrome://extensions/
- Enable "Developer mode"
- Click "Load unpacked"
- Select the `chrome-extension/` folder
- Visit any GitHub repo and click "Analyze with 2ndCTO"
```yaml
name: Security Analysis
on: [push, pull_request]
jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      issues: write
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - uses: nKOxxx/2ndCTO/.github/actions/2ndcto-analyze@main
        with:
          server-url: 'http://your-2ndcto-server.com'
          fail-on-critical: 'true'
          create-issues: 'true'
```

The placeholder `server-url` is plain `http://`; in real use point it at an HTTPS endpoint, since the action exchanges analysis data for your repository with that server.

```text
┌─────────────────┐   ┌─────────────────┐   ┌─────────────────┐
│   Chrome Ext    │   │  Web Dashboard  │   │  GitHub Action  │
└────────┬────────┘   └────────┬────────┘   └────────┬────────┘
         │                     │                     │
         └─────────────────────┼─────────────────────┘
                               │
                 ┌─────────────┴─────────────┐
                 │    Express API (3001)     │
                 └─────────────┬─────────────┘
                               │
        ┌──────────────────────┼─────────────────────┐
        │                      │                     │
┌───────┴─────────┐  ┌─────────┴──────────┐  ┌───────┴─────────┐
│   PostgreSQL    │  │    Redis (Bull)    │  │   GitHub API    │
│   (Supabase)    │  │    (Job Queue)     │  │                 │
└─────────────────┘  └────────────────────┘  └─────────────────┘
```
- Backend: Node.js, Express.js
- Database: PostgreSQL (Supabase)
- Queue: Redis + Bull
- Parser: Tree-sitter (AST analysis)
- Frontend: Vanilla HTML/JS (no framework)
- Real-time: Socket.io
| Score | Grade | Meaning | Action |
|---|---|---|---|
| 0-30 | A | Excellent | Maintain practices |
| 30-50 | B | Good | Minor improvements |
| 50-70 | C | Fair | Review recommended |
| 70-90 | D | Poor | Address issues soon |
| 90-100 | F | Critical | Immediate action |
| Score | Status | Interpretation |
|---|---|---|
| 1-1.5 | Critical | Single point of failure |
| 1.5-2.5 | Warning | Limited knowledge spread |
| 2.5-4 | Good | Decent distribution |
| 4+ | Excellent | Healthy team resilience |
```text
2ndCTO/
├── src/
│   ├── api/              # Express routes
│   ├── analysis/         # Code analyzers
│   ├── db/               # Database connection
│   ├── ingestion/        # Repo cloning
│   ├── queue/            # Bull job queue
│   └── index.js          # Entry point
├── public/               # Static files (UI)
├── chrome-extension/     # Browser extension
├── scripts/              # SQL migrations
└── .github/              # GitHub Actions
```
```bash
npm test
```

Edit `src/analysis/security-scanner.js`:

```javascript
{
  id: 'MY_NEW_RULE',
  name: 'Descriptive Name',
  pattern: /regex pattern/,
  severity: 'high',
  category: 'vulnerability'
}
```

- Push to GitHub
- Connect Render to repo
- Set environment variables
- Deploy!
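As an added example (not 2ndCTO's own scanner code), here is how rules in the shape shown above can be run over source text and the hits turned into a score and the grade from the risk table. The rules, the per-severity weights and the sample input are constructed for this illustration; the weights are an assumption, since the README does not give its scoring formula.

```javascript
// Added example, not 2ndCTO's scanner: rules use the README's rule shape
// ({ id, name, pattern, severity, category }). Rules, weights and the sample
// source below are constructed for illustration.
const RULES = [
  { id: 'AWS_ACCESS_KEY', name: 'AWS access key ID', pattern: /\bAKIA[0-9A-Z]{16}\b/, severity: 'critical', category: 'secret' },
  { id: 'UNSAFE_EVAL', name: 'Dynamic code execution via eval()', pattern: /\beval\s*\(/, severity: 'high', category: 'vulnerability' },
  { id: 'SQL_CONCAT', name: 'SQL statement built by string concatenation', pattern: /\b(SELECT|INSERT|UPDATE|DELETE)\b[^;]*['"]\s*\+/i, severity: 'high', category: 'vulnerability' },
  { id: 'INNER_HTML', name: 'innerHTML assignment (possible XSS sink)', pattern: /\.innerHTML\s*=[^=]/, severity: 'medium', category: 'vulnerability' },
];

// Assumed per-severity weights; the README does not publish its formula.
const WEIGHTS = { critical: 40, high: 20, medium: 10, low: 5 };

// Grade bands from the README's risk table (a boundary value falls in the upper band).
function gradeFor(score) {
  if (score < 30) return 'A';
  if (score < 50) return 'B';
  if (score < 70) return 'C';
  if (score < 90) return 'D';
  return 'F';
}

// Run every rule over every line. Patterns must not carry the /g flag, because
// RegExp#test on a global regex keeps state in lastIndex between calls.
function scan(source, rules = RULES) {
  const findings = [];
  source.split('\n').forEach((text, idx) => {
    for (const rule of rules) {
      if (rule.pattern.test(text)) {
        findings.push({ line: idx + 1, id: rule.id, severity: rule.severity, category: rule.category });
      }
    }
  });
  return findings;
}

// Sum the weights of all findings, cap at 100, and map to a grade.
function analyze(source, rules = RULES) {
  const findings = scan(source, rules);
  const score = Math.min(100, findings.reduce((s, f) => s + (WEIGHTS[f.severity] || 0), 0));
  return { findings, score, grade: gradeFor(score) };
}

// Constructed sample input: four of the five lines should trigger a rule.
const SAMPLE_SOURCE = [
  "const key = 'AKIAEXAMPLEKEY000000';",
  "const q = \"SELECT * FROM users WHERE id = '\" + req.query.id + \"'\";",
  'el.innerHTML = userInput;',
  'eval(req.body.code);',
  'const n = parseInt(req.query.n, 10);',
].join('\n');

console.log(JSON.stringify(analyze(SAMPLE_SOURCE), null, 2));
```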
```dockerfile
FROM node:18-alpine
WORKDIR /app
COPY package*.json ./
RUN npm install --production
COPY . .
EXPOSE 3001
CMD ["npm", "start"]
```

Add `.env` to `.dockerignore` so that `COPY . .` does not bake your credentials into the image; they are supplied at run time with `--env-file`.

```bash
docker build -t 2ndcto .
docker run -p 3001:3001 --env-file .env 2ndcto
```

- Fork the repository
- Create your feature branch (`git checkout -b feature/AmazingFeature`)
- Commit your changes (`git commit -m 'Add some AmazingFeature'`)
- Push to the branch (`git push origin feature/AmazingFeature`)
- Open a Pull Request
MIT License - see LICENSE file for details.
- Tree-sitter for AST parsing
- Supabase for managed PostgreSQL
- Upstash for Redis hosting
- GitHub for the API
- GitHub Issues: github.com/nKOxxx/2ndCTO/issues
- Documentation: http://localhost:3001 (when running locally)
Built with ❤️ by 2ndCTO Team
