Analysis Dimensions

Use this checklist to ensure systematic coverage when comparing a codebase against a target state. Not every dimension applies to every analysis — scope to the relevant surfaces.

Prioritisation Rule

Assess dimensions in this order unless the user narrows scope:

  1. Deployment and infrastructure (can it run in production?)
  2. Security and authentication (is it safe to expose?)
  3. Observability (can we see what it's doing?)
  4. CI/CD and testing (can we ship changes safely?)
  5. Architecture and code quality (is it maintainable?)
  6. Documentation and operational readiness (can someone else run it?)

Technology Stack

  • Language and runtime version (alignment with team standard)
  • API / web framework
  • Frontend framework (if applicable)
  • Package manager and lockfile strategy
  • Source control platform and branching model
  • Monorepo vs multi-repo structure

Architecture & Design

  • Domain boundaries (clean separation vs mixed concerns)
  • Data access patterns (ORM, direct SQL, API calls)
  • State management (mutable rows, event sourcing, CQRS)
  • Type safety (type checker, typed IDs, schema contracts)
  • Schema versioning and API evolution strategy
  • Configuration management (env vars, config files, feature flags)

CI/CD & Build

  • Pipeline platform (GitHub Actions, Azure DevOps, Jenkins, etc.)
  • Build stages (lint, typecheck, test, build, push, deploy)
  • Coverage thresholds (overall and diff)
  • Linting strictness (rule sets, suppressions)
  • Branch policies (reviewers, CI pass, comments resolved)
  • PR templates and conventional commits
  • Deployment stages (dev → pre-production → production) with approval gates
  • Rollback mechanism
  • Container build validation in CI

Containerisation & Infrastructure

  • Dockerfile(s) — existence, base image, multi-stage, size
  • Container registry integration (ACR, ECR, GCR, Docker Hub)
  • Infrastructure-as-code (Terraform, Bicep, CloudFormation)
  • Environment provisioning (pre-production/production parity)
  • Port conventions and health endpoints
  • Container topology (single, sidecar, multi-container)

Observability

  • Telemetry SDK (OpenTelemetry, vendor-specific)
  • Distributed tracing (spans on key operations)
  • Structured logging (JSON, correlation IDs, log levels)
  • Custom metrics (business KPIs, throughput, latency)
  • Dashboards and alerting rules
  • Logging hygiene (print statements vs logging framework)

Authentication & Authorisation

  • Auth mechanism (OAuth/OIDC, API keys, service-to-service)
  • Identity provider integration (Entra ID, Okta, Auth0)
  • Role model (RBAC, ABAC, custom)
  • Token validation (JWT verification, session management)
  • Secrets management (Key Vault, Secrets Manager, env vars; nothing committed to source)

Security

  • Secret scanning (detect-secrets, gitleaks, trufflehog)
  • Dependency auditing (pip-audit, npm audit, OpenSSF Scorecard)
  • SAST (bandit, semgrep, CodeQL)
  • CORS configuration (explicit origin allowlist; no wildcard origin with credentials)
  • Network security (VNet, private endpoints, firewalls)
  • Security headers (CSP, HSTS, X-Frame-Options)
  • Input validation (at boundaries, against injection)
  • Supply-chain controls (actions pinned to commit SHAs, lockfile integrity)

Testing

  • Test framework and runner
  • Coverage thresholds (overall, diff, per-module)
  • Test categorisation (unit, integration, e2e, smoke, golden)
  • Test quality tooling (structural quality, not just coverage)
  • E2E / browser test capability
  • Load / performance testing
  • Pre-commit / pre-push test gates

Documentation

  • Architecture Decision Records (ADRs)
  • Developer setup guides (README, CONTRIBUTING)
  • API documentation (OpenAPI specs, generated vs hand-maintained)
  • Operational runbooks (startup, recovery, incident)
  • Deployment documentation
  • Documentation site (VitePress, MkDocs, Docusaurus)
  • Copilot customisation (instructions, agents, skills, prompts)

Operational Readiness

  • Runbooks (startup/shutdown, recovery, incident response)
  • Change management integration (ServiceNow, Jira, etc.)
  • Rollback strategy (documented, tested)
  • Release communication (Teams, Slack, email notifications)
  • Handover documentation (for team transitions)
  • On-call / escalation procedures

Reporting Rule

For each dimension assessed, produce one of:

  • ✅ Aligned — meets or matches the target standard
  • ⚠️ Different — alternative approach that achieves the goal (note trade-offs)
  • ❌ Gap — missing relative to target (include effort estimate)
  • 🟢 Ahead — exceeds the target (note as cross-pollination opportunity)
  • ⬜ Out of scope — explicitly excluded with rationale