Source: dev.to · Topic: ai-tools

I scanned 8 popular open source repos with one command. Here's what I found.

A developer built a CLI tool that scans codebases for stack detection, dependency mapping, convention analysis, and security checks with a single command and no external data transmission. Running it against eight popular open-source projects revealed that six out of eight had API routes with no validation imports, with one project showing 185 out of 464 routes lacking validation. The scanner also detected hardcoded secrets in two projects and successfully distinguished between different frameworks like Next.js, Remix, and Express.

4 min read · Published May 26, 2026

I built a CLI that scans codebases — stack detection, dependency mapping, convention analysis, security checks. One command, no config, nothing leaves your machine. I ran it against 8 well-known open source projects to see what it picks up.

TypeScript · Next.js · Prisma → MySQL (80 models) · 12 packages
Auth: NextAuth | AI: Vercel AI | Payments: Stripe
Testing: Vitest, Playwright | UI: Tailwind CSS
Deploy: Vercel · GitHub Actions

⚠ 185/464 API routes have no validation imports

80 Prisma models. That's a big schema. And nearly 40% of API routes have no validation imports — not necessarily bugs, but surface area nobody's checked.

TypeScript · Next.js · Prisma → PostgreSQL (65 models) · 7 packages
Auth: NextAuth | Payments: Stripe
Testing: Vitest, Playwright, Testing Library
UI: shadcn/ui (Tailwind)
Services: AWS S3 · Sentry · PostHog · tRPC (+6 more)
Deploy: Docker · GitHub Actions

⚠ 75/93 API routes have no validation imports

65 Prisma models and a rich service layer. The validation gap is common across these projects — more on that below.

TypeScript · Next.js · Prisma → PostgreSQL (43 models)
Auth: NextAuth | AI: Vercel AI | Payments: Stripe
Testing: Vitest, Testing Library, Playwright
UI: shadcn/ui (Tailwind)
Services: AWS S3 · Sentry · PostHog · i18next (+5 more)
Deploy: Docker · GitHub Actions

⚠ 76/97 API routes have no validation imports

43 models, clean stack detection. The scanner picks up that Formbricks uses Vercel AI SDK — not obvious from a surface read of the repo.

TypeScript · Remix · Prisma → PostgreSQL (76 models) · 56 packages
Auth: JWT | AI: Vercel AI
Testing: Vitest, Supertest, Playwright
UI: shadcn/ui (Tailwind)
Services: AWS S3 · Resend · PostHog · OpenAI (+7 more)
Deploy: Docker · GitHub Actions

⚠ Hardcoded PostHog project key

56 packages in the monorepo. Remix detected (not Next.js — the scanner distinguishes). 76 Prisma models is one of the largest schemas in this set.

TypeScript · Next.js · Prisma → PostgreSQL (63 models)
Auth: Better Auth | AI: Vercel AI | Payments: Stripe
Testing: Vitest, Playwright, Testing Library
UI: shadcn/ui (Tailwind)
Services: Resend · Sentry · PostHog (+9 more)
Deploy: Cloudflare Workers · GitHub Actions

⚠ 108/168 API routes have no validation imports

The scanner detected Better Auth — not just NextAuth. 63 models. 3 surfaces (web, api, cli). 108 out of 168 routes without validation is the second-highest ratio in this set.

TypeScript · Next.js · Drizzle → PostgreSQL (50 models)
Auth: Supabase Auth | AI: Vercel AI | Payments: Stripe
Testing: Vitest
Services: Resend · Sentry · tRPC · React Email (+6 more)
Deploy: Docker · GitHub Actions
Workspace: Turborepo (bun)

⚠ 8/10 API routes have no validation imports

The only project using Drizzle instead of Prisma. Also the only bun workspace in the set. 5 surfaces detected (api, dashboard, website, worker, +1). Shows the scanner isn't just a Prisma counter.

TypeScript · Express · Supabase · 66 packages
Auth: JWT | AI: Vercel AI
Testing: Vitest, Playwright, Testing Library, Supertest, Jest
Services: AWS S3 · Sentry · OpenAI · Anthropic (+13 more)
Deploy: Docker · GitHub Actions

⚠ Hardcoded PostHog project key

66 packages. Five test frameworks. The largest monorepo in this set. Express, not Next.js — shows the scanner handles non-Next stacks. The service detection picked up both OpenAI and Anthropic SDKs directly.

TypeScript · React Router · Prisma → PostgreSQL (47 models)
Auth: JWT | AI: Vercel AI | Payments: Stripe
Testing: Vitest, Playwright
UI: Tailwind CSS
Services: AWS S3 · Resend · PostHog · tRPC (+5 more)
Deploy: Docker · GitHub Actions

✓ Clean — no secrets, .gitignore covers .env

The only clean scan in the set. No findings. This matters — a scanner that flags everything isn't useful. Documenso has its .env handled correctly and the scanner confirms it.

Validation gaps are everywhere. 6 of 8 projects had API routes with no validation imports detected. The numbers ranged from 8/10 (Midday) to 185/464 (Dub). These aren't necessarily bugs — many routes handle validation elsewhere (middleware, tRPC, shared libraries). But the scan surfaces which routes have no visible validation at the file level. That's the kind of thing a new team member would want to know.
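To make the "no validation imports" heuristic concrete, here is an added example (my own illustration, not the anatomia-cli source) of a file-level check of the kind the results above describe. It works on an in-memory map of path to source so it runs offline; the route files, the list of libraries treated as validation (VALIDATION_LIBS), and the Next.js route-path convention it recognises are all assumptions for the example. The tRPC route in the sample is flagged even though its validation lives in the router, which is exactly the caveat the paragraph makes.

```javascript
// Added example, not anatomia-cli's code: a file-level "validation import"
// heuristic. Everything below (library list, route-path convention, sample
// repo) is constructed for illustration.

// Libraries whose import counts as "validation" in this example (assumed list).
const VALIDATION_LIBS = ['zod', 'yup', 'joi', 'valibot', 'superstruct', 'class-validator', 'ajv'];

// Capture the module specifier from ES imports and CommonJS requires.
const IMPORT_RE = /(?:import\s+(?:[\w*{}\s,]+\s+from\s+)?|require\()\s*['"]([^'"]+)['"]/g;

function importedModules(source) {
  return Array.from(source.matchAll(IMPORT_RE), (m) => m[1]);
}

// A specifier counts if it is one of the libs or a subpath of one (e.g. 'zod/v4').
function isValidationModule(spec) {
  return VALIDATION_LIBS.some((lib) => spec === lib || spec.startsWith(lib + '/'));
}

function hasValidationImport(source) {
  return importedModules(source).some(isValidationModule);
}

// Assumed Next.js conventions: pages/api/**/*.ts and app/api/**/route.ts.
const ROUTE_RE = /(^|\/)(pages\/api\/.+\.[jt]sx?|app\/api\/.+\/route\.[jt]sx?)$/;

function isApiRoute(path) {
  return ROUTE_RE.test(path);
}

// files: { [path]: sourceText }. Returns the counts a scanner would print.
function scanRoutes(files) {
  const routes = Object.keys(files).filter(isApiRoute).sort();
  const unvalidated = routes.filter((p) => !hasValidationImport(files[p]));
  return { total: routes.length, unvalidated: unvalidated.length, paths: unvalidated };
}

// Constructed sample repository (four routes plus a shared helper that is not a route).
const SAMPLE_REPO = {
  'app/api/users/route.ts':
    "import { z } from 'zod';\nconst Body = z.object({ email: z.string().email() });\n" +
    'export async function POST(req) { return Response.json(Body.parse(await req.json())); }',
  'app/api/webhook/route.ts':
    'export async function POST(req) { const body = await req.json(); return Response.json({ ok: true, body }); }',
  'pages/api/legacy.ts':
    "const yup = require('yup');\nexport default function handler(req, res) { res.json(yup.string().validateSync(req.query.q)); }",
  // Validation happens inside appRouter, so this file is a false positive at the file level.
  'pages/api/trpc/[trpc].ts':
    "import { createNextApiHandler } from '@trpc/server/adapters/next';\n" +
    "import { appRouter } from '../../../server/router';\nexport default createNextApiHandler({ router: appRouter });",
  'lib/validation.ts': "import { z } from 'zod'; export const Email = z.string().email();",
};

if (typeof require !== 'undefined' && require.main === module) {
  const r = scanRoutes(SAMPLE_REPO);
  console.log(`${r.unvalidated}/${r.total} API routes have no validation imports`);
  for (const p of r.paths) console.log('  ' + p);
}
```

Running it prints 2/4, listing the webhook route and the tRPC catch-all; the second entry is the reason a count like 185/464 is a list of files to look at, not a list of bugs.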

Stack detection goes deeper than dependencies. Prisma model counts, auth provider identification (NextAuth vs Better Auth vs Supabase Auth vs JWT), ORM detection (Prisma vs Drizzle vs TypeORM vs MikroORM), workspace tooling (pnpm vs yarn vs bun), surface detection (web vs api vs cli vs worker). The scan reads the project, not just the package.json.

PostHog keys are common and intentionally public. Two projects had PostHog project keys detected. These are designed to be client-side and public — not a security risk. The scanner flags them as a low-severity notice, not a critical finding.

Clean scans matter. Documenso came back clean. A tool that cries wolf on every repo isn't useful. The fact that one project out of eight had zero findings builds trust in the findings on the other seven.
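The two checks behind the "Hardcoded PostHog project key" notice and the "Clean, .gitignore covers .env" result, as an added example written for this article (not anatomia-cli's own code). It scans in-memory file contents, skips anything the repo's .gitignore ignores, and reports a PostHog key as low severity because those keys are public by design. The key formats in DETECTORS, the severities, and the sample repository are assumptions constructed for the example; the gitignore matcher handles only the basic pattern forms (basename patterns, anchored patterns, `*`, `**`, negation).

```javascript
// Added example, not anatomia-cli's code: secret detection plus a .gitignore
// coverage check over an in-memory repo. Detector patterns are approximations
// assumed for illustration.

const DETECTORS = [
  // PostHog project keys are client-side public tokens: a notice, not a finding of leaked credentials.
  { name: 'PostHog project key', re: /\bphc_[A-Za-z0-9]{20,}\b/g, severity: 'low' },
  { name: 'Stripe secret key', re: /\bsk_(?:live|test)_[A-Za-z0-9]{16,}\b/g, severity: 'high' },
  { name: 'AWS access key id', re: /\bAKIA[0-9A-Z]{16}\b/g, severity: 'high' },
];

// Minimal gitignore glob to RegExp: '**' any depth, '*' within a segment, '?' one char.
function globToRegExp(pattern) {
  let re = '';
  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === '*') {
      if (pattern[i + 1] === '*') { re += '.*'; i++; } else { re += '[^/]*'; }
    } else if (c === '?') {
      re += '[^/]';
    } else {
      re += c.replace(/[.+^${}()|[\]\\]/g, '\\$&');
    }
  }
  return new RegExp('^' + re + '$');
}

// Last matching rule wins; a '!' rule un-ignores. Patterns without a slash match any path segment.
function gitignoreMatches(gitignoreText, path) {
  let ignored = false;
  for (let line of gitignoreText.split('\n')) {
    line = line.trim();
    if (!line || line.startsWith('#')) continue;
    const negate = line.startsWith('!');
    if (negate) line = line.slice(1);
    const anchored = line.startsWith('/');
    const pat = line.replace(/^\//, '').replace(/\/$/, '');
    const re = globToRegExp(pat);
    const hit = re.test(path) ||
      (!anchored && !pat.includes('/') && path.split('/').some((seg) => re.test(seg)));
    if (hit) ignored = !negate;
  }
  return ignored;
}

function redact(value) {
  return value.slice(0, 8) + '...' + value.slice(-4);
}

// Scan every tracked (non-ignored) file with each detector.
function scanSecrets(files, gitignoreText) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    if (gitignoreMatches(gitignoreText, path)) continue;
    for (const d of DETECTORS) {
      for (const m of text.matchAll(d.re)) {
        findings.push({ path, name: d.name, severity: d.severity, value: redact(m[0]) });
      }
    }
  }
  return findings;
}

function report(files) {
  const gitignore = files['.gitignore'] || '';
  const findings = scanSecrets(files, gitignore);
  const envCovered = gitignoreMatches(gitignore, '.env');
  return { findings, envCovered, clean: findings.length === 0 && envCovered };
}

// Constructed sample repository. The .env file is ignored, so its contents are never scanned;
// .env.example is un-ignored by the '!' rule and is scanned (and contains nothing).
const SAMPLE_REPO = {
  '.gitignore': 'node_modules/\n# local secrets\n.env\n.env.*\n!.env.example\n',
  '.env': 'STRIPE_SECRET_KEY=sk_test_CONSTRUCTEDSAMPLEVALUE0000\n',
  '.env.example': 'STRIPE_SECRET_KEY=\n',
  'apps/web/lib/posthog.ts':
    "import posthog from 'posthog-js';\nposthog.init('phc_CONSTRUCTEDsampleKeyAbcdefghij0123456789', { api_host: 'https://app.posthog.com' });",
  'apps/api/src/billing.ts': "import Stripe from 'stripe';\nconst stripe = new Stripe(process.env.STRIPE_SECRET_KEY);",
};

if (typeof require !== 'undefined' && require.main === module) {
  const r = report(SAMPLE_REPO);
  for (const f of r.findings) console.log(`[${f.severity}] ${f.name} in ${f.path}: ${f.value}`);
  console.log(r.clean ? 'Clean: no secrets, .gitignore covers .env' : `${r.findings.length} finding(s)`);
}
```

On the sample repo this yields one low-severity PostHog notice and confirms .env is covered; drop the hardcoded key and the same repo reports clean, which is the Documenso outcome above.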

npx anatomia-cli scan .

One command. 3-8 seconds. No install. No account. No data leaves your machine. MIT licensed.

GitHub: github.com/anatomia-dev/anatomia

Curious what it finds on your project.
