I scanned 8 popular open source repos with one command. Here's what I found.

A developer built a CLI tool that scans codebases for stack detection, dependency mapping, convention analysis, and security checks with a single command and no external data transmission. Running it against eight popular open-source projects revealed that six out of eight had API routes with no validation imports, with one project showing 185 out of 464 routes lacking validation. The scanner also detected hardcoded secrets in two projects and successfully distinguished between different frameworks like Next.js, Remix, and Express.

I built a CLI that scans codebases — stack detection, dependency mapping, convention analysis, security checks. One command, no config, nothing leaves your machine.

I ran it against 8 well-known open source projects to see what it picks up.

```
TypeScript · Next.js · Prisma → MySQL 80 models · 12 packages
Auth: NextAuth | AI: Vercel AI | Payments: Stripe
Testing: Vitest, Playwright | UI: Tailwind CSS
Deploy: Vercel · GitHub Actions
⚠ 185/464 API routes have no validation imports
```

80 Prisma models. That's a big schema. And nearly 40% of API routes have no validation imports — not necessarily bugs, but surface area nobody's checked.

```
TypeScript · Next.js · Prisma → PostgreSQL 65 models · 7 packages
Auth: NextAuth | Payments: Stripe
Testing: Vitest, Playwright, Testing Library
UI: shadcn/ui Tailwind
Services: AWS S3 · Sentry · PostHog · tRPC +6 more
Deploy: Docker · GitHub Actions
⚠ 75/93 API routes have no validation imports
```

65 Prisma models and a rich service layer. The validation gap is common across these projects — more on that below.

```
TypeScript · Next.js · Prisma → PostgreSQL 43 models
Auth: NextAuth | AI: Vercel AI | Payments: Stripe
Testing: Vitest, Testing Library, Playwright
UI: shadcn/ui Tailwind
Services: AWS S3 · Sentry · PostHog · i18next +5 more
Deploy: Docker · GitHub Actions
⚠ 76/97 API routes have no validation imports
```

43 models, clean stack detection.
The scanner picks up that Formbricks uses Vercel AI SDK — not obvious from a surface read of the repo.

```
TypeScript · Remix · Prisma → PostgreSQL 76 models · 56 packages
Auth: JWT | AI: Vercel AI
Testing: Vitest, Supertest, Playwright
UI: shadcn/ui Tailwind
Services: AWS S3 · Resend · PostHog · OpenAI +7 more
Deploy: Docker · GitHub Actions
⚠ Hardcoded PostHog project key
```

56 packages in the monorepo. Remix detected not Next.js — the scanner distinguishes . 76 Prisma models is one of the largest schemas in this set.

```
TypeScript · Next.js · Prisma → PostgreSQL 63 models
Auth: Better Auth | AI: Vercel AI | Payments: Stripe
Testing: Vitest, Playwright, Testing Library
UI: shadcn/ui Tailwind
Services: Resend · Sentry · PostHog +9 more
Deploy: Cloudflare Workers · GitHub Actions
⚠ 108/168 API routes have no validation imports
```

The scanner detected Better Auth — not just NextAuth. 63 models. 3 surfaces (web, api, cli). 108 out of 168 routes without validation is the second-highest ratio in this set.

```
TypeScript · Next.js · Drizzle → PostgreSQL 50 models
Auth: Supabase Auth | AI: Vercel AI | Payments: Stripe
Testing: Vitest
Services: Resend · Sentry · tRPC · React Email +6 more
Deploy: Docker · GitHub Actions
Workspace: Turborepo bun
⚠ 8/10 API routes have no validation imports
```

The only project using Drizzle instead of Prisma. Also the only bun workspace in the set. 5 surfaces detected (api, dashboard, website, worker, +1). Shows the scanner isn't just a Prisma counter.

```
TypeScript · Express · Supabase · 66 packages
Auth: JWT | AI: Vercel AI
Testing: Vitest, Playwright, Testing Library, Supertest, Jest
Services: AWS S3 · Sentry · OpenAI · Anthropic +13 more
Deploy: Docker · GitHub Actions
⚠ Hardcoded PostHog project key
```

66 packages. Five test frameworks. The largest monorepo in this set. Express, not Next.js — shows the scanner handles non-Next stacks. The service detection picked up both OpenAI and Anthropic SDKs directly.

```
TypeScript · React Router · Prisma → PostgreSQL 47 models
Auth: JWT | AI: Vercel AI | Payments: Stripe
Testing: Vitest, Playwright
UI: Tailwind CSS
Services: AWS S3 · Resend · PostHog · tRPC +5 more
Deploy: Docker · GitHub Actions
✓ Clean — no secrets, .gitignore covers .env
```

The only clean scan in the set. No findings. This matters — a scanner that flags everything isn't useful. Documenso has its .env handled correctly and the scanner confirms it.

Validation gaps are everywhere. 6 of 8 projects had API routes with no validation imports detected. The numbers ranged from 8/10 (Midday) to 185/464 (Dub). These aren't necessarily bugs — many routes handle validation elsewhere (middleware, tRPC, shared libraries). But the scan surfaces which routes have no visible validation at the file level. That's the kind of thing a new team member would want to know.

Stack detection goes deeper than dependencies. Prisma model counts, auth provider identification (NextAuth vs Better Auth vs Supabase Auth vs JWT), ORM detection (Prisma vs Drizzle vs TypeORM vs MikroORM), workspace tooling (pnpm vs yarn vs bun), surface detection (web vs api vs cli vs worker). The scan reads the project, not just the package.json.

PostHog keys are common and intentionally public. Two projects had PostHog project keys detected. These are designed to be client-side and public — not a security risk. The scanner flags them as a low-severity notice, not a critical finding.

Clean scans matter. Documenso came back clean. A tool that cries wolf on every repo isn't useful. The fact that one project out of eight had zero findings builds trust in the findings on the other seven.

```
npx anatomia-cli scan .
```

One command. 3-8 seconds. No install. No account. No data leaves your machine. MIT licensed.

GitHub: https://github.com/anatomia-dev/anatomia

Curious what it finds on your project.
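
To make the "no validation imports" finding concrete, here is a file-level heuristic of that kind, written as an added example and not taken from anatomia's source. The library list, the three-way classification, and the sample route files are assumptions; the tRPC route shows the caveat that validation done elsewhere still counts as "none" at the file level.

```javascript
// Added example, not anatomia's code. The library list and the sample
// route files below are assumptions constructed for illustration.
const VALIDATION_LIBS = ["zod", "yup", "joi", "valibot", "superstruct", "ajv"];

// Module specifiers from static imports and require() calls in one file.
function importedModules(source) {
  const re = /(?:import\s+(?:[^'"]*?\sfrom\s+)?|require\(\s*)['"]([^'"]+)['"]/g;
  return Array.from(source.matchAll(re), (m) => m[1]);
}

// "direct": imports a validation library; "indirect": imports a local module
// whose path suggests shared schemas; "none": nothing visible in this file.
function classifyRoute(source) {
  const specs = importedModules(source);
  const isLib = (s) => VALIDATION_LIBS.some((lib) => s === lib || s.startsWith(lib + "/"));
  if (specs.some(isLib)) return "direct";
  if (specs.some((s) => /schema|validat/i.test(s))) return "indirect";
  return "none";
}

function scanRoutes(files) {
  const report = { total: 0, direct: [], indirect: [], none: [] };
  for (const [path, source] of Object.entries(files)) {
    report.total += 1;
    report[classifyRoute(source)].push(path);
  }
  return report;
}

// Constructed sample: four route handlers keyed by path.
const SAMPLE_ROUTES = {
  "app/api/links/route.ts":
    'import { z } from "zod";\nconst Body = z.object({ url: z.string().url() });\n' +
    "export async function POST(req) { return Body.parse(await req.json()); }",
  "app/api/users/route.ts":
    'import { createUserSchema } from "@/lib/schemas/user";\n' +
    "export async function POST(req) { return createUserSchema.parse(await req.json()); }",
  "app/api/notes/route.ts":
    'import { db } from "@/lib/db";\n' +
    "export async function POST(req) { return db.note.create({ data: await req.json() }); }",
  // Validated inside the tRPC router, so the file-level check still says "none".
  "app/api/trpc/[trpc]/route.ts":
    'import { appRouter } from "@/server/router";\nexport const POST = appRouter.handler;',
};

const sampleReport = scanRoutes(SAMPLE_ROUTES);
console.log(`${sampleReport.none.length}/${sampleReport.total} API routes have no validation imports`);
console.log(sampleReport);
```

Routes in the "none" bucket are a review queue, not a bug list: the notes route passes the request body straight to the database, while the tRPC route is only flagged because its validation lives in another file.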
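
The severity split described for PostHog keys and the ".gitignore covers .env" check can be sketched as follows; this is an added example, not anatomia's code. The rule set, the severity names, the simplified .gitignore matcher, and the sample inputs (including the fake key value) are assumptions.

```javascript
// Added example, not anatomia's code. Rules, severities and sample inputs
// are assumptions constructed for illustration.
const SECRET_RULES = [
  // PostHog project keys ship in client-side code by design: notice only.
  { id: "posthog-project-key", re: /\bphc_[A-Za-z0-9]{20,}\b/, severity: "low" },
  { id: "private-key-block", re: /-----BEGIN [A-Z ]*PRIVATE KEY-----/, severity: "high" },
];

// Simplified .gitignore matcher: exact names plus one leading or trailing "*",
// "!" negation, last matching line wins. Real gitignore syntax is richer.
function ignores(gitignoreText, fileName) {
  let ignored = false;
  for (const raw of gitignoreText.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const negated = line.startsWith("!");
    const pat = (negated ? line.slice(1) : line).replace(/^\//, "");
    const hit = pat.endsWith("*") ? fileName.startsWith(pat.slice(0, -1))
      : pat.startsWith("*") ? fileName.endsWith(pat.slice(1))
      : pat === fileName;
    if (hit) ignored = !negated;
  }
  return ignored;
}

function scanSecrets(files, gitignoreText) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    text.split("\n").forEach((line, i) => {
      for (const { id, re, severity } of SECRET_RULES) {
        if (re.test(line)) findings.push({ path, line: i + 1, rule: id, severity });
      }
    });
  }
  if (!ignores(gitignoreText, ".env")) {
    findings.push({ path: ".gitignore", line: 0, rule: "env-not-ignored", severity: "high" });
  }
  return findings;
}

// "clean" with no findings, "notice" when every finding is low severity.
function verdict(findings) {
  if (findings.length === 0) return "clean";
  return findings.every((f) => f.severity === "low") ? "notice" : "fail";
}
// Constructed inputs: a fake key value and a typical .gitignore.
const SAMPLE_FILES = { "src/analytics.ts": 'posthog.init("phc_CONSTRUCTEDexampleKEY0000000000");' };
const SAMPLE_GITIGNORE = "node_modules\n.env*\n!.env.example\n";
console.log(verdict(scanSecrets(SAMPLE_FILES, SAMPLE_GITIGNORE)));
```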