Example Scans
Real scans of well-maintained open-source libraries, generated using AnalysisEngine.analyzeProject() directly (with check_dependencies run via the real tool handler). Each entry pins a specific commit so the numbers are reproducible.
| Repo | Language | Issues | Critical | High | SQALE |
|---|---|---|---|---|---|
| google/gson | Java | 602 | 0 | 60 | A |
| serilog/serilog | C# | 198 | 0 | 46 | A |
| slimphp/Slim | PHP | 79 | 0 | 19 | A |
What this is — and isn't
- Reproducible. Every page pins a commit SHA. Clone at that SHA, run tech-debt-mcp, get the same numbers.
- Not a verdict. "High" severity is a heuristic priority, not a bug. Many findings on healthy codebases are intentional trade-offs (test idioms, language-specific patterns).
- Not a security audit. The security category catches surface patterns; treat as a starting point, not an authoritative review.
- Repository authors are not responsible for these findings. False positives are tracked on the tech-debt-mcp issue tracker and improve over time.
Want a different repo featured?
Open an issue with the repo URL and why it would be a useful showcase.