Tags: GitHub CODEOWNERS · SOC2 CC8.1 · CIS Controls v8 §16 · OWASP A06 · Bus-Factor · Deep Prototype

CodeOwnersAudit — Repo CODEOWNERS Coverage + Bus-Factor Map

22 repos audited. Per repo: CODEOWNERS coverage %, bus-factor (unique owner teams), former-employees still listed, files without an owner, branch-protection coverage, signed-commits enforcement. Surfaces 4 repos with bus-factor 1, 4 repos with stale former-employee owners, and 2 repos with no CODEOWNERS file at all.


What it is

The recurring check that every repo-governance program needs and few actually run. Most teams write a CODEOWNERS file once and never audit it. Then people leave, the repo gets moved or forked, the file goes stale, and a tier-0 repo ends up with a single former employee as its only listed owner. On GitHub that is worse than it looks: code owners must hold write access to the repo, so a departed owner cannot be assigned the review and the files they "own" are effectively unowned. CodeOwnersAudit catches that before it matters.

What’s in it

  • 22 repos spanning the realistic SaaS surface — tier-0 (app-monolith, payments-worker, auth-svc, webhook-receiver, infra-terraform), tier-1 (search-svc, cart-svc, mobile-iOS / mobile-Android, SDKs), tier-2 (ml-recommendation, support-portal, admin-tools, reporting-svc, analytics-pipeline, legacy-mongo-svc).
  • Per-repo 8-check audit:
    1. CODEOWNERS file present
    2. Coverage % (owned files / total files)
    3. Bus-factor (distinct owner teams or users; ≥2 is the floor)
    4. Former employees as owners
    5. Branch protection on default branch
    6. Required reviews enforced, including "require review from Code Owners" (without it CODEOWNERS is only a reviewer suggestion)
    7. Signed commits required
    8. Unowned files count
  • Worst-offender findings:
    • R12 support-portal — NO CODEOWNERS, NO branch protection, only contributor in the last 6 months is ex-employee-2
    • R22 legacy-mongo-svc — NO CODEOWNERS, last commit 14mo ago by ex-employee-4 (cross-references RetentionPolicy R035 + APITokenAudit AK55)
    • R08 notifications-svc — bus-factor 1 + ex-employee-1 still listed
    • R13 admin-tools — ex-employee-3 still on owners list
  • Per-repo CODEOWNERS preview — copy-pasteable file with strikethrough lines for ex-employee removal + suggested template for repos missing the file.
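The checks above reduce to one parsing problem: matching each file in the repo against the CODEOWNERS rules with GitHub's semantics (last matching line wins, a pattern line with no owners leaves its files unowned, `docs/*` matches one level only, `apps/` matches any directory of that name) and then counting. The block below is an added example, not the CodeOwnersAudit tool's own code, showing coverage %, bus-factor, unowned files and stale-owner detection over a constructed CODEOWNERS file and file list; the repo, team and `@ex-employee-1` names are invented, and the "effective coverage" figure that discounts departed owners is a modelling choice, not a GitHub metric.

```javascript
// Added example (not the CodeOwnersAudit tool's own code): parse a GitHub
// CODEOWNERS file and run the coverage / bus-factor / unowned / stale-owner
// checks over a constructed file list. Assumes GitHub's documented semantics
// (last match wins; no '!' negation or '[...]' ranges; '#' only at line start).

// Convert one CODEOWNERS pattern into a RegExp over root-relative paths.
function patternToRegex(pattern) {
  let p = pattern;
  // A leading '/' or any interior '/' anchors the pattern at the repo root.
  const anchored = p.startsWith('/') || p.slice(0, -1).includes('/');
  if (p.startsWith('/')) p = p.slice(1);
  const dirOnly = p.endsWith('/');
  if (dirOnly) p = p.slice(0, -1);

  let body = '';
  for (let i = 0; i < p.length; i++) {
    if (p.startsWith('**/', i)) { body += '(?:.*/)?'; i += 2; }
    else if (p.startsWith('**', i)) { body += '.*'; i += 1; }
    else if (p[i] === '*') body += '[^/]*';
    else if (p[i] === '?') body += '[^/]';
    else body += p[i].replace(/[.+^${}()|[\]\\]/g, '\\$&');
  }
  const lastSeg = p.slice(p.lastIndexOf('/') + 1);
  // A trailing '/' or a literal last segment owns everything beneath it;
  // a wildcard last segment (e.g. docs/*) matches files at that depth only.
  const tail = dirOnly ? '/.*' : (/[*?]/.test(lastSeg) ? '' : '(?:/.*)?');
  return new RegExp('^' + (anchored ? '' : '(?:.*/)?') + body + tail + '$');
}

// Parse CODEOWNERS text into ordered rules; a line with no owners is valid
// and explicitly un-owns whatever it matches.
function parseCodeowners(text) {
  const rules = [];
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;        // blank or comment
    const [pattern, ...owners] = line.split(/\s+/);
    rules.push({ pattern, owners, regex: patternToRegex(pattern) });
  }
  return rules;
}

// Owners of one path: the LAST matching rule wins (GitHub semantics).
function ownersOf(rules, path) {
  for (let i = rules.length - 1; i >= 0; i--) {
    if (rules[i].regex.test(path)) return rules[i].owners;
  }
  return [];
}

// Run the audit for one repo. `formerEmployees` stands in for an HR export.
function auditRepo(codeownersText, files, formerEmployees) {
  const rules = parseCodeowners(codeownersText);
  const stale = new Set(formerEmployees);
  const unowned = [];
  const staleOnly = [];            // files whose every listed owner has left
  const activeOwners = new Set();  // distinct live owners owning >= 1 file
  for (const f of files) {
    const owners = ownersOf(rules, f);
    if (owners.length === 0) { unowned.push(f); continue; }
    const live = owners.filter(o => !stale.has(o));
    if (live.length === 0) staleOnly.push(f);
    live.forEach(o => activeOwners.add(o));
  }
  const owned = files.length - unowned.length;
  return {
    coveragePct: Math.round(100 * owned / files.length),
    // GitHub requires code owners to hold write access, so a departed owner
    // reviews nothing; discount their files to get the real coverage.
    effectiveCoveragePct: Math.round(100 * (owned - staleOnly.length) / files.length),
    busFactor: activeOwners.size,
    unowned,
    staleOwners: [...new Set(rules.flatMap(r => r.owners).filter(o => stale.has(o)))],
    staleOnlyFiles: staleOnly,
  };
}

// Constructed sample inputs (invented repo layout, teams and handles).
const SAMPLE_CODEOWNERS = `
# Default owner for anything not matched below
*                 @acme/platform
*.js              @acme/frontend
/build/logs/      @ex-employee-1
docs/*            @acme/docs
/apps/            @acme/platform @acme/payments
/apps/github
`;
const SAMPLE_FILES = [
  'README.md', 'src/app.js', 'build/logs/ci.txt', 'docs/getting-started.md',
  'docs/build-app/troubleshooting.md', 'apps/payments/worker.js', 'apps/github/webhook.yml',
];
const SAMPLE_FORMER = ['@ex-employee-1'];

console.log(JSON.stringify(auditRepo(SAMPLE_CODEOWNERS, SAMPLE_FILES, SAMPLE_FORMER), null, 2));
```

On the sample the headline coverage is 86 % but the effective coverage is 71 %, because `build/logs/` is owned only by someone who has left, and `apps/github/webhook.yml` shows up as unowned even though `/apps/` looks fully covered at first glance. Both are exactly the gaps a once-written CODEOWNERS file hides.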

Why this shape

GitHub CODEOWNERS is the lowest-effort mechanism for routing every PR to a knowledgeable reviewer, but it only enforces anything when branch protection on the default branch also requires review from code owners; without that setting it is a reviewer suggestion, which is why the audit pairs the file check with the branch-protection checks. SOC2 CC8.1 (change management), CIS Controls v8 §16 (application software security) and OWASP Top-10 A06:2021 (vulnerable and outdated components) all rest on the same operational fact: knowing who owns each piece of code. The bus-factor-1 finding (a single owner who could leave) is the highest-impact, lowest-cost gap to fix in any organization.

How it ships

Single HTML file, ~16KB. Zero dependencies. 22 repos × 8-check audit + per-repo CODEOWNERS preview generator in 200 lines of vanilla JavaScript.
