A comprehensive CLI tool that audits codebases for production readiness across 13 categories with 70+ checks.
| Category | Checks | Inspired By |
|---|---|---|
| Security | Hardcoded secrets, dependency lockfiles, .env exposure |
security review |
| Reliability | Health endpoints, graceful shutdown, retry logic, error handling | SRE best practices |
| Observability | Structured logging, metrics, distributed tracing, alerting | monitoring & ops |
| Testing | Test files, CI pipelines, coverage config, e2e tests | QA |
| Documentation | README quality, API docs, ADRs, changelog, contributing guide | technical writing |
| Operations | Dockerfiles, K8s manifests, IaC, dockerignore | DevOps |
| Code Quality | File size, function length, TODO debt, SQL injection, duplication, nesting depth | code review & simplification |
| Release | Versioning, changelog, release automation, lockfiles, CODEOWNERS | shipping workflows |
| Architecture | ADRs, layered structure, circular imports, config management, DB migrations, API versioning, DI | engineering planning |
| Accessibility | Alt text, form labels, ARIA landmarks, focus styles, responsive design, a11y testing tools | browser QA & WCAG |
| API Design | OpenAPI specs, rate limiting, auth, error formats, input validation, CORS, pagination | API development |
| Developer Experience | Linting, formatting, pre-commit hooks, editor config, task runners, contributing guide, dev containers | DX & onboarding |
| Process | CI completeness (test/lint/security/deploy steps), PR templates, issue templates, Dependabot, CODEOWNERS, scheduled jobs | engineering process & retros |
# Install
pip install -e .
# Analyze current directory (all 13 categories)
production-readiness-analyzer .
# JSON output for CI pipelines
production-readiness-analyzer ./my-project --format json
# Only run specific categories
production-readiness-analyzer . --categories security,testing,api_design
# List all available categories
production-readiness-analyzer . --list-categories
# Set a minimum score threshold (exit code 1 if below)
production-readiness-analyzer . --threshold 80╭──────────── Production Readiness Report: my-project ─────────────╮
│ Overall Score: 68/100 [█████████████░░░░░░░] NEEDS WORK │
╰──────────────────────────────────────────────────────────────────╯
Security 85/100 █████████████████░░░
Reliability 60/100 ████████████░░░░░░░░
Observability 55/100 ███████████░░░░░░░░░
Testing 90/100 ██████████████████░░
Documentation 70/100 ██████████████░░░░░░
Operations 72/100 ██████████████░░░░░░
Code Quality 78/100 ████████████████░░░░
Release 65/100 █████████████░░░░░░░
Architecture 60/100 ████████████░░░░░░░░
Accessibility 100/100 ████████████████████
API Design 45/100 █████████░░░░░░░░░░░
Developer Experience 72/100 ██████████████░░░░░░
Process 55/100 ███████████░░░░░░░░░
Critical Issues (3):
[SEC-001] Possible hardcoded API key in src/config.py:23
[API-003] No authentication/authorization patterns detected
[PRC-003] No CI/CD pipeline
Warnings (8):
[OBS-002] No metrics library or endpoint detected
[CQ-001] src/monolith.py has 847 lines — consider splitting
[DX-001] No linting configuration found
...
Create a .readiness.yml in your project root to customize:
# Exclude paths from scanning
exclude:
- vendor/
- node_modules/
- "*.test.*"
# Adjust severity thresholds
thresholds:
overall: 80
security: 90
testing: 75
# Disable specific checks
disabled_checks:
- OPS-004 # skip k8s manifest check
- A11Y-000 # skip accessibility (no frontend)
- API-000 # skip API design (not an API)Click to expand full check reference
SEC-001Hardcoded secrets (API keys, passwords, tokens)SEC-002Missing dependency lockfileSEC-003.envnot in.gitignoreSEC-004.envfile committed to repo
REL-001No health check endpointREL-002No graceful shutdown handlingREL-003No retry / circuit breaker logicREL-004No error handling patterns
OBS-001No structured loggingOBS-002No metrics endpoint/libraryOBS-003No distributed tracingOBS-004No alerting configuration
TST-001Missing or insufficient test filesTST-002No CI/CD pipelineTST-003No coverage configurationTST-004No e2e/integration tests
DOC-001Missing or sparse READMEDOC-002No CHANGELOGDOC-003No API documentationDOC-004No ADRsDOC-005No CONTRIBUTING guide
OPS-001No container configurationOPS-002No K8s/Helm manifestsOPS-003No Infrastructure as CodeOPS-004Missing .dockerignoreOPS-005No environment-specific configs
CQ-001Oversized files (>500 lines)CQ-002Long functions (>80 lines)CQ-003TODO/FIXME/HACK markersCQ-004SQL injection risk (string concatenation)CQ-005Debug print statements left in codeCQ-006Deeply nested code (4+ levels)CQ-007Duplicated code patterns
SHP-001No version declarationSHP-002No/sparse CHANGELOGSHP-003No release automationSHP-004No release/tag configurationSHP-005Manifest without lockfileSHP-006No CODEOWNERS
ARC-001No ADRsARC-002No layered architectureARC-003Circular importsARC-004No config management / missing .env.exampleARC-005Database without migrationsARC-006API without versioningARC-007No dependency injection (large codebases)
A11Y-001Images without alt textA11Y-002Form inputs without labelsA11Y-003No ARIA landmarksA11Y-004No focus stylesA11Y-005No responsive designA11Y-006No a11y testing toolsA11Y-007No skip-to-content linkA11Y-008Missing lang attribute on HTML
API-001No OpenAPI/Swagger specAPI-002No rate limitingAPI-003No authentication/authorizationAPI-004No standardized error responsesAPI-005No input validationAPI-006No CORS configurationAPI-007No pagination
DX-001No linting configurationDX-002No code formatterDX-003No pre-commit hooksDX-004No editor/IDE settingsDX-005No task runnerDX-006No CONTRIBUTING guideDX-007No dev containerDX-008README lacks setup instructions
PRC-001No PR templatePRC-002No issue templatesPRC-003No CI pipeline / missing test stepPRC-004CI missing lint stepPRC-005CI missing security scanningPRC-006CI missing deploy stepPRC-007No Dependabot/RenovatePRC-008No scheduled CI jobsPRC-009No CODEOWNERS
git clone https://github.com/Pcecil21/production-readiness-analyzer.git
cd production-readiness-analyzer
pip install -e ".[dev]"
pytestMIT