Scheduled audits, owned by the team. Not a gate — a rhythm.
Watchdog is the independent codebase-assurance surveyor, on your calendar — a survey you run, never a gate that blocks you. A scheduled audit you can trend — catch the drift between sprints before it compounds; the team owns it, it never blocks a PR. Weekly, every sprint, monthly or quarterly: the Codebase Assurance Index (CAI) climb, the slop vs brilliant composition, where architecture and security are drifting, and a prioritized fix list for your AI assistant — then the next scan proves the number moved.
From €135 / mo · scales with lines scanned · pricing →
Self-serve · No credit card · C#/.NET native · The first full report on any repo is free — public or private.
The trend line your retro puts on the wall — better or worse since last sprint, with receipts.
Where the drift is — and where to point the team.
Where the drift is — from real surveys
The actual in-app surfaces, live from published reports: the file-quality mix trended scan-by-scan, and the cross-signal conclusions to point the team at. The same components you work in.
Loading real published surveys…
Real published surveys, selected for this audience — each widget shows only when the repo has that signal. Browse every published survey →
On a schedule you own. Never a PR gate.
Calendar-driven audits catch what PR-only scanning can't: CVEs, bus-factor risk, and rot that compounds when nobody commits. Your retro trends it; your security watch surfaces regressions the day they appear.
On a schedule
Weekly, every sprint, monthly or quarterly — the audit runs even in quiet months, when CVEs and bus-factor risk accrue with zero commits.
In the retro
A trend line per lens you can put on the wall — better or worse since last sprint, with receipts. Slop falling is a team win you can see. And every survey ships a changelog — CAI & per-lens deltas, findings closed vs opened, the features & fixes that landed by area — so the sprint retro writes itself.
Watched daily
The security watch surfaces new CVEs, leaked secrets and score regressions the day they appear — between full scans.
Before the big moments
Scan on demand before a release, a handover or a due-diligence — the report is the evidence, the trend is the story.
How much of your codebase is slop — and how much is brilliant?
Every scan scores the composition of the whole repo: the share that is genuinely brilliant and worth protecting, the fine middle ground, and the slop — duplication, dead scaffolding, unreviewed generated code. The split is on every report card, and the trend shows it falling.
What the CAI sees that a linter doesn't.
A linter scores files one rule at a time and is blind to the architecture, ownership, and composition of the system. Watchdog scores the whole repo.
- Blind to architecture, ownership and composition
- Blind to what rots between commits — CVEs, bus factor, obsolescence
- Code health — complexity, duplication, dead code, IL method bloat (read from the emitted bytecode), test quality
- Architecture — cycles, layer violations, DDD alignment — and, for bounded-context systems, a clickable C4 map of your contexts coloured by health with the coupling drawn in red
- Security & compliance — CVEs (SCA for NuGet & npm), secrets, SAST, posture — CWE-tagged, with a CycloneDX SBOM every scan
- Maturity & readiness — tests, observability, ADRs, deploy
- Behavioral analysis — hotspots (churn × complexity), key-person / bus-factor risk, knowledge freshness, and change coupling, mined from your git history
- Plus rebuild cost (€) and the slop-vs-brilliant split
The behavioral signals a dedicated behavioral-analysis tool gives you — hotspots, ownership, change coupling — are here too, mined from the same git history. The difference: ours roll into one neutral, reproducible number you can trend, they're handed to your AI assistant to act on, and we never touch your code to produce them.
Why not just ask an LLM?
An LLM opinion changes every time you ask it. A measurement you can trend — and stake a decision on — requires reproducible scoring.
A different answer every run — nothing you can trend or stake a decision on. Only sees the slice that fits its context window. Can't tell you whether you're getting better or worse.
Reproducible — the same CAI every time, across the whole codebase. Trended — every scan appends; regressions surface with the next scan. A fix oracle — hand the prioritized findings to Claude Code or Cursor, then re-scan to prove the number moved.
The CAI is an open, reproducible standard — the algorithm, the lenses and the rubric are public, and the reference scorer is open source. So the number you trend isn't a vendor's say-so: when you put it in front of a board, a stakeholder or a client, they can re-run the open scorer over the evidence and get the same number themselves. The CAI standard → cai.canine.dev · Reproduce it →
We never touch your code.
Watchdog measures; it never modifies. We hand the intelligence to you and your AI — then you make the change. scan → you (or your AI) fix → we prove.
Hands you — and your coding agent over MCP — the finding, the rule that fired, the rationale, the file and line, and the score-impact of fixing it. You apply the change in your own environment; the next scan proves it landed. We never commit, never push, never open a fix-PR.
Some tools edit your code for you — apply refactorings, commit suggestions, open fix-PRs. A measurer that also rewrites the thing it grades can't stay neutral, and you lose chain-of-custody on the change. We stay the independent instrument: the hand on your code is always yours.
How it works.
Install the App on the org you want watched. GitHub access ⇒ Watchdog access.
First scan runs immediately — a baseline CAI and full report in minutes. The first full report is free.
Weekly, every sprint, monthly or quarterly — plus the daily security watch. Trends accrue on their own.
- EU data residency Processed only on hardware we own in Denmark — no cloud provider in the path.
- No third-party AI The language model is self-hosted; your code is never sent to OpenAI, Anthropic or Google.
- Source never persisted Each scan clones, analyses, then deletes the working copy — and we never train on your code.
- Read-only by doctrine We measure and advise; we never commit, push, or edit your code.
Put a number on your codebase.
First full report per repo free — public & private · see pricing · what we measure