Get the software surveyed before you trust it with the business.
You'd never buy a house on the seller's word — you'd commission your own survey. Watchdog is the independent surveyor for C#/.NET: one reproducible 0–100 Codebase Assurance Index, in a report both sides of a deal can trust. A measurement, not an opinion.
Point us at your repo — nothing to install, no CI step, no SDK, no lock-in. Read-only clone, public or private — your first survey is ready in minutes.
Sign in with GitHub · No card · C#/.NET · The first full report on any repo is €0 — depth is never gated.
Signed, and pinned to a commit + frozen rubric — the same inputs always reproduce this score.
- Not a CI scanner or linter: Never scores a line or blocks a merge.
- Not a SAST / dataflow engine: Reads their signal; doesn't out-depth one.
- Not a coding agent: Never edits, commits, pushes or opens a PR.
- Not a certifier: Records the evidence; a named human signs.
- An independent surveyor: One altitude above your scanners.
- One reproducible CAI: Signed, commit-pinned — re-runs to the same number.
- A read-only oracle: Serves every finding to your agent over MCP.
- A whole-system survey: Architecture, maturity, compliance & risk in one report.
Graded by the open CAI standard — across ten lenses.
Five are always on; five light up with your architecture. We don't just score them — we locate every finding to file:line, trend each lens scan over scan, and hand you what to fix. The standard is open: each lens links to its exact dimensions on cai.canine.dev.
The full vocabulary — every dimension, its evaluator and rubric version — lives on the open standard.
Start where you stand. I'm a…
Pick the hat you're wearing — each opens the survey framed for your situation, the same framing the app then carries inside.
- …looking to prove my code to a client who can't read it — an independent score for the proposal and the hand-over. Single seat.
- Buyer or procurement → …looking to verify software I can't read. Write "Supplier shall deliver a CAI ≥ 80" into the tender and check it at delivery.
- Provider or consultancy → …looking to prove my quality and win the bid — an independent number no slide deck can match.
- Engineering team → …looking to catch the drift between sprints — a scheduled audit I can trend before it compounds.
- Acquirer, investor or insurer → …looking to appraise the asset: data-room due diligence and software-as-collateral for the balance sheet.
- Compliance or regulatory officer → …looking to prove it's audit-defensible: measured, gated conformance across NIS2, DORA, GDPR and more, in a signed pack.
- Business owner or decision-maker → …looking to know the condition of the asset I own: how good it is, what it's worth, and what to raise with my team — in plain language.
Or come in by role: Builders · Leads · Decision-makers · Compliance — each lands on the survey framed for your situation.
The CAI plus the deductions — what's wrong, what it means for you, what to do.
A survey isn't a dashboard you log into. It's the number and the reading — tailored to your role and handed over as artifacts a deal can stand on.
The CAI and every finding in a content-addressed PDF + JSON, pinned to a commit and a frozen rubric hash — re-runnable by either side.
Bind agreed criteria — "CAI ≥ 80, no critical CVEs" — into the deal, and verify them at delivery as a signed attestation.
Every finding is a briefed task — the rule that fired, the file and line, and the score-impact — served to your coding agent over Watchdog's Model Context Protocol server, ranked by impact ÷ effort. Your agent opens the PR in your own repo; the next survey proves the number moved.
Weekly full surveys plus a daily security watch, on a calendar — your portfolio trended, not a one-off snapshot. Your code rots even when nobody commits; the quiet months are watched, not skipped.
What moved since last time — CAI & per-lens deltas, the findings resolved vs raised, the features & fixes that landed, and any added or removed API endpoints. A sprint-ready record, derived facts only (never your source).
A C4 architecture map, a CycloneDX SBOM + licence inventory, and ADR-conformance — derived from the code on every survey, current by construction. The hand-over, audit and onboarding doc, never maintained by hand.
Commissioned by one side. Trusted by both — because the method is open.
A survey is only worth something because the surveyor is independent and paid the same either way, and because you can check the work. Watchdog is structurally neutral — and the way we measure isn't ours to keep.
The same versioned rubric scores you whoever pays; pin it frozen for a contract. Watchdog builds nobody's software and never touches yours — and there are no success fees. We're paid to measure, never to make the number go up.
We don't score by a private formula. We measure by the CAI — an open, reproducible standard: the algorithm, the lenses and the rubric are public, and the reference scorer is open source. The CAI standard → cai.canine.dev
We publish the evidence behind a score. Take a survey, run the open scorer over its evidence, and you get the same number — or you've found a discrepancy.
Real reports, fully open — not a logo wall.
Every tile is a real repository whose owner chose to publish, with its entire survey open to read — every lens, every finding, and the exact rule each was scored by. No cherry-picked mock-ups. Audit how each number was reached; then run the same measurement on your own code.
- EU data residency: Processed only on hardware we own in Denmark — no cloud provider in the path.
- No third-party AI: The language model is self-hosted; your code is never sent to OpenAI, Anthropic or Google.
- Source never persisted: Each scan clones, analyses, then deletes the working copy — and we never train on your code.
- Read-only by doctrine: We measure and advise; we never commit, push, or edit your code.
Read-only by doctrine. Your code never leaves your control.
Compliance evidence with a gate you can't quietly pass.
A catalog of ten frameworks (WCAG, NIS2, DORA, SSDF, SLSA, OWASP ASVS and more). We measure the automatable slice and gate it: a control we caught failing can't be silently passed — overriding it is recorded, in full, in the artifact. You declare the rest, and a named person signs. We measure; you declare; we never certify.
Run the whole survey inside your own network.
For regulated and security-sensitive teams, Watchdog deploys self-hosted: your code never leaves your perimeter, the language model runs on your hardware, and the SOC 2 / data-residency question goes away. EU data residency, no third-party AI, source never persisted — on infrastructure you control.
Software is the only seven-figure asset you run without an appraisal. Get one.