Skip to content

petrarca/tech-stack-analyzer

BranchesTags

Repository files navigation

Tech Stack Analyzer

A technology stack analyzer written in Go that automatically detects technologies, frameworks, databases, and tools used in codebases. Re-implements specfy/stack-analyser with improvements and extended technology support.

What It Does

The Tech Stack Analyzer scans a codebase and produces a structured JSON inventory of its technology stack. It identifies:

  • Programming Languages - Source code languages and versions
  • Package Dependencies - npm, pip, cargo, composer, nuget, maven, conan, and more
  • Frameworks - .NET, Spring Boot, Angular, React, Django, and others
  • Databases - PostgreSQL, MySQL, MongoDB, Redis, Oracle, SQL Server
  • Infrastructure - Docker, Kubernetes, Terraform, CI/CD pipelines
  • DevOps Tools - Monitoring, deployment, and build tools

Detection is powered by 800+ technology rules across 48 categories, using file names, extensions, package manifests, environment variables, and content pattern matching.

Key Features

  • Zero Dependencies - Single binary deployment, no runtime requirements
  • 800+ Technology Rules - Comprehensive detection across 48 categories
  • Lock File Support - Extracts exact resolved versions from package-lock.json, pnpm-lock.yaml, Cargo.lock, uv.lock, poetry.lock, etc., and records the originally declared range alongside the resolved version
  • Dependency Graph - Emits the package-to-package dependency graph (edges) across 19 ecosystems, off by default via --dependency-graph; optional online resolution (deps.dev) fills gaps for manifest-only ecosystems
  • CycloneDX SBOM - Emits a PURL-based SBOM consumable directly by vulnerability scanners such as Trivy
  • Code Statistics - Lines of code, complexity metrics, and language breakdown via SCC
  • Automatic .gitignore - Respects .gitignore files with full gitignore semantics (negation !, dir-only /, last-match-wins)
  • Hierarchical Output - Component-based analysis with parent-child relationships
  • Aggregated Views - Rollup summaries for quick technology stack overviews
  • Content-Based Detection - Validates technologies through regex pattern matching in file contents
  • Subsystem Statistics - Per-subsystem code metrics via depth-based splitting or named groups for large monorepos
  • Language Reclassification - Override go-enry's language detection per glob pattern to fix misclassified extensions or relabel proprietary file formats

Quick Start

Install

# Build from source
git clone https://github.com/petrarca/tech-stack-analyzer.git
cd tech-stack-analyzer
go build -o bin/stack-analyzer ./cmd/scanner

# Or use Task (recommended)
task build

# Or install directly
go install github.com/petrarca/tech-stack-analyzer/cmd/scanner@latest

Prerequisites: Go 1.19+

Scan a Project

# Scan current directory
./bin/stack-analyzer scan

# Scan a specific directory
./bin/stack-analyzer scan /path/to/project

# Save results to a custom file
./bin/stack-analyzer scan /path/to/project --output results.json

# Get an aggregated overview
./bin/stack-analyzer scan --aggregate all /path/to/project

# Full output + aggregate in one scan pass (e.g. for large codebases)
./bin/stack-analyzer scan /path/to/project --also-aggregate tech,techs,languages,dependencies,git

# Emit a CycloneDX SBOM (with PURLs) for vulnerability scanning
./bin/stack-analyzer scan /path/to/project --sbom -o sbom.cdx.json
# ...then scan it with Trivy:
#   trivy sbom sbom.cdx.json

# Full scan output + SBOM companion in one pass (out.json -> out.cdx.json)
./bin/stack-analyzer scan /path/to/project -o out.json --also-sbom

# Emit the package-to-package dependency graph (off by default)
./bin/stack-analyzer scan /path/to/project --dependency-graph full -o out.json

# Strip fields not needed by downstream consumers
./bin/stack-analyzer scan /path/to/project --omit-fields reason,edges

# Pipe to jq
./bin/stack-analyzer scan -o - /path/to/project | jq '.techs'

# List available technologies
./bin/stack-analyzer info techs

Quick Codebase Summary

# Human-readable summary instead of JSON
./bin/stack-analyzer summary /path/to/project

# With scan config
./bin/stack-analyzer summary --config scan-config.yml

Prints a concise text report with code statistics, languages, technologies, component tree, and observations (generated/vendored files, encoding issues). Useful for quick codebase introspection and onboarding.

Example Output

{
  "id": "a30339f5ba410aaa588e",
  "name": "my-project",
  "path": ["/"],
  "tech": ["nodejs"],
  "techs": ["nodejs", "react", "postgresql", "docker"],
  "languages": {"TypeScript": 89, "JavaScript": 45},
  "dependencies": [
    ["npm", "react", "18.2.0", "prod", true, {"source": "package-lock.json"}],
    ["npm", "express", "4.18.2", "prod", true, {"source": "package-lock.json"}]
  ],
  "children": [
    {
      "id": "f6b220e7ad1a4575fa38",
      "name": "backend",
      "path": ["/backend"],
      "tech": ["nodejs"],
      "techs": ["nodejs", "express", "postgresql"]
    }
  ],
  "metadata": {
    "timestamp": "2025-12-01T14:45:35Z",
    "duration_ms": 1173,
    "file_count": 523
  }
}

Use Cases

  • Technology Inventory - Generate comprehensive stack documentation
  • CI/CD Integration - Fast dependency detection in build pipelines
  • Portfolio Analysis - Scan hundreds of repositories in minutes
  • Migration Planning - Understand technology landscape before cloud or framework migrations
  • License Compliance - Feed dependency output into specialized license tools
  • Security Scanning - Provide dependency lists to vulnerability scanners

Documentation

For detailed documentation, see the docs/ folder:

Document Description
Usage Guide Commands, flags, verbose mode, code statistics, content-based detection
Configuration Project config, environment variables, scan config files, logging
Output Format Output structure, field reference, aggregated output, metadata
Extending Adding technology rules, component detectors, category configuration
Building Build instructions, project structure, architecture overview

Contributing

We welcome contributions! See CONTRIBUTING.md for guidelines on code style, testing, pre-commit hooks, pull requests, and development workflow.

License

This project is licensed under the MIT License - see the LICENSE file for details.

Acknowledgments

  • Original Project: Go re-implementation of specfy/stack-analyser by the original author
  • Industry Alignment: References Google's deps.dev for dependency data structure design
  • Language Detection: Uses go-enry (GitHub Linguist port) for language identification
  • Git Integration: Uses go-git for pure Go git operations

Built with Go - Single binary, zero dependencies, 800+ technology rules.

About

Go-based tech stack analyzer - single binary, zero-dependency deployment. Detects 700+ technologies across 32 categories.

Resources

Readme

License

Apache-2.0 license

Contributing

Contributing
Activity

Stars

1 star

Watchers

0 watching

Forks

1 fork
Report repository

Releases 10

v0.6.0 Latest
Jun 9, 2026
+ 9 releases

Packages

 
 
 

Contributors

Languages