About Kospex

Why Kospex exists

Kospex started with a question that kept coming up on security and code reviews: if no one here knows this code, how would we fix it?

Walk into an organisation with a few hundred repositories and you can usually get a vulnerability report within a day. What is much harder to answer is who understands the code well enough to act on it. Which repositories have no active contributors left. Which systems depend on one person who is about to change teams or resign. Which dependencies have drifted so far behind that a “just bump the version” fix turns into weeks of work.

Finding problems is the easy part. Fixing them depends on people and knowledge, and almost nothing in the standard tooling stack measures that.

What it does

Kospex reads the history already sitting in your git repositories and answers the questions that history can answer:

It is built for the situation that motivated it: hundreds or thousands of repositories, where nobody can hold the whole picture in their head.

How we think about it

Two ideas run through the tool.

The first is that source code is only part of the deliverable. A repository you still have but no longer understand is not really an asset. The discussions, the dead ends, the reasons a thing was built the way it was — that context leaves with people, and the code alone does not carry it.

The second is predictive maintenance. Most code problems are visible well before they become incidents: activity trails off, contributors leave, versions slip. If you can see that early, you can act deliberately instead of discovering it during an outage or an audit.

Open source

The core of Kospex is free and open source. You can install it, point it at your own repositories, and see what it finds — no sales conversation required.

Kospex is built and maintained by Kospex Pty Ltd.

If you are wrestling with any of this in your own organisation, get in touch — we are always interested in how other teams are approaching it.