Why Kospex exists
Kospex started with a question that kept coming up on security and code reviews: if no one here knows this code, how would we fix it?
Walk into an organisation with a few hundred repositories and you can usually get a vulnerability report within a day. What is much harder to answer is who understands the code well enough to act on it. Which repositories have no active contributors left. Which systems depend on one person who is about to change teams or resign. Which dependencies have drifted so far behind that a “just bump the version” fix turns into weeks of work.
Finding problems is the easy part. Fixing them depends on people and knowledge, and almost nothing in the standard tooling stack measures that.
What it does
Kospex reads the history already sitting in your git repositories and answers the questions that history can answer:
- Orphaned repositories — code where nobody who contributed still works here.
- Key person risk — where knowledge is concentrated in one or two people.
- Knowledge mapping — who actually knows which parts of the codebase.
- Dependency health — how far behind your open source libraries have drifted, and what is known-vulnerable.
- Technology landscape — what languages and frameworks you really run, and whether you have people who know them.
It is built for the situation that motivated it: hundreds or thousands of repositories, where nobody can hold the whole picture in their head.
How we think about it
Two ideas run through the tool.
The first is that source code is only part of the deliverable. A repository you still have but no longer understand is not really an asset. The discussions, the dead ends, the reasons a thing was built the way it was — that context leaves with people, and the code alone does not carry it.
The second is predictive maintenance. Most code problems are visible well before they become incidents: activity trails off, contributors leave, versions slip. If you can see that early, you can act deliberately instead of discovering it during an outage or an audit.
Open source
The core of Kospex is free and open source. You can install it, point it at your own repositories, and see what it finds — no sales conversation required.
Kospex is built and maintained by Kospex Pty Ltd.
If you are wrestling with any of this in your own organisation, get in touch — we are always interested in how other teams are approaching it.