Tools & Automation for Tech Debt

The industry standard for continuous code quality. Detects bugs, code smells, vulnerabilities, and estimates technical debt in hours across 30+ languages. The Community Edition is free and covers most needs.

Cloud-based quality platform with a focus on maintainability scoring. Assigns letter grades (A-F) to files, tracks technical debt ratio over time, and integrates with GitHub PRs for automated review feedback.

The standard linter for JavaScript and TypeScript. Catches common bugs, enforces code style, and supports custom rules. With the right plugin ecosystem (eslint-plugin-sonarjs, etc.), it becomes a powerful debt detector.

Comprehensive Python linter that checks for errors, enforces coding standards, and detects code smells like excessive complexity, too many arguments, and duplicate code. Pairs well with mypy for type checking.

JetBrains' Visual Studio extension for .NET developers. Real-time code analysis, automated refactoring, and code smell detection. Identifies unused code, complexity hotspots, and naming inconsistencies as you type.

Microsoft's official .NET code analyzers built into the compiler platform. Catch API misuse, performance pitfalls, and security issues at build time. Unlike ReSharper, they run in CI/CD without a license.

Scans dependencies, containers, and infrastructure-as-code for vulnerabilities. Provides fix PRs with minimal version bumps. The free tier covers open source projects and small teams with up to 200 tests per month.

GitHub's built-in dependency updater. Automatically opens PRs for outdated or vulnerable packages. Configurable update schedules, version strategies, and grouping. Zero setup cost for GitHub repositories.

The most configurable dependency update bot. Works with GitHub, GitLab, Bitbucket, and Azure DevOps. Supports monorepos, group updates, custom versioning strategies, and auto-merge for patch updates.

Built into npm itself. Scans your node_modules for known vulnerabilities and suggests fixes. Run npm audit fix to auto-patch where possible. Simple but limited to the npm advisory database.

Open source tool that identifies known vulnerabilities in project dependencies by checking against the National Vulnerability Database (NVD). Supports Java, .NET, Python, Ruby, Node.js, and more.

Enterprise-grade open source security and license compliance. Tracks every dependency in your codebase, flags vulnerabilities, and enforces license policies. Particularly strong in regulated industries.

The gold standard for .NET architecture analysis. Visualizes dependency graphs, calculates technical debt in time units, and lets you write custom code rules using CQLinq. Integrates with Visual Studio and CI pipelines.

Visualizes and controls the architecture of Java, C#, and C/C++ codebases. Shows dependency tangles, enforces layering rules, and tracks architecture debt over time. Ideal for large codebases where structure has eroded.

Write architecture rules as unit tests for Java and .NET. Enforce layering ("controllers must not access repositories directly"), naming conventions, and dependency rules. Runs in your existing test suite.

Uses Dependency Structure Matrices (DSMs) to visualize and manage architecture. Supports Java, C/C++, .NET, and database schemas. DSM views make circular dependencies and layering violations immediately visible.

Lightweight Java package dependency analyzer. Measures abstractness, instability, and distance from the "main sequence." Identifies packages that are too concrete or too abstract, signaling architecture debt.

The most popular JavaScript testing framework. Zero-config setup, built-in mocking, snapshot testing, and code coverage. Fast parallel execution with intelligent test ordering. Works with React, Vue, Node.js, and more.

Microsoft's end-to-end testing framework. Tests across Chromium, Firefox, and WebKit with a single API. Auto-wait, network interception, and mobile emulation. Generates tests from browser interactions with codegen.

Developer-friendly E2E testing with time-travel debugging and real-time reloading. Runs inside the browser for faster execution. The paid Cloud tier adds parallelization, analytics, and flaky test detection.

The standard JavaScript code coverage tool. Measures line, branch, function, and statement coverage. Generates HTML reports showing exactly which lines are untested. Built into Jest; standalone via nyc for other runners.

Mutation testing for JavaScript, TypeScript, C#, and Scala. Modifies your code and checks if tests catch the change. If they do not, your tests have gaps. The best way to measure real test quality beyond line coverage.

SonarQube imports coverage data from your test runner and combines it with its own analysis. You get coverage trends, quality gate enforcement (e.g., "no merge if new code coverage drops below 80%"), and per-PR feedback.

Native CI/CD for GitHub repositories. Massive marketplace of pre-built actions for linting, testing, security scanning, and deployment. Free for public repos, generous free tier for private repos. YAML-based configuration.

Built-in CI/CD with GitLab's DevOps platform. Auto DevOps can detect your stack and configure pipelines automatically. Includes SAST, DAST, dependency scanning, and container scanning in the Ultimate tier.

The original open source CI/CD server. Thousands of plugins, complete flexibility, and self-hosted control. Requires more maintenance than cloud alternatives but offers unmatched customization for complex build pipelines.

Microsoft's CI/CD platform with deep .NET and Azure integration. YAML or visual designer for pipelines. Free tier includes 1 parallel job with 1800 minutes per month. Strong integration with Azure cloud services.

Cloud-native CI/CD known for speed and caching. Orbs (reusable config packages) simplify setup. Test splitting distributes tests across containers for faster feedback. SSH debugging for investigating failures.

Anthropic's CLI-based coding agent. Understands entire codebases, executes multi-step refactoring tasks, runs and fixes tests, and generates documentation. Excels at large-scale refactoring where context across many files matters.

AI-first code editor built on VS Code. Chat with your codebase, apply AI edits inline, and use Cmd+K for targeted refactoring. The Composer feature handles multi-file changes with diff previews before applying.

The most widely adopted AI coding assistant. Inline suggestions, chat panel, and Copilot Workspace for multi-file tasks. Deep GitHub integration for PR summaries, code review, and documentation generation.

AWS's AI coding assistant with a unique focus on code transformations. Automates Java version upgrades, .NET framework migrations, and mainframe modernization. The free tier includes code suggestions and security scanning.

AI assistant backed by Sourcegraph's code search. Understands your entire codebase -- even massive monorepos -- because it indexes everything. Ask questions about code, generate context-aware edits, and find patterns across repositories.

Privacy-focused AI code completion that can run on-premises. Trains on your codebase to match your team's patterns and conventions. Strong choice for enterprises with strict data residency requirements.