Documentation

Everything you need to get started with Repobility

Getting Started

  1. Create an account — Sign up with your email or connected account. The free tier includes 3 repositories and 5 analyses per month.
  2. Add a repository — Paste a Git URL or connect a provider account to import private repositories directly.
  3. Wait for analysis — Our engine runs a multi-layer pipeline against your code. This typically takes 1-5 minutes depending on repository size.
  4. Review findings — Browse your dashboard to see quality scores, security vulnerabilities, tech debt estimates, and more.
  5. Use AI prompts — Copy the generated fix prompts into your AI coding assistant (Claude, ChatGPT, Copilot) to automatically fix issues.

Connecting Repositories

Provider Accounts

Connect Gitea, Forgejo, GitHub, GitLab, Bitbucket, Azure DevOps, or a generic Git host from settings. Tokens are encrypted at rest and matched by host when private repositories are cloned or checked.

Git URL

Paste any public Git URL (HTTPS) to analyze repositories from any provider. For private repositories, provide authentication via the settings panel.

Supported Providers
  • Gitea / Forgejo, including private self-hosted instances
  • GitHub and GitHub Enterprise
  • GitLab and self-hosted GitLab
  • Bitbucket, Azure DevOps, Gerrit, and generic Git-compatible hosts

Understanding Results

After analysis completes, your repository dashboard shows:

  • Quality Score (A-E): Overall health grade based on 8 dimensions
  • Security Score: Vulnerability and secret exposure rating
  • Tech Debt: Estimated remediation effort in hours
  • Findings: Individual issues categorized by type and severity
  • Languages & Frameworks: Detected tech stack
  • DORA Metrics: Deployment and operational health indicators

Finding Lifecycle

Each finding has a stable fingerprint and lifecycle state. Rescans show what is new, reopened, unchanged, fixed, suppressed, or marked false positive instead of creating duplicate rows.

  • Open: still actionable and visible in the default issue queue.
  • Confirmed: reviewed and accepted as a real issue.
  • False Positive / Accepted Risk / Suppressed: auditable but removed from open issue counts.
  • Fixed: no longer detected by a scanner that completed in the latest scan.

.repobilityignore

Add a small ignore file at the repository root to suppress known generated files, sample credentials, or reviewed exceptions.

SEC020 app/logging.py reason="redacted metadata only" expires=2026-12-31
gitleaks:* docs/** reason="documented sample credentials"
* generated/** reason="generated vendor output"
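
As an added illustration of how these lines can be evaluated against findings (example code written for this page, not Repobility's own implementation), the parser below assumes that the first column is a glob over scanner rule ids (`*` covers every rule, `gitleaks:*` every gitleaks rule), the second column is a glob over repository-relative paths, `reason` is required, and `expires` is an optional ISO date after which the suppression stops applying and the finding returns to the open queue. The sample ignore file and findings are constructed from the three lines above.

```python
# Added example (not Repobility's own code): parser and matcher for the
# .repobilityignore format. Assumed semantics: column 1 is a glob over rule
# ids, column 2 a glob over repository paths, reason= is required and
# expires= is an optional ISO date after which the rule no longer applies.
from __future__ import annotations

import shlex
from dataclasses import dataclass
from datetime import date
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class IgnoreRule:
    rule_glob: str          # e.g. "SEC020", "gitleaks:*", "*"
    path_glob: str          # e.g. "app/logging.py", "docs/**"
    reason: str             # justification kept for the audit trail
    expires: date | None    # None means the suppression does not expire


def parse_ignore_file(text: str) -> list[IgnoreRule]:
    """Parse the ignore file; blank lines and '#' comments are skipped."""
    rules: list[IgnoreRule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # shlex keeps reason="..." as one token
        if len(tokens) < 2:
            raise ValueError(f"line {lineno}: expected '<rule-glob> <path-glob> ...'")
        rule_glob, path_glob, *options = tokens
        reason, expires = "", None
        for opt in options:
            key, sep, value = opt.partition("=")
            if key == "reason" and sep:
                reason = value
            elif key == "expires" and sep:
                expires = date.fromisoformat(value)
            else:
                raise ValueError(f"line {lineno}: unknown option {opt!r}")
        if not reason:
            raise ValueError(f"line {lineno}: a reason= is required")
        rules.append(IgnoreRule(rule_glob, path_glob, reason, expires))
    return rules


def _as_date(today: date | str) -> date:
    return today if isinstance(today, date) else date.fromisoformat(today)


def matching_rule(rules, rule_id: str, path: str, today: date | str) -> IgnoreRule | None:
    """First unexpired rule whose globs cover this finding, or None."""
    now = _as_date(today)
    for rule in rules:
        if rule.expires is not None and now > rule.expires:
            continue  # expired suppressions fall back to the open queue
        # fnmatch's "*" also crosses "/", so "docs/**" covers nested paths
        if fnmatchcase(rule_id, rule.rule_glob) and fnmatchcase(path, rule.path_glob):
            return rule
    return None


def apply_ignores(findings, rules, today: date | str):
    """Split (rule_id, path) findings into still-open and suppressed lists."""
    still_open, suppressed = [], []
    for rule_id, path in findings:
        rule = matching_rule(rules, rule_id, path, today)
        if rule is None:
            still_open.append((rule_id, path))
        else:
            suppressed.append((rule_id, path, rule.reason))
    return still_open, suppressed


# Constructed sample input: the three lines from the documentation above.
SAMPLE_IGNORE = """\
SEC020 app/logging.py reason="redacted metadata only" expires=2026-12-31
gitleaks:* docs/** reason="documented sample credentials"
* generated/** reason="generated vendor output"
"""

# Constructed sample findings as (rule_id, path) pairs.
SAMPLE_FINDINGS = [
    ("SEC020", "app/logging.py"),
    ("gitleaks:aws-access-key", "docs/setup.md"),
    ("SEC042", "generated/vendor/bundle.js"),
    ("SEC042", "src/main.py"),
]

if __name__ == "__main__":
    rules = parse_ignore_file(SAMPLE_IGNORE)
    for day in ("2026-06-01", "2027-01-01"):
        still_open, suppressed = apply_ignores(SAMPLE_FINDINGS, rules, day)
        print(day, "open:", still_open)
        print(day, "suppressed:", suppressed)
```

Run with a date after 2026-12-31 and the SEC020 finding reappears in the open list, which is the behaviour an expiring exception should have: the suppression is time-boxed, and the reason string travels with the suppressed finding so the audit trail explains why it was hidden.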

AI Fix Prompts

Each finding includes a tailored prompt designed for AI coding assistants. These prompts include:

  • Exact file path and line number
  • Current problematic code
  • Suggested fix approach
  • CWE/OWASP reference for security issues
  • Best practice explanation

Simply copy the prompt and paste it into Claude, ChatGPT, GitHub Copilot, or any AI assistant to get an immediate fix.

Quality Scores

Quality is measured across 8 dimensions:

Dimension        What It Measures
---------------  ---------------------------------------------------------
Structure        File organization, module boundaries, naming conventions
Code Quality     Complexity, duplication, code smells
Documentation    README, inline docs, API documentation coverage
Testing          Test file presence, coverage indicators, test patterns
Best Practices   Linting config, CI/CD, containerization, .gitignore
Security         Vulnerability count, secret exposure, OWASP compliance
Dependencies     Outdated packages, vulnerability exposure, license risk
Maintainability  Cognitive complexity, tech debt ratio, change risk

Security Findings

Security findings are classified by severity:

  • Critical: Actively exploitable vulnerabilities, leaked production credentials
  • High: SQL injection, XSS, known CVEs in dependencies
  • Medium: Insecure configurations, missing security headers
  • Low: Informational findings, deprecated practices

Exports

Analysis results can be exported in multiple formats:

  • JSON: Full structured data for programmatic consumption
  • CSV: Tabular data for spreadsheets and data analysis
  • PDF: Formatted report for stakeholders and audits
  • SARIF: Static Analysis Results Interchange Format for IDE integration
  • SBOM (CycloneDX): Software Bill of Materials in CycloneDX format
  • SBOM (SPDX): Software Bill of Materials in SPDX format

Open findings can be exported from the issue board or through /api/v2/repos/<id>/sarif/?state=open. SARIF from other scanners can be imported through /api/v2/repos/<id>/import_sarif/.
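
One practical use of the open-findings SARIF export is a CI gate that fails the pipeline while blocking findings remain. The script below is an added example written for this page, not Repobility's own tooling; it assumes the export is standard SARIF 2.1.0 (runs[].results[] carrying ruleId, level and locations, and runs[].tool.driver.rules[] carrying defaultConfiguration.level), and the sample document embedded in it is constructed. The REPOBILITY_REPO_ID and FAIL_ON environment variables are names chosen for this example.

```python
# Added example (not Repobility's own code): gate a CI job on the open-findings
# SARIF export. Assumes standard SARIF 2.1.0 structure; the sample is constructed.
from __future__ import annotations

import json
import os
import sys
import urllib.request
from collections import Counter

API_BASE = "https://repobility.com/api/v2"
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}  # SARIF result levels


def fetch_open_sarif(repo_id: str, api_key: str) -> dict:
    """GET /repos/<id>/sarif/?state=open with a bearer token (network; not run offline)."""
    req = urllib.request.Request(
        f"{API_BASE}/repos/{repo_id}/sarif/?state=open",
        headers={"Authorization": f"Bearer {api_key}"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def _rules_by_id(run: dict) -> dict:
    return {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}


def effective_level(result: dict, rules_by_id: dict) -> str:
    """SARIF precedence: result.level, else the rule's defaultConfiguration.level, else 'warning'."""
    if "level" in result:
        return result["level"]
    rule = rules_by_id.get(result.get("ruleId"), {})
    return rule.get("defaultConfiguration", {}).get("level", "warning")


def summarize(sarif: dict) -> Counter:
    """Count results per effective level across all runs."""
    counts: Counter = Counter()
    for run in sarif.get("runs", []):
        rules = _rules_by_id(run)
        for result in run.get("results", []):
            counts[effective_level(result, rules)] += 1
    return counts


def violations(sarif: dict, fail_on: str = "error") -> list[tuple[str, str]]:
    """(ruleId, first file uri) for every result at or above the fail_on level."""
    threshold = LEVEL_RANK[fail_on]
    found = []
    for run in sarif.get("runs", []):
        rules = _rules_by_id(run)
        for result in run.get("results", []):
            if LEVEL_RANK.get(effective_level(result, rules), 2) < threshold:
                continue
            locations = result.get("locations", [])
            uri = "<no location>"
            if locations:
                uri = locations[0].get("physicalLocation", {}).get("artifactLocation", {}).get("uri", uri)
            found.append((result.get("ruleId", "<no rule>"), uri))
    return found


def _loc(uri: str) -> dict:
    return {"physicalLocation": {"artifactLocation": {"uri": uri}}}


# Constructed sample: the shape an open-findings export is assumed to have.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "repobility", "rules": [
            {"id": "SEC020", "defaultConfiguration": {"level": "warning"}},
            {"id": "gitleaks:aws-access-key", "defaultConfiguration": {"level": "error"}},
        ]}},
        "results": [
            {"ruleId": "gitleaks:aws-access-key", "locations": [_loc("config/settings.py")]},
            {"ruleId": "SEC020", "level": "error", "locations": [_loc("app/logging.py")]},
            {"ruleId": "SEC020", "locations": [_loc("app/views.py")]},
            {"ruleId": "STYLE001", "level": "note", "locations": [_loc("README.md")]},
        ],
    }],
}

if __name__ == "__main__":
    repo_id = os.environ.get("REPOBILITY_REPO_ID")
    api_key = os.environ.get("REPOBILITY_API_KEY")  # a service key scoped to repos:read
    sarif = fetch_open_sarif(repo_id, api_key) if repo_id and api_key else SAMPLE_SARIF
    print("open findings by level:", dict(summarize(sarif)))
    blocking = violations(sarif, fail_on=os.environ.get("FAIL_ON", "error"))
    for rule_id, uri in blocking:
        print(f"blocking: {rule_id} in {uri}")
    sys.exit(1 if blocking else 0)
```

Without the environment variables the script runs against the embedded sample, which is useful for checking the gate logic locally. The level fallback matters in practice: a result that omits `level` inherits its rule's default, so a secret-detection rule configured as `error` still blocks the build even when the individual result carries no level of its own.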

API Reference

The REST API supports repository results, findings, check runs, provider connections, and scoped service keys for CI/CD. Use service keys for pipelines and restrict each key to the minimum scopes and repositories needed.

  • checks:write submits CI check results.
  • checks:read reads check history and gate results.
  • repos:read reads repository scores and findings.

# Example: List your repositories
curl -H "Authorization: Bearer REPOBILITY_API_KEY" \
  https://repobility.com/api/v2/repos/

# Example: Get analysis findings
curl -H "Authorization: Bearer REPOBILITY_API_KEY" \
  https://repobility.com/api/v2/repos/123/findings/