App Modernization architecture cloud native containers news open source

Introducing the Open Source Application Portfolio Auditor

Today we are thrilled to unveil the open source release of the Application Portfolio Auditor, designed to help organizations automatically analyze and make sense of their most complex application portfolios. The tool can help you save precious time by harnessing the collective intelligence of 15 application analysis tools and making the results easy to digest and export. The Application Portfolio Auditor is the result of more than four years of development by VMware Tanzu Labs with more than 50 releases and 1,000 commits for the benefit of dozens of customer projects around the globe.

The challenge of large portfolios

So you’ve been tasked to build a modernization or containerization roadmap? Chances are you might be struggling to craft an accurate inventory and are facing heterogeneity, scale, and consistency issues.

Enterprise application portfolios are vast and varied, encompassing internally/externally developed and purchased software. All major programming languages are likely used, forming a constantly growing and barely documented base of hundreds or even thousands of apps. If you have an official inventory consolidated into a configuration management database (CMDB), it would be surprising if its data is consistent and up to date.

On the other hand, harvesting insights to make data-driven decisions for your modernization can be a time-consuming and tedious process. Working only at a source code level cannot be an option, as it means retrieving dozens of code repositories in very specific versions for each application.

These challenges hinder quick and comprehensive assessments of the application’s technical state (cloud readiness, technologies, architecture, dependencies) and alignment with the business outcomes you want to achieve. In the end, you just need enough information (see The Legacy Trap ebook) to figure out where to start, how far you should transform your apps, as well as where they should land.

How Application Portfolio Auditor helps

The Application Portfolio Auditor is a tool designed to help consistently assess cloud readiness, quality, and security of large sets of apps. It gathers and aggregates the insights of up to 15 software analyzers.

Cloud readiness

Cloud Suitability Analyzer
Windup
WebSphere Application Migration Toolkit

Security

OWASP Dependency Check
Find Security Bugs
ShiftLeft SAST Scan
Insider SAST
Grype
Syft
Trivy

Structure and quality

GitHub Linguist
Count Lines of Code
Microsoft Application Inspector
nexB ScanCode
PMD Source Code Analyzer

Like Google, Meta, and other large tech companies, you will be able to approach software analysis by including multiple tools to catch their largely non-overlapping patterns. 

The Application Portfolio Auditor is a comprehensive command line interface (CLI) implementing best practices for at-scale software analysis. It processes binary applications as well as plain source code and intelligently selects appropriate analyzers based on your applications’ characteristics. There is no need to spend hours retrieving source code repositories. After an orchestrated execution of the selected analyzers, the tool extracts various scores and insights. It generates heat map reports that visually summarize cloud readiness, security, quality insights, and language distribution across your portfolio. To easily browse and share your findings with your colleagues, all reports can be automatically packaged as a zip file, Kubernetes, or Cloud Foundry deployment.

Turning insights into roadmaps

The generated reports with the Application Portfolio Auditor lay the foundation for the data-driven modernization roadmaps we craft for large companies. The overview page is the starting point to access all findings.

Application Portfolio Auditor reports overview

Example of an overview report generated with Application Portfolio Auditor

In the image below, the blue, green, and red heat maps of the respective cloud readiness, quality, and security pages enable you to compare and rank your applications at one glance. The darker the cell, the worse the rating for security, cloud readiness, or simplicity. Each cell can be clicked to deep-dive into the corresponding reports and learn more about the strengths and weaknesses of the analyzed factors.

Application Portfolio Auditor cloud readiness reports

Example of cloud readiness heat map reports (blue) generated with Application Portfolio Auditor

Application Portfolio Auditor security reports

Example of security (blue) reports (red) generated with Application Portfolio Auditor
 

A separate page visualizing the languages used in each application is a great help in recognizing similarly structured applications and grouping them.

Application Portfolio Auditor report showing distribution of languages used in applications

Example of a language distribution visualization generated with Application Portfolio Auditor
 

Each of the 15 analyzers instrumented by the Application Portfolio Auditor has its own sets of detectable patterns and formatted reports. With some practice, you will be able to quickly get a 360-degree understanding of any application by identifying its architecture, anti-patterns, technologies, security concerns, performance bottlenecks, and development model.

The consolidated application scores can be downloaded as a CSV file and imported into your preferred spreadsheet editor. This makes it easy to start drafting an impact-effort matrix and prioritize your application transformation efforts against the value you will get out of the modernization. The quadrant with high technical feasibility and high business impact comprises the top candidates for your modernization initiative.

Matrix showing technical feasibility and business impact of app modernization

Illustration of an impact-effort matrix classifying applications based on their technical and business scores

Get started

The Application Portfolio Auditor instruments 15 software analyzers and structure findings, enabling you to better understand your application portfolios. Auditor is open source and can be downloaded on GitHub.

Curious to see how your apps are doing? Follow the instructions to get started with the Application Portfolio Auditor. We also welcome all contributions and feedback!