Why tugtug?
Most code-quality tools measure complexity. tugtug also measures churn — and combines both into a practical risk signal for small teams and solo developers.
What you can't get from a code host alone
A code host stores and versions your code. tugtug analyzes it. Here's what the gap looks like in practice.
| What your code host shows you | What tugtug adds on top |
|---|---|
| The files in your repository. | Which files are the most dangerous based on complexity × churn combined. |
| Who changed a file and when (git blame). | How often each file has changed in the last 90 days — a churn score per file. |
| Commit history — a list of changes over time. | A health score trend chart showing whether the codebase is getting better or worse. |
| Diff views showing what changed between two commits. | An AST-based complexity score for every file — how many decision paths exist. |
| Secret scanning for plaintext credentials (paid, enterprise tier). | Security scanning of live code for 16 vulnerability patterns: XSS, command injection, prototype pollution, weak hashing, and more. |
| Code search — find a string or file name. | Duplication detection — copy-pasted blocks across files, with a percentage per file. |
| Nothing about which files change together. | File coupling graph — pairs of files that always change together, surfacing hidden architectural dependencies. |
| Nothing about exports that are unused. | Dead code detection — exports that nothing in the project actually imports or uses. |
| Nothing about cognitive readability of code. | Cognitive complexity score — how hard is this code for a human to read? |
| No automated weekly summary emails about code health. | Weekly email digest: health scores, new alerts, and regressions. Every Monday. |
| No cross-analysis risk alerting. | Automatic risk alerts when files cross the hotspot threshold or worsen significantly. |
What tugtug focuses on
✓available · –not available · ■ partial — often available with extra setup, enterprise tooling, or a different workflow
| Feature | tugtug | Typical code-quality tools |
|---|---|---|
| Hotspot map combining complexity and churn | ✓ | ■ |
| File coupling analysis from commit history | ✓ | ■ |
| Cyclomatic complexity | ✓ | ✓ |
| Cognitive complexity | ✓ | ✓ |
| Code duplication detection | ✓ | ✓ |
| Security scanning for risky code patterns | ✓ | ✓ |
| Secret / credential scanning | ■ | ✓ |
| Dead code / unused exports | ✓ | ■ |
| Health score trend over time | ✓ | ✓ |
| Automatic risk alerts | ✓ | ✓ |
| Shared workspace and audit log | ✓ | ✓ |
| Shareable read-only report links | ✓ | ■ |
| No server setup required | ✓ | ■ |
| Private repository analysis for signed-in users | ✓ | ✓ |
This is a product-focus comparison, not a claim that no other tool can produce similar data. Enterprise platforms can cover many of these areas; tugtug packages the hotspot and coupling workflow for a lightweight GitHub-first setup.
The two things tugtug is built around
The Hotspot Map
Other tools can tell you a file is complex. They can flag that it has issues. But the useful question is which complex files are also changing the most — and that combination is what predicts real-world bug risk.
The bubble chart lets you see your entire codebase at once and immediately spot the dangerous clusters. This visualization is based on research by Adam Tornhill (Your Code as a Crime Scene) and is uncommon in lightweight code-quality dashboards.
File Coupling Analysis
When two files always appear in the same commit, they're secretly connected — a change to one almost always requires a change to the other. This hidden dependency is a major source of bugs: developers who touch file A may not realize they need to touch file B.
tugtug surfaces these pairs automatically by analyzing commit history. Most lightweight tools stop at the file in front of you; tugtug shows the relationships that history keeps revealing.
See it on any codebase — no account needed.
Paste any public GitHub repo on the home page and get a full hotspot report in under a minute.