Spartacus, scanned.
ngcompass analysed SAP Spartacus — 7,583 files, 31,590 checks, in 16.1 seconds on a single workstation. Here's what it found.
Production-scale.
Multi-team.
Real.
SAP's open-source Angular storefront for SAP Commerce Cloud — a large, multi-team monorepo of core, feature, and storefront libraries. Spartacus is a useful real-world benchmark because it spans every Angular pattern ngcompass cares about: large component trees, RxJS-heavy state, in-progress signal migration, SSR, complex template bindings, and security-sensitive content rendering. The numbers below are exactly what the CLI reported — no curation, no filtering.
7,583
Files discovered
1,215 scanned · 7,089 clean
16.1s
Wall-clock duration
471/s files · 1,962/s checks
31,590
Checks executed
10 of 27 rules fired
1,426
Findings reported
1,012 errors · 414 warnings
Run it. Get a report.
No configuration, no preset selection, no allowlists. The default recommended preset, against the unmodifiedmainbranch of SAP Spartacus.
❯ Writing report...
❯ 7,583 files · 31,590 checks · 16.1s
❯ 7,089 files no issues · ✗ 494 files with violations
× 1,426 violations (1,012 errors, 414 warnings) FAILED
Fast enough to run on every PR.
Single-process, single-machine. No clustering, no remote workers, no warm cache.
16.1s
Total time
471
Files / second
1,962
Checks / second
Intel Core i7-10750H (6 cores · 12 threads @ 2.6 GHz), 16 GB DDR4 · 2933 MT/s. No CI fleet, no cluster, no GPU, no warm cache.
Where the violations live.
10 rules triggered out of 27 active. Two patterns — method calls in templates and legacy @Input() decorators — account for 86% of all findings.
- 01
template-no-call-expression846Method calls in template bindings re-run on every change detection pass.
- 02
signal-prefer-input-signal384@Input() that could migrate to the new input() signal API.
- 03
prefer-on-push-component-change-detection164Components using default change detection instead of OnPush.
- 04
rxjs-no-nested-subscribe11Nested subscribe() chains that fragment stream lifetimes.
- 05
toSignal-require-initialValue6toSignal() calls without an explicit first-value strategy.
- 06
template-prefer-control-flow5Legacy *ngIf / *ngFor that could use @if / @for.
- 07
no-bypass-sanitization4DomSanitizer bypass calls that can expose unsafe content.
- 08
template-no-object-literal-binding2Object literals in bindings create new references each cycle.
- 09
signal-effect-must-be-destroy-scoped2effect() inside a method lacking an explicit lifecycle owner.
- 10
signal-prefer-model2Input/Output pairs that could migrate to model().
How the findings break down.
1,426
total findings
1,012
71% of findings · fail the build
414
29% of findings · advisory
93.5%
clean
7,089
93.5% of files
494
6.5% of files
4 signals from one run.
Performance dominates
1,012 of 1,426 violations are performance-related — call expressions in templates and missing OnPush account for 99% of error-severity findings. Targeted refactors here have outsized rendering impact.
Signals migration is the next step
384 occurrences of @Input() and 6 toSignal() patterns suggest Spartacus is mid-migration to the modern signal API. ngcompass can codify that direction as a CI gate.
Security posture is strong
Only 4 sanitizer-bypass findings across 1,215 TypeScript files — a strong baseline that's worth keeping enforced.
Ready for CI
A 16-second wall-clock run on 7,583 files comfortably fits a pre-merge GitHub Action. SARIF output surfaces every finding as an inline review comment on the diff.
Reproduce this run in 30 seconds.
Clone SAP Spartacus, install ngcompass, and run the same command. No config, no telemetry, no upload — the same report ends up next to the source.