Engineering analytics tools face a trust test before a feature test: will this vendor store our source code? For many teams — regulated industries, security-conscious startups, open-source-heavy orgs — the answer has to be no.
DevInsights is built metadata-first. We learn how you ship from the events around code, not the code itself.
What we ingest
We connect to your VCS with read-only OAuth. From there we ingest PR titles, labels, reviewers, commit timestamps, branch names, and deploy events — the signals teams already generate without extra instrumentation.
That is enough to compute cycle time, review latency, deploy frequency, and change failure rate. It is also enough to power stale-PR detection and team load signals without reading a single line of application logic.
- PR and commit metadata (titles, labels, reviewers, timestamps)
- Deploy and environment events from your existing CI/CD hooks
- Optional Slack delivery — digests, not file attachments
What we skip
No file blobs. No AST parsing. No training models on your intellectual property. No 'helpful' code search that becomes a security review blocker.
Baselines still work because delivery health lives in metadata: who reviewed, how long it waited, when it shipped, whether it came back. The story of shipping is in the graph of events, not in the diff.
What to tell security
When procurement asks 'where does our code go?' the answer is short: it does not. Share the OAuth scope list, the data flow diagram, and a link to a digest — proof without a philosophical debate.
Teams that cannot use code-scanning analytics still need delivery visibility. Metadata-only is not a compromise version of the product — it is the architecture we would choose again.
Key takeaways
- Cycle time, DORA metrics, and review health work from metadata alone.
- No source storage means simpler security reviews and broader adoption.
- The shipping story lives in events — PRs, reviews, deploys — not file contents.


