12-Factor App Compliance Analysis
Reference: The Twelve-Factor App
Overview
The 12-Factor App methodology is a set of best practices for building Software-as-a-Service applications that are:
-
Portable across execution environments
-
Scalable without architectural changes
-
Suitable for continuous deployment
-
Maintainable with minimal friction
Input Parameters
Parameter Description Required
codebase_path
Root path of the codebase to analyze Required
Analysis Framework
Factor I: Codebase
Principle: One codebase tracked in revision control, many deploys.
Search Patterns:
Check for version control
ls -la .git 2>/dev/null || ls -la .hg 2>/dev/null
Check for multiple apps sharing codebase
find . -name "package.json" -o -name "pyproject.toml" -o -name "setup.py" | head -20
Check for environment-specific code branches
grep -r "if.production|if.development|if.staging" --include=".py" --include=".js" --include=".ts"
File Patterns: .git/ , package.json , pyproject.toml , deployment configs
Compliance Criteria:
Level Criteria
Strong Single Git repo, same codebase for all environments, no env-specific code branches
Partial Single repo but some environment-specific code paths
Weak Multiple repos for same app or significant code duplication across environments
Anti-patterns:
-
Multiple Git repositories for the same application
-
Environment-specific code branches (if production: ... )
-
Different source files for dev vs prod
-
Shared code not extracted to libraries
Factor II: Dependencies
Principle: Explicitly declare and isolate dependencies.
Search Patterns:
Python dependency files
find . -name "requirements.txt" -o -name "pyproject.toml" -o -name "setup.py" -o -name "Pipfile" -o -name "uv.lock"
JavaScript/TypeScript dependency files
find . -name "package.json" -o -name "package-lock.json" -o -name "yarn.lock" -o -name "pnpm-lock.yaml"
Check for system tool assumptions
grep -r "subprocess.*curl|subprocess.*wget|os.system.ffmpeg|shutil.which" --include=".py" grep -r "exec.curl|child_process.curl" --include=".js" --include=".ts"
Docker/container isolation
find . -name "Dockerfile" -o -name "docker-compose*.yml"
File Patterns: /requirements.txt , **/package.json , **/.lock , **/Dockerfile
Compliance Criteria:
Level Criteria
Strong Lock files present, dependency isolation (venv/Docker), no implicit system tools
Partial Dependencies declared but no lock files or isolation
Weak Dependencies in documentation only, relies on system-installed packages
Anti-patterns:
-
Missing lock files (non-deterministic builds)
-
Assuming system tools (curl, ImageMagick, ffmpeg) are available
-
Different dependency managers in dev vs production
-
No virtual environment or container isolation
Factor III: Config
Principle: Store config in the environment.
Search Patterns:
Environment variable usage
grep -r "os.environ|os.getenv|process.env|ENV[" --include=".py" --include=".js" --include=".ts" --include=".rb"
Hardcoded credentials (anti-pattern)
grep -r "password.=.['"]" --include=".py" --include=".js" --include=".ts" | grep -v "test|spec|example" grep -r "api_key.=.['"]" --include=".py" --include=".js" --include=".ts" | grep -v "test|spec|example" grep -r "secret.=.['"]" --include=".py" --include=".js" --include="*.ts" | grep -v "test|spec|example"
Environment-specific config files (anti-pattern)
find . -name "config.dev." -o -name "config.prod." -o -name "settings.development." -o -name "settings.production."
Database URLs in code
grep -r "postgresql://|mysql://|mongodb://|redis://" --include=".py" --include=".js" --include="*.ts" | grep -v ".env|test|example"
File Patterns: /.env , **/config/.py , **/settings.py , environment files
Compliance Criteria:
Level Criteria
Strong All config via environment variables, no hardcoded secrets, could open-source without leaks
Partial Most config externalized but some hardcoded defaults
Weak Hardcoded credentials, environment-specific config files
Anti-patterns:
-
Hardcoded database URLs, API keys, passwords in source
-
Config files like config/production.yml vs config/development.yml
-
Environment grouping (if ENV == 'production': ... )
-
Secrets committed to version control
Factor IV: Backing Services
Principle: Treat backing services as attached resources.
Search Patterns:
Database connection via config
grep -r "DATABASE_URL|DB_HOST|REDIS_URL|CACHE_URL" --include=".py" --include=".js" --include="*.ts"
Service initialization
grep -r "create_engine|MongoClient|Redis|Celery|boto3" --include=".py" grep -r "createPool|createClient|new Redis|S3Client" --include=".js" --include="*.ts"
Hardcoded service locations (anti-pattern)
grep -r "localhost:5432|localhost:6379|localhost:27017|127.0.0.1" --include=".py" --include=".js" --include="*.ts" | grep -v "test|spec|example|default"
File Patterns: **/database/.py , **/services/.py , **/db.py , connection configurations
Compliance Criteria:
Level Criteria
Strong All services via URL/connection string in config, swappable without code changes
Partial Most services configurable but some hardcoded defaults
Weak Hardcoded service locations, different code paths per environment
Anti-patterns:
-
Hardcoded localhost for services in production code
-
Conditional logic for local vs cloud services (if USE_S3: ... else: local_storage )
-
Service-specific code paths based on environment
-
Different drivers for dev vs prod
Factor V: Build, Release, Run
Principle: Strictly separate build and run stages.
Search Patterns:
Build/deploy configuration
find . -name "Dockerfile" -o -name "Makefile" -o -name "build.sh" -o -name "deploy.sh" find . -name ".github/workflows/*.yml" -o -name ".gitlab-ci.yml" -o -name "Jenkinsfile"
Build scripts in package.json
grep -A5 '"scripts"' package.json 2>/dev/null | grep -E "build|start|deploy"
Check for runtime compilation (anti-pattern)
grep -r "compile|transpile|webpack" --include="*.py" | grep -v "test|build"
File Patterns: **/Dockerfile , **/Makefile , /.github/workflows/ , CI/CD configs
Compliance Criteria:
Level Criteria
Strong Immutable releases, clear build/release/run stages, unique release IDs
Partial Build and run separated but release not immutable
Weak Runtime code modifications, asset compilation at startup
Anti-patterns:
-
Runtime code modifications
-
Asset compilation during application startup
-
Configuration baked into build artifacts
-
No release versioning
Factor VI: Processes
Principle: Execute the app as one or more stateless processes.
Search Patterns:
Session storage patterns
grep -r "session|Session" --include=".py" --include=".js" --include="*.ts" | head -20
In-process state (anti-pattern)
grep -r "global.cache|process_local|instance_cache" --include=".py" grep -r "global..=|module.exports.cache" --include=".js" --include="*.ts"
External session stores (good pattern)
grep -r "redis.session|memcached.session|session.redis" --include=".py" --include=".js" --include=".ts"
Sticky session configuration (anti-pattern)
grep -r "sticky.session|session.affinity" --include=".yml" --include=".yaml" --include="*.json"
File Patterns: **/middleware/.py , **/session/.py , server configurations
Compliance Criteria:
Level Criteria
Strong Stateless processes, all state in external datastores (Redis, DB)
Partial Mostly stateless but some in-process caching
Weak Sticky sessions, in-process session storage, shared memory state
Anti-patterns:
-
In-process session storage (user_sessions = {} )
-
Sticky sessions or session affinity
-
File-based caching between requests
-
Global mutable state shared across requests
Factor VII: Port Binding
Principle: Export services via port binding.
Search Patterns:
Self-contained port binding
grep -r "app.run|server.listen|serve|uvicorn" --include=".py" grep -r "app.listen|server.listen|createServer" --include=".js" --include="*.ts"
PORT environment variable
grep -r "PORT|port" --include=".py" --include=".js" --include="*.ts" | grep -i "environ|process.env"
Webserver as dependency
grep -r "uvicorn|gunicorn|flask|fastapi|express|koa|hapi" package.json pyproject.toml requirements.txt 2>/dev/null
File Patterns: **/main.py , **/server.py , **/app.py , **/index.js
Compliance Criteria:
Level Criteria
Strong Self-contained app binds to PORT, webserver is a dependency
Partial Port binding but not configurable via environment
Weak Relies on external webserver container (Apache, Nginx) to provide HTTP
Anti-patterns:
-
Relying on Apache/Nginx/Tomcat to inject webserver functionality
-
Hardcoded port numbers
-
No PORT environment variable support
-
CGI scripts or server modules
Factor VIII: Concurrency
Principle: Scale out via the process model.
Search Patterns:
Process definitions
find . -name "Procfile" -o -name "process.yml" -o -name ".foreman"
Multiple entry points
find . -name "worker.py" -o -name "scheduler.py" -o -name "web.py"
Background job systems
grep -r "celery|rq|sidekiq|bull|agenda" --include=".py" --include=".js" --include=".ts" grep -r "Celery|Worker|BackgroundJob" --include=".py" --include=".js" --include=".ts"
File Patterns: **/Procfile , **/worker.py , **/scheduler.py , queue configurations
Compliance Criteria:
Level Criteria
Strong Explicit process types (web, worker, scheduler), horizontal scaling
Partial Multiple process types but not easily scalable
Weak Single monolithic process, no separation of concerns
Anti-patterns:
-
Single process handling all workloads
-
Hard-coded worker counts in code
-
No separation between web and background processes
-
Vertical scaling only (bigger server, not more processes)
Factor IX: Disposability
Principle: Maximize robustness with fast startup and graceful shutdown.
Search Patterns:
Signal handlers
grep -r "signal.signal|SIGTERM|SIGINT|atexit" --include="*.py" grep -r "process.on.SIGTERM|process.on.SIGINT" --include=".js" --include=".ts"
Graceful shutdown
grep -r "graceful.shutdown|shutdown_handler|cleanup" --include=".py" --include=".js" --include=".ts"
Startup time
grep -r "startup|initialize|bootstrap" --include=".py" --include=".js" --include="*.ts" | head -20
File Patterns: **/main.py , **/server.py , lifecycle management code
Compliance Criteria:
Level Criteria
Strong Fast startup (<10s), SIGTERM handling, graceful shutdown, jobs returnable to queue
Partial Graceful shutdown but slow startup
Weak No signal handling, jobs lost on process death, slow startup
Anti-patterns:
-
No SIGTERM/SIGINT handlers
-
Slow startup (>30 seconds)
-
Jobs lost if process crashes
-
No cleanup on shutdown
Factor X: Dev/Prod Parity
Principle: Keep development, staging, and production as similar as possible.
Search Patterns:
Different services per environment (anti-pattern)
grep -r "if.development.sqlite|if.production.postgres" --include=".py" --include=".js" --include=".ts" grep -r "development.SQLite|production.PostgreSQL" --include=".py" --include=".js" --include=".ts"
Docker for parity
find . -name "docker-compose*.yml" -o -name "Dockerfile"
Environment-specific backends
grep -r "USE_LOCAL_|LOCAL_STORAGE|MOCK_" --include=".py" --include=".js" --include="*.ts"
File Patterns: */docker-compose.yml , environment configurations
Compliance Criteria:
Level Criteria
Strong Same services everywhere (PostgreSQL in dev and prod), containerized
Partial Mostly same but some lightweight dev alternatives
Weak SQLite in dev, PostgreSQL in prod; different backing services
Anti-patterns:
-
SQLite for development, PostgreSQL for production
-
In-memory cache in dev, Redis in prod
-
Different service versions across environments
-
"It works on my machine" issues
Factor XI: Logs
Principle: Treat logs as event streams.
Search Patterns:
Stdout logging
grep -r "print(|logging.info|logger.info|console.log" --include=".py" --include=".js" --include="*.ts" | head -20
File-based logging (anti-pattern)
grep -r "FileHandler|open..log|writeFile.log|fs.appendFile.log" --include=".py" --include=".js" --include=".ts" grep -r "/var/log|/tmp/..log|logs/" --include=".py" --include=".js" --include=".ts" | grep -v "test|example"
Structured logging
grep -r "structlog|json_logger|pino|winston" --include=".py" --include=".js" --include="*.ts"
File Patterns: **/logging.py , **/logger.py , logging configurations
Compliance Criteria:
Level Criteria
Strong Unbuffered stdout only, structured logging (JSON), no file management
Partial Stdout logging but with some file handlers
Weak Application writes to log files, manages rotation
Anti-patterns:
-
Writing logs to files (FileHandler , open('/var/log/app.log') )
-
Log rotation logic in application code
-
Log archival managed by application
-
Buffered logging
Factor XII: Admin Processes
Principle: Run admin/management tasks as one-off processes.
Search Patterns:
Management commands
find . -name "manage.py" -o -name "Rakefile" -o -name "artisan" grep -r "@cli.command|@click.command|typer.command" --include="*.py"
Migration scripts
find . -name "migrations" -type d find . -name "migration.py" -o -name "migrate.py"
Admin scripts with proper isolation
grep -r "bundle exec|source.venv|uv run" --include=".sh" --include="Makefile"
File Patterns: **/manage.py , **/cli.py , /migrations/ , admin scripts
Compliance Criteria:
Level Criteria
Strong Admin tasks use same dependencies/config, proper isolation, idempotent
Partial Admin tasks exist but different setup from app
Weak Manual database manipulation, scripts without isolation
Anti-patterns:
-
Admin scripts not using app's dependency manager
-
Direct SQL manipulation outside of migrations
-
Admin scripts with hardcoded credentials
-
Non-idempotent migrations
Output Format
Executive Summary Table
| Factor | Status | Notes |
|---|---|---|
| I. Codebase | Strong/Partial/Weak | [Key finding] |
| II. Dependencies | Strong/Partial/Weak | [Key finding] |
| III. Config | Strong/Partial/Weak | [Key finding] |
| IV. Backing Services | Strong/Partial/Weak | [Key finding] |
| V. Build/Release/Run | Strong/Partial/Weak | [Key finding] |
| VI. Processes | Strong/Partial/Weak | [Key finding] |
| VII. Port Binding | Strong/Partial/Weak | [Key finding] |
| VIII. Concurrency | Strong/Partial/Weak | [Key finding] |
| IX. Disposability | Strong/Partial/Weak | [Key finding] |
| X. Dev/Prod Parity | Strong/Partial/Weak | [Key finding] |
| XI. Logs | Strong/Partial/Weak | [Key finding] |
| XII. Admin Processes | Strong/Partial/Weak | [Key finding] |
Overall: X Strong, Y Partial, Z Weak
Per-Factor Analysis
For each factor, provide:
Current Implementation
-
Evidence with file:line references
-
Code snippets showing patterns
Compliance Level
-
Strong/Partial/Weak with justification
Gaps
-
What's missing vs. 12-Factor ideal
Recommendations
- Actionable improvements with code examples
Analysis Workflow
Initial Scan
-
Run search patterns for all factors
-
Identify key files for each factor
-
Note any existing compliance documentation
Deep Dive (per factor)
-
Read identified files
-
Evaluate against compliance criteria
-
Document evidence with file paths
Gap Analysis
-
Compare current vs. 12-Factor ideal
-
Identify anti-patterns present
-
Prioritize by impact
Recommendations
-
Provide actionable improvements
-
Include before/after code examples
-
Reference best practices
Summary
-
Compile executive summary table
-
Highlight strengths and critical gaps
-
Suggest priority order for improvements
Quick Reference: Compliance Scoring
Score Meaning Action
Strong Fully implements principle Maintain, minor optimizations
Partial Some implementation, significant gaps Planned improvements
Weak Minimal or no implementation High priority for roadmap
When to Use This Skill
-
Evaluating new SaaS applications
-
Reviewing cloud-native architecture decisions
-
Auditing production applications for scalability
-
Planning migration to cloud platforms
-
Comparing application architectures
-
Preparing for containerization/Kubernetes deployment