Project Structure within a Repository

An onboarded repo with separate projects discovered. Note: "Other resources" is a special project, described in more detail below.

A project is a logical component inside a repository — a deployable service, an app, a shared library, an infrastructure package — that Dam Secure has discovered as part of onboarding.

How is a Repository Subdivided into Projects?

Our Project Structure analysis engine has been finely tuned as follows:

  • Runs during onboarding and periodically thereafter.
  • Will actively explore your repo to determine how it is structured using a variety of search tools.
  • Is polyglot and handles multiple languages within the same repo.
  • Errs on the side of treating a repo as a single project rather than splitting it into multiple projects.
  • Typically identifies each project by a single directory path (e.g. packages/frontend), but a project may span multiple paths.
  • Gravitates toward folders containing manifest files (e.g. package.json, requirements.txt, pom.xml, go.mod, Cargo.toml, Dockerfile).
  • Tightly coupled folders typically collapse into one project. For example, the src/, tests/, docs/ triad is normally a single project.

If a monorepo is detected, it gets subdivided into projects. In that case, an "Other resources" project is always created alongside the explicitly identified projects, capturing every file not assigned elsewhere: root configs, dot-folders, CI/CD workflows, docs, tooling, and so on.
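The subdivision rules above, reduced to a small reference model as an added illustration (this is not Dam Secure's engine; the manifest list, the coupled-folder names and the sample file listing are assumptions constructed for the example):

```python
from pathlib import PurePosixPath

# Manifest files named in the text; a directory holding one is a project candidate.
MANIFESTS = {"package.json", "requirements.txt", "pom.xml", "go.mod", "Cargo.toml", "Dockerfile"}
# Folder names that normally belong to the project above them (assumed list).
COUPLED = {"src", "tests", "test", "docs"}
OTHER = "Other resources"

def discover_projects(paths):
    """Return sorted project root directories (repo-relative; "." is the repo root)."""
    candidates = {str(PurePosixPath(p).parent) for p in paths
                  if PurePosixPath(p).name in MANIFESTS}
    roots = set()
    for cand in sorted(candidates, key=len):          # parents before children
        pc = PurePosixPath(cand)
        # tightly coupled folders collapse into the nearest enclosing project
        if pc.name in COUPLED and any(str(a) in roots for a in pc.parents):
            continue
        roots.add(cand)
    return sorted(roots)

def assign_projects(paths):
    """Map every file to a project; non-monorepos stay a single project."""
    roots = [r for r in discover_projects(paths) if r != "."]
    if len(roots) < 2:                                # err on the side of one project
        return {".": sorted(paths)}
    assignment = {r: [] for r in roots}
    assignment[OTHER] = []
    for p in paths:
        ancestors = {str(a) for a in PurePosixPath(p).parents}
        owners = [r for r in roots if r in ancestors]
        # deepest enclosing project wins; unassigned files go to "Other resources"
        assignment[max(owners, key=len) if owners else OTHER].append(p)
    return {k: sorted(v) for k, v in assignment.items()}

# Constructed file listings, not real repositories.
MONOREPO = [
    ".github/workflows/ci.yml", "README.md", "package.json",
    "packages/frontend/package.json", "packages/frontend/src/index.ts",
    "packages/frontend/tests/index.test.ts", "packages/frontend/tests/requirements.txt",
    "services/api/go.mod", "services/api/main.go", "services/api/Dockerfile",
    "infra/terraform/main.tf",
]
SINGLE = ["requirements.txt", "src/app.py", "tests/test_app.py", "docs/index.md"]
```

With `MONOREPO`, the manifest under `packages/frontend/tests/` does not become its own project, and the root config, CI workflow and Terraform files land in "Other resources"; `SINGLE` stays one project.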

Each project has:

  • Its own language and framework profile, so we know what kinds of issues to look for.
  • Its own applied rules — only the rules that are relevant to that project run against it.
  • Its own excluded files, so analysis stays focused on security-relevant code.