How It Works

Set up a CTO workspace. Let AI discover your projects and run 252+ checks across 42 sections, right inside Claude Code. When it needs your judgment, it asks. Here's what that looks like in practice.

1

Create your audit workspace

The checklist lives as a git submodule inside your own workspace, so your org config, project definitions, and audit results stay separate from the checklist itself. A submodule pins a specific commit of the checklist; updating it (git submodule update --remote) is an explicit step, so review the upstream changes before pulling them in.

mkdir my-company-audits && cd my-company-audits
git init
git submodule add https://github.com/rodricCTO/ultimate-cto-checklist checklist

Then launch Claude Code and run the interactive setup. It asks about your cloud providers, source control, CI/CD, monitoring stack, and secrets management, then generates everything.

claude
> /audit-init

Creates org.yaml, STATUS.md, and docs/ with your org context. ~5 minutes.

2

Register your projects

Add each codebase you want to audit. The system auto-detects your tech stack from the repo and creates a project config with environments, URLs, and scope.

> /audit-add-project

What gets generated:

projects/my-api.yaml
├── name: my-api
├── repo: acme-corp/my-api
├── type: backend
├── stack: [node, typescript, postgres]
├── environments: [dev, staging, prod]
└── urls:
    ├── production: https://api.acme.com
    └── health: https://api.acme.com/health

3

Run the audit

Start an audit and pick a flow. The system clones your repo, spins up parallel agents, and auto-checks every item it can verify without you: file structure, git config, CI status, repository settings via the GitHub API, HTTP response headers, DNS records. You only review what needs human judgment.

> /audit-start my-api

Flows:

  • Sequential: sections 1 through 42 in order. Best for your first audit.
  • Priority: all critical items first, then recommended. Quick wins.
  • Section: one section at a time. Focused deep-dives.
  • Free-form: jump around freely; the system tracks progress.

What happens during auto-check:

  • Clones repo from project config
  • Parallel agents check all 42 sections simultaneously
  • Runs file checks, git analysis, GitHub API calls
  • Items marked pass, fail, partial, or needs-review
  • You review only the ~5-10% that need judgment

4

Review results

Every item produces a structured markdown file with evidence, pass/fail status, and actionable recommendations. Results live in your workspace as dated snapshots you can diff over time. Because the evidence records details such as production URLs, env var names, and header and DNS findings, keep the workspace repository private.

Workspace after an audit:

my-company-audits/
├── org.yaml
├── projects/
│   └── my-api.yaml
├── checklist/              # submodule
├── audits/
│   └── my-api/
│       └── 2026-04-03/
│           ├── GIT-001.md  # pass
│           ├── GIT-002.md  # pass
│           ├── SEC-001.md  # fail
│           ├── SEC-003.md  # partial
│           └── ...
└── waivers/
    └── SEC-007.md          # item doesn't apply

Sample result file:

---
item_id: GIT-001
status: pass
severity: critical
section: 01-git-repo-setup
audited_at: 2026-04-03
---

## Summary
Repository clones cleanly and runs with
`pnpm install && pnpm dev`. All sandbox
env vars provided in .env.example.

## Evidence
- Clone: completed in 4.2s
- Install: pnpm install (no errors)
- Dev server: starts on port 3000
- .env.example: present with 12 variables

See it all in the dashboard

Browse results, track progress by section, and drill into individual items.

CTO Checklist Dashboard

  187 pass   23 fail   14 partial   28 skipped

  Git Repo Setup            18/20 pass
  Infrastructure Security    5/7 pass
  Secrets Management         3/8 pass
  Access Control             0/3 pass

  Recent findings:
  SEC-003  No HSTS header on production                       fail
  ENV-002  Production env vars accessible to all developers   partial
  GIT-001  Clone and run in under 10 minutes                  pass

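The result files are plain markdown with YAML front matter, which makes the dashboard totals and the /audit-diff comparison easy to reproduce yourself. The following is an added example, not code from the ultimate-cto-checklist project: it parses the five front-matter keys shown in the sample result file above, tallies statuses and per-section pass rates the way the dashboard does, and reports regressions, improvements, and still-failing items between two dated snapshots. The two snapshots, their item IDs, and the section name 05-infrastructure-security are constructed for this example; only 01-git-repo-setup and the status vocabulary come from the page.

```python
"""Parse audit result files (YAML front matter + markdown), summarise them
like the dashboard, and diff two dated snapshots.

Added example, not the checklist project's own code. It assumes only the
result-file layout shown on this page: a front-matter block with item_id,
status, severity, section and audited_at, followed by a markdown body.
"""
import re
from collections import Counter, defaultdict

# Front matter is the block between the first two '---' lines.
_FRONT = re.compile(r"\A---\n(.*?)\n---\n", re.S)


def parse_result(text):
    """Return the front-matter fields of one result file as a dict."""
    m = _FRONT.match(text)
    if not m:
        raise ValueError("missing front matter")
    fields = {}
    for line in m.group(1).splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    for required in ("item_id", "status", "section"):
        if required not in fields:
            raise ValueError(f"front matter lacks {required}")
    return fields


def summarise(results):
    """Dashboard-style totals: status counts and (passed, total) per section."""
    totals = Counter(r["status"] for r in results)
    by_section = defaultdict(lambda: [0, 0])
    for r in results:
        by_section[r["section"]][1] += 1
        if r["status"] == "pass":
            by_section[r["section"]][0] += 1
    return totals, {s: tuple(v) for s, v in by_section.items()}


def diff_snapshots(old, new):
    """Compare two snapshots by item_id.

    regressions:   pass before, anything else now (the case that matters most)
    improvements:  not pass before, pass now
    still_failing: fail or partial in both
    Items present in only one snapshot are ignored: nothing to compare.
    """
    old_by = {r["item_id"]: r["status"] for r in old}
    new_by = {r["item_id"]: r["status"] for r in new}
    regressions, improvements, still_failing = [], [], []
    for item, status in new_by.items():
        before = old_by.get(item)
        if before is None:
            continue
        if before == "pass" and status != "pass":
            regressions.append(item)
        elif before != "pass" and status == "pass":
            improvements.append(item)
        elif before in ("fail", "partial") and status in ("fail", "partial"):
            still_failing.append(item)
    return sorted(regressions), sorted(improvements), sorted(still_failing)


def _result(item_id, status, severity, section, date):
    # Constructed sample file in the page's result-file format.
    return (f"---\nitem_id: {item_id}\nstatus: {status}\nseverity: {severity}\n"
            f"section: {section}\naudited_at: {date}\n---\n\n## Summary\n(sample)\n")


# Constructed snapshots; "05-infrastructure-security" is a hypothetical section name.
SNAPSHOTS = {
    "2026-01-05": [
        _result("GIT-001", "pass", "critical", "01-git-repo-setup", "2026-01-05"),
        _result("GIT-002", "pass", "recommended", "01-git-repo-setup", "2026-01-05"),
        _result("SEC-001", "fail", "critical", "05-infrastructure-security", "2026-01-05"),
        _result("SEC-003", "fail", "critical", "05-infrastructure-security", "2026-01-05"),
    ],
    "2026-04-03": [
        _result("GIT-001", "pass", "critical", "01-git-repo-setup", "2026-04-03"),
        _result("GIT-002", "fail", "recommended", "01-git-repo-setup", "2026-04-03"),
        _result("SEC-001", "pass", "critical", "05-infrastructure-security", "2026-04-03"),
        _result("SEC-003", "partial", "critical", "05-infrastructure-security", "2026-04-03"),
        _result("SEC-007", "needs-review", "recommended", "05-infrastructure-security", "2026-04-03"),
    ],
}


def run_example():
    """Summarise the newer snapshot and diff it against the older one."""
    old = [parse_result(t) for t in SNAPSHOTS["2026-01-05"]]
    new = [parse_result(t) for t in SNAPSHOTS["2026-04-03"]]
    totals, sections = summarise(new)
    return totals, sections, diff_snapshots(old, new)


if __name__ == "__main__":
    totals, sections, (regressions, improvements, still_failing) = run_example()
    print("totals:", dict(totals))
    for section, (passed, total) in sections.items():
        print(f"{section}: {passed}/{total} pass")
    print("regressions:", regressions)
    print("improvements:", improvements)
    print("still failing:", still_failing)
```

On a real workspace you would replace SNAPSHOTS with the contents of two audits/my-api/<date>/ directories; the regressions list is the one to watch between quarterly runs, since an item that once passed and no longer does is drift, not a known gap.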

5

All audit commands

These are Claude Code slash commands. Type them at the Claude Code prompt after launching claude in your audit workspace. They are grouped below by workflow phase.

Setup

/audit-tutorial

Interactive first-time walkthrough. Detects your setup state and explains concepts before you start.

/audit-init

One-time org setup. Asks about cloud providers, tooling, and infrastructure, then generates org.yaml and supporting docs.

/audit-add-project

Register a project. Creates projects/name.yaml with repo URL, tech stack, environments, and audit scope.

Running audits

/audit-start

Begin a new audit. Pick a flow (sequential, priority, section, or free-form), then auto-check runs in parallel.

/audit-continue

Resume an interrupted audit. Recovers state from .audit-state.yaml and picks up where you left off.

/audit-status

Check progress at any time: items completed, pass rate, blockers, and what's remaining.

/audit-section

Focus on a specific section by number. Auto-checks all items in that section in parallel.

/audit-item

Jump to a specific item by ID (e.g. GIT-001). Re-audit a single item standalone or within an active audit.

Results & reporting

/audit-summary

Full report with overall score, section breakdown, action items, and regressions from the previous audit.

/audit-diff

Compare two audits side by side. Highlights improvements, regressions, and items still failing.

/audit-history

View all past audits for a project with dates, pass rates, and trends over time.

Managing findings

/audit-fix

Work through failed and partial items interactively. Gather better evidence, resolve findings, or create waivers.

/audit-skip

Skip an item with documented reasoning. Marked for later revisit, not permanently excluded.

/audit-waiver

Permanently exempt an item that doesn't apply. Stored in waivers/ with a review date, excluded from future audits.

Built for technical leaders

For CTOs

Run comprehensive audits across all 42 sections. Delegate to your team with clear pass/fail criteria. Track improvements over time with dated reports.

For Founders

Get CTO-level infrastructure review without hiring one yet. Identify critical gaps in security, monitoring, and deployment before they become incidents.

For Tech Leads

Systematic verification of your stack against industry best practices. Evidence-based, not opinion-based. Run it quarterly to catch drift.

Find your blind spots before they find you.

Three commands. Full audit. No excuses.
