Neotecnica

WWG delivered the engagement across four parallel workstreams, structured to produce both immediate risk reduction and a clear roadmap for longer-term modernisation.

WWG ran a complete audit across all four repositories using a consistent multi-tool methodology. Each codebase was assessed for:

• Security vulnerabilities — npm audit and osv-scanner surfaced 19+ issues across the frontend and component library, including high-severity CVEs in core dependencies and a confirmed ReDoS vulnerability affecting three separate repositories

• Dependency health — npm-check and depcheck identified unused packages accumulating as dead weight and dozens of packages behind by one or more major versions
• Code quality — ESLint surfaced approximately 9,000 issues in the React frontend and over 4,000 in Component library, primarily no-undef violations, unused variables, and @typescript-eslint/no-explicit-any usage
• Java backend — SonarQube analysis of the codebase identified hardcoded credentials, catch-all exception blocks, manual SQL, commented-out code blocks, and large tightly-coupled classes as the primary maintainability risks.

Each audit was delivered as a structured report with a per-area severity classification and a prioritised remediation roadmap.

WWG conducted a full audit of Neotecnica’s Git workflow across all repositories, documenting the risks of the current approach — unprotected main branches, direct merges from long-lived feature branches, absence of PR-based code review, and no CI gate before production.

Two alternative branching strategies were evaluated in detail: GitHub Flow (optimised for frequent deployment cycles) and Trunk-Based Development (optimised for minimising merge conflicts via short-lived branches and feature flags). For the private React component library, the assessment specifically addressed the challenge of long-running beta branches, which don’t fit neatly into either standard model. A concrete implementation recommendation — including branch protection rules, PR templates, and CI integration checkpoints — was delivered alongside the audit findings.checkpoints — was delivered alongside the audit findings.

WWG restructured the Neotecnica Kubernetes clusters from the ground up for high availability and modern CI/CD support:

• HA with 3 control-plane nodes and dedicated worker node groups based on their workloads.
• Rancher installation and configuration as the cluster management UI, enabling workload visibility and operational control without the need of CLI knowledge.
• Jenkins installation with Kubernetes-native agents — pipelines run with ephemeral pods, eliminating the need for persistent agents on VMs.
• Nexus Artifact Repository deployed for hosting private NPM packages (replacing git submodules) and Maven build artifacts.

Each of the four codebases operated with a different configuration baseline — different ESLint rule sets, different package managers, different build systems. Standardising the audit methodology across all of them without modifying their existing configurations required careful tool selection and result interpretation. In particular, distinguishing ESLint issues that were configuration artifacts (e.g., rules flagging intentionally dynamic patterns) from genuine technical debt required code-level review alongside automated output.

The  component library repository had developed a branching pattern where a feature branch had effectively become a long-running beta version branch. Neither GitHub Flow nor Trunk-Based Development handles this pattern cleanly out of the box — GitHub Flow discourages branches lasting more than a week, and Trunk-Based Development requires feature flags for unfinished work. WWG’s Git audit addressed this specifically, providing a hybrid recommendation that acknowledged the library’s versioning needs without forcing a workflow that would create friction for the team.

Neotecnica’s three main repositories — a React application, a private NPM library, and a Java Maven backend — have meaningfully different CI/CD requirements. A React app requires a standardized workflow for quality checks and automated delivery. An NPM library needs automated versioning and secure artifact management for distribution. A Maven backend requires a complex build process, including containerization and deployment to a private registry. WWG designed example pipelines for all three types, using Jenkins Shared Libraries to extract reusable template logic — reducing duplication and ensuring the Neotecnica team had working references rather than abstract guidance.

Both the Keycloak server and the OpenVPN server were alive and in active use during the engagement. CIS Benchmark assessments and hardening required identifying which recommendations could be applied immediately and which required planned maintenance windows.