Paste a Git repository or extension source → get a security risk report

Analyze open source software before you deploy it.

Paste a Git repository or browser extension source code. RepoRisk automatically analyzes the code for security risks, credential exposure, suspicious behavior, and licensing issues, then generates a structured report to help you decide whether it is suitable for business use.

  • Built for MSPs & IT teams
  • Analyzes repositories & browser extensions
  • Bring your own key option

What RepoRisk does

Think of RepoRisk as a security review for open source software and browser extensions. It helps you review code before deployment when there is no vendor security package to rely on.

1. Submit code

Paste a repository or extension source

Submit a Git repository or browser extension source for analysis. RepoRisk pulls apart the codebase and prepares it for review.

2. Analyze risk

Review code for security and business risk

RepoRisk analyzes the code for suspicious behavior, credential exposure, supply chain concerns, licensing issues, and other risk indicators.

3. Get a report

Receive a report you can act on

Get a structured report with a score, findings by severity, top risk drivers, and licensing status to support your deployment decision.

Why RepoRisk exists

When you evaluate commercial software, you can usually request SOC 2 reports, security questionnaires, architecture documentation, and a security contact. With open source software or browser extensions, that usually does not exist. But the code is available, which means you can review it yourself. RepoRisk automates that review so MSPs and IT teams can evaluate software before deploying it.

Decision-ready output

Clear scoring and findings

Get an overall grade, a risk score, and findings you can use as part of an internal software approval process.

Explainable results

See why something was flagged

Findings are grouped by severity and tied back to the files and behaviors contributing to risk.

MSP-friendly artifacts

Document due diligence

Export HTML/PDF reports with licensing status, executive summary, and evidence you can save with a client or change record.

How it works

RepoRisk performs a structured code review in three stages, then returns a report designed to support implementation decisions.

1) Inventory

Identify languages, configuration, browser extension manifests, background and content scripts, CI workflows, and the files most likely to introduce organizational risk.

2) Batch analysis

Use AI to reverse engineer and analyze code, then consolidate findings into structured categories and severities.

3) Score & report

Produce an executive summary, licensing status, top risk drivers, and a grade you can use to document a deployment decision.

Designed for implementation decisions

Your team can ask vendors for attestations and documentation. With open source and browser extensions, you often cannot. RepoRisk helps you evaluate whether a project is suitable for business use and maintain a record of why that decision was made.

How teams use it

Evaluate open source projects and browser extensions before deployment, document third-party risk decisions, standardize reviews across clients, and re-scan projects periodically to catch meaningful changes.

What you get

A single report with grade & score, licensing status, findings by severity, executive summary, and top risk drivers.

What it checks

RepoRisk looks for practical indicators that help you decide whether software is appropriate to deploy in a business environment.

Supply chain injection

Indicators in CI workflows, dependency handling, release processes, and extension packaging that increase the likelihood of supply-chain compromise.

Credential exposure

Hardcoded secrets, unsafe credential handling, token misuse, and extension messaging patterns that could expose authentication data.

Suspicious patterns

Obfuscation, injected scripts, unusual execution paths, extension content and background script behavior, and patterns that warrant deeper review.

Security vulnerabilities

Common vulnerability signals surfaced as findings with severity, impacted files, and risk factors.

License compliance

Licensing identification and whether it grants business use, plus notable restrictions like attribution requirements.

Code quality & cryptographic issues

Weak cryptographic implementations, insecure randomness, unsafe defaults, and quality issues that increase operational and security risk.

Pricing

Choose fully inclusive processing or Bring Your Own Key (BYOK) using your own Anthropic Claude API key. Both options use the same AI-powered batch pipeline and produce the same report format.

Tier 1

$99 / month

For small teams getting consistent about approvals.

  • 10 repo assessments / month
  • Repo size cap (200k LOC*)
  • Standard risk configuration
  • Standard reporting (HTML + PDF)

Tier 3

$799 / month

For MSP-style multi-client use and larger volume.

  • 100 repo assessments / month
  • No practical repo size limit (2M LOC*)
  • Multi-client organization support (coming soon)
  • Fully white-label reports
  • API access (coming soon)

Overages

Additional repo assessments (billed per assessment):

  • Tier 1–2: $10
  • Tier 3: $8

*Very large repos (LOC = lines of code)

Surcharges apply when a repository substantially exceeds your plan’s LOC cap:

  • 200k–500k LOC: $15
  • 500k–1M LOC: $35
  • 1M–2M LOC: $75
  • >2M LOC: contact us

Fair use is meant to keep the service healthy for everyone. If you consistently scan very large repos or run heavy scheduled scans across many clients, we’ll help you pick the right plan.

FAQ

Quick answers for MSPs and IT teams evaluating whether software is appropriate to deploy.

What does RepoRisk actually do?

RepoRisk analyzes a Git repository or browser extension source code and generates a report showing risk findings, licensing status, severity counts, and an overall score to support your deployment decision.

Is this a replacement for SOC 2 reports and vendor questionnaires?

No. RepoRisk fills the gap when those materials do not exist, which is common for open source and free Git-accessible projects. It helps you perform your own review when there is no vendor security package to rely on.

Can RepoRisk prove that software will never exfiltrate data?

No tool can prove that. RepoRisk identifies risk signals and evidence so you can make a more informed decision and apply appropriate controls.

What does Bring Your Own Key mean?

Bring Your Own Key (BYOK) means you provide your own Anthropic Claude API key. You keep control of usage and spend while still getting the same workflow, scoring, and report output.

Request early access

If you’re an MSP or IT team that wants a repeatable way to review open source software and browser extensions before deployment, we’d love to onboard you. Early access is limited so feedback turns into product updates quickly.