Make open source procurement feel like vendor procurement.
Commercial software often comes with SOC 2 reports, security questionnaires, and a point of contact. Open source projects and browser extensions rarely do. RepoRisk uses AI to reverse engineer human-readable code, analyze behavior, and surface organizational risk before adoption. You get a defensible grade, documented findings, and a structured report you can attach to a change record.
Why RepoRisk exists
When you buy commercial software, you can request a SOC 2 report, ask about security controls, and get a dedicated contact to cooperate with reviews. With open source (or any “free” Git-accessible project) or browser extensions, you typically can’t. But you can access the code yourself and make your own determination. RepoRisk gives MSPs and IT teams a repeatable way to assess risk and document due diligence before adoption.
Approval-grade scoring
Get an overall grade, a risk score, and a clear recommendation you can file with the change ticket.
Not just alerts
Findings are grouped by severity and category, with top risk drivers and file-level evidence.
Client-ready reports
Export HTML/PDF reports with licensing status, executive summary, and a consistent format across projects.
How it works
Drop a Git URL. RepoRisk inventories the project, prioritizes the files that drive organizational risk, and produces a structured report.
Designed for implementation decisions
Your team can ask vendors for attestations and documentation. With open source and browser extensions, you often can’t. RepoRisk helps you evaluate whether a project is suitable for business use and maintain a record of why that decision was made.
How teams use it
Evaluate open source projects and browser extensions before deployment, document third-party risk decisions, standardize reviews across clients, and re-scan projects periodically to catch meaningful changes.
What you get
A single report with grade & score, licensing status, findings by severity, executive summary, and top risk drivers.
What it checks
A practical set of AI-derived signals mapped directly to what the report displays today.
Supply chain injection
Indicators in CI workflows, dependency handling, release processes, and extension packaging that increase the likelihood of supply-chain compromise.
Credential exposure
Hardcoded secrets, unsafe credential handling, token misuse, and extension messaging patterns that could expose authentication data.
Suspicious patterns
Obfuscation, injected scripts, unusual execution paths, extension content and background script behavior, and patterns that warrant deeper review.
Security vulnerabilities
Common vulnerability signals surfaced as findings with severity, impacted files, and risk factors.
License compliance
Licensing identification and whether it grants business use, plus notable restrictions (like attribution).
Code quality & cryptographic issues
Weak cryptographic implementations, insecure randomness, unsafe defaults, and quality issues that increase operational and security risk.
Pricing
Choose fully-inclusive processing or Bring Your Own Key (BYOK) using your own Anthropic Claude API key. Both options use the same AI-powered batch pipeline (Anthropic Claude) and produce the same report format.
Fully-inclusive plans
Tier 1
For small teams getting consistent about approvals.
- 10 repo assessments / month
- Repo size cap (200k LOC*)
- Standard risk configuration
- Standard reporting (HTML + PDF)
Tier 2
For MSPs standardizing due diligence across multiple projects.
- 30 repo assessments / month
- Higher size cap (500k–750k LOC*)
- Scheduled scans (rescan for changes automatically)
- Standardized scoring across projects
- Co-branded reports
Tier 3
For MSP-style multi-client use and larger volume.
- 100 repo assessments / month
- No practical repo size limit (2M LOC*)
- Multi-client organization support (coming soon)
- Fully white-label reports
- API access (coming soon)
Overages
Additional repo assessments (billed per assessment):
- Tier 1–2: $10
- Tier 3: $8
*Very large repos (LOC = lines of code)
Surcharges apply when a repository substantially exceeds your plan’s LOC cap:
- 200k–500k LOC: $15
- 500k–1M LOC: $35
- 1M–2M LOC: $75
- >2M LOC: contact us
Bring Your Own Key (BYOK) plans
Tier 1
For teams that want control over usage and spend.
- 10 repo assessments / month
- Higher size cap (500k–750k LOC*)
- Standard risk configuration
- Standard reporting (HTML + PDF)
- Must use your own Anthropic API keys
Tier 2
For MSPs and IT teams scaling standardized reviews.
- 30 repo assessments / month
- No practical repo size limit (2M LOC*)
- Scheduled scans (rescan for changes automatically)
- Standardized scoring across projects
- Co-branded reports
- Must use your own Anthropic API keys
Tier 3
For multi-client MSP use with API access.
- 100 repo assessments / month
- No repo size limit (fair use applies)
- Scheduled scans (rescan for changes automatically)
- Multi-client organization support (coming soon)
- Fully white-label reports
- API access (coming soon)
- Must use your own Anthropic API keys
Overages
Additional repo assessments (billed per assessment):
- Tier 1–2: $5
- Tier 3: $2
*Very large repos (LOC = lines of code)
Surcharges apply when a repository substantially exceeds your plan’s LOC cap:
- 500k–1M LOC: $10
- 1M–2M LOC: $25
- 2M–4M LOC: $60
- >4M LOC: contact us
Fair use is meant to keep the service healthy for everyone. If you consistently scan very large repos or run heavy scheduled scans across many clients, we’ll help you pick the right plan.
FAQ
Quick answers for MSPs and IT teams evaluating a standardized approval workflow.
Is this a replacement for SOC 2 reports and vendor questionnaires?
No. RepoRisk fills the gap when those materials don’t exist (which is common for open source and free Git-accessible projects). It helps you produce an internal, repeatable assessment when there’s no vendor to cooperate with a formal review.
Can RepoRisk prove that software will never exfiltrate data?
No tool can prove that. RepoRisk identifies risk signals and evidence so you can make a defensible decision and apply appropriate controls.
What does Bring Your Own Key mean?
Bring Your Own Key (BYOK) means you provide your own Anthropic Claude API key. You keep control of usage and spend while still getting the same workflow, scoring, and report output.
Request early access
If you’re an MSP or IT team that wants a repeatable way to evaluate open source and “free” Git-accessible projects, we’d love to onboard you. Early access is limited so feedback turns into product updates quickly.