Analyze code or security docs → get a deployment risk report

Know the risks before you deploy software.

RepoRisk helps you decide whether software is safe to deploy in a business environment by analyzing either the code itself or the security and compliance documentation around it.

  • Built for MSPs & IT teams
  • Code analysis first, vendor review included
  • Bring your own key option

What RepoRisk does

RepoRisk gives you a structured way to review software before deployment. It can do this by either analyzing code directly or reviewing vendor security and compliance documentation.

Code analysis (core)

Analyze repositories, packages, and extensions

Paste a Git repository, browser extension, or package and RepoRisk analyzes the code for security risks, suspicious behavior, credential exposure, and licensing issues.

Vendor review (assistive)

Review security documentation

Upload SOC 2 reports, pentests, or vendor security documents and RepoRisk highlights relevant controls, risks, and gaps to support your evaluation.

Decision-ready output

Get a report you can act on

Receive a structured report with a risk score, findings, and summary so you can decide whether software is appropriate to deploy.

Why RepoRisk exists

When you evaluate commercial software, you can request SOC 2 reports, security questionnaires, and supporting documentation. With open source software and browser extensions, none of that usually exists. And even when documentation does exist, it is often time-consuming to review. RepoRisk bridges both gaps by analyzing code directly or helping you review vendor security documentation more efficiently.

Decision-ready output

Clear scoring and findings

Get an overall grade, a risk score, and findings you can use as part of an internal software approval process.

Explainable results

See why something was flagged

Findings are grouped by severity and tied back to the files, behaviors, or documents contributing to risk.

MSP-friendly artifacts

Document due diligence

Export HTML/PDF reports with executive summaries, findings, licensing status, and evidence you can save with a client or change record.

How it works

RepoRisk performs a structured review of either code or security documentation, then returns a report designed to support implementation decisions.

1) Submit software or documents: Submit a Git repository, browser extension, package, SOC 2 report, pentest, or vendor security document for review.
2) AI-assisted review: RepoRisk analyzes code behavior, supply chain indicators, licensing concerns, and vendor controls or documentation gaps.
3) Score & report: Produce an executive summary, findings, licensing status, top risk drivers, and a grade you can use to document a deployment decision.

Two ways to use RepoRisk

Code analysis: Paste a repo, package, or extension → analyze code → get a risk report.
Vendor review: Upload security docs → identify controls and gaps → get a structured summary.

Designed for implementation decisions

Your team still has to decide what software is safe enough to deploy. RepoRisk helps by reviewing the code directly when it is available, or by reviewing the vendor’s security and compliance documentation when it is not.

How teams use it

Evaluate open source projects, browser extensions, packages, and commercial software before deployment. Document third-party risk decisions, standardize reviews across clients, and re-scan projects periodically to catch meaningful changes.

What you get

A single report with grade & score, licensing status, findings by severity, executive summary, top risk drivers, and vendor control observations where applicable.

What it checks

RepoRisk looks for practical indicators that help you decide whether software is appropriate to deploy in a business environment.

Supply chain injection

Indicators in CI workflows, dependency handling, release processes, and extension packaging that increase the likelihood of supply-chain compromise.

Credential exposure

Hardcoded secrets, unsafe credential handling, token misuse, and extension messaging patterns that could expose authentication data.

Suspicious patterns

Obfuscation, injected scripts, unusual execution paths, extension content and background script behavior, and patterns that warrant deeper review.

Security vulnerabilities

Common vulnerability signals surfaced as findings with severity, impacted files, and risk factors.

License compliance

Licensing identification and whether it grants business use, plus notable restrictions like attribution requirements.

Vendor controls & gaps

AI-assisted review of SOC 2 reports, pentests, and vendor security documentation to identify mentioned controls, missing information, and potential concerns.

Pricing

Choose fully inclusive processing or Bring Your Own Key (BYOK) using your own Anthropic Claude API key. Both options use the same AI-powered batch pipeline and produce the same report format.

Tier 1

$99 / month

For small teams getting consistent about approvals.

  • 10 repo assessments / month
  • 2 vendor reviews / month
  • Repo size cap (200k LOC*)
  • Standard risk configuration
  • Standard reporting (HTML + PDF)

Tier 3

$799 / month

For MSP-style multi-client use and larger volume.

  • 100 repo assessments / month
  • 50 vendor reviews / month
  • No practical repo size limit (2M LOC*)
  • Multi-client organization support
  • Fully white-label reports
  • API access

Overages

Additional repo assessments or vendor reviews (billed per assessment/review):

  • Tier 1–2: $10
  • Tier 3: $8

*Very large repos (LOC = lines of code)

Surcharges apply when a repository substantially exceeds your plan’s LOC cap:

  • 200k–500k LOC: $15
  • 500k–1M LOC: $35
  • 1M–2M LOC: $75
  • >2M LOC: contact us

Fair use is meant to keep the service healthy for everyone. If you consistently scan very large repos or run heavy scheduled scans across many clients, we’ll help you pick the right plan.

Vendor reviews are counted per vendor (not per document). Multiple files can be included in a single review. Re-reviews count toward usage.

FAQ

Quick answers for MSPs and IT teams evaluating whether software is appropriate to deploy.

What does RepoRisk actually do?

RepoRisk analyzes either source code (repositories, extensions, packages) or vendor security documentation (SOC 2 reports, pentests, and similar materials) and generates a report showing risk findings, licensing status, severity counts, and an overall score to support your deployment decision.

Is this a replacement for SOC 2 reports or compliance platforms?

No. RepoRisk helps you review and interpret those materials more efficiently. It is designed to support decision-making, not replace full compliance or audit platforms.

Can RepoRisk prove that software will never exfiltrate data?

No tool can prove that. RepoRisk identifies risk signals and evidence so you can make a more informed decision and apply appropriate controls.

What does Bring Your Own Key mean?

Bring Your Own Key (BYOK) means you provide your own Anthropic Claude API key. You keep control of usage and spend while still getting the same workflow, scoring, and report output.

Request early access

If you’re an MSP or IT team that wants a repeatable way to review software before deployment (whether that means analyzing code or reviewing vendor security documentation), we’d love to onboard you. Early access is limited, so feedback turns into product updates quickly.