Scan any GitHub repo for supply chain risk in one click

Paste a URL. No install, no account. Behavioral trust scores for every dependency — in seconds.

Supply chain attacks don’t announce themselves. The event-stream attack in 2018 started with a maintainer handing off a package with 2 million weekly downloads. The ua-parser-js compromise in 2021 was a sole maintainer account with 7 million weekly downloads. In both cases, the signal was visible before the incident — not in CVE databases, but in behavioral patterns.

I’ve been building tooling that reads those behavioral signals: publisher concentration, release consistency, project longevity, contributor depth. Today I shipped something that makes this usable without any friction at all.

The scanner

getcommit.dev/scan/repo takes a GitHub URL and scores every dependency in the project’s package manifest. Paste the URL, hit Scan, see results. No account. No install. No API key.

Five example scans worth running right now:

What it scores

For each dependency, the scanner fetches behavioral signals from public sources and computes a Commit Score:

  • Publisher concentration — single maintainer accounts controlling packages with 50M+ weekly downloads are the most common attack vector. The score weights this heavily.
  • Release consistency — irregular release cadences, long gaps, or sudden version jumps are early warning signals.
  • Project longevity — how long a maintainer has been active on a package. Short tenure with high download counts is a risk pattern.
  • Contributor depth — sole-contributor packages with large downstream use are flagged CRITICAL.

Packages scoring CRITICAL are the ones that match the historical attack profile. Not because they’ve been compromised — because they’re the type of package that gets compromised.
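To make the four signals concrete, here is an added illustration of how such behavioral data could be combined into a trust score and a CRITICAL flag. This is not getcommit.dev's code or formula: the weights, the thresholds (1M weekly downloads as "large downstream use", one year as a "long gap", twelve months as "short tenure") and the sample packages are all constructed for this example.

```javascript
// Added illustration of the four signals described above. Not getcommit.dev's code;
// the weights, thresholds and the 0-100 trust score are assumptions for this demo.
const DAY_MS = 24 * 3600 * 1000;

// Release consistency: coefficient of variation of the gaps between releases,
// plus a penalty when any gap exceeds a year (assumed "long gap" threshold).
function releaseIrregularity(releaseDates) {
  if (releaseDates.length < 3) return 1;               // too few releases to judge
  const t = releaseDates.map(d => Date.parse(d)).sort((a, b) => a - b);
  const gaps = t.slice(1).map((x, i) => x - t[i]);
  const mean = gaps.reduce((a, b) => a + b, 0) / gaps.length;
  const sd = Math.sqrt(gaps.reduce((a, g) => a + (g - mean) ** 2, 0) / gaps.length);
  const cv = mean > 0 ? sd / mean : 0;
  const longGap = Math.max(...gaps) > 365 * DAY_MS ? 0.5 : 0;
  return Math.min(1, cv / 2 + longGap);
}

// Combine the signals into a trust score (100 = no risk signals) and a level.
function scorePackage(pkg) {
  const big = pkg.weeklyDownloads >= 1_000_000;         // assumed "large downstream use"
  const flags = [];
  let risk = 0;
  // Publisher concentration: one publishing account, weighted heaviest when big.
  if (pkg.publishers === 1) { risk += big ? 40 : 20; flags.push('single-publisher'); }
  // Release consistency.
  const irr = releaseIrregularity(pkg.releaseDates);
  risk += Math.round(irr * 20);
  if (irr > 0.5) flags.push('irregular-releases');
  // Project longevity: short maintainer tenure, worse on a heavily used package.
  if (pkg.maintainerTenureMonths < 12) { risk += big ? 20 : 10; flags.push('short-tenure'); }
  // Contributor depth: a sole contributor with large downstream use is CRITICAL outright.
  const sole = pkg.contributors === 1;
  if (sole) { risk += 20; flags.push('sole-contributor'); }
  const level = (sole && big) || risk >= 70 ? 'CRITICAL'
              : risk >= 40 ? 'HIGH' : risk >= 20 ? 'MEDIUM' : 'LOW';
  return { name: pkg.name, score: Math.max(0, 100 - risk), level, flags };
}

// Constructed sample manifest metadata (not real packages or registry data).
const SAMPLE_DEPS = [
  { name: 'solo-widget', publishers: 1, weeklyDownloads: 7_000_000, maintainerTenureMonths: 3,
    contributors: 1, releaseDates: ['2019-01-10', '2019-01-20', '2021-03-01'] },
  { name: 'small-util', publishers: 1, weeklyDownloads: 50_000, maintainerTenureMonths: 36,
    contributors: 3, releaseDates: ['2023-01-01', '2023-02-01', '2023-03-01', '2023-04-01'] },
  { name: 'team-lib', publishers: 4, weeklyDownloads: 2_000_000, maintainerTenureMonths: 60,
    contributors: 12, releaseDates: ['2023-01-01', '2023-02-01', '2023-03-01', '2023-04-01'] },
];

// Score every dependency, riskiest first.
function scanManifest(deps) { return deps.map(scorePackage).sort((a, b) => a.score - b.score); }

console.table(scanManifest(SAMPLE_DEPS));
```

The constructed `solo-widget` entry reproduces the historical profile the post describes (sole publisher and contributor, millions of weekly downloads, a short tenure and a multi-year release gap) and lands at CRITICAL, while the same single-publisher signal on a low-download package only reaches MEDIUM.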

Why URL input matters

The audit tool asks you to paste a list of package names. That’s useful when you know what you’re auditing. URL input is for when you don’t want to check out a repo first — you’re evaluating a dependency, reviewing a PR from an external contributor, or doing a quick security pass on an open-source project you’re considering.

The flow is: copy the GitHub URL from your browser, paste it into the scanner, hit Scan. Under five seconds to a full risk profile.

The underlying signal

npm audit gives you CVEs. CVEs are historical. By the time a package is in the CVE database, the attack has already happened to someone.

Behavioral signals are forward-looking. Publisher concentration isn’t a CVE — it’s a structural condition that makes a package attractive to attackers. That condition can exist for years before anything bad happens. Knowing it exists lets you make a different decision: pin the version, find an alternative, add a lockfile check to CI.

The scanner is free. Try it on your own repo first.

getcommit.dev/scan/repo