Companies accidentally ship source maps, debug symbols, and internal source code in their published packages without realizing it, leading to IP leaks and security exposure.
A pre-publish CI step that scans build artifacts for source maps, embedded secrets, internal paths, debug code, and other unintended inclusions, blocking the publish and alerting the team.
Freemium - free for open source/small teams, paid tiers for enterprise with policy controls, Slack alerts, and audit logs
The pain is real but episodic. When it happens (like the Claude Code leak), it is catastrophic — PR damage, IP exposure, potential security breaches. But most teams don't think about it until after an incident. The 1447 upvotes and 216 comments show strong emotional resonance. The challenge: this is a 'fire insurance' problem — hard to sell before the fire. Score docked because many teams ship packages without ever checking and never get burned.
Total addressable market (TAM) is narrower than it first appears. Primary buyers: companies publishing packages to public registries (npm, PyPI, Docker Hub). This is a subset of all dev teams — many companies only deploy internally. Estimated addressable: ~50K-200K organizations publishing packages regularly. At $50-200/month average, that is $30M-$480M TAM. Decent for a bootstrapped business, small for VC scale. Docker scanning broadens it significantly if you include internal registries.
This is the weakest link. Willingness to pay (WTP) for security tooling is high in enterprise but low in startups and mid-market. Open-source alternatives for secret scanning exist (even if they do not solve this exact problem, buyers lump them together). Many teams will say 'we will just add .npmignore rules' or 'we will review manually.' Enterprise buyers with compliance requirements will pay, but sales cycles are long. The freemium-to-paid conversion will likely be low (<3%) unless you nail the enterprise policy/audit angle.
Very buildable by a solo dev in 4-6 weeks. Core logic: unpack artifact (tarball/wheel/Docker layers), scan for patterns (source maps, .env files, internal paths, high-entropy strings, debug flags). Package as GitHub Action + GitLab CI template + CLI. No ML needed, no complex infrastructure. The hard part is reducing false positives to near-zero — a noisy scanner gets disabled immediately. Docker layer scanning adds complexity but is well-documented territory.
This is the strongest signal. No existing tool scans the FINAL PUBLISHED ARTIFACT specifically for accidental inclusions. GitGuardian/TruffleHog scan source repos. Snyk scans for CVEs. npm-packlist shows files but does not analyze content. The gap is clear: nobody is the pre-publish gate that says 'your npm package contains a source map with your entire proprietary codebase embedded in it, publish blocked.' This is a genuine whitespace.
Natural subscription fit. Runs on every CI pipeline execution. Policy updates, new detection rules, and registry support create ongoing value. Enterprise features (audit logs, Slack alerts, policy-as-code, SBOM integration) justify recurring payment. Usage-based pricing (per scan or per package) also viable. Once integrated into CI, switching costs are moderate — teams do not rip out security gates easily.
- +Clear whitespace — no direct competitor scans build artifacts for accidental IP/source leakage before publish
- +Highly topical — Claude Code incident is a perfect case study that practically sells itself
- +Technically simple MVP — pattern matching on unpacked artifacts, no ML or complex infra needed
- +Natural CI/CD integration point with high switching costs once adopted
- +Compliance and audit trail features create a clear enterprise upsell path
- !Fire insurance problem — hard to sell prevention before an incident; demand may be spiky around news events then fade
- !GitGuardian or Snyk could add artifact scanning as a feature in weeks, turning your entire product into a checkbox on their platform
- !False positives will kill adoption — if you block a legitimate publish, teams will disable the tool immediately and never come back
- !Open-source risk — someone could build a good-enough OSS version quickly since the core logic is straightforward pattern matching
- !Long enterprise sales cycles for a bootstrapped founder; SMBs may not pay enough to sustain the business
Scans git repositories, commits, and CI pipelines for hardcoded secrets and credentials. Primarily focused on source code and git history, not build artifacts.
Open-source secret scanner that scans git repos, S3 buckets, filesystems, and container images for leaked credentials using entropy analysis and regex patterns.
Broad application security platform covering dependency vulnerabilities
Open-source tool by Yelp for detecting secrets in codebases using a plugin-based architecture with entropy checks and keyword matching.
Ecosystem-specific open-source tools that preview or lint what gets included in an npm package. publint checks package quality; arethetypeswrong checks TypeScript exports.
GitHub Action + CLI that runs `npm pack --dry-run` or equivalent, unpacks the artifact, and scans for: (1) .map files and inline source maps, (2) .env / secret patterns, (3) internal file paths and hostnames, (4) debug/development-only code markers. Outputs a clear report and optionally blocks the CI pipeline. Support npm first, PyPI second, Docker third. Ship with a sensible default ruleset and allow .artifactscanrc overrides. No dashboard needed for MVP — just CI output and optional GitHub PR comments.
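The gate sketched in (1)-(4) above and in the core-logic description earlier, as an added example that is not part of the original page: a Python scanner that reads the tarball `npm pack` writes (`--dry-run` only lists file names and leaves nothing to unpack), applies one rule per inclusion class, and fails the step on any hit. Rule ids, regexes and the sample package are assumptions constructed here; the real ruleset and .artifactscanrc overrides are out of scope.

```python
# Added example (not from the page): in-memory pre-publish gate for npm tarballs; rule ids, patterns and sample files are assumptions.
import io
import re
import tarfile
PATH_RULES = {  # matched against the entry path with npm's "package/" prefix stripped
    "source-map-file": re.compile(r"\.map$"),
    "dotenv-file": re.compile(r"(^|/)\.env(\.[\w-]+)?$"),
}
CONTENT_RULES = {  # matched line by line against decoded file content
    "inline-source-map": re.compile(r"//[#@]\s*sourceMappingURL="),
    "secret-assignment": re.compile(r"(?i)(api[_-]?key|secret|token|password)\s*[=:]\s*['\"][^'\"]{8,}"),
    "internal-hostname": re.compile(r"\b[\w-]+(\.[\w-]+)*\.(internal|corp|local)\b"),
    "debug-marker": re.compile(r"console\.log\(|\bdebugger;"),
}

def scan_tarball(data: bytes) -> list[dict]:
    """One finding per (file, rule) hit; an empty list means the artifact is clean."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            path = member.name.removeprefix("package/")
            for rule_id, pattern in PATH_RULES.items():
                if pattern.search(path):
                    findings.append({"file": path, "rule": rule_id, "line": None})
            text = tar.extractfile(member).read().decode("utf-8", errors="replace")
            for lineno, line in enumerate(text.splitlines(), 1):
                for rule_id, pattern in CONTENT_RULES.items():
                    if pattern.search(line):
                        findings.append({"file": path, "rule": rule_id, "line": lineno})
    return findings
def publish_allowed(data: bytes) -> bool:
    return not scan_tarball(data)  # False fails the CI step that runs before `npm publish`
def build_tarball(files: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()  # gzipped tarball with the layout `npm pack` produces (for the sample)
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

# Constructed sample package with one deliberate leak of each class (no real values).
LEAKY_PACKAGE = {
    "package/package.json": b'{"name":"demo","version":"1.0.0","main":"dist/index.js"}',
    "package/dist/index.js": b"module.exports = () => 1;\n//# sourceMappingURL=index.js.map\n",
    "package/dist/index.js.map": b'{"version":3,"sourcesContent":["// proprietary source"]}',
    "package/.env": b"API_KEY='sk-constructed-placeholder-0000'\n",
    "package/dist/config.js": b"const host = 'builds.corp.internal';\nconsole.log('dbg');\n",
}
```

Running `scan_tarball(build_tarball(LEAKY_PACKAGE))` yields one finding per rule (six in total), so `publish_allowed` returns False for the sample and True once the offending entries are removed.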
Free CLI + GitHub Action for open source and small teams (up to 3 packages) → Pro at $29/month for unlimited packages, custom rules, Slack/webhook alerts → Team at $99/month for shared policies, audit logs, and multi-repo dashboards → Enterprise at $500+/month for SSO, RBAC, compliance reports, and on-prem/private registry support. First revenue target: Pro tier conversions from teams that had a scare or have compliance requirements.
4-6 weeks to MVP, 8-12 weeks to first paying customer. The Claude Code incident gives you an immediate marketing hook — write the launch blog post referencing it. First revenue likely comes from a security-conscious startup that just had a scare, found you on Hacker News or Reddit, and needs the Pro tier for custom rules. Enterprise deals will take 3-6 months.
- “Claude Code's source leaked via a map file in their NPM registry”
- “What a week it's been. First Axios library vulnerability report and now this”