Teams manually cobble together scripts using GitHub APIs and other data sources to assess dependency health, which is time-consuming to build and maintain.
A plug-and-play service that ingests your dependency manifests, pulls health signals (commit activity, maintainer count, CVEs, EOL timelines) from GitHub and package registries, and generates scheduled risk reports with recommended actions.
Freemium — free weekly reports for small teams, paid plans for real-time alerts, Slack/Jira integration, and compliance export.
The pain is real but moderate. Teams that track dependency health have already built custom scripts and find them 'pretty sweet once set up.' This means the pain of the initial build is high, but ongoing maintenance pain is lower. The xz utils incident (lone burned-out maintainer socially engineered) made this viscerally real, but most teams only care after an incident. It's a 'should do', not a 'hair on fire', problem for most orgs.
TAM is large — any company with 10+ microservices and open-source dependencies (hundreds of thousands of companies). The broader SCA market is $5-7B. However, the specific 'dependency health' slice is a niche within that — realistically a $200M-500M addressable segment. Enough for a very successful startup, but you're selling to a subset of security/engineering teams who are proactive about supply chain risk.
This is the weakest link. Free alternatives exist (OpenSSF Scorecard, deps.dev, Libraries.io). Engineering teams can and do build this themselves with GitHub APIs. The Reddit signal literally says 'it's pretty sweet once you have it set up' — meaning DIY is viable. Paid conversion requires significant value beyond what free tools offer: portfolio-level dashboards, EOL alerts, compliance exports, Jira/Slack integration. Willingness to pay improves dramatically in regulated industries (finance, healthcare) where compliance exports justify budget.
Highly buildable by a solo dev in 4-8 weeks. GitHub API, package registry APIs, endoflife.date API, and NVD/OSV feeds are all well-documented and freely available. Parse manifests (package.json, requirements.txt, go.mod), pull signals, compute scores, generate reports. No ML required for MVP — simple heuristics work (commits in last 6 months, maintainer count, open issues ratio). The hard part is making the reports actually actionable, not the data pipeline.
Clear whitespace. No existing tool comprehensively monitors maintainer activity, bus factor, EOL status, and abandonment trajectories as its primary value proposition. Endor Labs nibbles at the edge but leads with security. Libraries.io has stale, shallow data. Everyone else is CVE-focused. The gap is real and validated by the fact that teams build custom scripts to fill it. However, incumbents (Snyk, Endor Labs) could add these features relatively easily if the market proves out.
Natural subscription model. Dependencies change constantly, new risks emerge, EOL dates approach, maintainers leave. Weekly/monthly reports, real-time alerts on health degradation, and compliance exports for audits all justify ongoing payment. The data is perishable — a one-time report is far less valuable than continuous monitoring.
- +Clear competitive whitespace — no one owns 'dependency health' as primary positioning despite a $5B+ adjacent market
- +Technically simple MVP — public APIs, well-defined data sources, no ML needed, solo dev can ship in 4-6 weeks
- +Strong regulatory tailwinds — SBOM mandates, supply chain security requirements creating budget and urgency
- +The xz utils incident is a perfect case study that sells itself — bus factor monitoring would have caught it
- +Natural wedge into larger SCA budgets — start with health, expand into security and compliance
- !Willingness to pay is uncertain — free tools (Scorecard, deps.dev) cover part of the need, and DIY is viable for motivated teams
- !Incumbents (Snyk, Endor Labs) could add health features as a checkbox, crushing your differentiation overnight
- !The target buyer (engineering leads at 10+ microservice companies) is hard to reach without enterprise sales — long sales cycles, POC requirements
- !Risk of being a 'nice to have' not a 'must have' — teams only care after an incident, making acquisition spiky and unpredictable
- !GitHub API rate limits and data quality issues (many projects don't follow conventional signals) could limit accuracy
Dependency lifecycle management platform that scores packages on maintainability, popularity, and security with reachability analysis to determine if vulnerabilities actually affect your code paths.
SCA platform that finds and auto-fixes vulnerabilities in open-source dependencies, containers, and IaC. Best-in-class developer experience with IDE/CI/CD integration.
Supply chain security platform focused on detecting malicious packages via behavioral analysis — catches typosquatting, dependency confusion, and suspicious install scripts that CVE databases miss.
Open-source project tracking 5M+ packages with a 'SourceRank' score based on contributor count, release frequency, stars, and age. Tidelift
Google's open-source dependency intelligence service providing dependency graphs, security advisories, and OpenSSF Scorecard integration that checks for signed releases, branch protection, CI, and fuzzing practices.
CLI tool + hosted dashboard. User connects GitHub org or uploads manifest files (package.json, requirements.txt, go.mod, pom.xml). System pulls health signals from GitHub API, endoflife.date, OSV, and package registries. Generates a weekly email report with a traffic-light risk score per dependency: green (healthy), yellow (declining), red (abandoned/EOL/critical). Include 3 actionable items per report ('Consider migrating from X — last commit 18 months ago, 1 maintainer'). No Slack/Jira integration in MVP — just email reports and a simple web dashboard.
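A sketch of the scoring step described above (manifest parsing, the simple heuristics, and the traffic-light result), added here as an example and not code from any existing tool. The thresholds, signal field names, package names and signal values are all assumptions constructed for illustration; a real pipeline would fill `SIGNALS` from the GitHub API, endoflife.date and registry lookups.

```python
import json
import re
from datetime import date

# Assumed thresholds (not from the page): months without commits, open-issue share.
STALE_MONTHS, ABANDONED_MONTHS, MAX_OPEN_RATIO = 6, 12, 0.5
NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")

def parse_requirements(text):
    """Package names from requirements.txt text; comments and pip options are skipped."""
    hits = (NAME.match(line.split("#", 1)[0].strip()) for line in text.splitlines())
    return [m.group(0).lower() for m in hits if m]

def parse_package_json(text):
    """Sorted names from dependencies and devDependencies of a package.json."""
    doc = json.loads(text)
    return sorted({**doc.get("dependencies", {}), **doc.get("devDependencies", {})})

def score(sig, today):
    """Return (color, reasons); a package without signals is 'unknown', never green."""
    if sig is None:
        return "unknown", ["no health signals available"]
    last = sig["last_commit"]
    age = (today.year - last.year) * 12 + today.month - last.month
    red, yellow = [], []
    if sig["eol"]:
        red.append("end-of-life")
    if age >= ABANDONED_MONTHS:
        red.append(f"last commit {age} months ago")
    elif age >= STALE_MONTHS:
        yellow.append(f"last commit {age} months ago")
    if sig["maintainers"] <= 1:
        yellow.append(f"{sig['maintainers']} maintainer(s)")
    if sig["open_issue_ratio"] > MAX_OPEN_RATIO:
        yellow.append(f"{sig['open_issue_ratio']:.0%} of issues open")
    return ("red" if red else "yellow" if yellow else "green"), red + yellow

def build_report(names, signals, today):
    return {n: score(signals.get(n), today) for n in names}

# Constructed inputs: hypothetical package names and signal values.
REQS = "alpha-http==2.3.1\n-r base.txt\nleftlib>=1.2  # pinned loosely\noldparser==0.9.1\n"
PKG = '{"dependencies": {"fastweb": "^4.1.0"}, "devDependencies": {"tinytest": "~1.0.0"}}'
SIGNALS = {
    "alpha-http": {"last_commit": date(2024, 5, 20), "maintainers": 4, "open_issue_ratio": 0.15, "eol": False},
    "leftlib": {"last_commit": date(2023, 10, 10), "maintainers": 1, "open_issue_ratio": 0.30, "eol": False},
    "oldparser": {"last_commit": date(2022, 12, 1), "maintainers": 1, "open_issue_ratio": 0.70, "eol": False},
    "fastweb": {"last_commit": date(2024, 5, 1), "maintainers": 6, "open_issue_ratio": 0.10, "eol": True},
}
REPORT = build_report(parse_requirements(REQS) + parse_package_json(PKG), SIGNALS, date(2024, 6, 1))
```

`REPORT` maps each dependency to its color and the reasons behind it, which is the raw material for the per-report action items; `tinytest` has no signals and is reported as unknown instead of defaulting to green.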
Free: weekly email report for up to 3 repos, basic health scores. Paid ($29-49/team/month): unlimited repos, real-time Slack/email alerts on health degradation, historical trend charts, team dashboard. Enterprise ($199-499/month): compliance exports (SOC2, FedRAMP evidence), Jira ticket creation, SBOM integration, SSO, portfolio-level risk scoring across all services. Scale: API access for platform teams to embed health scores in internal developer portals (Backstage plugins).
8-12 weeks. Weeks 1-4: build MVP (manifest parser, GitHub API integration, scoring engine, email reports). Weeks 5-6: dogfood on your own projects, recruit 10-20 beta users from DevOps/security communities (Reddit r/devops, HackerNews, DevSecOps Slack groups). Weeks 7-8: iterate on report quality based on feedback. Weeks 9-12: launch paid tier. First paying customers likely from teams already building this themselves who want to stop maintaining custom scripts.
- “We keep track of all dependencies used and then use the github api and a couple of other data sources to generate reports”
- “It's pretty sweet once you have it set up”
- “this is also where something like runable could help tie signals together instead of checking multiple tools manually”