Developers can't easily distinguish legitimate repos from malicious ones because trust signals like stars, forks, and commit history are cheaply faked. Typosquatting and fake setup instructions trick people into running malware.
Analyzes repos in real-time: cross-references star/fork patterns for bot activity, checks contributor authenticity, flags typosquatted package names, compares against known-good registries, and scores overall trust. Integrates as a browser extension overlay on GitHub pages and a CLI pre-install hook for npm/pip/cargo.
Freemium: free browser extension with basic trust scores, paid tiers ($10-30/mo individual, $50-200/mo team) for CI/CD integration, dependency scanning across entire projects, and alerts on newly suspicious repos in your dependency tree.
The pain is real and validated by high-profile attacks (xz-utils, event-stream). The Reddit thread with 490 upvotes confirms developer frustration. However, most developers don't think about this daily — it's an acute pain when it happens, not a constant burn. DevSecOps teams feel it more intensely. Score would be 9 for enterprise security teams, 5 for individual devs.
TAM: ~30M active GitHub developers, plus enterprise engineering orgs. SAM: ~5M developers who actively manage dependencies and care about security. SOM: ~500K developers reachable in year 1 through GitHub ecosystem marketing. At $10-30/mo individual, $50-200/mo team — realistic year 3 ARR target of $5-15M. Not a billion-dollar standalone market, but strong acquisition target territory for GitHub/Snyk/Socket.
Individual developers are notoriously reluctant to pay for security tooling — they expect it to be free or bundled. The browser extension will face a 'why pay when I can just check manually?' objection. Enterprise is where the money is, but selling to enterprise requires SOC2, sales team, and long cycles. Socket.dev and Snyk have proven enterprises will pay for supply chain security, but they sell broader platforms, not point solutions. The free-to-paid conversion for a trust scoring tool will be low (<2%).
A solo dev can build an MVP browser extension in 4-6 weeks using GitHub's API for stars/forks/contributors data. Fake star detection algorithms exist in published research (Dagster's work). Typosquatting detection is well-documented (Levenshtein distance against known registries). However: rate limits on GitHub API are a real constraint, building accurate bot detection requires training data and iteration, and scaling real-time analysis across millions of repos needs backend infrastructure. MVP is very feasible; production-grade accuracy is harder.
This is the strongest dimension. No existing product combines fake star detection + contributor authenticity + typosquatting + unified trust score in a browser extension overlay on GitHub. Socket is closest but focuses on packages, not repos. Scorecard measures hygiene, not legitimacy. Trusty is conceptually similar but limited and early. The specific 'pre-clone trust assessment on GitHub pages' use case is genuinely unserved. The gap is clear and validated.
The browser extension itself is hard to monetize recurringly — trust scores feel like a one-time check. Recurring value comes from: (1) dependency tree monitoring with alerts when a dep becomes suspicious, (2) CI/CD integration scanning every build, (3) continuously updated threat intelligence. The CI/CD and monitoring angles justify subscription, but the core browser extension experience is more 'check and forget.' Need to build the monitoring/alerting layer to justify ongoing payment.
- +Clear, validated market gap — no product does unified repo trust scoring with fake star detection as a browser extension on GitHub
- +Strong problem validation from multiple high-profile supply chain attacks and organic developer complaints (490 upvotes on the source thread)
- +Low barrier to MVP — browser extension + GitHub API is a proven, fast development path
- +Natural enterprise expansion path — individual devs adopt free tool, bring it to their team, team wants CI/CD integration
- +Potential acquisition target for GitHub, Snyk, Socket, or Datadog within 2-3 years if you build a quality dataset
- !GitHub itself could build native trust indicators (they've already started removing fake stars and adding attestations) — platform risk is existential
- !Individual developer willingness to pay is historically low for security tools — you may build a popular free tool that doesn't convert to revenue
- !Accuracy is critical: false positives (flagging legitimate repos as suspicious) will destroy trust fast; false negatives (missing actual threats) undermine the value prop
- !Socket.dev, Snyk, or Phylum could add repo trust scoring as a feature in a quarter, commoditizing your differentiation
- !GitHub API rate limits constrain real-time analysis at scale — may need expensive infrastructure or GitHub partnership
Supply chain security platform that performs deep package inspection on npm/PyPI/Go dependencies. Analyzes package behavior
Open-source tool by the Open Source Security Foundation that automatically assesses security practices of GitHub repos. Produces a 0-10 score across ~18 checks: branch protection, code review, CI/CD, signed releases, dependency pinning, fuzzing, SAST usage, etc.
Free tool providing trust scores for open-source packages.
Software supply chain security platform analyzing packages for malicious code, vulnerabilities, author risk, and engineering risk. Five-dimension risk scoring. CLI, CI/CD integration, and browser extension.
Free service by Google providing dependency metadata, security advisories, license info, and OpenSSF Scorecard data for packages across npm, PyPI, Go, Maven, Cargo, NuGet. Visualizes dependency trees and surfaces known vulnerabilities.
Chrome/Firefox browser extension that overlays a trust badge (green/yellow/red) on GitHub repository pages. MVP checks: (1) star velocity anomaly detection (sudden spikes from low-activity accounts), (2) contributor diversity score (ratio of outside contributors to total), (3) typosquatting alert against top 5000 npm/pip packages using edit distance, (4) repo age vs. popularity ratio. Store precomputed scores for popular repos, compute on-demand for others. Skip CLI initially — the browser extension is the viral hook.
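As an added example (not RepoGuard's or any listed product's code), the four MVP checks above and the edit-distance typosquat check from the feasibility note, run over constructed repo metadata in plain JavaScript, the extension's own language. It uses the optimal-string-alignment variant of Levenshtein so a transposed letter pair counts as one edit; every threshold, the known-good package list and the sample repo are assumptions, not values from the page.

```javascript
// Added example, not RepoGuard's code. Thresholds and sample data are constructed assumptions.
// Edit distance for the typosquat check: optimal-string-alignment variant of Levenshtein,
// so a swapped adjacent pair ("lodahs" vs "lodash") costs 1 edit instead of 2.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1,
        d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1])
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // transposition
    }
  }
  return d[a.length][b.length];
}
// Registries compare names case-insensitively; pip also folds '-', '_' and '.' together.
const norm = (s) => s.toLowerCase().replace(/[-_.]+/g, "-");
// Check 3: a name one edit away from a known-good package; exact matches are not squats.
function typosquatOf(name, known) {
  const n = norm(name);
  return known.find((k) => norm(k) !== n && editDistance(n, norm(k)) <= 1) ?? null;
}
// Check 1: share of stars given by accounts under 30 days old when they starred.
const youngStarerRatio = (stars) =>
  stars.length ? stars.filter((s) => s.accountAgeDays < 30).length / stars.length : 0;
// Check 2: non-member contributors as a share of all contributors.
const outsideRatio = (cs) => (cs.length ? cs.filter((c) => !c.isMember).length / cs.length : 0);
// Check 4: stars per day of repo age.
const starsPerDay = (repo) => repo.stars.length / Math.max(repo.ageDays, 1);

// Fold the checks into the green/yellow/red badge; flags are the reasons the overlay would show.
function assessRepo(repo, knownPackages) {
  const flags = [];
  if (youngStarerRatio(repo.stars) > 0.5) flags.push("star-velocity");
  if (repo.contributors.length >= 3 && outsideRatio(repo.contributors) < 0.2) flags.push("low-diversity");
  const squat = typosquatOf(repo.name, knownPackages);
  if (squat) flags.push(`typosquat:${squat}`);
  if (starsPerDay(repo) > 50) flags.push("age-vs-popularity");
  return { badge: ["green", "yellow"][flags.length] ?? "red", flags };
}

// Constructed sample: 10-day-old repo named one swap from "lodash", 600 stars, 75% from fresh accounts.
const KNOWN = ["lodash", "express", "requests", "numpy"];
const suspicious = {
  name: "lodahs", ageDays: 10,
  stars: [...Array(600)].map((_, i) => ({ accountAgeDays: i < 450 ? 5 : 400 })),
  contributors: ["owner", "owner-2", "owner-3"].map((login) => ({ login, isMember: true })),
};
```

`assessRepo(suspicious, KNOWN)` returns a red badge with all four flags raised; a long-lived repo with outside contributors and an exact known name comes back green.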
Free browser extension with basic trust scores → build audience to 50K+ users → add 'RepoGuard for Teams' dashboard showing trust scores across all project dependencies ($50/mo) → add CI/CD GitHub Action that blocks PRs introducing low-trust dependencies ($15/dev/mo) → add continuous monitoring with Slack/email alerts when dependency trust scores drop ($200/mo team) → enterprise tier with custom policies, SSO, audit logs ($500+/mo)
3-4 months to first dollar. Month 1-2: ship free browser extension MVP, seed with HN/Reddit launch. Month 3: hit 10K+ installs, launch Pro tier with expanded analysis. Month 4: first paying users from power users and small teams. Month 6-8: first enterprise pilot. Expect <$1K MRR at month 4, $5-10K MRR by month 8 if execution is strong.
- “you can literally buy 500 github stars for $50 and suddenly your repo looks legit”
- “stars, forks, commit history, all of it can be faked for cheap”
- “someone misspells a dependency name in their requirements.txt and now they're running someone else's code”
- “i started checking contributor history and actual issue discussions before pulling anything new”
- “if a repo has 2k stars but zero real issues or PRs from outside contributors that's a huge red flag”