RepoShield
pricing · 49 live checks · tier-gated by depth, not safety

Free for the basics.
Paid for the depth.

Every scan includes the same risk scoring engine. Higher tiers unlock deeper analysis — sandbox tracing, git-history scans, policy engines — not better safety.

Free

32 checks
$0 forever

Solid for indie builders. The basic safety layer — always-on for public repos.

Start scanning →
  • 100 credits / day (full refill)
  • Up to 10 000 source files per scan
  • Every basic-tier check across 7 layers
  • Install-script & code-pattern checks
  • Typosquat + known-bad package DB
  • Shareable report URLs
  • Public CLI: npx shieldrepo <url>

Pro · most popular

14 checks
$9 per month

If you're serious about security. Deeper analysis, longer history, dependency intel.

Go Pro →
  • Everything in Free, plus
  • 1 000 credits / day
  • Private GitHub repos via OAuth
  • Full git-history secret scan
  • Transitive dependency audit (4+ levels)
  • DNS / env-exfil dataflow analysis
  • Cross-file behavior chain analysis
  • API access · longer retention

Maxx

6 checks
$29 per user / month

Everything in Pro, plus our secret check pack. Details kept internal so attackers can't build evasion.

Go Maxx →
  • Everything in Pro, plus
  • Effectively unlimited credits
  • Secret check pack (Maxx-only)
  • Workflow permission audit matrix
  • Auto-revocation playbooks for leaks
  • SSO, audit logs, RBAC
  • Slack / PagerDuty integrations
  • Priority support · SLA

Enterprise

6 checks
Contact us

Custom retention, on-prem scanner, white-label, dedicated triage. For org-wide rollouts.

Email sales →
  • Everything in Maxx, plus
  • Custom policy engine + JSON DSL
  • Self-hosted scanner option
  • Custom check pack tailored to your stack
  • Dedicated security engineer review
  • 99.9% SLA + named support contact
full check matrix

Every check, every tier

All 52 checks visible below are implemented or on the immediate roadmap. Severity and weight are fixed across tiers — what changes is the analysis depth. Maxx-tier secret checks intentionally appear without name or description — we keep those internal so attackers can't build evasion.

id · check · severity · weight · tier
(each check's description follows on the next line)

RS-001 · Repo Age & Activity · medium · +15 · free
  Flags repos less than 14 days old with install scripts. New repo + executable payload = classic npm supply chain pattern.

RS-002 · Star/Fork Anomaly · medium · +10 · free
  Detects inflated metrics — sudden star bursts, fork-to-star ratio mismatch, stars from zero-activity accounts (bought stars).

RS-003 · Contributor Trust Score · info · +5–20 · free
  Scores maintainers by account age, public contribution history, verified email, 2FA status. Solo new account = higher risk.

RS-006 · Release vs Code Mismatch · critical · +45 · pro
  Detects when the tagged release contains code not in any branch. xz-utils style attack where the published tarball differs from git source.

SC-001 · eval() / Function() Usage · critical · +25 · free
  Detects runtime code evaluation. Almost never legitimate in modern code. Used to hide payloads from static scanners.

SC-002 · child_process Shell Execution · critical · +30 · free
  Flags exec/spawn/execSync with dynamic or user-controlled arguments. Command injection + RCE vector.

SC-003 · Dynamic require() · medium · +15 · free
  require() with variable or template literal arguments. Used to load obfuscated modules at runtime.

SC-004 · Base64 Payload Detection · critical · +25 · free
  Finds base64 strings >500 chars, especially when paired with Buffer.from() + eval. Classic payload hiding.

SC-005 · Hex/Unicode Obfuscation · medium · +20 · free
  Detects strings built entirely from \x## or \u#### sequences — the classic 'hidden string' obfuscation trick.

SC-006 · Sensitive File Access · critical · +30 · free
  Flags fs reads of ~/.ssh, ~/.aws, ~/.env, browser cookie stores, wallet files, keychain paths.

EX-001 · Dangerous npm Lifecycle Scripts · critical · +30 · free
  Inspects preinstall/postinstall/prepare in package.json. Any shell command here is immediately suspicious.

EX-002 · curl | bash Patterns · critical · +40 · free
  Any variant of curl/wget piped to sh/bash/zsh — the single most abused malware delivery pattern.

EX-003 · Hidden node_modules Commit · critical · +35 · free
  node_modules committed to repo. Bypasses npm integrity checks and can contain modified package code.

EX-004 · Dockerfile Remote Execution · medium · +20 · free
  RUN curl|bash, ADD http://, or secret exfil via build args in Dockerfile.

EX-005 · Binary Executables in Repo · critical · +35 · pro
  Finds ELF/Mach-O/PE binaries. Almost never legitimate in a source repo. Often pre-compiled malware.

NW-001 · Hardcoded URL Extraction · medium · +10–40 · free
  Extracts all URLs from source. Compares against known-bad domain list + flags suspicious TLDs (.tk, .ml, free DDNS).

NW-002 · Raw IP Address Communication · medium · +20 · free
  Code talking to raw IPs instead of domains. Common evasion technique to avoid DNS-based blocking.

NW-003 · Environment Variable Exfiltration · critical · +45 · pro
  process.env access immediately followed by HTTP POST/fetch. Credential theft signature.

NW-005 · Webhook & Discord/Telegram Bots · critical · +40 · pro
  Flags hardcoded Discord/Telegram webhooks — popular C2 channels for low-effort malware.

DP-001 · Known Malicious Package DB · critical · +100 · free
  Cross-references package names against OSV, GitHub Advisory DB, npm security feed. Instant block for known bad.

DP-002 · Typosquatting Detection · critical · +40 · free
  Levenshtein distance against top 5000 npm packages. Catches 'lodahs', 'expresss', 'reakt' style attacks.

DP-003 · Very New Dependency · medium · +15 · free
  Flags packages published <30 days ago with <1000 downloads. Fresh packages are statistically most likely to be malicious.

DP-004 · Deep Transitive Dependency Scan · medium · +5–30 · pro
  Recursively scans full dependency tree (not just direct). Most malware hides 3-4 levels deep.

DP-005 · Maintainer Compromise Heuristics · critical · +55 · pro
  Flags when a long-dormant package is published by a new npm account within 24h — classic account takeover signature.

DP-007 · Publisher Provenance Regression · critical · +50 · free
  Catches the Axios-2026 attack signature: a package that previously published with OIDC + SLSA provenance suddenly publishes without it, or with a different maintainer email. Either signal alone is a five-alarm fire.

DP-006 · Package Lock Drift · medium · +20 · pro
  package-lock / pnpm-lock references registries, hashes, or tarball URLs that don't match the declared package sources.

NW-004 · DNS Over HTTPS Abuse · medium · +25 · pro
  Code routes traffic through DoH endpoints (cloudflare-dns, google, quad9) to evade DNS monitoring.

EX-006 · setup.py exec / install hooks · critical · +30 · free
  Arbitrary code inside setup.py / pyproject.toml that runs at pip install. The Python analogue of npm postinstall.

EX-007 · Advanced check — details withheld · critical · +0–80 · maxx
  Maxx-tier subscribers see the full description in their dashboard. Public docs deliberately omit it.

RS-004 · Account Takeover Indicators · critical · +60 · pro
  Detects force-push to default branch, email change in commit author, or new committer with admin rights in last 72h.

RS-005 · Recently Transferred Repo · medium · +20 · free
  Repo transferred to a new owner within 30 days. Common in typosquat / trust-transfer attacks.

RS-007 · Dependency Confusion Window · critical · +50 · maxx
  Public package name collides with an internal private org namespace — opens the door to dependency-confusion attacks.

SC-007 · Crypto-Stealer Heuristics · critical · +50 · free
  Patterns for wallet file access, MetaMask/Phantom store reads, clipboard hijack + address-regex replace.

SC-008 · Prototype Pollution Sinks · medium · +15 · pro
  Flags Object.assign / lodash merge / JSON.parse reviver patterns that taint Object.prototype.

SC-009 · Cross-File Behavior Chain Analysis · critical · +60 · maxx
  Correlates signals across files: env read → encrypt → fetch — detects multi-step exfil that single-file AST misses.

SC-010 · Anti-Analysis / Debugger Detection · medium · +20 · pro
  Code that alters behavior when a debugger is attached, or checks env like CI, NODE_INSPECT. Classic evasion.

SC-011 · TLS / Cert Validation Bypass · critical · +30 · free
  Detects code that disables TLS chain or hostname verification (rejectUnauthorized:false, NODE_TLS_REJECT_UNAUTHORIZED=0, verify=False). Lets a self-signed C2 cert MITM the connection.

SC-012 · Hardcoded Backdoor / Magic-String Auth · critical · +50 · free
  Catches `if (token === 'supersecret')`-style auth bypasses and undocumented `x-debug` / `x-admin` header gates that almost never appear in legit code.

NW-006 · Advanced check — details withheld · critical · +70 · maxx
  Maxx-tier subscribers see the full description in their dashboard. Public docs deliberately omit it.

NW-007 · Decentralized C2 / IPFS / ICP Canister Exfil · critical · +45 · free
  Detects calls to ICP canister endpoints (*.icp0.io, *.ic0.app, raw.icp.host), IPFS gateways (ipfs.io, pinata.cloud, w3s.link, dweb.link, etc.), and bare ICP canister IDs near network sinks. The defining exfil channel of 2025-2026 npm worms (CanisterWorm, Shai-Hulud variants).

SC-013 · npm Token Theft / Self-Propagating Worm · critical · +60 · free
  Catches the defining 2025-2026 attack pattern: code that reads `_authToken` out of `~/.npmrc`, runs `npm whoami` / `npm access ls-packages` to enumerate publishable packages, then spawns `npm publish` from runtime. Almost no legitimate package does any of these from runtime code.

CI-001 · Unpinned GitHub Actions · medium · +20 · free
  Actions referenced by tag (@v2) instead of SHA — a single upstream compromise can inject arbitrary code into CI.

CI-002 · pull_request_target Abuse · critical · +55 · free
  Workflows using pull_request_target with secrets + untrusted code checkout — a privileged RCE vector.

CI-003 · Over-Privileged Workflow Tokens · medium · +25 · free
  permissions: write-all or unscoped GITHUB_TOKEN — amplifies blast radius of any CI compromise.

CI-004 · Release Publishing Chain · medium · +0–40 · pro
  Who can push to npm/PyPI/crates? Are secrets scoped? This check maps the full publish trust chain.

CI-005 · Workflow Permission Audit Matrix · info · +0–30 · maxx
  Per-workflow, per-trigger permission matrix with diffs across the last 30 commits. Maxx tier only.

SK-001 · Committed .env / credentials files · critical · +40 · free
  Files named .env, credentials.json, service-account.json in the working tree. Instant leak signal.

SK-002 · Hardcoded API Keys · critical · +45 · free
  Provider-specific tokens (AWS AKIA, OpenAI sk-, Stripe sk_live, Google AIza…) in source.

SK-003 · Private Key Blocks · critical · +50 · free
  BEGIN RSA/OPENSSH/EC PRIVATE KEY blocks committed to source or release artifacts.

SK-004 · Git History Secret Scan · critical · +0–60 · pro
  Deep-scans every commit in history — secrets deleted in HEAD but still reachable via git log are still leaked.

SK-005 · High-Entropy String Clusters · medium · +15 · pro
  Catches unknown-format secrets by entropy + length + character-class mix, tuned to avoid base64 false positives.

SK-006 · Advanced check — details withheld · info · n/a · maxx
  Maxx-tier subscribers see the full description in their dashboard. Public docs deliberately omit it.
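To make the matrix concrete, here is an added illustration of how four of the free-tier checks above (EX-001 lifecycle scripts, CI-001 unpinned actions, DP-002 typosquatting, SC-004 base64 payloads) can be implemented and combined into the weighted-sum score the FAQ describes. This is example code written for this page, not RepoShield's own scanner: the check weights are taken from the matrix, but the "top 5000 packages" list is replaced by a five-name stand-in, the caution/danger thresholds are assumptions, and the package.json, workflow and source samples are constructed for the demo.

```python
# Example implementations of four RepoShield-style checks (not RepoShield's code).
# Weights come from the check matrix; thresholds, POPULAR list and samples are assumed.
import json
import re

SEVERITY = {"EX-001": ("critical", 30), "CI-001": ("medium", 20),
            "DP-002": ("critical", 40), "SC-004": ("critical", 25)}

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")                 # a pinned action ref is a full commit SHA
USES_RE = re.compile(r"uses:\s*([\w.\-/]+)@(\S+)")     # owner/repo@ref lines in a workflow
B64_RE = re.compile(r"[A-Za-z0-9+/]{500,}={0,2}")      # SC-004: base64 run longer than 500 chars
POPULAR = {"lodash", "express", "react", "axios", "chalk"}  # constructed stand-in for top-5000 list


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute) with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_lifecycle_scripts(pkg: dict) -> list:
    """EX-001: any command wired to an install-time hook is reported."""
    scripts = pkg.get("scripts", {})
    return [("EX-001", f"{hook}: {scripts[hook]}") for hook in LIFECYCLE_HOOKS if hook in scripts]


def check_unpinned_actions(workflow: str) -> list:
    """CI-001: a `uses:` ref that is a tag or branch instead of a 40-hex commit SHA."""
    return [("CI-001", f"{action}@{ref}") for action, ref in USES_RE.findall(workflow)
            if not SHA_RE.match(ref)]


def check_typosquat(name: str, popular=POPULAR, max_distance: int = 2) -> list:
    """DP-002: a near miss (distance 1..max_distance) of a popular name, exact hits excluded."""
    if name in popular:
        return []
    hits = [p for p in popular if 0 < levenshtein(name, p) <= max_distance]
    return [("DP-002", f"{name} ~ {p}") for p in sorted(hits)]


def check_base64_payload(source: str) -> list:
    """SC-004: base64 blobs over 500 chars, annotated when decode + eval share the file."""
    findings = []
    for m in B64_RE.finditer(source):
        note = f"{len(m.group(0))}-char base64 blob"
        if "Buffer.from(" in source and "eval(" in source:
            note += " with Buffer.from() + eval in same file"
        findings.append(("SC-004", note))
    return findings


def score(findings: list) -> dict:
    """Weighted sum of matched rules (deterministic, per the FAQ); thresholds are assumed."""
    total = sum(SEVERITY[fid][1] for fid, _ in findings)
    verdict = "danger" if total >= 60 else "caution" if total >= 25 else "ok"
    return {"score": total, "verdict": verdict, "findings": findings}


# --- constructed sample inputs -------------------------------------------------
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "lodahs",
    "scripts": {"postinstall": "node scripts/setup.js", "test": "jest"},
})
SAMPLE_WORKFLOW = (
    "steps:\n"
    "  - uses: actions/checkout@v4\n"                                            # tag: flagged
    "  - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567\n"   # placeholder SHA: ok
)
SAMPLE_SOURCE = 'const blob = "' + "A" * 600 + '";\neval(Buffer.from(blob, "base64").toString());\n'


def scan_sample() -> dict:
    """Run all four checks over the constructed samples and return the scored result."""
    pkg = json.loads(SAMPLE_PACKAGE_JSON)
    findings = (check_lifecycle_scripts(pkg) + check_unpinned_actions(SAMPLE_WORKFLOW)
                + check_typosquat(pkg["name"]) + check_base64_payload(SAMPLE_SOURCE))
    return score(findings)


if __name__ == "__main__":
    print(json.dumps(scan_sample(), indent=2))
```

On the constructed sample every check fires once (30 + 20 + 40 + 25 = 115, "danger"). The typosquat threshold of two edits is what catches 'lodahs' (a transposition costs two substitutions in plain Levenshtein) while still ignoring exact matches; a production list of five thousand names would want a length floor to keep very short package names from matching each other.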
faq

Questions we get a lot

Does RepoShield execute code from the repo?
Never on Free or Pro. Maxx's sandboxed install-behavior trace (when shipped) runs npm install inside an isolated microVM — your machine, our infra, nothing persists.
How accurate are the severity scores?
Scores are deterministic — built from a weighted sum of matched rules, not a black-box model. Every finding cites the exact file and line so you can verify.
Can I scan private repos on Free?
No. Private repos require Pro (OAuth-scoped to the specific repo) or Maxx (org-wide install with SSO).
Do you store my scan history?
Free scans expire after 24h unless you create an account. Pro and Maxx scans retain for 90 days and can be exported to JSON anytime.
What are the 'secret checks' on Maxx and Enterprise?
Sensitive detectors we keep internal so attackers can't build evasion. Maxx subscribers see the names in their dashboard; the public methodology page intentionally omits them. Enterprise customers can request a tailored pack under NDA.
Is there a CLI?
Yes — npx shieldrepo <repo-url>. Streams a verdict to your terminal in seconds, no install needed. Returns non-zero exit codes on caution / danger so you can wire it into CI.
How is this different from Snyk / Socket / Dependabot?
Those focus on known CVEs in published packages. RepoShield focuses on trust signals in the repo itself — install scripts, code patterns, maintainer behavior — before you even pull a dependency.