Free for public repositories. No account required.

Know if a GitHub repo is healthy before you depend on it.

Paste a URL. Get an instant health report covering security vulnerabilities, dependency freshness, maintenance signals, code quality, and license risk. Results in under 10 seconds. No setup. No account required.

  • No account required
  • GitHub API-powered, not guesswork
  • Direct from OSV vulnerability database
  • Shareable reports with a single link

Here is what a RepoLens health report looks like

example-project/cli-tool

TypeScript · 2.3k stars · 156 forks

SAMPLE REPORT: Good

Overall Health: 81 (B)

  • Security: 81
  • Dependencies: 74
  • Maintenance: 89
  • Code Quality: 82
  • Documentation: 71
  • License: 100

Critical Findings

  • MEDIUM: CVE-2024-21538 in cross-spawn@7.0.3 (Node.js argument injection). Fix: upgrade to 7.0.5.
  • WARNING: 6 npm packages are 1+ major versions behind. Review before next release.

Last Commit: 4 days ago
Dependencies: 47 packages
License: MIT

You're flying blind every time you add a new dependency.

Every week you evaluate open source libraries, inherit codebases, or review vendor software. You check the GitHub stars. Maybe you glance at the last commit date. Then you add it and hope for the best.


You ship CVEs you never knew about.

The average npm package has 79 transitive dependencies. You audited the one you installed. Nobody checked the 78 underneath it.


You get locked into unmaintained code.

43% of open source projects with over 1,000 stars have not had a commit in over 6 months. Stars don't expire. Maintenance does.


You discover the license problem in legal review.

GPL and AGPL licenses in your dependency tree are expensive surprises at Series B.

RepoLens closes the gap. One URL. One report. Under 10 seconds.

Six health dimensions. One score. Instant clarity.

RepoLens calls the GitHub API, OSV vulnerability database, and package registries simultaneously.

Security

30% of score

CVEs in direct and transitive dependencies, secret scanning alerts, security policy presence, and Dependabot configuration.

Example: 2 Critical CVEs in lodash@4.17.15. Fix: upgrade to 4.17.21.

Dependencies

25% of score

Outdated packages by major/minor/patch version gap, deprecated packages, unpinned wildcards across npm, PyPI, Cargo, and more.

Example: 14 dependencies behind by 1+ major versions. 3 deprecated packages.

Maintenance

20% of score

Last commit recency, 90-day commit frequency, open/closed issue ratio, PR merge time, release cadence, contributor diversity.

Example: Last commit 14 months ago. 73% of commits from one contributor.

Code Quality

15% of score

CI/CD pipeline presence and last run status, code scanning configuration, test directory detection, linter configuration.

Example: No test directory detected. CI workflows present but last 3 runs failed.

Documentation

7% of score

README length and quality, code examples, CHANGELOG, CONTRIBUTING guide, and API documentation directory.

Example: README exists but has no code examples or installation instructions.

License

3% of score

License detection, SPDX classification, risk tier assessment, and commercial use compatibility check.

Example: GPL-3.0 detected. Requires derivative works to also be GPL-licensed.
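The six weights above sum to 100, so the overall score behaves as a weighted mean of the dimension scores; the sample report's per-dimension numbers (81, 74, 89, 82, 71, 100) aggregate under those weights to 81, the headline score it shows. The Python below is an added illustration, not RepoLens's own code: it computes that weighted score and shows how a security finding like the sample's cross-spawn entry can be derived from an OSV lookup. The request body follows the real OSV `/v1/query` API, while the response document, the placeholder GHSA id, the affected range and the MODERATE-to-MEDIUM severity mapping are constructed assumptions.

```python
"""Added illustration (not RepoLens code): roll six dimension scores into one
weighted overall score, and turn an OSV query response into a report finding.
Weights and sample numbers come from the page; the OSV response is constructed."""

# Dimension weights exactly as listed on the page (percent of the overall score).
WEIGHTS = {
    "security": 30,
    "dependencies": 25,
    "maintenance": 20,
    "code_quality": 15,
    "documentation": 7,
    "license": 3,
}
assert sum(WEIGHTS.values()) == 100

# Assumed mapping from GHSA/OSV severity labels to the labels the sample report uses
# (OSV records say MODERATE where the report says MEDIUM).
SEVERITY_LABEL = {"LOW": "LOW", "MODERATE": "MEDIUM", "HIGH": "HIGH", "CRITICAL": "CRITICAL"}


def overall_score(scores):
    """Weighted mean of the six 0-100 dimension scores, rounded to an integer."""
    missing = set(WEIGHTS) - set(scores)
    if missing:
        raise ValueError(f"missing dimension scores: {sorted(missing)}")
    for name, value in scores.items():
        if not 0 <= value <= 100:
            raise ValueError(f"{name} score {value} is outside 0-100")
    weighted = sum(WEIGHTS[name] * scores[name] for name in WEIGHTS)
    return round(weighted / 100)


def osv_query(ecosystem, name, version):
    """Request body for POST https://api.osv.dev/v1/query (the real OSV API shape).
    OSV filters by version server-side, so every vuln it returns affects `version`."""
    return {"version": version, "package": {"name": name, "ecosystem": ecosystem}}


def fixed_version(vuln, ecosystem, name):
    """First 'fixed' event for this package in the vuln's affected ranges, or None."""
    for affected in vuln.get("affected", []):
        pkg = affected.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
            continue
        for rng in affected.get("ranges", []):
            for event in rng.get("events", []):
                if "fixed" in event:
                    return event["fixed"]
    return None


def findings_from_osv(response, ecosystem, name, version):
    """One report line per vulnerability in an OSV /v1/query response."""
    lines = []
    for vuln in response.get("vulns", []):
        # Show the CVE alias when there is one; OSV ids for npm are usually GHSA ids.
        cve = next((a for a in vuln.get("aliases", []) if a.startswith("CVE-")), vuln["id"])
        raw = vuln.get("database_specific", {}).get("severity", "").upper()
        severity = SEVERITY_LABEL.get(raw, "UNKNOWN")
        fix = fixed_version(vuln, ecosystem, name)
        remedy = f"Fix: upgrade to {fix}." if fix else "Fix: no patched release yet; pin and monitor."
        summary = vuln.get("summary", "no summary")
        lines.append(f"{severity} {cve} in {name}@{version} ({summary}). {remedy}")
    return lines


# Constructed sample response: the CVE id, package, versions and summary match the
# page's sample finding; the GHSA id is a placeholder and the range is assumed.
SAMPLE_OSV_RESPONSE = {
    "vulns": [
        {
            "id": "GHSA-xxxx-xxxx-xxxx",
            "aliases": ["CVE-2024-21538"],
            "summary": "Node.js argument injection",
            "database_specific": {"severity": "MODERATE"},
            "affected": [
                {
                    "package": {"ecosystem": "npm", "name": "cross-spawn"},
                    "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "7.0.5"}]}],
                }
            ],
        }
    ]
}

# Per-dimension scores from the page's sample report.
SAMPLE_SCORES = {"security": 81, "dependencies": 74, "maintenance": 89,
                 "code_quality": 82, "documentation": 71, "license": 100}

if __name__ == "__main__":
    print("Overall Health:", overall_score(SAMPLE_SCORES))
    for line in findings_from_osv(SAMPLE_OSV_RESPONSE, "npm", "cross-spawn", "7.0.3"):
        print(line)
```

Running the block prints the aggregated score of 81 and the single MEDIUM finding. The "fixed" event walk matters in practice: an OSV record with no fixed version means the only mitigation is pinning and monitoring, which the finding text reflects rather than silently suggesting an upgrade that does not exist.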

What developers and engineering managers say

“I evaluated 12 npm packages in the time it used to take me to manually check one. RepoLens showed me three of them had Critical CVEs I would have shipped without knowing.”

Sarah Chen

Senior Frontend Engineer

Fintech startup, 45-person eng team

“I run quarterly dependency reviews across our 23 internal repos. Before RepoLens, this took two days of manual work. Now it takes 20 minutes and I have charts showing the trend.”

Daniel Okafor

VP of Engineering

B2B SaaS company, Series B

“I maintain four open source libraries. The Slack alerts are the killer feature for me. I found out about a CVE in a transitive dependency within hours of publication.”

Marta Kowalski

Staff Engineer and OSS Maintainer

Independent

Built for the moments that matter most

Before Adding a Dependency

You're 20 minutes into researching a new library. Before you add it to package.json, paste the URL into RepoLens. In 10 seconds: CVEs? Maintained? License compatible? Full picture before you commit.

Quarterly Tech Debt Review

Your manager asked for a dependency health audit. In the old world: a week of manual work. With RepoLens: add repos to watchlist, run scans, export data, present trend charts. Done in an afternoon.

Evaluating Open Source Before Forking

Before committing to a multi-year maintenance obligation, RepoLens shows you current health, maintenance velocity, contributor diversity, and dependency landmines.

Due Diligence on Acquired Repos

Your company just acquired a startup. Technical due diligence requires a dependency and security audit. RepoLens gives you a quantified health score and prioritized findings in minutes.

Start free. Upgrade when you need more.

All the data you need to make smarter dependency decisions.

Free

$0 / forever

Everything you need to evaluate any public repository.

  • Public repository scans (5 per day)
  • Full 6-dimension health report
  • Dependency audit with version gaps
  • Security vulnerability scan (CVE list)
  • Code quality and maintenance signals
  • License risk check
  • README quality score
  • Shareable report URL
  • 24-hour report cache
Scan a Repo Now - No Account Required

Most Popular

Pro

$12 / month

Everything in Free, plus powerful monitoring.

  • Private repository scanning
  • Weekly automated rescans (every Monday)
  • Slack alerts for new CVEs (within 4 hours)
  • CI/CD health badge for your README
  • 12-week score trend tracking
  • Team dashboard (up to 10 members)
  • Watchlist of up to 50 repos
  • Monday email digest
  • Priority support
Start 14-Day Free Trial

No credit card required. Cancel anytime.

Common questions

Does RepoLens work on private repositories?

Yes, with a paid subscription. Connect your GitHub account with repository access permissions, and you can scan any private repo you have access to. Your private repo data is never shared or cached publicly.

How accurate is the CVE data?

RepoLens pulls vulnerability data directly from the Open Source Vulnerabilities (OSV) database, the same source used by GitHub's own Dependabot. OSV covers 22+ ecosystems and is maintained by Google. No proprietary heuristics - only published, verified CVEs.

What ecosystems does the dependency audit cover?

npm (Node.js), PyPI (Python), Maven (Java/Kotlin), Cargo (Rust), Go modules, RubyGems, and NuGet. For multi-language repos, we audit all detected ecosystems in a single scan.

Does scanning a repo count against my GitHub rate limits?

Not for you. RepoLens uses its own GitHub App credentials when scanning public repositories. Private repo scans use your delegated OAuth token, but each scan uses fewer than 20 API calls - negligible against GitHub's 15,000 req/hour limit.

How long does a scan take?

Under 10 seconds for the vast majority of repositories. Repos with unusually large dependency trees (200+ direct dependencies) may take 15-20 seconds. We run all API calls in parallel to keep scan time minimal.

Is the health score methodology documented?

Yes. The complete scoring algorithm - including weights, data sources, and the calculation for each signal - is fully documented. We want our scores to be auditable and explainable, not a black box.

What happens to my data if I cancel my subscription?

Your private repo reports are deleted within 30 days of cancellation. Public repo scan history is retained for 90 days. You can request immediate deletion at any time by emailing privacy@repolens.io.

Your next dependency audit starts with a URL.

Stop relying on star counts and gut instinct. Get a scored, shareable, actionable health report in 10 seconds. Free for public repos, always.

No account required. Results in under 10 seconds.