Try the scanner
Free
Run scans and read public campaign intelligence.
- 25 scans / month
- 1 API key
- Public candidate feed
- Static evidence reports
Pricing
Static package evidence, candidate context, and a low-friction API gate before suspicious dependencies reach production builds.
Try the scanner
Run scans and read public campaign intelligence.
Your first paid step
Gate one project's dependencies in CI — the low-cost on-ramp.
For a single team
Gate suspicious updates in CI before they hit your build.
For multi-repo workloads
Standardize release checks across many repositories.
For larger orgs
High-volume gating with priority support during load.
Platform-team scale
Volume scans, SSO, and a procurement-friendly contract.
What is a scan? One package version evaluated, e.g. [email protected]. Re-scans within 14 days are cached and free. A typical 200-dep repo on every PR uses ~50–200 scans per month.
Compare plans
| Feature | Free | Starter | Pro | Team | Scale | Enterprise |
|---|---|---|---|---|---|---|
| Static package scans / month | 25 | 150 | 1,500 | 5,000 | 25,000 | Custom |
| API keys | 1 | 3 | 10 | 25 | 100 | Unlimited |
| CI gate endpoint | Within quota | ✓ | ✓ | ✓ | ✓ | ✓ |
| Candidate campaign feed | Public only | Public only | Public + early alerts | Public + early alerts | Public + early alerts | Public + private alerts |
| Scan history retention | 30 days | 30 days | 90 days | 12 months | 12 months | Custom |
| SSO + SAML | — | — | — | — | ✓ | ✓ |
| Uptime SLA | — | — | — | — | — | By contract |
| Support | Community | Community | Priority email | Priority email | Slack + named contact |
Questions
One package version evaluated, e.g. [email protected]. Re-scans of the same package@version within 14 days are served from cache and don't count against your quota. A typical 200-dependency repo running on every PR uses 50 to 200 scans a month.
Every plan covers all nine ecosystems we support: npm, PyPI, RubyGems, Cargo, Maven, NuGet, Composer, Go, and Pub. The quota is shared across them. See /coverage for per-ecosystem corpus size.
By default the gate fails open: new dependencies it couldn't scan are flagged with a warning but the build still passes, so an exhausted quota never stops a deploy. Already-known dependencies keep being checked from cache. If you'd rather be strict, run the gate fail-closed and it will block any new dependency it couldn't scan — quota exhaustion included. Either way you can raise your quota in the dashboard without rotating API keys.
One CI gate token covers an entire pipeline — every PR and every engineer's builds run against the same plan, so a whole repo is protected by one membership. The Team and Scale plans add a shared workspace: invite unlimited teammates, assign owner/admin/member roles, and review an audit log of every change. Members share one quota, API keys, allowlist and watchlist — we bill per plan, not per seat. SSO and SAML (OIDC + SAML) are available on the Scale plan — an org owner configures the identity provider, verifies the email domain, and optionally enforces SSO under Settings → Single sign-on. Enterprise adds custom terms and a procurement review.
Yes — two months free on Pro and Team. Switch the billing toggle above the plans to Annual and start checkout at the annual price, or change an existing subscription anytime in your dashboard via Billing → Manage subscription (Stripe's secure portal). Enterprise is annual-only with custom terms.
The cached path (the common case) returns in under 200 ms. First-time scans of a brand-new release land in 1–3 seconds depending on artifact size. The gate can be configured to fail open on timeout, so transient slowness never blocks a deploy.
No. The CLI computes the dependency list on your side; only the resulting package@version strings are sent to PkgRadar. We never read your repository, your lockfile contents, or any local code.
Yes — in your dashboard, Billing → Manage subscription opens Stripe's portal where you can cancel or change plans yourself. Paid features stay active until the end of the current billing cycle. API keys keep working on the lower tier's monthly quota; we never silently disable them.