Try the scanner
Free
$0forever
Run scans and read public campaign intelligence.
- 25 scans / month
- 1 API key
- Public candidate feed
- Static evidence reports
Pricing
Start free. Add CI gates when package risk becomes real.
Static package evidence, candidate context, and a low-friction API gate before suspicious dependencies reach production builds.
Static analysis onlyNo install scripts runAPI + CI ready
Your first paid step
Starter
$12/ month
Gate one project's dependencies in CI — the low-cost on-ramp.
- 150 scans / month
- 3 API keys
- CI gate endpoint
- Static evidence reports
Most popular
For a single team
Pro
$39/ month
Gate suspicious updates in CI before they hit your build.
- 1,500 scans / month
- 10 API keys
- CI gate endpoint
- Early candidate alerts
For 5–20 engineers
Team
$99/ month
Standardise release checks across multiple repositories.
- 5,000 scans / month
- 25 API keys
- Audit log + private scan history
- Priority email support
For larger orgs
Scale
$299/ month
High-volume gating with priority during load and an SLA.
- 25,000 scans / month
- 100 API keys
- Priority during load + 4h SLA
- Private scan history + audit log
Platform-team scale
Enterprise
Customannual
Volume scans, SSO, SLA, and a procurement-friendly contract.
- Custom scan volume
- SSO + SAML
- Uptime SLA + status page
- Private package support
What is a scan? One package version evaluated, e.g. [email protected]. Re-scans within 24 h are cached and free. A typical 200-dep repo on every PR uses ~50–200 scans per month.
Cancel anytimeManage subscription through Stripe.No card on FreeSign in with email, scan packages immediately.Static only · no code executionNo install scripts run, no lifecycle hooks, no sandboxing — any ecosystem.
Compare plans
What you actually get at each tier
| Feature | Free | Starter | Pro | Team | Scale | Enterprise |
|---|---|---|---|---|---|---|
| Static package scans / month | 25 | 150 | 1,500 | 5,000 | 25,000 | Custom |
| API keys | 1 | 3 | 10 | 25 | 100 | Unlimited |
| CI gate endpoint | — | ✓ | ✓ | ✓ | ✓ | ✓ |
| Candidate campaign feed | Public only | Public only | Public + early alerts | Public + early alerts | Public + early alerts | Public + private alerts |
| Scan history retention | 30 days | 30 days | 90 days | 12 months | 12 months | Custom |
| Audit log | — | — | — | ✓ | ✓ | ✓ |
| SSO + SAML | — | — | — | — | — | ✓ |
| Uptime SLA | — | — | — | — | ✓ | ✓ |
| Support | Community | Community | Priority email | Priority email | Slack + named contact |
Questions
Common pricing questions
What counts as a scan?
One package version evaluated, e.g. [email protected]. Re-scans of the same package@version within 24 hours are served from cache and don't count against your quota. A typical 200-dependency repo running on every PR uses 50 to 200 scans a month.
Which ecosystems does my plan cover?
Every plan covers all nine ecosystems we support: npm, PyPI, RubyGems, Cargo, Maven, NuGet, Composer, Go, and Pub. The quota is shared across them. See /coverage for per-ecosystem corpus size.
What happens if I hit my monthly scan limit?
Scans return a 429 with a retry-after window. The CI gate is configurable to fail open with a warning rather than block builds, so an exhausted quota never stops a deploy. You can upgrade in the dashboard without rotating API keys.
Can my whole team share one plan?
Yes. Plans are workspace-level — invite the rest of your team, share API keys, and the scan quota applies to the workspace. Team adds an audit log; Enterprise adds SSO/SAML and per-user identity.
Do you offer annual billing?
Yes. Switch from monthly to annual in Stripe's billing portal for two months free on Pro and Team. Enterprise is annual-only with custom terms.
Does the CI gate slow down my builds?
The cached path (the common case) returns in under 200 ms. First-time scans of a brand-new release land in 1–3 seconds depending on artifact size. The gate can be configured to fail open on timeout, so transient slowness never blocks a deploy.
Do you need access to my source code or lockfile?
No. The CLI computes the dependency list on your side; only the resulting package@version strings are sent to PkgRadar. We never read your repository, your lockfile contents, or any local code.
Can I cancel or downgrade anytime?
Yes, through Stripe's portal. Paid features stay active until the end of the current billing cycle. API keys keep working on the lower tier's monthly quota; we never silently disable them.