PkgRadar

Pricing

Start free. Add CI gates when package risk becomes real.

Static package evidence, candidate context, and a low-friction API gate before suspicious dependencies reach production builds.

9 ecosystemsPre-merge CI gateAPI + CI ready

Try the scanner

Free

$0forever

Run scans and read public campaign intelligence.

  • 25 scans / month
  • 1 API key
  • Public candidate feed
  • Static evidence reports

Your first paid step

Starter

$12/ month

Gate one project's dependencies in CI — the low-cost on-ramp.

  • 150 scans / month
  • 3 API keys
  • CI gate endpoint
  • Static evidence reports

For multi-repo workloads

Team

$99/ month

Standardize release checks across many repositories.

  • 5,000 scans / month
  • Team workspace — unlimited members
  • Roles + audit log
  • 25 API keys
  • 12-month history retention
  • Priority email support

For larger orgs

Scale

$299/ month

High-volume gating with priority support during load.

  • 25,000 scans / month
  • Team workspace — unlimited members
  • Roles + audit log
  • SSO / SAML (OIDC + SAML)
  • 100 API keys
  • Priority support during load
  • 12-month history retention

Platform-team scale

Enterprise

Customannual

Volume scans, SSO, and a procurement-friendly contract.

  • Custom scan volume
  • SSO/SAML on request
  • Status page + custom terms
  • Private package support

What is a scan? One package version evaluated, e.g. [email protected]. Re-scans within 14 days are cached and free. A typical 200-dep repo on every PR uses ~50–200 scans per month.

Cancel anytimeManage subscription through Stripe.No card on FreeSign in with email, scan packages immediately.No source access neededOnly package@version strings are sent — never your repo or lockfile contents.

Compare plans

What you actually get at each tier

FeatureFreeStarterProTeamScaleEnterprise
Static package scans / month251501,5005,00025,000Custom
API keys131025100Unlimited
CI gate endpointWithin quota
Candidate campaign feedPublic onlyPublic onlyPublic + early alertsPublic + early alertsPublic + early alertsPublic + private alerts
Scan history retention30 days30 days90 days12 months12 monthsCustom
SSO + SAML
Uptime SLABy contract
SupportCommunityCommunityEmailPriority emailPriority emailSlack + named contact

Questions

Common pricing questions

What counts as a scan?

One package version evaluated, e.g. [email protected]. Re-scans of the same package@version within 14 days are served from cache and don't count against your quota. A typical 200-dependency repo running on every PR uses 50 to 200 scans a month.

Which ecosystems does my plan cover?

Every plan covers all nine ecosystems we support: npm, PyPI, RubyGems, Cargo, Maven, NuGet, Composer, Go, and Pub. The quota is shared across them. See /coverage for per-ecosystem corpus size.

What happens if I hit my monthly scan limit?

By default the gate fails open: new dependencies it couldn't scan are flagged with a warning but the build still passes, so an exhausted quota never stops a deploy. Already-known dependencies keep being checked from cache. If you'd rather be strict, run the gate fail-closed and it will block any new dependency it couldn't scan — quota exhaustion included. Either way you can raise your quota in the dashboard without rotating API keys.

Can my whole team share one plan?

One CI gate token covers an entire pipeline — every PR and every engineer's builds run against the same plan, so a whole repo is protected by one membership. The Team and Scale plans add a shared workspace: invite unlimited teammates, assign owner/admin/member roles, and review an audit log of every change. Members share one quota, API keys, allowlist and watchlist — we bill per plan, not per seat. SSO and SAML (OIDC + SAML) are available on the Scale plan — an org owner configures the identity provider, verifies the email domain, and optionally enforces SSO under Settings → Single sign-on. Enterprise adds custom terms and a procurement review.

Do you offer annual billing?

Yes — two months free on Pro and Team. Switch the billing toggle above the plans to Annual and start checkout at the annual price, or change an existing subscription anytime in your dashboard via Billing → Manage subscription (Stripe's secure portal). Enterprise is annual-only with custom terms.

Does the CI gate slow down my builds?

The cached path (the common case) returns in under 200 ms. First-time scans of a brand-new release land in 1–3 seconds depending on artifact size. The gate can be configured to fail open on timeout, so transient slowness never blocks a deploy.

Do you need access to my source code or lockfile?

No. The CLI computes the dependency list on your side; only the resulting package@version strings are sent to PkgRadar. We never read your repository, your lockfile contents, or any local code.

Can I cancel or downgrade anytime?

Yes — in your dashboard, Billing → Manage subscription opens Stripe's portal where you can cancel or change plans yourself. Paid features stay active until the end of the current billing cycle. API keys keep working on the lower tier's monthly quota; we never silently disable them.