IS THIS GITHUB REPO SAFE TO INSTALL?
Add scanmyvibe.co/ in front of any GitHub URL. Get a verdict, score, and historical incidents in 3 seconds.
No signup. No API key. Free for any public repo.
Two characters, one verdict
01
COPY ANY GITHUB URL
github.com/facebook/react — works for any public repo, organisation or user.
02
PREFIX WITH SCANMYVIBE.CO/
scanmyvibe.co/github.com/facebook/react — paste in your browser, hit enter.
03
READ THE VERDICT
CLEAN, CAUTION, or COMPROMISED — with score /100, signals, and incident history.
Try a few
CVE-2024-3094 backdoor in xz-utils
scanmyvibe.co/github.com/tukaani-project/xz
March 2025 supply-chain attack
scanmyvibe.co/github.com/tj-actions/changed-files
Maintained, no known incidents
scanmyvibe.co/github.com/facebook/react
Maintained, no known incidents
scanmyvibe.co/github.com/vercel/next.js
Past npm token compromise
scanmyvibe.co/github.com/eslint/eslint
Active maintainers, audited releases
scanmyvibe.co/github.com/oven-sh/bun
8 supply-chain signals
Repository status
Archived, disabled, or deleted repos are flagged as compromised.
Maintainer activity
Recent commits, last push date, and abandoned-project detection.
Open security advisories
Live GitHub Security Advisories cross-referenced with CVE database.
Known incident database
Curated history of supply-chain attacks: xz, event-stream, ua-parser-js, tj-actions, Codecov, and 50+ more.
License presence
Missing license = legal risk for production use.
Star-to-fork ratio
Detects brand-new or low-trust repos pretending to be popular.
Stars vs age
Flags suspiciously fast-growing repos or stagnant ones.
Open-issue volume
Large unresolved issue backlog signals abandoned maintenance.
Reports are cached for 24 hours. We query the GitHub public API and our curated incident database — no repository code is downloaded or scanned. For deep code scanning, see Snyk or Socket.
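The eight signals above are all derived from repository metadata rather than code, so they can be reproduced from a single GitHub REST API response. The block below is an added illustration, not scanmyvibe.co's own scoring: it takes a dict shaped like `GET /repos/{owner}/{repo}` (real field names such as `archived`, `pushed_at`, `stargazers_count`), an advisory count, and a list of known incidents, and turns them into a CLEAN / CAUTION / COMPROMISED verdict with a score out of 100. Every threshold and weight is an assumption chosen for the example; the three sample repositories and the fixed clock are constructed.

```python
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is reproducible offline (constructed).
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse the ISO-8601 timestamps the GitHub REST API returns (e.g. pushed_at)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate_signals(repo, open_advisories, incidents, now=NOW):
    """Score a repository from metadata alone.

    repo            -- dict shaped like GitHub's GET /repos/{owner}/{repo} response
    open_advisories -- number of open GitHub Security Advisories for the repo
    incidents       -- list of known supply-chain incidents from a curated database
    Returns (verdict, score, signals). Thresholds and weights are assumptions.
    """
    signals, score, hard_fail = [], 100, False

    # 1. Repository status: archived/disabled is a hard fail (a deleted repo
    #    never reaches this point, because the API answers 404).
    if repo.get("archived") or repo.get("disabled"):
        signals.append("repository is archived or disabled")
        hard_fail = True

    # 2. Maintainer activity: nothing pushed for a year suggests abandonment.
    if now - parse_ts(repo["pushed_at"]) > timedelta(days=365):
        signals.append("no push in over a year")
        score -= 25

    # 3. Open security advisories, capped so one busy repo cannot zero itself out.
    if open_advisories:
        signals.append(f"{open_advisories} open security advisories")
        score -= min(15 * open_advisories, 45)

    # 4. Known incident database: a past incident is a strong caution,
    #    not proof of current compromise.
    if incidents:
        signals.append("known supply-chain incident: " + "; ".join(incidents))
        score -= 30

    # 5. License presence.
    if not repo.get("license"):
        signals.append("no license")
        score -= 10

    stars = repo.get("stargazers_count", 0)
    forks = repo.get("forks_count", 0)
    age_days = max((now - parse_ts(repo["created_at"])).days, 1)

    # 6. Star-to-fork ratio: genuine adoption brings forks; bought stars do not.
    if stars >= 100 and (forks == 0 or stars / forks > 50):
        signals.append(f"star-to-fork ratio {stars}:{forks} looks inflated")
        score -= 15

    # 7. Stars vs age: thousands of stars in the first month, or almost none after years.
    if age_days < 30 and stars > 1000:
        signals.append(f"{stars} stars after only {age_days} days")
        score -= 20
    elif age_days > 3 * 365 and stars < 10:
        signals.append("stagnant: under 10 stars after three years")
        score -= 5

    # 8. Open-issue volume relative to popularity.
    issues = repo.get("open_issues_count", 0)
    if issues > 500 and issues * 10 > stars:
        signals.append(f"{issues} open issues for {stars} stars")
        score -= 10

    score = max(score, 0)
    if hard_fail:
        return "COMPROMISED", min(score, 10), signals
    if score >= 70:
        return "CLEAN", score, signals
    if score >= 40:
        return "CAUTION", score, signals
    return "COMPROMISED", score, signals


# Constructed sample repositories (not real GitHub data).
HEALTHY = {"archived": False, "disabled": False, "pushed_at": "2025-05-20T00:00:00Z",
           "created_at": "2018-01-01T00:00:00Z", "license": {"spdx_id": "MIT"},
           "stargazers_count": 25000, "forks_count": 3000, "open_issues_count": 400}
ARCHIVED = {"archived": True, "disabled": False, "pushed_at": "2022-01-01T00:00:00Z",
            "created_at": "2015-06-01T00:00:00Z", "license": {"spdx_id": "MIT"},
            "stargazers_count": 5000, "forks_count": 800, "open_issues_count": 600}
INFLATED = {"archived": False, "disabled": False, "pushed_at": "2025-05-30T00:00:00Z",
            "created_at": "2025-05-15T00:00:00Z", "license": None,
            "stargazers_count": 3000, "forks_count": 2, "open_issues_count": 3}

if __name__ == "__main__":
    print(evaluate_signals(HEALTHY, 0, []))
    print(evaluate_signals(ARCHIVED, 1, ["2021 maintainer token theft (constructed)"]))
    print(evaluate_signals(INFLATED, 0, []))
```

The archived-repository rule is deliberately a hard fail, matching the page's "flagged as compromised" wording, while a past incident only subtracts points: a repo that was attacked years ago and has since rotated credentials should land in CAUTION, where a human decides, rather than being auto-blocked forever.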
When to use it
BEFORE NPM INSTALL
About to add a new package? Check the upstream repo before it lands in your lockfile.
BEFORE COPY-PASTING A GITHUB ACTION
Most supply-chain attacks of 2024-2025 came through compromised GitHub Actions. Verify first.
BEFORE INSTALLING A VS CODE EXTENSION
Many extensions link to GitHub repos. A 2-second check prevents weeks of damage.
BEFORE ONBOARDING A CONTRACTOR
Audit the repos they want to bring into your codebase.
IN A SECURITY REVIEW
Drop-in URL for any repo dependency in a Notion / Linear / Confluence security audit.
Common questions
DO YOU DOWNLOAD THE REPO CODE?
No. We only query the GitHub public API for metadata and advisories, then cross-reference our incident database. No code download, no dependency tree analysis. Lightweight, fast, free.
IS THIS A SUBSTITUTE FOR SNYK / SOCKET / DEPENDABOT?
No — those are deep dependency scanners. We are a fast supply-chain triage layer: in 3 seconds you know if a repo is known-bad before it ever enters your dependency tree.
WHAT ABOUT PRIVATE REPOS?
Private repos return 404. The public-only design means there is no auth, no setup, and the URL trick works as a shareable link in any chat.
HOW OFTEN IS THE INCIDENT DATABASE UPDATED?
Continuously. New supply-chain attacks are added within hours of public disclosure. Reports are cached 24h to keep responses fast.
CAN I EMBED THIS IN MY CI?
Yes — use the JSON endpoint at /api/repo-scan?owner=X&repo=Y or any of the URL variants. Returns the same verdict + score + signals as the page.
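A minimal CI gate around that endpoint, added here as an example rather than anything shipped by scanmyvibe.co: it fetches `/api/repo-scan?owner=X&repo=Y`, then fails the job on a COMPROMISED verdict or a low score. The page only says the response carries the verdict, score and signals, so the JSON field names `verdict` and `score`, the exit-code policy, and the constructed sample report are all assumptions; adjust the field names once you have inspected a real response.

```python
import json
import sys
import urllib.error
import urllib.request

API = "https://scanmyvibe.co/api/repo-scan"  # endpoint named on the page


def fetch_report(owner, repo, timeout=10):
    """Call the JSON endpoint and return the parsed report (network access required)."""
    url = f"{API}?owner={owner}&repo={repo}"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def gate(report, fail_on=("COMPROMISED",), min_score=40):
    """Decide whether a report should pass CI.

    Returns (ok, reason). 'verdict' and 'score' are assumed field names.
    """
    verdict = report.get("verdict")
    score = report.get("score")
    if verdict in fail_on:
        return False, f"verdict {verdict}"
    if isinstance(score, (int, float)) and score < min_score:
        return False, f"score {score} below {min_score} (verdict {verdict})"
    return True, f"verdict {verdict}, score {score}"


# Constructed sample response, shaped as this example assumes the endpoint replies.
SAMPLE_REPORT = {"verdict": "CAUTION", "score": 55,
                 "signals": ["no license", "star-to-fork ratio 3000:2 looks inflated"]}

if __name__ == "__main__":
    # Usage: python gate.py <owner> <repo>
    owner, repo = sys.argv[1:3]
    try:
        ok, reason = gate(fetch_report(owner, repo))
    except (urllib.error.URLError, json.JSONDecodeError) as exc:
        # Lookup failure is distinct from a bad verdict: exit 2 so the pipeline
        # can choose to warn rather than block when the service is unreachable.
        print(f"scan unavailable: {exc}")
        sys.exit(2)
    print(reason)
    sys.exit(0 if ok else 1)
```

Because reports are cached for 24 hours, a pipeline that runs this on every commit costs little; the distinct exit code for "scan unavailable" keeps an outage of the service from being mistaken for a clean result.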