Pricing

Free for devs.
$15/mo for builders. $29/mo for teams.

The CLI, web audit, and single-package API are free forever. Developer ($15/mo) adds batch scanning and CI/CD automation for builders. Pro ($29/mo) adds team-scale monitoring and alerts — priced per project, not per seat. A 50-person team pays the same as a 5-person team.


Four attacks. Each one readable beforehand — by a different behavioral signal.

LiteLLM

Backdoored CI pipeline. 1 npm publisher, 4M+ weekly downloads. Commit score: CRITICAL before the incident.

axios

Stolen npm credentials. 1 publisher, 99M weekly downloads, OpenSSF Scorecard 8.1/10. Commit score: CRITICAL.

Shai-Hulud

Self-replicating worm. 637 package versions in 39 minutes. Installed Claude Code & VS Code persistence hooks. Two OpenAI devices affected.

Mastra

Dormant publisher hijack. 141 packages across @mastra/*, ~8M weekly downloads, 88 minutes. The injected typosquat easy-day-js scored 30 — its target dayjs scored 90. Read the analysis.

npm audit flagged none of these beforehand. Behavioral signals flagged all of them. Monitoring catches score changes before the next one reaches your tree.


Maintainers are moving. The detector confirms it live.

PostCSS creator Andrey Sitnik moved nanoid and nanospy to Staged Publishing on June 19. Hono creator Yusuke Wada merged it into Hono on June 22 — four days later. preact shipped the same hardening earlier without announcement. Four packages, ~290M combined weekly downloads, all verified by our detector.

"I already moved nanoid and nanospy to the new process, we can test them." — Andrey Sitnik, PostCSS creator · postcss/postcss#2096 · June 2026

Verify it yourself: scan nanoid · scan hono · scan preact · scan postcss (PostCSS itself is in flight — "in a week or two", per the thread; see hono#5035 for Hono's adoption). Monitoring flags when each promotes from stage to latest. The score moves before the install does.


Open
Free forever

Individual developers, open source maintainers, evaluators.

Get Started →
  • CLI (npx proof-of-commitment)
  • Web audit tool
  • Single-package API — 200 req/day with free API key
  • README badges (unlimited)
  • GitHub Action — 1 repo, manual trigger
  • MCP server (remote HTTP, unlimited with free API key)
  • Dependency monitoring — 3 packages, weekly digest
  • Full score breakdown + risk flags
Developer (new)
$15 / month

Builders, open source maintainers, dev-stage projects wanting automation without team overhead.

30-day money-back guarantee. Cancel anytime, no contract.

  • Everything in Open
  • Single-package API — 1,000 req/day (5× free)
  • Batch API (up to 5 packages) — 2,000 req/month
  • GitHub repo audit — 50 req/month
  • GitHub Action — unlimited repos, auto-trigger on PR
  • Dependency monitoring — 15 packages (5× free), daily scans
  • Instant email alerts (vs free weekly digest)
  • Historical score data — 30 days
  • 1 API key
  • MCP server (remote HTTP mode)
Pro
$29 / month

Small teams, indie devs with multiple projects, security-conscious startups.

30-day money-back guarantee. Cancel anytime, no contract.

  • Everything in Open
  • Batch API (up to 20 packages) — 10,000 req/month
  • GitHub repo audit — 500 req/month
  • Dependency graph analysis — 200 req/month
  • GitHub Action — unlimited repos, auto-trigger on PR
  • Dependency monitoring — 10 projects, daily scans
  • Alert webhooks (Slack, email, custom URL)
  • Historical score data — 90 days
  • 2 API keys
  • MCP server (remote HTTP mode)
  • Priority badge CDN (<500ms cache)
Enterprise
$199 / month

Mid-market companies, compliance-driven orgs, platform teams.

Contact Us →
  • Everything in Pro
  • Batch API — unlimited
  • Dependency monitoring — unlimited projects, hourly scans
  • Historical score data — 1 year
  • SBOM import/export (CycloneDX, SPDX)
  • Custom risk thresholds per org
  • SSO / SAML
  • 99.9% uptime SLA
  • Quarterly compliance reports (SOC 2 narrative)
  • Dedicated Slack Connect or email support
  • On-prem scoring engine (add-on)
Cancel anytime — no lock-in · 30-day money-back guarantee · Secure checkout via Stripe

Open source CLI and web audit are free forever. Paid tiers add batch API, CI automation, and monitoring. Start free, upgrade when your pipeline needs it.

Get your free API key

Free tier: 200 req/day, no credit card required. Your key appears on this page in seconds — paid tiers ($15+/mo) work the same way.

Get your API key →

Per-seat pricing doesn't scale. Ours does.

Socket and Snyk charge per developer — the cost compounds as your team grows. Commit is priced per project. A 50-person team pays the same as a 5-person team.

| Team size / scenario | Socket.dev | Snyk | Commit |
|---|---|---|---|
| Solo dev / OSS maintainer building integrations | $25/mo (Team min) | $25/mo (Team min) | $15/mo (Developer tier) |
| 5-dev startup, 10 projects | $125/mo | $125/mo | $29/mo (77% cheaper) |
| 15-dev team, 20 projects | $750/mo | $1,575/mo | $29/mo (96% cheaper) |
| 50-dev company, 50 projects | $2,500/mo | $5,250/mo | $199/mo (92% cheaper) |

Socket Team at $25/dev/mo · Snyk Team at $25/dev/mo, Ignite at $105/dev/mo · Commit Developer $15/mo for solo builders · Commit Pro flat $29/mo regardless of team size. Socket and Snyk are excellent tools — they're just priced for a different model.

vs. token-based scanners

ArgusRed & Semgrep scan your code. Commit monitors your imports.

ArgusRed / Semgrep (token-based)
  • Free tier requires account signup for tokens
  • 10 repos quarterly: ~$400/year (estimated)
  • Daily CI: token burn scales with codebase size
  • Scans code you wrote — not supply chain risk
  • Point-in-time — miss changes between scans
Commit (flat monitoring)
  • Free tier: 200 API calls/day, instant key, no signup
  • 10 repos continuously: $29/mo = $348/year
  • Daily CI: same flat rate regardless of frequency
  • Monitors deps you import — supply chain risk
  • Alerts fire when a trusted package degrades

Different tools, different attack surfaces. Use ArgusRed/Semgrep for your own code; use Commit for your dependency graph. Full comparison →


Frequently asked

What's the difference between Developer and Pro?

Developer ($15/mo) is for builders: you get 5× more API requests than free, batch scanning for up to 5 packages at once, GitHub Action auto-triggers on PR, and monitoring for 15 packages (5× the free-tier weekly digest) with daily scans + instant email alerts the moment any score drops a tier. It's the right tier when you're building something with Commit's API but aren't yet running team-scale pipelines.

Pro ($29/mo) is for teams in production: 10,000 requests/month (pooled), batch up to 20 packages, 10 monitored projects, Slack/webhook alerts, 90-day history, and priority badge CDN. If you're integrating into a team CI/CD pipeline, Pro is the right tier.

Why per-project, not per-seat?

Per-seat pricing is standard in security SaaS because it's easy to enforce — SSO gives you headcount. But it creates perverse incentives: teams avoid adding contributors to save costs, and security coverage gets gaps.

Commit's data comes from public registries — we don't touch your code, so we don't need to count seats. Per-project pricing aligns cost with value: you pay for what you monitor, not for who's on your team. A growing team shouldn't cost more for the same security coverage. That's the structural advantage of being metadata-only.

Is Commit replacing Socket or Snyk?

No. Use all of them. Socket detects malicious code after it's published. Snyk finds known CVEs. Commit identifies structural exposure before any code changes — it maps which packages are the kind of thing that gets targeted. The ua-parser-js attack (October 2021, ~8M weekly downloads, one maintainer) triggered zero warnings in Socket or Snyk beforehand. The same structural pattern — concentrated publish authority over a high-volume install base — flagged axios CRITICAL months before its March 2026 credential-theft incident.

How does Commit compare to automated code scanners like Semgrep or ArgusRed?

They answer different questions. Automated code scanners (Semgrep, ArgusRed, CodeQL) search your own source code for exploitable vulnerabilities — they run after you've written the code. Commit audits the packages you depend on, before they enter your codebase.

The relevant sequence: Commit flags a dependency as CRITICAL in your PR review → you reject the import → there's nothing for a code scanner to find later. If you skip the supply-chain check, the best a scanner can do is find the exploit after you've already shipped the risky dependency to production.

Pricing model also differs. Token-based scanners cost more as you scan more repos more often. Commit is flat per project — continuous monitoring included at every tier, regardless of how frequently packages change. Use both approaches if your budget allows; if you're prioritising, supply-chain exposure is where most real-world package-level incidents originate.

What counts as a "project" for Pro monitoring?

A project is a dependency manifest you want Commit to monitor continuously — typically a package.json or GitHub repository. Pro covers 10 projects with daily scans. Enterprise covers unlimited projects with hourly scans. Single-package audits via the API don't count toward your project limit.

Is the CLI really free forever?

Yes. The CLI (npx proof-of-commitment), the scoring algorithm, and the web audit tool are MIT-licensed and free forever. Security tools that hide their methodology are asking for blind trust — that's not how we want to operate. The value in Pro and Enterprise isn't the algorithm (it's public) — it's the infrastructure: monitoring, alerts, historical data, and CI/CD integration.

What's the API rate limit on the free tier?

Free tier: 200 single-package requests per day with a free API key (instant signup at /get-started, no card). Anonymous (no key): 15/day per IP — kept tight because corporate NAT, CGN, and CI runners share IPs. Batch requests (up to 5 packages) come with Developer ($15/mo); up to 20 packages with Pro ($29/mo). If you hit the limit, the API returns HTTP 429 with a Retry-After header and an upgrade link.


Start with the free audit

Paste your dependencies. See which packages are structurally exposed. No account required.

Run a free audit →

Didn't upgrade. Why? Email pico@amdal.dev — I'm trying to figure out what's missing. One sentence is enough.