Commit is a supply-chain trust scoring tool for the npm, PyPI, Cargo, and Go ecosystems. Rather than focusing on CVEs or known vulnerabilities, it analyzes behavioral signals such as publisher depth, release consistency, maintenance patterns, package age, and download trends to surface structural exposure, for example a package with a single publisher but massive download volume. Positioned this way, it is more of an early risk radar that sits upstream of tools like npm audit, Snyk, and Socket.
Commit offers a wide range of entry points. The CLI can be run with no installation via npx proof-of-commitment, and it automatically detects package.json, lockfiles, requirements.txt, Cargo.toml, and go.mod. The GitHub Action can post an audit table as a PR comment and block merges based on a CRITICAL threshold. Cursor and Claude Code hooks can score dependencies before they are installed. The REST API, MCP server, and README badge are suited to embedding in scripts, agents, and documentation. The API docs cover endpoints for auditing packages, auditing GitHub repositories, npm dependency graphs, and badges, with examples in curl, Node, and Python.
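To make the behavioral signals described above and the CRITICAL merge gate concrete, here is an added illustrative example in Python. It is not Commit's code or its scoring algorithm; the flag names, thresholds, weights, field names and sample packages are all constructed for this example, and a real pipeline would fill the metadata from registry APIs.

```python
from dataclasses import dataclass
from statistics import median

LEVELS = ["LOW", "MEDIUM", "HIGH", "CRITICAL"]
WEIGHTS = {"single-publisher-high-volume": 2, "young-high-volume": 2,
           "stale": 1, "release-burst": 1}   # illustrative weights, not Commit's

@dataclass
class PackageSignals:
    # Constructed registry metadata; the field names are this example's own.
    name: str
    publishers: int            # distinct accounts that have published a release
    weekly_downloads: int
    age_days: int
    days_since_release: int
    release_gaps_days: list    # days between consecutive releases, oldest first

def exposure_flags(pkg):
    """Structural-exposure flags that fire for one package (thresholds are illustrative)."""
    flags = []
    if pkg.publishers == 1 and pkg.weekly_downloads >= 1_000_000:
        flags.append("single-publisher-high-volume")  # one account controls a hot package
    if pkg.age_days < 90 and pkg.weekly_downloads >= 100_000:
        flags.append("young-high-volume")             # popularity arrived faster than scrutiny
    if pkg.days_since_release > 730:
        flags.append("stale")                         # no release in two years
    gaps = pkg.release_gaps_days
    if len(gaps) >= 3 and gaps[-1] < median(gaps) / 10:
        flags.append("release-burst")                 # latest release far off the usual cadence
    return flags

def exposure_level(flags):
    """Sum the flag weights and cap the result at CRITICAL."""
    return LEVELS[min(sum(WEIGHTS[f] for f in flags), len(LEVELS) - 1)]

def audit(packages):
    """Package name -> level, the shape a PR comment table would be built from."""
    return {p.name: exposure_level(exposure_flags(p)) for p in packages}

def should_block(report, threshold="CRITICAL"):
    """Names at or above the threshold; a non-empty list fails the CI gate."""
    floor = LEVELS.index(threshold)
    return [n for n, lvl in report.items() if LEVELS.index(lvl) >= floor]

# Constructed sample packages (names are invented).
SAMPLE = [
    PackageSignals("hot-solo", 1, 5_000_000, 2000, 900, [30, 45, 60, 40]),
    PackageSignals("well-run", 4, 2_000_000, 3000, 20, [30, 28, 35, 31]),
    PackageSignals("newcomer", 1, 250_000, 40, 1, [10, 12, 9]),
]

if __name__ == "__main__":
    print(audit(SAMPLE), "blocked:", should_block(audit(SAMPLE)))
```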
The Open tier is free forever and includes the CLI, Web audit, single-package API, badge, limited GitHub Action usage, MCP, and a small amount of monitoring. Developer costs $15/month and adds 5-package batch checks, automatic CI triggers, daily scans, and email alerts. Pro costs $29/month and includes 20-package batch checks, monitoring for 10 projects, Webhooks, and 90 days of history. Enterprise costs $199/month and includes unlimited monitoring, SBOM, SSO/SAML, SLA, and an optional local scoring engine add-on. The site states that the CLI, scoring algorithm, and Web audit are MIT open source; the paid value is mainly in hosted infrastructure, historical data, and alerting.
Its strengths are a differentiated perspective, lightweight integration, a free tier that can be tried immediately, and project-based rather than seat-based pricing, which is friendly to multi-person teams. The documentation is clearly structured, with concrete explanations of response fields and rate limits. The limitations are also clear: behavioral scoring cannot replace vulnerability databases, malicious-code detection, or full SCA. Although Cargo and Go support is stated, the API details available are mostly centered on npm and PyPI. Enterprise on-prem deployment is only described as an add-on, with limited delivery details.
Commit is suitable for open-source maintainers, frontend/Python/Rust/Go projects with many dependencies, small-team CI gatekeeping, and teams that want to add pre-install dependency checks to AI coding agents. It is not suitable as the sole security tool in compliance-driven scenarios. Availability from mainland China and payment accessibility are not specified. Payments use Stripe, so users in China should first test network conditions with a free API key and the CLI. It can be compared with or used alongside Socket.dev, Snyk, npm audit, and OpenSSF Scorecard.
⚠ This review is compiled from public sources and does not constitute a purchase recommendation. Verify all facts on the vendor's official site.
TG4G lists getcommit.dev under Dev Tools (provider details unknown) with an overall rating of 8.0/10 and a China-accessibility rating of "direct-connect friendly".