GitHub Repository Security & Maintenance Scorer

Rate open source projects on security quality, maintenance status, and vulnerability risk before using them.

Pricing: $50.00 / 1,000 GitHub repository analyses

Rating: 0.0 (0)

Developer: daehwan kim (Maintained by Community)

Actor stats: 0 bookmarked, 2 total users, 1 monthly active user, last modified 2 days ago

GitHub Repository Intelligence

Analyze any GitHub repository for security vulnerabilities, outdated dependencies, and maintenance health in seconds. Get a comprehensive 0-100 intelligence score combining security metrics, vulnerability detection, and maintenance indicators.

What It Does

This Apify Actor performs deep analysis on GitHub repositories using three complementary APIs:

  1. GitHub REST API — Extracts repository metadata (stars, forks, last commit, open issues, license)
  2. OSV (Open Source Vulnerabilities) API — Identifies known CVEs in project dependencies with severity levels
  3. npm Registry API — Detects outdated packages in project dependencies

The actor then synthesizes these data points into three actionable scores:

  • Security Score (0-100) — Vulnerability assessment + dependency freshness
  • Maintenance Score (0-100) — Last commit age + open issue backlog + dependency updates
  • Overall Score (0-100) — Combined health indicator for quick evaluation

Scoring Algorithm

Overall Score = 100 baseline
- (days_since_commit / 30) × 5 (max -30 points)
- outdated_packages × 3 (max -30 points)
- critical_vulns × 15 (per CVE)
- high_vulns × 8 (per CVE)
- (open_issues > 50 ? 10 : 0)
Final: Math.max(0, Math.min(100, score))

Security and Maintenance scores use similar weighted deductions on domain-specific metrics.
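The Overall Score deductions above, worked through in code. This is an added example written for this listing, not the Actor's own source. It assumes that vulnerability severity is read from the `database_specific.severity` label found on OSV records imported from the GitHub Advisory Database (the listing does not say which OSV field the Actor uses), and that `days_since_commit / 30` is a fractional division rather than a truncated one; the repository metrics and advisory records it runs on are constructed.

```javascript
// Added example (not the Actor's own code): the Overall Score deductions the
// listing describes, applied to constructed metrics and constructed OSV-style
// vulnerability records. Assumption: severity comes from the OSV record's
// database_specific.severity label (as carried by GitHub Advisory Database
// entries); the listing does not name the field the Actor reads.

// Tally CRITICAL and HIGH findings from OSV-style records. Records with no
// recognised label still count toward the total.
function countBySeverity(vulns) {
  let critical = 0;
  let high = 0;
  for (const v of vulns) {
    const label = ((v.database_specific && v.database_specific.severity) || '').toUpperCase();
    if (label === 'CRITICAL') critical += 1;
    else if (label === 'HIGH') high += 1;
  }
  return { total: vulns.length, critical, high };
}

// Overall Score as listed: 100 baseline, capped deductions for commit age and
// outdated packages, uncapped per-CVE deductions, a flat penalty for a backlog
// over 50 open issues, then clamped to 0..100. Assumption: the division is
// fractional (the listing does not say whether days/30 is truncated).
function overallScore(m) {
  let score = 100;
  score -= Math.min(30, (m.daysSinceCommit / 30) * 5);
  score -= Math.min(30, m.outdatedPackages * 3);
  score -= m.criticalVulns * 15;
  score -= m.highVulns * 8;
  score -= m.openIssues > 50 ? 10 : 0;
  return Math.max(0, Math.min(100, score));
}

// Combine the two: derive the vulnerability counts from the records, then score.
function scoreRepository(repo, vulns) {
  const sev = countBySeverity(vulns);
  return {
    total_vulns: sev.total,
    critical_vulns: sev.critical,
    high_vulns: sev.high,
    overall_score: overallScore({ ...repo, criticalVulns: sev.critical, highVulns: sev.high }),
  };
}

// Constructed sample data (not real advisories or a real repository).
const sampleVulns = [
  { id: 'GHSA-EXAMPLE-0001', database_specific: { severity: 'HIGH' } },
  { id: 'GHSA-EXAMPLE-0002', database_specific: { severity: 'CRITICAL' } },
  { id: 'GHSA-EXAMPLE-0003', database_specific: { severity: 'MODERATE' } },
  { id: 'OSV-EXAMPLE-0004' }, // no severity label at all
];
const sampleRepo = { daysSinceCommit: 60, outdatedPackages: 2, openIssues: 12 };

// A constructed repository that trips every cap: the commit-age and
// outdated-package deductions stop at 30 each, and the clamp holds the result at 0.
const staleRepo = { daysSinceCommit: 365, outdatedPackages: 20, openIssues: 400, criticalVulns: 3, highVulns: 0 };

console.log(scoreRepository(sampleRepo, sampleVulns));
// Deductions: 10 (60 days) + 6 (2 outdated) + 15 (1 critical) + 8 (1 high) + 0 = 39, so overall_score is 61
console.log(overallScore(staleRepo));
// 100 - 30 - 30 - 45 - 10 would be -15; the clamp returns 0
```

The two caps matter for interpretation: a repository untouched for a year and a repository untouched for six months both lose the full 30 commit-age points, so beyond that horizon the score no longer distinguishes them, while per-CVE deductions are uncapped and a handful of critical findings will drive any repository to 0.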

Input Schema

Parameter   | Type   | Required | Notes
------------|--------|----------|-------------------------------------------------------
repoUrl     | string | Yes      | Full GitHub URL, e.g. https://github.com/facebook/react
githubToken | string | No       | GitHub PAT for 5000 req/hr (vs 60 unauthenticated)

Example Input:

{
  "repoUrl": "https://github.com/nodejs/node",
  "githubToken": "ghp_xxxxxxxxxxxx"
}

Output Fields

Field                   | Type    | Description
------------------------|---------|------------------------------------------
repo_url                | string  | GitHub URL analyzed
repo_name               | string  | owner/repo format
stars                   | integer | GitHub star count
last_commit_days        | integer | Days since last push
open_issues_count       | integer | Active issue count
license                 | string  | Repository license (MIT, Apache, etc.)
outdated_packages_count | integer | npm packages with newer versions
total_vulns             | integer | Total CVEs found across dependencies
critical_vulns          | integer | CVEs with CRITICAL severity
high_vulns              | integer | CVEs with HIGH severity
security_score          | number  | 0-100 vulnerability assessment
maintenance_score       | number  | 0-100 activity & health indicator
overall_score           | number  | 0-100 combined intelligence score
disclaimer              | string  | Legal disclaimer (see below)
timestamp               | string  | ISO 8601 analysis timestamp

Example Output:

{
  "repo_url": "https://github.com/nodejs/node",
  "repo_name": "nodejs/node",
  "stars": 112850,
  "last_commit_days": 0,
  "open_issues_count": 2847,
  "license": "MIT",
  "outdated_packages_count": 3,
  "total_vulns": 5,
  "critical_vulns": 0,
  "high_vulns": 2,
  "security_score": 88,
  "maintenance_score": 92,
  "overall_score": 90,
  "disclaimer": "This Actor aggregates publicly available data...",
  "timestamp": "2026-04-13T22:45:00.000Z"
}

Use Cases

  • Dependency Vetting — Before adding a package, check its security and maintenance posture
  • Portfolio Auditing — Scan your organization's repositories for vulnerability trends
  • Third-Party Risk — Evaluate contractor/vendor code quality before integration
  • OSS Monitoring — Watch libraries your code depends on for security regressions
  • Competitive Analysis — Benchmark competitors' repo health metrics

Rate Limits & Performance

  • Without GitHub Token: 60 requests/hour (rate-limited after ~1 min of heavy scanning)
  • With GitHub Token: 5,000 requests/hour (recommended for production)
  • Typical Run: 15–30 seconds per repository
  • Package Analysis: Limited to 20 dependencies to avoid timeout; larger projects may show partial results

This Actor aggregates publicly available data from GitHub API (MIT/Apache licensed projects), OSV vulnerability database (CC0), and npm Registry (public data).

NOT SECURITY ADVICE. Results are informational only. Always perform professional security audits before production deployment. Data is retrieved in real time; accuracy depends on upstream sources.

The scores are heuristic estimates. A high score does not guarantee security; a low score does not indicate danger. Use as a decision-support tool, not as your sole risk assessment.

Data Privacy

All input repositories are public GitHub URLs. This actor does not store user data; results are returned in the Apify dataset and comply with GitHub, OSV, and npm data licensing.

Pricing

  • Cost: $0.05 per repository analyzed
  • Billing: Pay-per-event; charged only on successful analysis
  • Free Tier: First 50 runs free as part of Apify platform credits

Built by NtriqPRO | Version 1.0 | MIT License