Every dependency you install, every pull request you merge, carries an implicit trust decision. You trust that the person behind the commit is who they claim to be, that their account hasn’t been compromised, and that their contribution is genuine. Most of the time, that trust is warranted. But supply chain attacks like the xz utils backdoor remind us that trust without verification is a vulnerability.
reputer is a CLI tool that calculates contributor reputation scores from Git provider APIs. It doesn’t claim to detect malicious intent. Instead, it answers a narrower question: based on observable signals from GitHub or GitLab (other signal providers coming soon), how confident should you be in a contributor’s identity and engagement? The score is best understood as an identity confidence indicator, not a judgment of code quality.
What it measures
reputer evaluates seven signals grouped into four threat-model-prioritized categories. Each category carries a weight reflecting its relative importance to supply chain risk:
Code Provenance — Are commits cryptographically signed? Is two-factor authentication enabled? Unsigned commits from accounts without 2FA represent the highest-risk vector. An account with 2FA acts as a multiplier on the verification score, while accounts without it are penalized up to 50% on core reputation.
Identity Authenticity — How old is the account, and does the contributor belong to the repository owner’s organization? Freshly created accounts are inherently higher risk. Account age follows a logarithmic curve where early days matter most, with a ceiling at two years. Organization membership is a binary signal that provides strong identity corroboration.
Engagement Depth — What proportion of the repository’s commits belong to this contributor, and how recently did they contribute? A long-time contributor with recent activity is more trustworthy than an account that appeared once. Commit proportion adapts to the contributor count, and recency uses exponential decay with a 90-day half-life.
Community Standing — What does the contributor’s broader GitHub presence look like? Follower-to-following ratio and repository count provide weak but useful signals. These carry the lowest weight because they’re the easiest to fabricate.
How scoring works
reputer uses a graduated proportional model. Each signal contributes linearly between zero and its weight ceiling. The final score sums all signal contributions to produce a value between 0.0 and 1.0.
Three mathematical curves shape the signals:
- Linear clamping for ratios like commit proportion, where more is proportionally better up to a ceiling
- Logarithmic scaling for signals like account age and follower ratio, where early growth matters more than late growth (diminishing returns)
- Exponential decay for recency, where the signal halves roughly every 90 days of inactivity
A suspended account always scores zero, regardless of other signals. The model version is included in every report, so consumers can track scoring methodology changes over time.
Architecture
The tool follows a layered design:
CLI → Reporter → Provider → Scoring Engine
The CLI layer parses flags and authenticates against the Git provider. The Reporter orchestrates the query and serializes output. The Provider layer abstracts the Git hosting API — GitHub is fully implemented, GitLab is mostly done. The Scoring Engine in pkg/score is a standalone package with no provider dependencies, making it independently testable.
When evaluating a repository, reputer paginates through commits, then concurrently fetches user profiles (up to 10 at a time) with built-in rate-limit awareness. It pauses when API calls run low and waits for the rate limit window to reset, so it won’t burn through your token quota.
The output is structured JSON that includes repository metadata, the scoring model version, category weight definitions, and per-contributor scores with optional detailed stats.
Using the CLI
Install via Homebrew, Go, or download a binary from the releases page:
brew tap mchmarny/reputer && brew install reputer
Then point it at a repository:
reputer --repo github.com/owner/repo
Add --stats to see the raw signals behind each score, or --file report.json to write output to a file. The JSON report includes every contributor’s reputation score alongside the model metadata:
{
"repo": "github.com/owner/repo",
"total_commits": 338,
"total_contributors": 4,
"meta": {
"model_version": "2.0.0",
"categories": [
{ "name": "code_provenance", "weight": 0.35 },
{ "name": "identity", "weight": 0.25 },
{ "name": "engagement", "weight": 0.25 },
{ "name": "community", "weight": 0.15 }
]
},
"contributors": [
{
"username": "contributor-a",
"reputation": 0.92,
"context": {
"created": "2016-03-12T10:22:08Z",
"name": "Alice Example",
"company": "ExampleOrg"
},
"stats": {
"verified_commits": true,
"strong_auth": true,
"age_days": 3634,
"commits": 295,
"unverified_commits": 0,
"public_repos": 47,
"private_repos": 12,
"followers": 183,
"following": 22,
"last_commit_days": 3,
"org_member": true
}
},
{
"username": "contributor-b",
"reputation": 0.41,
"context": {
"created": "2024-11-08T15:44:31Z",
"name": "Bob NewDev"
},
"stats": {
"age_days": 470,
"commits": 12,
"unverified_commits": 12,
"public_repos": 3,
"followers": 2,
"following": 15,
"last_commit_days": 38
}
}
]
}
Using the GitHub Action
reputer also ships as a GitHub Action that automatically welcomes first-time pull request contributors with their reputation stats. Add a workflow file to your repository:
name: welcome
on:
pull_request_target:
types: [opened]
permissions:
pull-requests: write
contents: read
jobs:
welcome:
runs-on: ubuntu-latest
steps:
- uses: mchmarny/reputer@main
When a new contributor opens their first PR, the action posts a comment with a reputation summary table — account age, 2FA status, commit verification, follower count, and the overall score. It gives maintainers a quick signal without requiring them to manually investigate the contributor’s profile.
The action uses pull_request_target rather than pull_request, meaning it runs in the context of the base repository and never checks out untrusted PR code.
Conclusion
No single tool solves supply chain security. But having a quantified, reproducible signal about contributor identity confidence is one more data point for maintainers making trust decisions. reputer is open source under Apache 2.0 — try it on your own repositories, and decide for yourself whether the signals it surfaces are useful for your threat model.