Sourcing-time, not detection-time
Scores OSS projects before adoption, not after. Programs catch unhealthy dependencies before they enter the build instead of finding out months later when CVEs accumulate.
Checkmarx • Application security
Checkmarx Repository Health
Checkmarx Repository Health scores open-source projects on maintenance frequency, contributor diversity, vulnerability response time, license trust, and project provenance, giving AppSec a sourcing-time verdict on whether to depend on the project at all before SCA evaluates the artifact.
When Merito stands up Checkmarx Repository Health, the engagement covers grandfathering existing dependencies, tuning score thresholds to the customer's risk tolerance, and wiring PR-time sourcing gates so unhealthy OSS projects get caught before they enter the dependency tree.
- Best for
- AppSec leaders adding sourcing-time governance to OSS dependency decisions, Engineering leaders enforcing OSS sourcing standards across the engineering org, AppSec architects designing policy thresholds for OSS project adoption
- Hosting
- SaaS
- Time to value
- First repository scored in days. Policy thresholds tuned and PR-time gates live in two to four weeks. Enterprise rollout across portfolio typically runs three to six months.
- Security posture
- GDPR, HIPAA-aligned design, SAML SSO
- Last reviewed
- 2026-04-26
What it is
Checkmarx Repository Health in the enterprise stack
Checkmarx Repository Health is the sourcing-time scoring engine inside the Checkmarx One Supply Chain pillar. Where SCA evaluates artifacts after they enter the build, Repository Health scores the OSS projects feeding the dependency tree before adoption. Inputs include maintenance frequency, contributor diversity, vulnerability response time, license trust, project provenance (who controls the repository, where the maintainers are based, what the funding model is), and historical security posture. Outputs are project-level scores AppSec can gate on.
The premise is that not all OSS dependencies are equally trustworthy. A library with active maintainers, fast vulnerability response, and a healthy contributor base is a different risk than a library with a single maintainer who has not committed in two years. Both might pass an SCA scan today; only one is a defensible dependency tomorrow. Repository Health makes that distinction explicit and scorable rather than leaving it to developer intuition.
Comparison to OSSF Scorecard is fair. Scorecard provides similar signals as an open-source project. Checkmarx Repository Health adds curated scoring, integration with Checkmarx One findings, policy gates inside CI/CD, and a richer feed than the public Scorecard data. Programs running OSSF Scorecard manually can keep doing so; programs that want a productized score with policy enforcement adopt Repository Health.
What disrupts Repository Health adoption is overrestrictive defaults. Scoring every OSS project against a strict policy generates a flood of warnings on dependencies the program has been running for years and depends on now. Merito's engagement starts with grandfathering existing dependencies, applying the score gate only to newly-introduced dependencies, and tuning the policy thresholds to the customer's actual risk tolerance. Without that, the program looks like SCA all over again: noise overwhelming signal.
Ideal use cases
- Sourcing-time gates on new OSS dependency adoption
- OSS project hygiene scoring across maintenance, contributors, and response time
- Provenance-aware OSS sourcing for regulated and federal programs
- Pairing Repository Health with Malicious Package Protection for layered sourcing controls
- Migrating off manual OSS review or OSSF Scorecard onto a productized scoring engine
What it is best at
Where Checkmarx Repository Health earns its seat
Multi-factor scoring beyond CVE history
Maintenance frequency, contributor diversity, vulnerability response time, license trust, project provenance. CVE-only scoring misses projects that look clean today but have no maintainer behind them.
Policy gates inside CI/CD
PR-time gates can require minimum Repository Health score before a new dependency is merged. Sourcing decisions become enforceable rather than aspirational.
Cross-product correlation with SCA
Repository Health scores cross-reference with SCA CVE findings inside Checkmarx One. AppSec sees both the CVE and the project hygiene context in one view.
Pairs with Malicious Package Protection
Malicious Package Protection blocks known-bad packages at fetch time; Repository Health scores project hygiene before adoption. Together they cover sourcing-time governance from both directions.
Core capabilities
Checkmarx Repository Health capabilities, grouped by outcome
Project scoring
Multi-factor health scoring grounded in real project signals.
Maintenance frequency scoring
Recent commits, release cadence, and active branch activity. Stalled projects score lower regardless of CVE history.
Contributor diversity
Number of distinct contributors, commit concentration, and bus-factor risk. Single-maintainer projects flagged for review.
Vulnerability response time
How fast the project has historically patched reported vulnerabilities. Slow responders score lower.
License trust and provenance
License clarity, attribution discipline, repository ownership, maintainer geography, funding model where known.
Policy and gates
Turning scores into enforceable sourcing decisions inside the build.
Configurable score thresholds
Programs set minimum scores per application, business unit, or risk tier. Customer-facing services gate stricter than internal tooling.
PR-time sourcing gates
Block-on-introduce policy stops new dependencies below the threshold from being merged. Existing dependencies grandfathered.
Override workflow
Auditable override workflow with rationale capture for cases where a low-scoring project is the right choice.
Reporting and integration
Repository Health output flowing into the AppSec backlog with the rest of Checkmarx One.
Cross-product correlation with SCA
Repository Health scores attached to SCA findings so AppSec sees CVE and project hygiene together.
Triage and Remediation context
Scores feed into Triage and Remediation clustering so high-risk-project findings rank above low-risk-project findings.
Compliance reporting
Audit-ready evidence for OSS-provenance requirements in federal, healthcare, and financial-services programs.
Where it fits in the stack
How Checkmarx Repository Health connects to the rest of your landscape
Checkmarx One platform (native)
Native- Checkmarx SCARepository Health scores attached to SCA findings for unified context.
- Checkmarx Malicious Package ProtectionSourcing-time scoring complements fetch-time blocking for layered sourcing governance.
- Checkmarx Software Supply Chain SecurityScores roll into the SLSA-aligned supply-chain governance picture.
- Checkmarx Triage and RemediationProject hygiene context feeds clustering and ranking.
CI/CD and developer tooling (certified)
Certified- Jenkins, GitHub Actions, GitLab CI, Azure DevOps, Bitbucket PipelinesPR-time sourcing gates inside the customer's CI fabric.
- GitHub, GitLab, Bitbucket, Azure DevOps ReposSource-control review surfaces show Repository Health scores on pull-request comments.
- Jira, Azure BoardsOverride-workflow events flow into ticketing for audit-trail review.
Custom integrations
Custom- Internal CI/CD and OSS sourcing systemsIntegration with internal CI platforms and OSS-sourcing-review systems.
- GRC and OSS provenance reportingRepository Health data flowed into internal GRC and OSS-license-management systems.
- Custom score thresholds per business unitCustomer-specific scoring policy and override workflow design.
Deployment and implementation
How it rolls out
- Hosting
- SaaS (North America, EMEA, APJ)
- Implementation complexity
- Moderate
- Typical time to value
- First repository scored in days. Policy thresholds tuned and PR-time gates live in two to four weeks. Enterprise rollout across portfolio typically runs three to six months.
- Prerequisites
- Inventory of currently-used OSS dependencies for grandfathering
- Named DevSecOps or AppSec policy owner
- Risk-tier definitions (customer-facing vs. internal tooling)
- Override-workflow operating model
- CI/CD integration plan for sourcing gates
- What Merito usually handles
- Repository Health runs as Checkmarx One SaaS. Merito handles policy threshold design, grandfathering, PR-time gate wiring, override workflow setup, and the operating model that decides when overrides require additional review.
Licensing and packaging
How it is bought
- Model
- Subscription
- What to expect
- Checkmarx Repository Health is part of the Checkmarx One Advanced and Enterprise bundles and licensed by repository count and bundle tier. Pricing depends on application count, developer count, and bundle. License acquisition flows through Merito; the sourcing-time governance program is scoped under a separate engagement.
- Editions and modules
Checkmarx One Advanced
Adds Repository Health alongside DAST, API Security, IaC Security, and Malicious Package Protection to the Essentials baseline.
Best for: Programs adding sourcing-time governance to an existing SCA footprint.
Checkmarx One Enterprise
Advanced plus AI agents (Developer Assist, Triage and Remediation), AI Supply Chain Security, Software Supply Chain Security, and premium SLAs.
Best for: Enterprise programs running OSS sourcing governance inside a fully consolidated AppSec platform.
- Common expansion areas
- Add Checkmarx Malicious Package Protection for fetch-time blocking of known-bad packages
- Add Checkmarx Software Supply Chain Security for SLSA-aligned build provenance
- Add AI Supply Chain Security for AI/ML model dependency risk
- Layer Triage and Remediation to cluster Repository Health context with SCA findings
Merito services
How Merito helps you win with Checkmarx Repository Health
Merito sells licenses and the delivery work around them. Pick the service that matches where you are in the lifecycle.
01
Repository Health Implementation
Policy threshold design, grandfathering, PR-time gate wiring, override workflow setup, and CI/CD integration.
Explore service02MAPS Assessment
OSS sourcing governance scoping for Repository Health alongside OSSF Scorecard and manual review.
Explore service03DevOps Consulting
Sourcing gates integrated into PR-time CI and source-control review.
Explore service04CRAFT Enablement
Developer enablement around OSS sourcing standards and override discipline.
Explore service05Premium Support
Named engineer, priority SLAs, and release-time coverage for Repository Health.
Explore service06Managed Services
Long-term run support including policy-threshold tuning, grandfathering maintenance, and override-workflow operation.
Explore service07Training and Enablement
Role-based training for AppSec architects, DevSecOps owners, and engineering leads.
Explore service08Staff Augmentation
Merito-placed AppSec engineers and Checkmarx specialists embedded on long-running programs.
Explore serviceCheckmarx Repository Health licensing
License the score. Design the policy. One Merito engagement.
Repository Health pricing arrives with policy-threshold design, grandfathering, PR-time gate wiring, and override-workflow setup that turn sourcing-time scoring into enforceable OSS governance.
Merito point of view
Whether to depend on the project at all is the question SCA never asks.
Merito has audited dependency trees that passed SCA cleanly and contained libraries with one stalled maintainer, no recent commits, and unanswered open vulnerability reports from a year ago. The library is fine today; it is a future incident waiting for circumstance. Repository Health makes that risk visible and scorable. SCA evaluates the artifact; Repository Health evaluates whether the project should be in the tree at all.
Merito recommends Repository Health specifically when programs are scaling OSS adoption fast enough that manual review cannot keep up, when regulated workloads require provenance evidence, and when sourcing-time governance is part of the security posture. For programs that already run OSSF Scorecard with policy gates and have manual review discipline, Repository Health adds productized scoring and Checkmarx integration but the delta is modest.
The pairing with Malicious Package Protection is the load-bearing move on sourcing-time governance. Malicious Package Protection blocks known-bad at fetch time; Repository Health scores hygiene before adoption. Programs running one without the other are filtering downstream risk without screening upstream provenance. Merito recommends both for any program that takes supply-chain governance seriously.
What buyers usually underestimate
- Applying Repository Health policy to existing dependencies without grandfathering, generating a flood of warnings on dependencies the program already runs.
- Setting score thresholds too high across the portfolio, blocking legitimate sourcing decisions and undermining adoption.
- Treating Repository Health as a replacement for SCA rather than a complement.
- Skipping override-workflow design, so the score gate becomes either a permanent blocker or a rubber stamp.
- Adopting Repository Health without Malicious Package Protection, so sourcing-time governance covers project hygiene but not fetch-time attacks.
Related from Merito
Continue exploring Checkmarx Repository Health on Merito
Related solutions
Related services
Related products
- Checkmarx Malicious Package ProtectionFetch-time blocking of known-bad packages.
- Checkmarx SCADetection-time SCA companion for the dependency tree.
- Checkmarx Software Supply Chain SecuritySLSA-aligned build provenance, signing, and SBOM lifecycle management.
- Checkmarx AI Supply Chain SecurityAI/ML model and dependency scoring at sourcing time.
- Checkmarx (vendor portfolio)Full Checkmarx One platform across Code, Supply Chain, Cloud, and Agentic AI.
Frequently Asked Questions
Checkmarx Repository Health FAQs
Consultation request
Talk to Merito about Checkmarx Repository Health
Share your OSS dependency-tree shape, current sourcing review process, and supply-chain governance posture. A Merito Checkmarx specialist follows up within one business day.
Sourcing-time scoring
Decide before adopting
Multi-factor scoring on maintenance, contributors, response time, license trust, and provenance. SCA cannot do this.
Policy gates
Enforceable, not aspirational
PR-time gates require minimum scores. Auditable override workflow for legitimate exceptions.
Next step
Score the project before the dependency enters the tree.
A Merito Repository Health engagement starts with grandfathering and policy-threshold design. Sourcing-time governance prevents what detection-time scanning catches after the fact.