DepGuard

1. One-liner

AI copilot that triages your Dependabot alerts down to the ones that actually matter.

2. Trend signal — why now?

AI-generated code is flooding production. Pull requests containing AI-assisted code produce 1.7x more issues than human-written code (CodeRabbit State of AI Code Report, 2026). 43% of AI-generated changes need debugging in production (Lightrun 2026 State of AI-Powered Engineering Report). More code ships faster, which means more dependencies pulled in with less review.

Meanwhile, dependency alert tools are drowning the people they’re supposed to help. Filippo Valsorda — Go standard library cryptography maintainer, formerly Google — called GitHub’s Dependabot a “noise machine” that “opened thousands of PRs against unaffected repositories” after a one-line security fix. He argued false positives “reduce security by causing alert fatigue.” (The Register, Feb 2026.)

One dev team reported 40–60 Dependabot PRs per week across their repos, eventually turning it off entirely. Their conclusion: “Dependabot without a review process is bad.” (DEV Community, 2026.)

The numbers back the frustration: 83% of engineers ignore or dismiss security alerts at least occasionally. 42% of alerts go entirely uninvestigated. 61% of SOC teams have ignored alerts that later proved to be genuine incidents. (Microsoft/Omdia 2026, Vectra AI 2026.)

On the money side, Qodo raised $70M Series B (March 2026) for AI code verification. Socket raised $65M and acquired Coana — a reachability analysis startup — specifically to solve the “is this vulnerability actually exploitable?” problem. Endor Labs claims 92–97% noise reduction through function-level reachability analysis, but targets enterprise orgs. Snyk hits a brutal pricing cliff at 10 developers — past that, you’re looking at $15K+/year Enterprise contracts.

Small teams (5–50 devs) are stuck: free tools scream at them nonstop, and enterprise tools are priced for 500-person eng orgs.

Provenance:
  - Signal 1: Filippo Valsorda calls Dependabot a "noise machine" — thousands of false-positive PRs after one-line fix — https://www.theregister.com/2026/02/24/github_dependabot_noise_machine/ — 2026-02-24
  - Signal 2: 43% of AI-generated code changes need production debugging; AI PRs create 1.7x more issues — https://venturebeat.com/technology/43-of-ai-generated-code-changes-need-debugging-in-production-survey-finds — 2026-04
  - Signal 3: Qodo raises $70M for AI code verification; Socket acquires Coana for reachability analysis; Endor Labs targets enterprise — https://techcrunch.com/2026/03/30/qodo-bets-on-code-verification-as-ai-coding-scales-raises-70m/ — 2026-03-30
  Category: Tech-unlock

3. The opportunity

Every engineering team using GitHub or GitLab has the same dependency security stack: Dependabot or Renovate for updates, maybe Snyk or GitHub Advanced Security for vulnerability scanning. All of them generate firehose-level alert volume. None of them answer the question that actually matters: “Does this vulnerability affect my running code?”

Enterprise tools like Endor Labs do reachability analysis — checking whether your code actually calls the vulnerable function — and report 92–97% noise reduction. But they’re priced and sold for 200+ developer orgs with dedicated AppSec teams.

The gap: small and mid-size teams (5–50 developers) who can’t afford $40–60/dev/month for Snyk Enterprise or Endor Labs, but are drowning in the free-tier noise of Dependabot. They need a lightweight triage layer, not a full AppSec platform. Something that sits on top of what they already use and says: “Of your 200 open alerts, here are the 7 that touch code paths your app actually executes. Fix these. Ignore the rest.”

That’s DepGuard.

4. Target market

• Primary customer: Engineering leads and senior developers at startups and SMBs with 5–50 developers, using GitHub (primary) or GitLab. Already have Dependabot/Renovate generating alerts they mostly ignore.
• Why they buy: They feel guilty ignoring security alerts but don’t have time to triage 200+ vulnerability notifications per month. They’ve been burned once — a real vulnerability slipped through because it was buried in noise. They want someone to tell them which alerts matter without hiring a full-time AppSec person.
• Rough TAM reasoning: GitHub has 180M+ developers (2026). GitHub Team plan is designed for 10–50 dev orgs. Conservative estimate: 500K+ teams in this bracket worldwide. If 2% have active dependency alert pain and would pay $200/mo, that’s a $24M addressable market for this specific niche.
• Why now for them: AI coding tools (Copilot, Cursor, Claude Code) are accelerating code output, which means more dependencies, more PRs, more alerts. The noise problem is getting worse, not better. GitHub just added “assign alerts to AI agents” (April 2026), signaling they know triage is the bottleneck — but their solution pushes work to expensive Copilot credits, not cheap standalone triage.

5. Product sketch (MVP)

• GitHub App installs in 2 minutes — connects to existing repos, reads Dependabot/Renovate alerts and open PRs
• Performs lightweight static reachability analysis: maps import trees and call graphs to determine which vulnerable functions your code actually calls
• Classifies every open dependency alert as Critical (reachable, exploitable), Monitor (reachable but low-risk), or Noise (unreachable, dev-only, or test-only dependency)
• Weekly digest email/Slack: “You have 3 Critical alerts this week. Here’s what to fix and why.”
• One-click “approve & merge” for safe auto-updates that passed reachability checks — rubber-stamp the noise with confidence
• Dashboard showing alert triage history, noise reduction stats (“DepGuard silenced 94% of your alerts this month”), and compliance audit trail

6. AI angle — what’s load-bearing

AI is doing the actual triage work here — the part that currently requires a senior developer to manually read each CVE, trace it through dependency trees, check if the vulnerable code path is reachable, and decide whether it matters. Without AI:

• Static reachability analysis alone catches the obvious cases (dev-only deps, unused imports) but misses conditional code paths and transitive dependency chains
• LLM layer reads the CVE description, the actual patch diff, and the team’s code context to determine exploitability in a way that pattern-matching can’t
• The weekly digest turns raw triage data into actionable language — not “CVE-2026-12345 in lodash 4.17.21” but “Your /api/users endpoint calls _.template() which is vulnerable to prototype pollution. Upgrade lodash to 4.17.22. Here’s the one-line change.”

Remove the AI and you’re left with a dashboard that reorganizes the same alerts Dependabot already shows. The AI is what turns 200 alerts into 7 actionable items.

7. Localization angle (if any)

N/A — this is a global play. Dependency management pain is universal across every geography where developers use GitHub/GitLab. No localization wedge; the product is English-first for a global developer audience. Pricing in USD with potential for INR/EUR tiers later.

8. Business model — path to $1M–$5M ARR

• Pricing: $29/mo for teams up to 10 repos, $99/mo for up to 50 repos, $249/mo for unlimited repos. Per-workspace, not per-developer — deliberately avoiding the pricing model developers hate.
• ACV: ~$1,200–$3,000/year per customer (blended)
• Rough math to $1M ARR: 500 customers at avg $170/mo = $1.02M ARR
• Rough math to $5M ARR: 2,000 customers at avg $210/mo = $5.04M. Requires expanding from GitHub to GitLab + Bitbucket, adding compliance reporting tier for SOC 2 / ISO 27001 audits.
• Expansion path: Compliance tier ($499/mo) that generates audit-ready dependency security reports — “prove to your auditor that you triaged every CVE within 48 hours.” This is the natural upsell once teams trust the triage layer.

9. Go-to-market wedge — first 100 customers

• GitHub Marketplace listing — Dependabot is already installed on millions of repos. Teams searching “Dependabot alternative” or “dependency security” in the Marketplace are pre-qualified buyers. Target: 30 installs/week from organic discovery.
• Content play on the Dependabot frustration wave — Write “We turned off Dependabot. Here’s what we do instead.” style posts on DEV Community, Hacker News, and r/programming. The Valsorda “noise machine” story is February 2026 — the conversation is happening right now. Target: 3 viral posts in first 8 weeks.
• Cold DM maintainers who publicly complained — Scrape GitHub issues (#2158, #3341, #4031 on dependabot-core), DEV Community posts about Dependabot noise, and Twitter/X threads. Personalized outreach: “Saw you turned off Dependabot because of noise. We built the triage layer you described.” Target: 200 DMs, 10% reply rate, 5% convert = 10 customers.
• Open-source bait — Ship a free CLI tool depguard-scan that runs reachability analysis locally and prints a report. Gets the name in front of developers, builds trust, funnels to the hosted product. Target: 500 GitHub stars in first month.
• Dev tool newsletters and podcasts — Changelog, DevOps Weekly, TLDR, Software Engineering Daily all cover this space. A well-timed “97% of your dependency alerts are noise” pitch angle gets coverage. Target: 2 newsletter features, 1 podcast appearance.

10. Build complexity — justification

Medium. The core reachability analysis engine is the hardest part — building import tree traversal and call graph analysis across JavaScript/TypeScript (primary), Python, and Go. This isn’t research-grade; static analysis libraries exist (tree-sitter for parsing, existing call graph tools). The LLM layer for CVE-to-code-path matching uses off-the-shelf APIs (Claude, GPT-4). GitHub App integration is well-documented. Estimate: 2–3 developers, 12–16 weeks to a credible v1 covering JS/TS ecosystems. Python and Go follow in months 4–6.

11. Gating checklist

Gate	Pass?	Note
Legal in target market	✅	Standard SaaS, no regulated data
Ethical — no harm / dark patterns	✅	Improves security posture, transparent triage logic
Market exists (evidence above)	✅	180M+ GitHub developers, Dependabot noise complaints are widespread and documented
1–5 person team can build this	✅	2–3 engineers for v1, standard web stack + static analysis
Launchable with <$50K / ₹40L	✅	Cloud hosting + LLM API costs. No hardware, no licensing fees. ~$10K to launch.

12. Feasibility score

Axis	Weight	Score	Notes
Problem intensity	20	16/20	Real pain felt daily. Teams turning off their security tools entirely because of noise. 83% of engineers ignore alerts. But it’s a “slow burn” not “hair on fire” — nobody’s losing money today, they’re accumulating risk.
Demand evidence	15	13/15	Valsorda’s “noise machine” post, multiple GitHub issues with hundreds of comments, DEV Community posts about turning off Dependabot, $70M+ flowing into code verification. Multiple independent signals.
Build feasibility	15	10/15	Reachability analysis across multiple languages is non-trivial. Tree-sitter helps, but building reliable call graphs for JS/TS with dynamic imports is genuinely hard. Scoping to JS/TS first is critical.
Distribution clarity	15	13/15	GitHub Marketplace is a built-in distribution channel. The Dependabot frustration conversation is happening now on Hacker News, DEV, Reddit. Named channels, named lists, realistic conversion math.
Revenue mechanics	15	11/15	Per-workspace pricing avoids developer backlash. $29–249/mo range is validated by comparable tools (CodeRabbit $24/dev, Sourcery $12/dev). Question mark: will teams pay for triage when the underlying scanner is free?
Time to first revenue	10	7/10	14–16 week build, then 2–4 week trial-to-paid conversion. Revenue in ~5 months from start. Not instant, but acceptable for the complexity.
Defensibility	10	7/10	Reachability data compounds — the more repos DepGuard analyzes, the better its triage models get. Workflow lock-in once teams trust the weekly digest. But GitHub could ship this natively (they already have “assign to AI agent” for alerts).
Total	100	77/100

13. Qualitative modifiers

Founder-fit tags

technical-heavy — This is a static analysis + LLM product. The founder needs to understand compilers, ASTs, and call graph analysis. No way around it.

Key assumptions to validate (3–5)

1. Assumption: Small teams will pay $29–99/mo for alert triage when Dependabot is free. How to test: Launch the free CLI tool, measure how many users ask “can this run automatically?” and “is there a hosted version?” within 30 days.
2. Assumption: Lightweight static reachability analysis (without full symbolic execution) is accurate enough to reduce noise by 80%+ without missing real vulnerabilities. How to test: Run against 50 open-source repos with known CVEs, measure false-negative rate. Target: <5% false negatives on reachable vulnerabilities.
3. Assumption: GitHub Marketplace discovery is a meaningful acquisition channel for this category. How to test: Ship a free version to Marketplace, measure organic install rate over 4 weeks without paid promotion.
4. Assumption: Weekly digest format drives action better than real-time alerts. How to test: A/B test digest vs. real-time notifications in beta, measure alert-to-fix conversion rate.

Risk flags

1. [Platform risk]: GitHub could build native reachability-based triage into Dependabot. They’ve already added “assign alerts to AI agents” (April 2026). If they ship a good enough version, the standalone market shrinks. Mitigation: move fast, build GitLab/Bitbucket support early, and make the compliance reporting tier the real product.
2. [Technical risk]: Call graph analysis for dynamically-typed languages (JavaScript, Python) is inherently imprecise. Over-aggressive noise filtering could miss a real vulnerability — and one miss destroys trust. Mitigation: default to “Monitor” (not “Noise”) for uncertain cases, let teams tune sensitivity.
3. [Market timing risk]: The “dependency alert fatigue” conversation is peaking now (Q1–Q2 2026). If the v1 takes 16 weeks, the conversation may have moved on by launch. Mitigation: ship the free CLI in week 6 as a wedge, capture mindshare before the full product is ready.

14. Structured verdict

Score:                  77/100
Verdict:                GO
Confidence:             Medium
Best-fit builder:       Technical founder with compiler/static-analysis background, ideally with prior DevTools experience
Time to revenue:        5–6 months
Capital to launch:      $10K–$20K (cloud infra + LLM API costs)
Top 3 assumptions to validate first:
  1. Teams will pay for triage on top of free Dependabot — test with free CLI → hosted upsell funnel
  2. Static reachability analysis is accurate enough without full symbolic execution — test on 50 OSS repos
  3. GitHub Marketplace drives meaningful organic installs — test with free tier listing
Kill criteria:
  - Abandon if <5% of free CLI users express interest in a paid hosted version within 60 days
  - Abandon if false-negative rate exceeds 10% on reachable vulnerability benchmark
  - Abandon if GitHub ships native reachability-based alert triage before DepGuard v1 launches

15. Next step — 1-week validation sprint

• Day 1–2: Build a minimal CLI that parses package.json + package-lock.json, runs tree-sitter over the codebase, builds an import graph, and cross-references against the OSV vulnerability database. Output: a text report showing “X of Y alerts are reachable, Z are noise.”
• Day 3: Run the CLI against 20 popular open-source repos with known Dependabot alert backlogs. Measure: what % of alerts does it classify as noise? Is the reachable set credible?
• Day 4: Post the CLI on Hacker News with title “We analyzed 20 repos — 91% of Dependabot alerts are noise. Here’s the tool.” Measure: upvotes, comments, GitHub stars, “where can I buy this?” responses.
• Day 5: Decide go/no-go based on: (a) CLI accurately classifies >80% of alerts with <5% false negatives, (b) HN post gets >50 points and >10 “take my money” style comments. If both hit, commit to building the full product. If (a) fails, the technical approach needs rethinking. If (b) fails, the market isn’t ready to pay.