Plans & Prices

Open Source Supply Chain Security for teams of all sizes and any software development pipeline

BOSS Scanner

Free

  • Unlimited opensource projects
  • 1 closed source project
  • 10 analyses per day
  • HTML reports

Free

Bootstrap

  • Unlimited opensource projects
  • 10 closed source projects
  • 100 analyses per day
  • Text, HTML, JSON reports
  • ✓ CI integration
  • ✓ Basic API access
  • ✓ Email support

£2000/year

Professional

  • Bootstrap Plan with:
  • 50 closed source projects
  • 1000 analyses per day
  • ✓ PDF reports
  • ✓ CI native integration
  • ✓ Full API access
  • ✓ Licence Inventory

£7000/year

Enterprise

  • Professional Plan with:
  • ✓ Higher limits
  • ✓ Team management
  • ✓ Licence risk analysis
  • ✓ SBoM compliance report
  • ✓ Custom report formats
  • ✓ Email & phone support

Contact us


Additional products, the BOSS-C Scanner for Docker images and the Sentinel notification service, are priced separately; please contact us for details.

FAQ

Why would I need Meterian's open source security platform solution?

By automating the research, collation and synthesis of vulnerability information, Meterian frees your developers from a manual task that cannot realistically be kept up to date by hand. Automated compliance management lets stakeholders rely on policies being applied consistently, safeguarding data and intellectual property.

Meterian's solution improves on these tried and tested methods common across the industry:
  • Manual research and record keeping in spreadsheets and documentation to record publicly disclosed vulnerabilities in a project's chain of dependencies
  • Free Software Composition Analysis (SCA) tools such as Dependency-Check, GitHub security and compliance features, as well as paid tools for large enterprises.

Meterian offers maximum coverage and best interoperability with any SDLC requiring an easy-to-use DevSecOps solution.

What kind of reports do you offer?

Meterian can immediately provide reports in HTML, JSON, TXT and PDF formats, depending on your subscription plan. Enterprise plans benefit from custom report formats too. Reports identify the name of the component, the CVE identifier of the vulnerability, and all the dependencies affected by it.

Reports include an evaluation of:
  • Security – a detailed assessment of known vulnerabilities affecting components in your project
  • Stability – upgrade paths for each component (patch / minor / major)
  • Licensing – list of all the licences used by each component (and the associated risk score if included in your plan)

The report contains a score of 0 to 100 for each of these dimensions. Read our blog post on how the score is calculated.

Meterian's reports are easy to read, actionable and limited to just the information needed, with zero false positives, so developers can find and fix issues more efficiently in their application security efforts. Easy-to-read reports enable faster decision making in data-driven organisations.

Which languages and platforms are supported?

See an overview of all the languages and integrations we support. Read detailed documentation on the languages and the CI integrations we support.

How does Meterian prevent vulnerabilities from going live in my project release?

When configuring the client on your continuous integration system, you can set the minimum acceptable security, stability and licensing scores by defining a threshold between 0 and 100 for each dimension of analysis. If any score falls below its threshold, the Meterian client fails the step and blocks the codebase from progressing further in your continuous integration pipeline.

What is the difference between Licence Inventory and Licence Risk Analysis?

Professional and Enterprise plans provide the Licence Inventory, which is a list of all components and their licences as detected in Meterian's scan. The Licence Risk Analysis includes the Licence Inventory (also known as the SBoM, Software Bill of Materials, compliance report) and checks that all open source dependencies in use comply with your policies. Any administrator on the account can specify policies in the Account Dashboard's Policies section. For example, to avoid the copyleft ("viral") effect of specific open source licences such as the GPL or AGPL, policies can be defined to ban components under those licences.
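The two checks described above, the per-dimension score threshold that gates a CI pipeline and a licence policy that bans copyleft components, fit naturally into one gate script. The following is an added example written for this page; it is not the Meterian client, and the report layout it reads (a "scores" map plus a "components" list with SPDX-style licence names) is an assumption for illustration, not Meterian's report schema. It goes slightly beyond the text in two places a practitioner would want: a dimension missing from the report fails closed when a threshold is configured for it, and a component with no detected licence is flagged rather than silently passed.

```python
#!/usr/bin/env python3
"""CI gate over a dependency-analysis report: per-dimension score thresholds
plus a licence ban policy. Added example; not the Meterian client.
The report layout (a "scores" map and a "components" list) is an assumption
for this example, not Meterian's actual report schema."""
import json
import re
import sys

# Constructed sample report, standing in for a real JSON report file.
SAMPLE_REPORT = json.dumps({
    "scores": {"security": 72, "stability": 88, "licensing": 95},
    "components": [
        {"name": "left-pad", "version": "1.3.0", "licenses": ["MIT"]},
        {"name": "readline", "version": "8.2", "licenses": ["GPL-3.0-or-later"]},
        {"name": "mongo-driver", "version": "1.2.0", "licenses": ["SSPL-1.0"]},
        {"name": "unknownlib", "version": "0.1.0", "licenses": []},
    ],
})

# Minimum acceptable score (0-100) per dimension, as the FAQ describes.
DEFAULT_THRESHOLDS = {"security": 80, "stability": 60, "licensing": 90}

# Licence identifiers that policy bans outright (SPDX-style names assumed).
# "^A?GPL-" catches GPL-* and AGPL-* but deliberately not LGPL-*, whose
# copyleft terms are weaker; widen the pattern if your policy differs.
BANNED_LICENSE_PATTERNS = [r"^A?GPL-", r"^SSPL-"]


def score_failures(report, thresholds):
    """Return [(dimension, score, threshold)] for every dimension that scores
    below its threshold. A dimension absent from the report (for instance
    licensing on a plan that does not include it) counts as a failure when a
    threshold is configured for it: the gate fails closed rather than
    silently passing an unchecked dimension."""
    scores = report.get("scores", {})
    failures = []
    for dimension, minimum in thresholds.items():
        score = scores.get(dimension)
        if score is None or score < minimum:
            failures.append((dimension, score, minimum))
    return failures


def license_violations(report, banned_patterns, allow_unknown=False):
    """Return [(name, version, licence)] for components whose licence matches a
    banned pattern. A component with no detected licence is reported as
    "UNKNOWN" unless allow_unknown is set, because an undetected licence is
    not evidence that the component is safe to ship."""
    compiled = [re.compile(p, re.IGNORECASE) for p in banned_patterns]
    violations = []
    for component in report.get("components", []):
        licences = component.get("licenses") or []
        if not licences:
            if not allow_unknown:
                violations.append((component["name"], component["version"], "UNKNOWN"))
            continue
        for licence in licences:
            if any(pattern.search(licence) for pattern in compiled):
                violations.append((component["name"], component["version"], licence))
    return violations


def gate(report_text, thresholds=None, banned_patterns=None):
    """Evaluate a JSON report string; returns (score_failures, licence_violations).
    An empty pair means the build may proceed."""
    report = json.loads(report_text)
    thresholds = DEFAULT_THRESHOLDS if thresholds is None else thresholds
    banned_patterns = BANNED_LICENSE_PATTERNS if banned_patterns is None else banned_patterns
    return score_failures(report, thresholds), license_violations(report, banned_patterns)


def main(argv):
    # Usage: gate.py [report.json]; without an argument the constructed sample is used.
    report_text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_REPORT
    failures, violations = gate(report_text)
    for dimension, score, minimum in failures:
        print(f"FAIL {dimension}: score {score} below threshold {minimum}")
    for name, version, licence in violations:
        print(f"FAIL licence policy: {name}@{version} ({licence})")
    if failures or violations:
        return 1  # non-zero exit stops the pipeline stage
    print("PASS: all scores at or above threshold, no banned licences")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as the last step of the scan job so that a non-zero exit fails the stage. With the constructed sample, the security score of 72 is below the 80 threshold and three components trip the licence policy (one GPL, one SSPL, one with no detected licence), so the gate returns 1.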

What is an analysis?

An analysis is triggered on our server when the client application is run against a codebase. Every run of the client counts as one analysis. All analyses are free for open source projects, as long as the client detects that the project is open source.

How much of my proprietary code would Meterian access?

We do not access your proprietary code; the client sends only manifest (dependency) information to our server. You can be confident that your code will remain confidential and secure.

Please note that:
  • If you enable licence scanning, the client examines licence and readme files: these can be sent to the server so that our engine can analyse the text and identify the licence in use. This behaviour can be disabled.
  • If you enable the Vanilla JS scanner, the client inspects HTML and PHP files to find JavaScript library fingerprints. This behaviour has to be explicitly enabled.

How frequently would Meterian scan my projects?

Our Free Plan, running on public GitHub repositories, operates on a variable schedule depending on platform load; you can expect your project to be scanned roughly every 2.5 hours. If you are on a paid plan, the schedule is completely under your control. In a typical setup, when one of our integrations is used, the codebase is scanned every time new code is added.

What are Meterian Accounts, Members & Plans?

Each account created can have one or more members. Your plan may limit the number of members you can have on the account. Paid plan accounts manage members and roles for your organisation, giving each member the right level of access to your information. A member is any user you would like to have access to your account's plan benefits. Meterian does not enforce any limit to the number of developers that can contribute to a codebase. A member can be assigned any of these roles:

  • Administrator – full access to the account. Each account must have at least one administrator
  • Collaborator – limited access to manage projects, can run scans
  • Viewer – access to view online reports only

If you are on an Enterprise plan, you can also arrange the members of your account into Teams. Each Team has segregated access to its own tokens, projects and policies.

Would Meterian notify me if a new vulnerability is publicly disclosed and it affects my project after my application is released?

Yes, as long as your project is managed in a Meterian subscription plan that includes the Sentinel service. Regardless of when your next build is due or when your last build ran, Sentinel's always-on security messaging service sends alerts by email or Slack message to account administrators 24 hours after a new known vulnerability has been ingested by Meterian's system. We recommend developers scan their project with Meterian as soon as possible to see where the vulnerable component sits in the application and mitigate (or even auto-remediate) it.

What is the difference between Basic and Full API access?

With Basic API access, you can request all information related to a project by sending its project ID. Full API access additionally lets you request information on a specific library version and, in general, perform any operation without going through the web UI. For details, see our API documentation.

I found a problem/have a suggestion. Who can I contact?

Please send an email to support@meterian.com