Show HN: CLI that spots fake GitHub stars, risky dependencies and licence traps

When I came across a study that traced 4.5 million fake GitHub stars, it confirmed a suspicion I’d had for a while: stars are noisy. The issue is they’re visible, they’re persuasive, and they still shape hiring decisions, VC term sheets, and dependency choices—but they say very little about actual quality.

I wrote StarGuard to put that number in perspective, using my own methodology inspired by what they did, and to fold a broader supply-chain check into one command-line run.

It starts with the simplest raw input: every starred_at timestamp GitHub will give. It applies a median-absolute-deviation test to locate sudden bursts. For each spike, StarGuard pulls a random sample of the accounts behind it and asks: how old is the user? Any followers? Any contribution history? Still using the default avatar? From that, it computes a Fake Star Index, between 0 (organic) and 1 (fully synthetic).

But inflated stars are just one issue. In parallel, StarGuard parses dependency manifests or SBOMs and flags common risk signs: unpinned versions, direct Git URLs, lookalike package names. It also scans licences—AGPL sneaking into a repo claiming MIT, or other inconsistencies that can turn into compliance headaches.

It checks contributor patterns too. If 90% of commits come from one person who hasn’t pushed in months, that’s flagged. It skims for obvious code red flags: eval calls, minified blobs, sketchy install scripts—because sometimes the problem is hiding in plain sight.

All of this feeds into a weighted scoring model. The final Trust Score (0–100) reflects repo health at a glance, with direct penalties for fake-star behaviour, so a pretty README badge can’t hide inorganic hype.

Just for fun, I also made it generate a cool little badge for the trust score lol.

Under the hood, it all uses heuristics and a lot of GitHub API paging. Run it on any public repo with:

    python starguard.py owner/repo --format markdown

It works without a token, but you'll hit rate limits sooner.

Please provide any feedback you can.


Comments URL: https://news.ycombinator.com/item?id=43962427

Points: 29

Comments: 6

https://github.com/m-ahmed-elbeskeri/Starguard

Created 2mo | May 12, 2025, 4:10:15 PM
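To make the star-burst step concrete, here is an added example in Python. It is not StarGuard's code and is not taken from the repository linked above. It runs a median-absolute-deviation test over a constructed 60-day star history with one bought-looking spike, samples the accounts behind the burst, and folds the four cheap account signals the post lists into an index between 0 and 1. The combination formula (share of stars inside bursts times mean suspicion of the sampled accounts), the 3.5 robust-z cutoff, the 30-day "new account" threshold and the profile fields are all assumptions; the events are built inline so it runs offline instead of paging the stargazers API.

```python
# Added example (not StarGuard's code): MAD burst detection over starred_at
# timestamps, then a toy Fake Star Index from sampled account signals.
# The index formula, thresholds and the sample repo history are assumptions.
import random
from collections import Counter
from datetime import date, datetime, timedelta
from statistics import median

MAD_SCALE = 1.4826   # MAD * 1.4826 estimates sigma for normally distributed data
Z_THRESHOLD = 3.5    # common robust-z cutoff for outliers

def build_sample_events():
    """Constructed history: 2-6 organic stars/day for 60 days, plus one bought-looking spike."""
    rng = random.Random(7)
    start = date(2025, 3, 1)
    events = []  # (starred_at datetime, stargazer profile dict)
    for day in range(60):
        d = start + timedelta(days=day)
        for i in range(rng.randint(2, 6)):
            events.append((datetime(d.year, d.month, d.day, rng.randint(0, 23)), {
                "login": f"dev{day}_{i}",
                "created_at": d - timedelta(days=rng.randint(400, 3000)),
                "followers": rng.randint(1, 50),
                "public_repos": rng.randint(1, 30),
                "default_avatar": False,
            }))
    spike = start + timedelta(days=40)  # 2025-04-10: 120 stars from fresh, empty accounts
    for i in range(120):
        events.append((datetime(spike.year, spike.month, spike.day, 3), {
            "login": f"user{i:04d}",
            "created_at": spike - timedelta(days=rng.randint(0, 10)),
            "followers": 0,
            "public_repos": 0,
            "default_avatar": True,
        }))
    return events

def daily_counts(events):
    """Stars per calendar day, with zero-star days filled in so the baseline is honest."""
    counts = Counter(ts.date() for ts, _ in events)
    first, last = min(counts), max(counts)
    return {first + timedelta(days=i): counts.get(first + timedelta(days=i), 0)
            for i in range((last - first).days + 1)}

def find_bursts(counts, z_threshold=Z_THRESHOLD):
    """Return {day: robust_z} for days whose count is a MAD outlier above the median."""
    values = list(counts.values())
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:
        # Degenerate case: more than half the days share one count. Fall back to the
        # mean absolute deviation so a lone spike stays visible; never divide by zero.
        mad = sum(abs(v - med) for v in values) / len(values) or 1.0
    scale = MAD_SCALE * mad
    return {day: (cnt - med) / scale for day, cnt in counts.items()
            if (cnt - med) / scale > z_threshold}

def account_flags(user, as_of):
    """The four cheap signals from the post; as_of is the day the star was given."""
    return {
        "new_account": (as_of - user["created_at"]).days < 30,
        "no_followers": user["followers"] == 0,
        "no_contributions": user["public_repos"] == 0,
        "default_avatar": user["default_avatar"],
    }

def fake_star_index(events, sample_size=30, seed=0):
    """Assumed formula: share of stars inside bursts x mean suspicion of sampled burst accounts."""
    bursts = find_bursts(daily_counts(events))
    if not bursts:
        return 0.0, bursts
    burst_events = [(ts, u) for ts, u in events if ts.date() in bursts]
    sample = random.Random(seed).sample(burst_events, min(sample_size, len(burst_events)))
    suspicion = [sum(account_flags(u, ts.date()).values()) / 4 for ts, u in sample]
    burst_share = len(burst_events) / len(events)
    return round(burst_share * sum(suspicion) / len(suspicion), 3), bursts

if __name__ == "__main__":
    index, bursts = fake_star_index(build_sample_events())
    for day, z in bursts.items():
        print(f"burst on {day}: robust z = {z:.1f}")
    print(f"Fake Star Index = {index}")
```

The MAD is used instead of the standard deviation because a single large spike inflates the standard deviation enough to hide itself; the median and MAD barely move. The `mad == 0` branch matters for small or very quiet repos, where most days have zero stars and a naive robust z would divide by zero.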
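The manifest checks described in the post, as an added example in Python that is not StarGuard's code: it scans a constructed requirements.txt and package.json for unpinned versions, direct Git references, and names within a small edit distance of well-known packages. The known-package lists stand in for registry popularity data, and the edit-distance cutoff of 2 and the version regexes are assumptions.

```python
# Added example (not StarGuard's code): manifest risk flags for requirements.txt
# and package.json. The known-package lists, regexes and sample manifests are
# constructed for illustration; a real scan would pull popularity data from a registry.
import json
import re

KNOWN_PYPI = {"requests", "numpy", "cryptography", "urllib3", "pyyaml"}
KNOWN_NPM = {"lodash", "express", "react", "axios", "chalk"}

GIT_URL_RE = re.compile(r"^(git\+|github:|gitlab:|bitbucket:|https?://|ssh://|git://)", re.I)
NPM_SHORTHAND_RE = re.compile(r"^[\w.-]+/[\w.-]+(#[\w./-]+)?$")      # "owner/repo[#ref]" = GitHub
PIP_PIN_RE = re.compile(r"^[A-Za-z0-9_.\-\[\],]+\s*==\s*[0-9][\w.\-+]*$")  # name[extra]==1.2.3
NPM_EXACT_RE = re.compile(r"^\d+\.\d+\.\d+(-[\w.]+)?$")               # 1.2.3; no ^ ~ * or ranges

# Constructed sample manifests.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
numpy>=1.24                 # floating lower bound
cryptography                # no version at all
urlib3==2.2.1               # one letter away from urllib3
pyyaml @ git+https://github.com/example/pyyaml-fork.git
"""
SAMPLE_PACKAGE_JSON = json.dumps({"dependencies": {
    "lodash": "^4.17.21", "express": "4.19.2", "lodahs": "1.0.0",
    "chalk": "user/chalk-fork", "axios": "*"}})

def levenshtein(a, b):
    """Plain edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(name, known):
    """A known package within edit distance 2 of name, unless name is itself known."""
    if name in known:
        return None
    return next((k for k in sorted(known) if 0 < levenshtein(name, k) <= 2), None)

def scan_requirements(text):
    """Return (flag, detail) tuples for a pip requirements file."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):          # blank, comment or pip option line
            continue
        if "://" in line or GIT_URL_RE.match(line):   # PEP 508 direct reference / VCS URL
            findings.append(("git_url", line))
            continue
        name = re.split(r"[\s=<>!~\[;@]", line, maxsplit=1)[0].lower()
        if not PIP_PIN_RE.match(line):
            findings.append(("unpinned", name))
        hit = lookalike(name, KNOWN_PYPI)
        if hit:
            findings.append(("lookalike", f"{name} ~ {hit}"))
    return findings

def scan_package_json(text):
    """Same flags for package.json; ^ and ~ ranges count as unpinned at the manifest level."""
    findings = []
    pkg = json.loads(text)
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in pkg.get(section, {}).items():
            spec = spec.strip()
            if GIT_URL_RE.match(spec) or NPM_SHORTHAND_RE.match(spec):
                findings.append(("git_url", f"{name}: {spec}"))
                continue
            if not NPM_EXACT_RE.match(spec):
                findings.append(("unpinned", f"{name}: {spec or '*'}"))
            hit = lookalike(name.lower(), KNOWN_NPM)
            if hit:
                findings.append(("lookalike", f"{name} ~ {hit}"))
    return findings

if __name__ == "__main__":
    for flag, detail in scan_requirements(SAMPLE_REQUIREMENTS) + scan_package_json(SAMPLE_PACKAGE_JSON):
        print(f"{flag:10} {detail}")
```

A `^` or `>=` range is flagged even when a lockfile exists, because the manifest is what defines the allowed drift and only a committed, actually used lockfile stops it; treat the flag as a prompt to check that. Lookalike matching on a tiny allowlist is noisy for short names, which is why a real scan should also weigh download counts and registry age before calling something typosquatting.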


