depmedic: small tools, real bills

Tools for the boring, expensive parts of CI and dependency management. Free CLIs are MIT. Paid playbooks ship as zips.

Cut Your CI Bill cookbook — 30 paste-ready GitHub Actions patterns. Companion to ci-doctor. $19, one-time. Just want the 5 production-grade workflow templates? Grab the Hardened Workflows Pack for $9.
Try first: scan any public GitHub repo (paste URL, get full report) · or scan a GitLab CI pipeline (12-rule audit, runs in your browser) · browse 107 npm package health snapshots (depmedic 0-100 score, embeddable badge) · ask AI about a workflow (free 5/day) · audit a workflow, price a workflow, or estimate monthly waste. All in your browser, no upload.
Or read 5 free patterns from the cookbook. Cut a typical bill in half before you spend a cent.
Or watch the live OSS CI hygiene leaderboard (40 popular repos ranked, refreshed daily) · cheaper runners compared (BuildJet, Namespace, Ubicloud, RunsOn, WarpBuild, Blacksmith) · read what 20 popular OSS repos are likely paying (944 CI smells across 229 workflows; modeled cost ~$51k/mo combined at 30 runs/day) · per-repo deep dives · all 14 rules explained · vs other linters · get the README badge · subscribe to depmedic weekly · install the depmedic-bot GitHub App (auto-comments on every PR that touches a workflow, free for public repos) · or the VS Code / Cursor extension (inline lint).
Get the cookbook · Bundle: $59 (all 4 + future)

Free CLIs

depmedic

Surgical npm vulnerability triage. Smallest set of bumps that close the reported vulns. Prod/dev split. CI exit codes.

$ npx depmedic

ci-doctor

Audit GitHub Actions workflows for waste, cost, and security gaps. --fix auto-applies safe fixes in place. --sarif flows findings into GitHub Code Scanning. CLI plus an Action.

$ npx ci-doctor --fix

gha-budget

Estimate the dollar cost of a GHA workflow before you commit it. Per-runner pricing, matrix expansion, monthly projection.

$ npx gha-budget

gitlab-ci-doctor

Audit .gitlab-ci.yml for waste, cost leaks, security gaps. 12 rules. Drop-in MR comment via --markdown. in-browser scanner.

$ npx gitlab-ci-doctor

bitbucket-ci-doctor

Audit bitbucket-pipelines.yml for waste, cost, security gaps. 8 rules including image-no-pin, missing-max-time, expensive-size, after-script-leaks. in-browser scanner · docs.

$ npx bitbucket-ci-doctor

azure-pipelines-ci-doctor

Audit azure-pipelines.yml for waste, cost, security gaps. 8 rules including expensive-vm-image (catches macOS-latest at 10x cost), container-no-pin, inline-secret-leak, missing-cache. in-browser scanner · docs.

$ npx azure-pipelines-ci-doctor

circleci-ci-doctor

Audit .circleci/config.yml for waste, cost, security gaps. 8 rules including expensive-resource-class (catches 2xlarge / 3xlarge at 8-12x cost), orb-no-pin, macos-executor, missing-cache. in-browser scanner · docs.

$ npx circleci-ci-doctor

ci-doctor badges

Embeddable shields.io-style score badge for any of 107 OSS repos on the leaderboard. Refreshes daily. One-line markdown embed in your README. browse all 107.

![ci-doctor](https://depmedicdev-byte.github.io/badge/<owner>/<repo>.svg)

ci-doctor vs the alternatives

Honest, head-to-head comparison with actionlint, zizmor, octoscan, super-linter. What each catches, what each misses, and the smallest combo that covers everything.

/alternatives.html

cursor-rules-init

Scaffold an opinionated .cursorrules starter for Cursor, Claude, ChatGPT. Stack overlays for TS, React, Next.js, Python, Node.

$ npx cursor-rules-init typescript

pin-actions

Pin every uses: owner/repo@ref in your workflows to a full commit SHA. Supply-chain-safe, in-place rewrite, comment-preserving.

$ npx pin-actions --check

ci-doctor-action

The ci-doctor CLI as a GitHub Action. Three lines — sticky PR comment + SARIF to Code Scanning on every PR. 16 rules. source.

uses: depmedicdev-byte/ci-doctor-action@v1

depmedic-bot

GitHub App. Audits every PR touching .github/workflows/*.yml with the 14 ci-doctor rules. One PR comment, updated as you push. Free for public repos.

github.com/apps/depmedic-bot

depmedic for VS Code & Cursor

Inline lint for .github/workflows/*.yml. The 14 ci-doctor rules as native Diagnostics. Free; Pro tier ($5/mo) unlocks per-rule autofix and the Cursor Rules Pack.

code --install-extension depmedic.depmedic-vscode

Paid playbooks

| Product | Price | What's in it |
| --- | --- | --- |
| Everything Bundle | $59 | All 4 paid playbooks (cookbook + Hardened Workflows + Cursor Rules pack + System Prompt) for $59 vs $38 buying separately, plus every paid playbook depmedic ships in the next 12 months, delivered to your purchase email automatically. |
| 30-Day CI Cleanup ebook | $19 | 30 working day program: one pattern per day, ~5 min read + ~15 min YAML edits, cuts a typical GHA bill by 30-70%. 30-page PDF + HTML + markdown. Day 0 baseline + After Day 30 follow-up plan included. |
| State of OSS CI Hygiene 2026 (Edition 1) | $14 | 40 OSS GitHub repos audited live with the same 14 ci-doctor rules + dollarized via gha-budget. ~12-page PDF + HTML + raw JSON snapshot. Rule heatmap, league tables, top-10 by modeled monthly cost, "what good looks like" baseline, action plan. Free updates within v1.x. |
| Monorepo CI Workflows Pack | $14 | 5 drop-in monorepo workflows: turbo (affected + remote cache), Nx (affected + DTE), Lerna (--since), pnpm-workspaces (--filter), shared cache-warm cron. Pinned to SHAs, OIDC permissions, concurrency, README + RATIONALE. |
| Security-First Workflows Pack | $14 | 5 workflows for the security-conscious team: OIDC -> AWS, OIDC -> GCP (WIF), SLSA L3 build provenance, signed container release (Trivy + cosign keyless + push attestation), secret scanning (gitleaks + trufflehog). |
| GitHub Actions Cheat Sheet (PDF) | $5 | Single-page double-sided printable Letter-landscape reference: triggers, concurrency, permissions, SHA pinning, caches, OIDC, SLSA, cosign, context expressions, the 8 rules to memorize. PDF + HTML. |
| Pre-PR Checklist Pack | $9 | Drop-in pre-PR safety net: husky (pre-commit/commit-msg/pre-push), lint-staged, commitlint (Conventional Commits), gitleaks, ci-doctor on workflow edits, "npm run pre-pr" mirror of CI in <60s. install.sh + install.ps1. |
| Migration to GitHub Actions Pack | $29 | Travis / CircleCI / Jenkins -> GitHub Actions. BEFORE/AFTER worked examples + complete MAPPING tables per source CI + .travis.yml -> ci.yml converter script + 4-phase RUNBOOK with risk list. 1 small repo per day. |
| Vendor Dossier PDF | $9 | 6-8 page security / vendor review dossier for any npm package: depmedic 0-100 health score, identity, adoption, release cadence, OSV advisories, decision matrix, vendor questionnaire. PDF + raw JSON. Includes the lodash sample + 1 custom dossier delivered <24h. Read more. |
| Org Dep Health Monitor | $19/mo | Continuous monitoring for up to 200 npm packages. Weekly digest + same-day alerts on grade drops, deprecations, new advisories. Embeddable badges per package. 4 Vendor Dossier PDFs/quarter included ($36 standalone value). Slack webhook supported. Read more. |
| Cut Your CI Bill cookbook | $19 | 30 patterns for cheaper, faster, less leaky GitHub Actions. 5 paste-ready snippet workflows. Companion to ci-doctor. Ships as a ZIP at checkout. |
| GHA Performance Patterns | $14 | 12 paste-ready patterns to shave wallclock and minute-cost: concurrency cancel, path filters, setup-* cache, runner sizing, matrix max-parallel, reusable workflows, turbo affected, buildx + gha cache, corepack, conditional steps, fetch-depth. Details. |
| Hardened Workflows Pack | $9 | 5 production-grade GitHub Actions workflows: node-library, node-app, python-library, monorepo-affected (pnpm + turbo), release-please. Plus a permissions cheatsheet and a one-page OIDC setup guide. Every template passes all 14 ci-doctor rules out of the box. MIT-licensed. Ships as a ZIP at checkout. |
| Cursor Rules Pack v2 (2026) | $9 | 12 .mdc rule files: Next.js 15, React 19, Astro, Bun, Hono, plus framework-agnostic baselines (senior defaults, error handling, API design, testing, git/PR, CI gates). Per-rule globs so framework rules only fire when relevant. Free updates within v2.x. |
| Senior Dev Cursor Rules pack (v1) | $7 | 24 .cursorrules files plus 3 system prompts. Stack overlays for TS, React, Next.js App Router, Python, Node, REST, Postgres, testing, security. Ships as a ZIP at checkout. |
| Senior Dev System Prompt | $3 | One hand-tuned system prompt that makes any chat-based AI tool act like a senior dev. Drops into Cursor, Claude, ChatGPT, local LLMs. Ships as a ZIP at checkout. |
| Pro license (monthly) - preorder | $9/mo | Founder pricing. License key delivered immediately; Pro-only features (org policy, audit history, private-repo mode) ship over the next four weeks. Cancel any time. |
| Pro license (yearly) - preorder | $90/yr | Founder pricing, locked in. Two months free vs monthly. Same staged feature delivery as monthly. |
| ask depmedic Pro | $5/mo | Unlimited calls to /ask.html (the AI workflow assistant powered by Gemini). Bypasses the 5/IP/day free-tier limit. License key delivered automatically. Cancel any time. |
| Buy depmedic a coffee | $1+ | Pay-what-you-want tip jar. No deliverable - if the free CLIs or the in-browser tools saved you a couple of hours, $5 keeps the rules engine, leaderboard cron, and new releases coming. |

Why these tools

npm audit fix is too aggressive. Dependabot floods inboxes. Snyk wants an enterprise contract. Most teams discover their CI bill after it triples. Most .cursorrules files are copied from blog posts and never updated.

These tools each do one thing, ship as a single CLI, run in seconds, and give CI-friendly exit codes. The paid playbooks are the deeper pattern set for the same problems.

Writing

How to reach me

Open an issue on the relevant repo, or email depmedic.dev@gmail.com for licensing or commercial questions. Source is on GitHub.