Scores

The rules

The ranking

How the 128 were chosen

Pattern

See where you land We scored 6,195 public GitHub repos at 128 YC-backed dev tools companies on four rules. The median scored 21 out of 100; no company cleared 80. Apollo took the top spot at 71. But the most interesting thing isn't the scores. It's the pattern in the data: of the 44 companies that enable branch protection on most of their repos, only 2 block unchecked merges. CI passes most often, branch protection next, and required checks and CODEOWNERS almost never. 209 of 6,195 repos pass all four (3.4%); 1,398 pass two or three (22.6%); the remaining 4,588 (74.1%) pass zero or one. Column key: BP = branch protection, Chk = required checks, CO = CODEOWNERS, CI = CI workflow. Each percentage is the share of an org's scanned repos that pass that rule. Score is the weighted aggregate (0-100).

Sortable version with per-company scorecards: codatus.com/blog/only-2-of-128-yc-backed-dev-tools-companies-block-unchecked-merges/. The starting universe of 549 companies is the union of YC's developer-tools (532) and devops (50) tags, pulled from yc-oss.github.io and deduplicated on slug. We narrowed from there: The cohort includes two publicly-traded YC alumni: Amplitude (Winter 2012, rank 41, score 31) and PagerDuty (Summer 2010, rank 49, score 29). GitLab (Winter 2015) passed the earlier filters but drops at the public-footprint step; their GitHub footprint is two forked repos because they host on gitlab.com. Something jumped out while we were scoring the cohort: branch protection passes for a real chunk of the dataset, but required checks barely register. To see how this plays out, we plotted each company on both: branch protection pass rate on one axis, required checks pass rate on the other. Three of the four quadrants have companies in them. The top-left is empty: required checks attach to a protected branch, so the configuration can't exist. The top-right is the rare exception. Of the 44 companies with branch protection on most of their repos, only 2 also require a check: Apollo (BP 74%, Chk 58%) and Formance (BP 96%, Chk 61%). That leaves 42 in the bottom-right. They enable branch protection on most of their repos without requiring any check. Every change opens a PR; nothing has to pass for the PR to merge. Supabase is the extreme case (BP 100%, Chk 22%). The bottom-left holds the remaining 84 companies. Branch protection isn't enabled on most of their repos, so there's no workflow to gate. The pattern is clear across the cohort: most companies have either no gate or a workflow that doesn't enforce anything. The 128 companies in the leaderboard are public-scan results. Install Codatus on your own GitHub org for a full scan, private repos included. Templates let you quickly answer FAQs or store snippets for re-use. as well , this person and/or - Has branch protection. The default branch requires a pull request before changes can land. Median pass rate across the 128: 33%.- Has required checks. At least one check (status check, workflow, code scan, or deployment) must succeed before a merge. Median: 2%.- Has CODEOWNERS. A CODEOWNERS file exists at .github/, the repo root, or docs/. Median: 2%.- Has CI workflow. A recognized CI configuration is committed to source. Median: 45%. - Operating companies. Companies whose YC status reads "Inactive" or "Acquired" were removed. Companies marked "Public-on-stock-market" were kept; they're still operating dev tools businesses, just at different scale. 142 dropped. 407 remaining.- Mature batches. Batches Winter 2024 and later were removed. Companies that recently entered YC haven't been around long enough to have settled engineering practices. 166 dropped. 241 remaining.- Verified GitHub org. We matched each company to a GitHub organization via homepage links and GitHub search, requiring either a domain match or an exact name match to avoid mis-attributions. 47 dropped. 194 remaining.- Non-trivial public footprint. We required at least 10 active (non-fork, non-archived) public repos per org. 66 dropped. 128 remaining.