# Marcus Tran, Staff Engineer at Fieldnotes (Series A, ~60 people) — read of Repo Scanner, June 16 2026

> Nine years in backend, day job is Fieldnotes (climate data tooling), I build small SaaS things on weekends during my daughter's nap window. She's two. I have maybe 90 minutes of focus time on a good Saturday.

## How I got here

I Googled "find misconfigured permissions before shipping node app" because I pushed something to staging last week and our security scan in CI flagged an SSRF vector I had completely missed. Not a breach, but close enough to make me paranoid. This page came up third. The first two were SonarQube docs and a Medium post from 2021.

## What I clicked first

"AS AN INDIE DEVELOPER, YOU CAN'T CATCH EVERY SECURITY GAP IN YOUR CODE." That line landed because it's just true. No posturing, no "10x your velocity." It named the actual feeling. I kept reading.

Then it said "Repo Scanner finds the misconfigurations and permission rules that usually ship unnoticed." That's exactly what I searched for, so I scrolled faster than I normally do.

## Where I paused

The stats block. "5K+ Repositories Scanned" and "40% Avg. Tech Debt Found." I stopped because those numbers felt real enough to trust, and then thirty seconds later I read: "Honest disclosure: we don't have live customers on this idea yet."

So. Where did 5,000 repositories come from? Was that a beta? Internal testing? That disclosure completely retroactively poisoned the stats for me. Not because I think they're lying, but because I genuinely don't know what those numbers mean now.

## What I distrusted

The whole page performs as a product page and then reveals it's a pitch deck for building a product. That's a strange bait. I clicked in thinking I could sign up for something. The "Get Started Free" button in the nav implies a live tool. But the actual ask is either $5 for a strategy doc or $99-$199 for a "code starter."

Also: the hero says "FOR DEVELOPERS WHO SHIP SOLO" and feature number three is "Team-Ready Reports" with "live dashboards with your team." That flip happened in about 200 words. Pick one.

"Year-1 take-home (Fermi) $8,500" is buried in there and if I'm a potential buyer of the idea kit, that number is doing a lot of damage to my motivation. They're honest to include it. But $8,500 is below minimum wage for most of the US, and they're asking me to spend 8-12 weeks on an MVP to get there.

## What would convince me

If this were a real live tool, I'd want one actual scan output. Not a screenshot, a real report from a public repo. Scan rails/rails or something I can verify. Show me what the "misconfigurations" section actually looks like. Not a wireframe, not a feature list.

If it's an idea kit (which is what it apparently is), I'd want to see one person who bought the $99 kit and shipped something. A single tweet from an actual person with a link to their product. That's it. One data point from outside the factory.

## What I'd ask in an email reply

1. The page says 5K repositories scanned but also says there are no live customers yet. Can you explain what those 5K scans were against and when they happened?

2. "Finds misconfigurations and permission rules" -- is this static analysis of the code itself, or does it require running the app and observing behavior? Because those are very different things for a solo dev.

3. If I pay $99 for the code starter, am I getting something I can actually deploy, or is it a scaffold I still have to architect from scratch?

## Verdict: on-the-fence

The pain framing is genuinely good, probably the best opener I've read for a dev tool in a while. But the page is doing two jobs at once and succeeding at neither. I'm not sure if I'm being sold a product or recruited to build one, and by the time I figured that out, the trust I gave the opening had mostly drained.

---
*Memo by skeptic persona, generated 2026-06-16. Studio breaks own self-grading loop.*
