One command after every session. shipcheck audits what your AI spent, which files it hammered, and every security issue it quietly introduced.
AI moves fast. shipcheck makes sure that speed doesn't quietly break your security posture or burn through your budget.
Token-accurate cost tracking from local session logs. No API key, no cloud, no guesswork.
High churn by AI agents in auth or DB files is a red flag. shipcheck surfaces it instantly so you know which files need an extra review.
All deterministic — no LLM, no hallucinations
Works fully offline. Reads local logs only.
Concurrent worker pool. Even large repos scan fast.
Run shipcheck init once. After every Claude Code or Cursor session, your score prints automatically — no thinking required.
Pipe JSON output with --json and fail the build when your score drops below your threshold. One GitHub Actions step.
Every rule is a regex or AST check — not an LLM prompt. Fast, predictable, auditable. No false-positive roulette.
Generic api_key / api_secret literals. AI pastes them inline instead of reading from env.
Detects sk-proj- and sk- patterns in any source file.
Flags sk-ant-api03- keys that AI agents sometimes echo back into code.
Catches sk_live_ keys. Test keys (sk_test_) are safely ignored.
Service role JWTs give full DB access. Flags eyJ… tokens near service_role context.
Catches jwt.Sign(claims, []byte("secret")) and similar obvious placeholder keys.
Detects SG.xxx.xxx pattern in any source file.
Flags postgres://user:pass@host/db inlined in source code.
Detects ghp_ tokens AI copies from example configs.
AI defaults to f-strings and template literals in SQL. Catches injection vectors in Go, JS, Python.
Flags eval(userInput) and similar patterns.
Detects shell=True and os.system() — AI defaults to the unsafe form.
Catches Access-Control-Allow-Origin: * — AI's go-to CORS fix.
Flags verify=False — AI adds this to silence SSL errors.
Catches DEBUG=True left in production scaffolding.
Backend secrets exposed via NEXT_PUBLIC_ in Next.js env files.
Flags // TODO: add auth — AI-deferred security that never ships.
Flags 20 known AI-invented package names (@anthropic/sdk, react-auth-hooks…) and suggests the correct alternatives.
Checks pinned versions against 15 bundled high-impact CVEs. Zero network calls.
Catches sudo, chmod 777, curl|sh in package.json scripts.
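As an added illustration (not shipcheck's own code), here is a small Python scanner in the same deterministic spirit: a table of plain regexes for several of the patterns listed above, run line by line over a constructed sample and turned into a toy score a CI step could gate on. The rule patterns, the `scan` and `score` functions and the 10-points-per-finding formula are assumptions of this example, not shipcheck's.

```python
import re
# Illustrative regex rules in the spirit of shipcheck's deterministic checks.
# These patterns are assumptions for this example, not shipcheck's actual rule set.
RULES = [
    ("anthropic-key",     re.compile(r"sk-ant-api03-[A-Za-z0-9_-]{20,}")),
    ("openai-key",        re.compile(r"\bsk-(?:proj-)?[A-Za-z0-9]{20,}")),
    ("stripe-live-key",   re.compile(r"\bsk_live_[A-Za-z0-9]{10,}")),  # sk_test_ never matches
    ("github-token",      re.compile(r"\bghp_[A-Za-z0-9]{20,}")),
    ("sendgrid-key",      re.compile(r"\bSG\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}")),
    ("db-url-password",   re.compile(r"postgres(?:ql)?://[^:\s/]+:[^@\s]+@")),
    ("inline-api-secret", re.compile(r"\bapi_(?:key|secret)\s*=\s*['\"][^'\"]{8,}['\"]", re.I)),
    ("subprocess-shell",  re.compile(r"shell\s*=\s*True|os\.system\(")),
    ("tls-verify-off",    re.compile(r"verify\s*=\s*False")),
    ("debug-on",          re.compile(r"\bDEBUG\s*=\s*True\b")),
    ("cors-wildcard",     re.compile(r"Access-Control-Allow-Origin['\"]?\s*[:=,]\s*['\"]?\*")),
    ("deferred-auth",     re.compile(r"//\s*TODO:?\s*add auth", re.I)),
    ("public-env-secret", re.compile(r"^NEXT_PUBLIC_\w*(?:SECRET|PRIVATE|SERVICE_ROLE)\w*=", re.I)),
]

def scan(source: str) -> list[tuple[int, str]]:
    """Run every rule over every line; return one (line_number, rule_name) per hit."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, name))
    return findings

def score(findings) -> int:
    """Toy score: start at 100, lose 10 per finding (an assumption, not shipcheck's formula)."""
    return max(0, 100 - 10 * len(findings))

# Constructed sample of the kind of code an AI agent might emit; not from any real project.
SAMPLE = """\
import os
api_key = "sk-proj-AbCdEfGhIjKlMnOpQrStUvWxYz0123"
STRIPE_TEST = "sk_test_1234567890abcdef"
DATABASE_URL = "postgres://app:hunter2@db.internal/app"
subprocess.run(cmd, shell=True)
r = requests.get(url, verify=False)
res.setHeader("Access-Control-Allow-Origin", "*")
// TODO: add auth
"""

if __name__ == "__main__":
    hits = scan(SAMPLE)
    for lineno, rule in hits:
        print(f"line {lineno}: {rule}")
    print("score:", score(hits), "-> build", "fails" if score(hits) < 80 else "passes")
```

Line 3 (the `sk_test_` key) produces no finding, matching the page's note that test keys are ignored, while line 2 trips both the generic literal rule and the provider-specific key rule.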
macOS, Linux, Windows. No runtime to install, no daemon to manage, no cloud account to create.
Use Homebrew or the curl one-liner. Verify with shipcheck --version.
Navigate to any project and run shipcheck. It auto-detects Claude Code, Cursor, and Codex session logs.
Run shipcheck init once. From now on your score prints automatically after every AI session — nothing to remember.
Use shipcheck --html to generate a full audit report, or --json to feed it into your CI pipeline.
Star our repo to motivate our team to bring you more amazing ideas.