Post-session audit for AI-generated code. Cost. Heat. Security. One command.
```bash
brew install tejgokani/tap/shipcheck
```

Every existing tool does one thing:
- Token monitors show cost but know nothing about your code
- Security scanners scan code but know nothing about your session
- None of them combine both. None run automatically.
shipcheck does all three — cost, heatmap, security — in a single offline pass that runs after every session.
Reads session logs from Claude Code, Cursor, and Codex. Shows what you spent, where you spent it, and what cache savings you got.
Correlates git history with session timestamps to show which files your agent kept touching and retrying — the files that are costing you the most time and tokens.
Deterministic AST-based rules built specifically for AI-generated code failure patterns. Not generic SAST rules. Rules for things AI actually does wrong:
- Hardcoded API keys (OpenAI, Anthropic, Stripe, Supabase, SendGrid, and 40+ more)
- `NEXT_PUBLIC_` exposing backend secrets to the browser
- SQL queries built with string concatenation
- `Access-Control-Allow-Origin: *` applied to "fix" CORS
- `verify=False` applied to "fix" SSL errors
- Supabase `service_role` key in frontend code
- JWT secrets set to `"secret"` or placeholder values
```bash
brew install tejgokani/tap/shipcheck
```

```bash
curl -fsSL https://shipcheck.space/install.sh | sh
```

Windows: download `shipcheck_0.1.0_Windows_x86_64.zip` from GitHub Releases, extract, and add to your PATH.
| Platform | File |
|---|---|
| macOS (Apple Silicon) | shipcheck_0.1.0_Darwin_arm64.tar.gz |
| macOS (Intel) | shipcheck_0.1.0_Darwin_x86_64.tar.gz |
| Linux arm64 | shipcheck_0.1.0_Linux_arm64.tar.gz |
| Linux x86_64 | shipcheck_0.1.0_Linux_x86_64.tar.gz |
| Windows x86_64 | shipcheck_0.1.0_Windows_x86_64.zip |
All assets: github.com/tejgokani/ShipCheck/releases/latest
```bash
git clone https://github.com/tejgokani/shipcheck
cd shipcheck
go build -o shipcheck .
```

```bash
shipcheck              # full audit — cost + heatmap + security
shipcheck --html       # generate HTML report and open in browser
shipcheck --json       # JSON output for CI pipelines
shipcheck scan --sec   # security scan only
shipcheck scan --cost  # cost + burn only
shipcheck scan --heat  # heatmap only
shipcheck report       # open the last HTML report
shipcheck init         # install post-session hooks
```

```
--dir, -d      directory to scan (default: current)
--since        only include sessions since (e.g. 24h, 7d)
--fail-on      exit 1 if findings >= severity: critical|high|medium
--depth        git history depth for heatmap (default: 50)
--no-session   skip session log analysis
--no-security  skip security scan
--no-heatmap   skip heatmap
--quiet        print score only (0-100)
--format       tui|json|html (default: tui)
```

```bash
shipcheck init
```

This installs a post-session hook so shipcheck runs automatically after every Claude Code or Cursor session. Prints a warning if your score drops below 70.
```yaml
# .github/workflows/shipcheck.yml
name: shipcheck
on: [pull_request]
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install shipcheck
        run: curl -fsSL https://get.shipcheck.dev | sh
      - name: Run audit
        run: shipcheck --json --fail-on high
```

```
CLEAN   90–100  No critical or high findings
GOOD    70–89   Minor issues only
REVIEW  50–69   Some concerning patterns
RISKY   30–49   Multiple high severity findings
DANGER  0–29    Critical issues found
```
| Tool | Session logs | Cost tracking |
|---|---|---|
| Claude Code | ✓ | ✓ |
| Cursor | ✓ | ✓ |
| Codex (OpenAI) | ✓ | ✓ |
| Gemini CLI | coming soon | coming soon |
| Aider | coming soon | coming soon |
Go, TypeScript, JavaScript, Python, Rust, YAML, JSON, .env files
shipcheck runs 100% offline. Your code never leaves your machine. No API keys required. No telemetry. No update checks at runtime.
See CONTRIBUTING.md. The most impactful contribution is adding new security rules — each one helps every vibe coder who installs shipcheck.
MIT — free to use, modify, and distribute.
Built because every AI coding session deserves a receipt.

