# AgenticCLI / ShipGuard

> AgenticCLI builds local-first release tooling for the agentic era. AI coding
> agents ship faster than any review can keep up; ShipGuard gates what they
> produce — deterministically, locally, in seconds.

Site: https://agenticcli.dev

Contact: via GitHub issues · founders@agenticcli.dev

## What ShipGuard Is

ShipGuard is a local-first release gate CLI for AI-generated code. It runs 5 check modules against your project files locally in seconds. No code, file contents, or paths ever leave your machine.

- Install: `npm i -g @agenticcli/shipguard` (or `npx @agenticcli/shipguard scan`)
- Checks (5 modules): secrets, auth, payments, database, deployment
- Exit codes: 0 = safe to ship · 1 = blocked (critical findings, requires --strict) · 2 = config/degraded · 3 = runtime error
- Machine-readable output: `shipguard scan --json`
- CI: `shipguard scan --changed` (requires git history; use fetch-depth: 0)
- Config: optional shipguard.yaml (ignore globs, per-rule off switches)
- Pricing: Free tier — unlimited local scans + 5 cloud scans/mo, no account required. Pro — $29/mo (or $19/mo annual), unlimited local scans + 100 cloud scans/mo, adds 200+ patterns, custom policy files, and Supabase RLS / Firebase deep checks.
- Privacy: no code, file contents, or paths are ever transmitted. Telemetry is anonymous (verdict, duration, version) and can be disabled.

## The 5 Check Modules

1. **secrets** — hardcoded API keys (OpenAI sk-proj-*, Anthropic sk-ant-*, Stripe sk_live_*, AWS/GCP/GitHub tokens) and committed .env files.
   Rule IDs: hardcoded_secret · exposed_env
2. **auth** — unprotected admin, dashboard, billing, and account routes in Next.js App Router, Express, and Fastify.
   Rule IDs: public_admin_route · auth_route_without_guard
3. **payments** — Stripe/Razorpay webhooks missing signature verification, client-side payment secrets, missing idempotency.
   Rule IDs: payment_webhook_without_signature_check · payment_client_side_secret
4. **database** — destructive SQL in migration files: DROP TABLE, DROP COLUMN, TRUNCATE, DELETE without WHERE, drizzle-kit push in production scripts.
   Rule IDs: db-drop-table · db-drop-column · db-truncate · db-delete-without-where · db-alter-drop · db-push-in-scripts · db-schema-without-migration
5. **deployment** — CORS wildcards, source maps in production, Docker root user, unpinned images, Vercel broad rewrites, missing security headers.
   Rule IDs: deployment_cors_wildcard · deployment_source_maps_exposed · deployment_docker_root_user · deployment_docker_unpinned_image · deployment_vercel_broad_rewrite · deployment_vercel_missing_headers

## Canonical Agent Command

```
npx @agenticcli/shipguard scan --changed --strict --json
```

- `--changed` — scans only git-changed files (requires fetch-depth: 0 in CI)
- `--strict` — sets exit code 1 on any blocking finding
- `--json` — machine-readable output on stdout; see /llms-full.txt for schema

## Exit Code Contract

| Code | Meaning |
|------|---------|
| 0 | Safe — no blocking findings (or --strict not used) |
| 1 | Blocked — `--strict` flag AND at least one finding with blocking:true |
| 2 | Config/degraded — pro rules unavailable, files skipped, scan incomplete |
| 3 | Runtime error — scan itself failed |

## For AI Agents

After generating or editing code:

1. Run: `npx @agenticcli/shipguard scan --changed --strict --json`
2. Parse the JSON output. If exit code is 1, fix all findings where `blocking:true`.
3. If exit code is 2, the scan ran with incomplete results — note this in your response.
4. Re-scan until exit 0, then proceed.

Privacy: code never leaves the machine. Free tier: zero network calls during scan. Telemetry (anonymous verdict + duration) can be disabled with SHIPGUARD_TELEMETRY=0.

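
A fail-closed CI wrapper for the exit code contract and agent procedure above, as an added example rather than ShipGuard's own code. `GATE_SCAN_CMD`, `GATE_REPORT` and the function names are hypothetical, and the `grep` assumes the JSON output serialises the flag as `"blocking": true` (the schema itself is in /llms-full.txt, not on this page).

```shell
#!/bin/sh
# Added example: fail-closed CI wrapper around the ShipGuard exit code contract.
# GATE_SCAN_CMD and GATE_REPORT are hypothetical names used only by this wrapper.
GATE_SCAN_CMD="${GATE_SCAN_CMD:-npx @agenticcli/shipguard scan --changed --strict --json}"
GATE_REPORT="${GATE_REPORT:-shipguard-report.json}"

# Count findings flagged blocking in the saved report.
# Assumption: the JSON serialises the flag as "blocking": true.
count_blocking() {
    { grep -Eo '"blocking"[[:space:]]*:[[:space:]]*true' "$1" 2>/dev/null || true; } \
        | wc -l | tr -d ' '
}

# Map the scanner exit code plus report contents to a gate verdict.
# Prints the verdict and returns 0 only for "pass".
gate_verdict() {
    code="$1"; report="$2"
    blocking="$(count_blocking "$report")"
    case "$code" in
        0)  # Exit 0 is also returned when --strict was omitted, so cross-check.
            if [ "$blocking" -gt 0 ]; then echo "blocked"; return 1; fi
            echo "pass"; return 0 ;;
        1)  echo "blocked"; return 1 ;;
        2)  echo "incomplete"; return 1 ;;   # degraded scan is not a pass
        3)  echo "error"; return 1 ;;        # scan failed, nothing was verified
        *)  echo "unknown"; return 1 ;;      # outside the documented contract
    esac
}

# Run the scan, keep the JSON report as a build artifact, and return the verdict.
run_gate() {
    code=0
    $GATE_SCAN_CMD > "$GATE_REPORT" || code=$?
    gate_verdict "$code" "$GATE_REPORT"
}
```

Call `run_gate` as the last step of the CI job; only the `pass` verdict returns 0, so exit codes 2 and 3 stop the release instead of slipping through.
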
## Links

- Full integration guide + --json schema: https://agenticcli.dev/llms-full.txt
- Comprehensive agent integration page: https://agenticcli.dev/for-ai-agents
- A2A agent card: https://agenticcli.dev/.well-known/agent.json
- Agent skills index: https://agenticcli.dev/.well-known/agent-skills/index.json
- MCP server card (planned V2): https://agenticcli.dev/.well-known/mcp/server-card.json
- Free rules catalog: https://agenticcli.dev/shipguard/rules.json
- API catalog (RFC 9727): https://agenticcli.dev/.well-known/api-catalog
- Docs: https://agenticcli.dev/shipguard/docs
- npm: https://www.npmjs.com/package/@agenticcli/shipguard

## Key Pages

- / — AgenticCLI brand hub
- /shipguard — ShipGuard product home
- /for-ai-agents — comprehensive integration guide for AI agents
- /shipguard/docs — quick start, CI integration, configuration
- /shipguard/pricing — Starter (free) · Pro $29/mo (or $19/mo annual)

## Positioning Honesty

ShipGuard is a first gate, not a full security audit. For dependency scanning / SCA, use a dedicated security platform alongside it.