AgenticCLI
▮ shipguard is a free local release gate for AI-built apps — 5 security checks in 2s.
$ npm i -g @agenticcli/shipguard
▮ v0.4.0 — live on npm

The security gate for AI-built apps.

Your agent ships fast. ShipGuard checks faster — in under 2 seconds, before deploy.

One command scans the code Claude Code, Cursor and Codex wrote for the mistakes they make most — hardcoded secrets, broken auth, Supabase RLS left off, unverified payment webhooks. Free, unlimited, and 100% local — your code never leaves your machine.

$ npx @agenticcli/shipguard scan

free forever · no account, no upload · works with Claude Code, Cursor, Codex, Copilot, Lovable

Claude Code wrote this. ShipGuard caught it.

──[ ▮ ]── the 5 checks

Five checks. Every one matters.

Deterministic rules for the high-risk patterns AI agents get wrong most often — the exact failure modes of a Next.js + Supabase app built at 2am.

secrets

hardcoded keys, .env committed, secrets leaking into client bundles

auth

missing route guards, exposed admin routes, Supabase RLS off, Firebase open reads

payments

unverified Stripe & Razorpay webhooks, client-side pricing, no idempotency

database

destructive migrations, DROP / TRUNCATE, raw SQL injection

deployment

debug mode in prod, CORS wildcard, missing env, disabled security headers

──[ ▮ ]── one scan, one fix

Every finding ships with the fix.

Not an alert queue to triage. The line, the rule, and the exact change — then a deterministic verdict you (or your agent) can act on.

- const key = "sk_live_4f8aBc92xK…"+ const key = process.env.STRIPE_KEY // shipguard: payments:hardcoded-key · critical
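Review bot: on the `+` line, `process.env.STRIPE_KEY` is read without checking that it is set, so a missing variable leaves `key` undefined and the problem surfaces only when the key is first used; fail fast at startup when the variable is absent. The `sk_live_` literal on the `-` line should also be treated as exposed and rotated, since removing it from source does not revoke it.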
exit 0 → ship it
exit 1 → blocked

the cost

One leaked key can drain a Stripe account before lunch.

Agents don't know which secrets are dangerous, or which routes need a guard. ShipGuard does — deterministically, in about two seconds, before any of it reaches production.
gate it → npx shipguard scan

──[ ▮ ]── 30 seconds to your first gate

Run it in 30 seconds.

01 install

$ npm i -g @agenticcli/shipguard

One command. No account, no config to start.

02 scan

$ shipguard scan

Runs 100% locally. Findings to stdout in ~2s.

03 ship or fix

$ exit 0 / exit 1

Deterministic exit codes. Wire into CI or a pre-push hook.

──[ ▮ ]── pricing

Free to gate. Pay only for deeper rules.

The core scan is free and unlimited, forever — metering the gate would punish the behavior we want. No credit card, no account required.

free · available now
$0 forever

The gate runs free on every push — for every solo builder and agent.

  • unlimited local scans
  • 5 cloud scans/mo
  • all 5 check categories
  • deterministic exit codes
  • --json for CI & agents
  • your code never leaves your machine
pro · launching soon
$29 per month · flat

One flat price. No seats. 100 cloud scans/mo. Or $19/mo billed annually, save 34%.

  • everything in free
  • 100 cloud scans/mo
  • pro rule set — 176+ patterns
  • Supabase RLS & Firebase deep checks
  • custom policy files
  • --strict CI gate
  • priority rule updates
  • email support

──[ ▮ ]── faq

Frequently asked

Does my code leave my machine?
Never. Every scan runs locally in your terminal — no code, file contents, or paths are transmitted anywhere. Pro rules are loaded into memory for the scan and discarded after. Local-first is the architecture, not a marketing line.

Isn't this just another linter?
No. Linters check style and syntax — a hardcoded key is valid JavaScript, so they stay silent. ShipGuard checks consequence: is this webhook actually verifying signatures, is RLS actually on, is this admin route actually guarded — and refuses with a non-zero exit code when it isn't.

Does it work with my stack?
Yes. ShipGuard is tool-agnostic across Claude Code, Cursor, Codex, Copilot, Windsurf and Lovable output, and tuned for the Next.js + Supabase / Firebase apps that ship to Vercel. Add it to a deploy script or pre-push hook in one line.

How is this different from Snyk or Semgrep?
Those are security platforms built for teams with a security engineer to configure rules and triage alerts. ShipGuard is a release gate for individual builders and agents: one command, free local tier, a binary go/no-ship verdict, focused on the five things agents get wrong most. Use it as your first gate, not your only gate.

▮ pro launching soon

Get notified when Pro ships.

200+ detection patterns, Supabase RLS & Firebase deep checks, custom policy files. Early access for waitlist members.