Local-first code scanner

AI ships fast. Not safely.

Twenty checks. Sixty seconds. One score. Know what's in your codebase before your customers do.

Languages: Go · Python · TypeScript · Java · Rust · JavaScript
Platforms: macOS · Linux
$ ik run
my-startup-app: 34 / 100, Grade F
  Line count: no issues (12ms)
! Secret scanning: 14 findings (1.2s)
! Dep audit: 23 findings (890ms)
! Error handling: 9 findings (280ms)
  Infrastructure: no issues (55ms)

The problem

Your linter doesn't know what AI just wrote.

Hardcoded secrets

API keys, database passwords, and tokens committed straight to source. AI doesn't know what's sensitive — and your reviewer didn't read every line.

Zero test coverage

AI generates application code, rarely tests. Your codebase compiles, the demo works, and there's nothing to catch what breaks tomorrow.

Vulnerable dependencies

AI pulls in packages without checking CVEs. Known vulnerabilities sit in your tree, waiting. You wouldn't know unless something started leaking.

How it works

Scan. See. Fix.

01. Install and scan

One line on macOS or Linux. The CLI runs locally, runs 20 checks concurrently, and finishes in under 60 seconds on most repos.

02. See your score

A 0–100 health score with an A–F grade. A Brief is generated locally and shared via link — clear enough to start the right conversations.

03. Get the review

Our engineers review every finding, every file, coupling matrices, complexity per function. You receive a remediation roadmap prioritized by impact.

What we check

20 checks. 5 categories. One number.

Each check runs independently, scores 0–100, and feeds into a weighted overall score. The one no one else ships: Semantic Duplication — catches functions that do the same thing written differently.

Secret scanning

Detects hardcoded API keys, tokens, and passwords via gitleaks.

Security

Dependency audit

Checks for known CVEs across Go, JavaScript, Python, Rust, and Java dependency trees.

Security

Error handling

Unchecked errors in Go, bare excepts in Python, empty catches in JS and Java.

Security

Infrastructure

Audits Dockerfiles, Kubernetes manifests, and Terraform configs for security issues.

Security

Scripts

Audits shell scripts for security vulnerabilities and unsafe patterns via ShellCheck.

Security

Test presence

Measures test-to-code ratio and finds untested directories.

Testing

Complexity

Cyclomatic complexity per function across Go, Python, JS, and Java.

Complexity

Line count

Flags oversized files that are hard to read, review, and maintain.

Complexity

Function length

Flags overlong functions that pack too much into one place and resist review.

Complexity

Parameter count

Spots functions with too many parameters — a sign of tangled responsibilities.

Complexity

Nesting depth

Detects deeply nested control flow that's hard to follow and easy to break.

Complexity
Unique to inkode

Semantic duplication

Catches functions that do the same thing written differently. Embedded LLM — code never leaves your machine.

Complexity

Coupling

Finds files that always change together — hidden dependencies in your codebase.

Maintainability

Duplication

Detects copy-pasted code blocks across the entire codebase.

Maintainability

Dead code

Unused functions, exports, and variables — scaffolding AI generates but never cleans up.

Maintainability

TODO density

Flags high TODO/FIXME density — deferred work signalling incomplete implementations.

Maintainability

Magic numbers

Spots hardcoded numeric literals scattered through logic instead of named constants.

Maintainability

Import graph

Surfaces circular imports, high fan-in/fan-out, and god packages.

Maintainability

Hotspots

Ranks files by change frequency from git history. Volatile files are risky files.

Change Risk

AI stack detection

Detects which AI tools shaped your codebase — Copilot, Cursor, Claude Code, and more.

Change Risk
CI integration

Every PR. Auto-scanned.

Drop a ten-line GitHub Action into your repo. Inline annotations on the diff, a sticky PR comment summarising new findings, and a pass/fail check tied to your fail-on policy.

10 free runs over 30 days. No credit card.

Open PR: feat: add user invite endpoint
inkode-bot commented just now
Score 58 / 100 (Grade D) · 4 new findings on this PR
  Secret detected · src/config/db.ts:14
    Possible API key committed to source.
  Unchecked error · src/handlers/invite.ts:47
    Return value of db.query() not checked.
Checks:
  inkode / scan — Failing after 32s
  CI / unit tests — Passing
  CI / typecheck — Passing

Your dashboard

Watch your code health improve over time.

Sign up free and every scan is saved to your dashboard. Upgrade and each scan becomes a point on a trend line — so you see issues caught before they merge, and regressions the moment a score drops, across every repo and your whole team.

Saved scan history

Free accounts keep every Brief in one place. No more screenshotting a score before it scrolls out of your terminal.

Progress over time

A trend line per repo across every metric. Show leadership the score climbing — prevention, not a pile of debt.

Regression alerts

Get told the moment a score drops or a new severe finding lands — on any repo, on every PR, before it ships.

By the numbers

What we found in 5,299 scans.

38% of first-time scans landed in D or F.
3.2× the rate of committed secrets in AI-marked repos.
<60s to scan most repos end-to-end, locally.

Get started

Scan in sixty seconds.

No account required. The CLI is local-first — only file paths, git metadata, and code metrics are uploaded if you opt in.

Terminal · macOS & Linux
# one-line install
$ curl -fsSL https://inkode.co/install.sh | sh
$ cd your-project && ik init
$ ik run
macOS & Linux · arm64 & amd64 · Download manually