AI ships fast. Not safely.
Twenty checks. Sixty seconds. One score. Know what's in your codebase before your customers do.
Your linter doesn't know what AI just wrote.
Hardcoded secrets
API keys, database passwords, and tokens committed straight to source. AI doesn't know what's sensitive — and your reviewer didn't read every line.
Zero test coverage
AI generates application code, rarely tests. Your codebase compiles, the demo works, and there's nothing to catch what breaks tomorrow.
Vulnerable dependencies
AI pulls in packages without checking CVEs. Known vulnerabilities sit in your tree, waiting. You wouldn't know unless something started leaking.
Scan. See. Fix.
Install and scan
One line on macOS or Linux. The CLI runs locally, scans 20 checks concurrently, and finishes in under 60 seconds on most repos.
See your score
A 0–100 health score with an A–F grade. A Brief is generated locally and shared via link — clear enough to start the right conversations.
Get the review
Our engineers review every finding, every file, coupling matrices, complexity per function. You receive a remediation roadmap prioritized by impact.
20 checks. 5 categories. One number.
Each check runs independently, scores 0–100, and feeds into a weighted overall score. The one no one else ships: Semantic Duplication — catches functions that do the same thing written differently.
Secret scanning (Security)
Detects hardcoded API keys, tokens, and passwords via gitleaks.
Dependency audit (Security)
Checks for known CVEs across Go, JavaScript, Python, Rust, and Java dependency trees.
Error handling (Security)
Unchecked errors in Go, bare excepts in Python, empty catches in JS and Java.
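An added, illustrative detector for the Python half of the error-handling check (not ik's own code, which this page does not show): it walks the AST for bare `except:` clauses and for handlers whose body is only `pass` or `...`, the two patterns that swallow failures silently. The sample module is constructed here for the demo.

```python
import ast
from dataclasses import dataclass

# Constructed sample module (not from any real project): one bare except,
# one swallowed OSError, and one handler that re-raises correctly.
SAMPLE = '''
def load(path):
    try:
        return open(path).read()
    except:
        return None

def save(path, data):
    try:
        open(path, "w").write(data)
    except OSError:
        pass

def parse(raw):
    try:
        return int(raw)
    except ValueError as exc:
        raise RuntimeError(f"bad input: {raw}") from exc
'''


@dataclass(frozen=True)
class Finding:
    line: int
    kind: str  # "bare-except" or "empty-handler"


def _is_noop(stmt: ast.stmt) -> bool:
    """True for `pass` or a bare `...` expression statement."""
    if isinstance(stmt, ast.Pass):
        return True
    return (isinstance(stmt, ast.Expr)
            and isinstance(stmt.value, ast.Constant)
            and stmt.value.value is Ellipsis)


def find_unsafe_handlers(source: str) -> list[Finding]:
    """Flag bare `except:` and handlers that do nothing with the exception."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.ExceptHandler):
            continue
        if node.type is None:  # `except:` with no exception class
            findings.append(Finding(node.lineno, "bare-except"))
        if all(_is_noop(stmt) for stmt in node.body):
            findings.append(Finding(node.lineno, "empty-handler"))
    return sorted(findings, key=lambda f: (f.line, f.kind))


if __name__ == "__main__":
    for f in find_unsafe_handlers(SAMPLE):
        print(f"line {f.line}: {f.kind}")
```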
Infrastructure (Security)
Audits Dockerfiles, Kubernetes manifests, and Terraform configs for security issues.
Scripts (Security)
Audits shell scripts for security vulnerabilities and unsafe patterns via ShellCheck.
Test presence (Testing)
Measures test-to-code ratio and finds untested directories.
Complexity (Complexity)
Cyclomatic complexity per function across Go, Python, JS, and Java.
Line count (Complexity)
Flags oversized files that are hard to read, review, and maintain.
Function length (Complexity)
Flags overlong functions that pack too much into one place and resist review.
Parameter count (Complexity)
Spots functions with too many parameters — a sign of tangled responsibilities.
Nesting depth (Complexity)
Detects deeply nested control flow that's hard to follow and easy to break.
Semantic duplication (Complexity)
Catches functions that do the same thing written differently. Embedded LLM — code never leaves your machine.
Coupling (Maintainability)
Finds files that always change together — hidden dependencies in your codebase.
Duplication (Maintainability)
Detects copy-pasted code blocks across the entire codebase.
Dead code (Maintainability)
Unused functions, exports, and variables — scaffolding AI generates but never cleans up.
TODO density (Maintainability)
Flags high TODO/FIXME density — deferred work signalling incomplete implementations.
Magic numbers (Maintainability)
Spots hardcoded numeric literals scattered through logic instead of named constants.
Import graph (Maintainability)
Surfaces circular imports, high fan-in/fan-out, and god packages.
Hotspots (Change Risk)
Ranks files by change frequency from git history. Volatile files are risky files.
AI stack detection (Change Risk)
Detects which AI tools shaped your codebase — Copilot, Cursor, Claude Code, and more.
Every PR. Auto-scanned.
Drop a ten-line GitHub Action into your repo. Inline annotations on the diff, a sticky PR comment summarising new findings, and a pass/fail check tied to your fail-on policy.
10 free runs over 30 days. No credit card.
Example inline annotations: "Possible API key committed to source." and "Return value of db.query() not checked."
Watch your code health improve over time.
Sign up free and every scan is saved to your dashboard. Upgrade and each scan becomes a point on a trend line — so you see issues caught before they merge, and regressions the moment a score drops, across every repo and your whole team.
Saved scan history
Free accounts keep every Brief in one place. No more screenshotting a score before it scrolls out of your terminal.
Progress over time
A trend line per repo across every metric. Show leadership the score climbing — prevention, not a pile of debt.
Regression alerts
Get told the moment a score drops or a new severe finding lands — on any repo, on every PR, before it ships.
What we found in 5,299 scans.
Scan in sixty seconds.
No account required. The CLI is local-first — only file paths, git metadata, and code metrics are uploaded if you opt in.
Field notes on AI-written code.
"Too many findings, and I don't know where to start"
The first time a friend ran ik on his own code, his feedback wasn't about accuracy — it was 'this is a wall of findings and I have no idea what to fix first.' He was right. Here's how we turned 15 checks into one grade you can read in a second, and a remediation list that puts the file you should open next at the top.
Read the piece →
We never get your codebase — just metadata. And you can keep even that local.
A code scanner asks for a lot of trust: you're pointing it at your source. So here's exactly what ik does and doesn't send. Your source code never leaves the machine — uploads carry findings and metadata, not file contents — secret values are masked before they're stored, the AI runs locally, and if you want zero upload, local-only scanning is one setting away.
Read the piece →
False green: the scariest bug in a code scanner
A scanner that crashes is annoying. A scanner that reports '0 problems' when it actually did nothing is dangerous — it manufactures false confidence. Three times this year, ik silently skipped a check and called it a pass. Here's how each one happened, and the rule we now scan ourselves by.
Read the piece →