Community CLI

Shipmoor Team
May 20, 2026

Shipmoor Community CLI is a free local command-line tool for pre-merge AI code integrity checks. It scans Python, TypeScript, JavaScript, and Go changes before merge, emits deterministic JSON and SARIF, and runs without a cloud account.

The Community CLI is intentionally local-first:

  • No telemetry.
  • No hidden history database.
  • No cloud login.
  • No sudo install requirement.
  • No enterprise policy, audit, or hosted dashboard features.

Install

Install the CLI with one command:

curl -fsSL https://shipmoor.dev/install-community-cli.sh | bash

The installer detects macOS or Linux, selects the matching CPU architecture, verifies the downloaded archive checksum, and installs the executable to:

~/.shipmoor/bin/shipmoor

If that directory is not on your PATH, the installer prints the exact shell export line to add.

Verify the install:

shipmoor version

Quickstart

From a repository you want to scan:

shipmoor init
shipmoor scan .

shipmoor init creates .shipmoor.yaml and adds .shipmoor/ to .gitignore. The default scan prints a concise terminal summary and returns a gate-friendly exit code.

Scan Inputs

Scan a whole repository or a single file:

shipmoor scan .
shipmoor scan src/foo.py

Scan Git changes:

shipmoor scan --changed
shipmoor scan --staged
shipmoor scan --diff main...HEAD

Scan an agent-produced patch:

shipmoor scan --patch agent.patch

Patch and diff scans parse changed line ranges, scan whole changed files for context, and classify findings as introduced, existing, or unknown.

Output Formats

Human-readable output is the default:

shipmoor scan .

Write deterministic JSON:

shipmoor scan . --json --output shipmoor.json

Write SARIF for GitHub code scanning:

shipmoor scan . --sarif --output shipmoor.sarif

When --json or --sarif writes to stdout, stdout contains only machine-readable JSON. Diagnostics go to stderr.

CI Gate

Use --fail-on to decide when the scan should block:

shipmoor scan . --fail-on critical
shipmoor scan . --fail-on high
shipmoor scan . --fail-on medium
shipmoor scan . --fail-on none

Exit codes are stable:

Code  Meaning
0     Scan succeeded and did not exceed the threshold.
1     Scan succeeded and exceeded the threshold.
2     Usage or configuration error.
3     Unexpected scan failure.
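
A wrapper that applies this exit-code contract in a pipeline, as an added example (not Shipmoor's own code): it keeps findings (code 1) separate from tool errors (2, 3, or any undocumented code), so an advisory job can waive findings without ever passing when the scanner itself broke. The names run_gate and classify_exit, the two mode names, and the assumption that a completed scan always writes its --output file are illustrative.

```shell
#!/bin/sh
# Added example, not Shipmoor code. Exit-code meanings are the four listed above.

# Map a scan exit code to a verdict. Anything undocumented (127 = binary
# missing, 137 = killed, ...) is "unknown" and must never count as a pass.
classify_exit() {
  case "$1" in
    0) echo pass ;;
    1) echo blocked ;;
    2) echo config-error ;;
    3) echo scan-failure ;;
    *) echo unknown ;;
  esac
}

# run_gate MODE REPORT CMD [ARGS...]
#   MODE   enforce  = findings over the threshold fail the job
#          advisory = findings are reported but do not fail the job
#   REPORT path CMD was told to write (assumption: a completed scan always
#          writes it, even with zero findings)
# Prints the verdict on stdout; returns 0 only when the job may continue.
run_gate() {
  mode=$1 report=$2
  shift 2
  rc=0
  # Scanner output goes to stderr so the verdict is the only stdout line;
  # "|| rc=$?" captures the code without tripping `set -e`.
  "$@" >&2 || rc=$?
  verdict=$(classify_exit "$rc")
  case "$verdict" in
    pass|blocked)
      # The scan claims to have completed: require a non-empty report.
      [ -s "$report" ] || verdict=missing-report ;;
  esac
  echo "$verdict"
  case "$verdict" in
    pass) return 0 ;;
    blocked) [ "$mode" = advisory ] ;;  # only findings can be waived
    *) return 1 ;;                      # tool errors fail closed in both modes
  esac
}

# Usage in a CI step:
# run_gate enforce shipmoor.sarif "$HOME/.shipmoor/bin/shipmoor" scan --changed \
#   --sarif --output shipmoor.sarif --fail-on high
```
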

GitHub Actions

This workflow runs Shipmoor on changed files, writes SARIF, and uploads it to GitHub code scanning:

name: Shipmoor

on:
  pull_request:
  push:
    branches: [main]

jobs:
  shipmoor:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - name: Install Shipmoor Community CLI
        run: curl -fsSL https://shipmoor.dev/install-community-cli.sh | bash
      - name: Run Shipmoor
        run: |
          "$HOME/.shipmoor/bin/shipmoor" scan --changed \
            --sarif --output shipmoor.sarif \
            --markdown-summary "$GITHUB_STEP_SUMMARY" \
            --fail-on high
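      - name: Upload SARIF
        # Run even when the scan step fails the gate, so blocking findings still reach code scanning.
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: shipmoor.sarif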

Configuration

Shipmoor looks for .shipmoor.yaml by default. A minimal configuration looks like this:

schema_version: 1
languages:
  enabled:
    - python
    - typescript
    - javascript
    - go
ignore:
  - .shipmoor/
rules:
  disabled: []
  severity_overrides: {}
thresholds:
  fail_on: high
diff:
  only_introduced: true
output:
  default_format: human

Disable a rule:

rules:
  disabled:
    - python.placeholder.empty_body

Override severity:

rules:
  severity_overrides:
    python.quality.mutable_default: high

Scan with an explicit config:

shipmoor scan . --config .shipmoor.yaml

Rule Discovery

List available rules:

shipmoor rules
shipmoor rules --json

Explain a finding from a JSON report:

shipmoor explain <finding-id> --from shipmoor.json

Installer Controls

Pin a version:

curl -fsSL https://shipmoor.dev/install-community-cli.sh | SHIPMOOR_VERSION=0.1.0 bash

Use the staging channel:

curl -fsSL https://shipmoor.dev/install-community-cli.sh | SHIPMOOR_CHANNEL=staging bash

Install to a custom user-writable path:

curl -fsSL https://shipmoor.dev/install-community-cli.sh | SHIPMOOR_INSTALL_DIR="$HOME/bin" bash

Uninstall:

rm -f ~/.shipmoor/bin/shipmoor

Scope Boundary

Community CLI covers local scanning, deterministic output, patch and Git diff input, SARIF export, and CI-friendly exit behavior.

Enterprise policy, organization baselines, audit logs, RBAC, hosted APIs, dashboards, IDE integrations, and assisted remediation belong to Shipmoor’s pro product surface, not the Community CLI.

Last updated on May 20, 2026
