The structural scan is the free core of Shipmoor. It checks a change for the high-confidence failure modes agents introduce and emits human, JSON, and SARIF output from the same run. This page covers how to point it at the right code.
Scan the whole project
shipmoor scan .
shipmoor scan <path> resolves your project context from the repository or manifest root, even when the path you give is a subdirectory. Inside a git worktree it uses the git root; outside git it walks up to the nearest .shipmoor.yaml, .shipmoor.yml, pyproject.toml, package.json, requirements*.txt, or go.mod.
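The root resolution described above can be sketched as follows. This is an added example, not Shipmoor's own code: `resolve_root`, its `ceiling` parameter, and the fallback to the given directory when no marker is found are assumptions made for illustration.

```python
import sys
from pathlib import Path

# Marker names from the paragraph above; requirements*.txt is a glob pattern.
MARKERS = (".shipmoor.yaml", ".shipmoor.yml", "pyproject.toml",
           "package.json", "requirements*.txt", "go.mod")


def _ancestors(start, ceiling=None):
    """Yield the start directory, then each parent, stopping after `ceiling`."""
    here = Path(start).resolve()
    if here.is_file():
        here = here.parent
    stop = Path(ceiling).resolve() if ceiling else None
    for d in (here, *here.parents):
        yield d
        if d == stop:
            return


def resolve_root(path, ceiling=None):
    """Return (root, reason) for a scan path.

    reason is "git", "manifest", or "none" (assumed fallback: the directory itself).
    `ceiling` is a hypothetical knob that bounds the upward walk.
    """
    dirs = list(_ancestors(path, ceiling))
    # Inside git: the git root wins, even if a nested manifest is closer.
    for d in dirs:
        if (d / ".git").exists():  # a directory, or a file in linked worktrees
            return d, "git"
    # Outside git: the nearest ancestor holding any marker file.
    for d in dirs:
        if any(any(d.glob(m)) for m in MARKERS):
            return d, "manifest"
    return dirs[0], "none"


if __name__ == "__main__":
    root, reason = resolve_root(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(f"{root} ({reason})")
```

The root only selects the project context; nested package manifests below it still contribute to dependency resolution, as noted under Supported languages.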
Scope to what changed (recommended)
In an agent workflow you usually want to scan only what the agent just touched. Four scopes do that:
shipmoor scan --changed # staged + unstaged working-tree changes
shipmoor scan --staged # only what's staged
shipmoor scan --diff main...HEAD # a git range
shipmoor scan --patch agent.patch # a patch file the agent produced
Why scope matters. A full-repo shipmoor scan . on a project whose third-party dependencies aren’t installed can surface a lot of phantom-import noise from code you didn’t write. Scoping to the change keeps the scan focused on the agent’s work — which is what an agent loop or a PR gate actually cares about.
Supported languages
Shipmoor scans Python, TypeScript, JavaScript, and Go changes. Manifest discovery runs downward from the resolved root, so both root manifests and nested package manifests contribute to dependency resolution.
Reading the result
Shipmoor leads with a one-line verdict, groups findings by file with blockers first, and names the next command to run:
✗ 1 blocker · scanned 7 changed files (python, typescript)
core/aether.ts
[critical] hallucinated_api · line 42
Calls queue.flushPending() — no such method exists on the symbol.
[high] phantom_import · line 3
Imports 'fast-retry', missing from the manifest and lockfile.
api/checkout.py
[high] stub_path · line 88
Returns success while the real persistence side effect is missing.
To understand any rule, run shipmoor explain <rule> — see Findings & rules.
Output and gating
Add --json, --sarif, and --output for machine output, and --fail-on <severity> to make the scan exit non-zero when findings cross a threshold. See Output formats & exit codes and Gating & policy.
Next
- Findings & rules — what each finding means.
- Claim Check — add --intent to check the change against its task (IC).
- GitHub Actions — run the same scan as a CI gate.