GitHub - BhaveshThapar/Shiproof · GitHub
Shiproof Pre-flight
Catch the mechanical App Store rejection causes before you submit — on every pull request, in under 10 minutes to install, no account migration.
This is the free, open-source wedge of Shiproof: a deterministic rules engine that flags the high-frequency, mechanical rejection causes Apple's automated review keeps catching in 2026:
- Required-reason APIs used without a matching PrivacyInfo.xcprivacy declaration (UserDefaults, file timestamp, system boot time, disk space, active keyboards).
- Missing PII usage descriptions in Info.plist (camera, location, contacts, tracking, and more) that crash the app and get it rejected.
- Metadata problems: placeholder text, broken URLs, missing privacy policy, other-platform mentions.
Every check is deterministic and high-precision — no LLM, no network, no telemetry in this package. It either found a real, citable problem or it didn't.
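To make the first check concrete, here is an added example (not code from the Shiproof engine) of a deterministic required-reason scan: it matches a small subset of Apple's required-reason API symbols in Swift source and reports any whose category is not declared in PrivacyInfo.xcprivacy. The function names, the symbol subset and the sample inputs are assumptions made for illustration.

```javascript
// Added example: hypothetical names, not the Shiproof engine's API.
// Categories are Apple's NSPrivacyAccessedAPIType values; the symbols are an illustrative subset.
const REQUIRED_REASON_APIS = [
  { category: "NSPrivacyAccessedAPICategoryUserDefaults", pattern: /\bUserDefaults\b/ },
  { category: "NSPrivacyAccessedAPICategoryFileTimestamp", pattern: /\b(creationDate|modificationDate|contentModificationDateKey)\b/ },
  { category: "NSPrivacyAccessedAPICategorySystemBootTime", pattern: /\b(systemUptime|mach_absolute_time)\b/ },
  { category: "NSPrivacyAccessedAPICategoryDiskSpace", pattern: /\b(volumeAvailableCapacityKey|systemFreeSize)\b/ },
  { category: "NSPrivacyAccessedAPICategoryActiveKeyboards", pattern: /\bactiveInputModes\b/ },
];

// Collect the categories declared under NSPrivacyAccessedAPIType in the privacy manifest.
function declaredCategories(manifestXml) {
  const re = /<key>NSPrivacyAccessedAPIType<\/key>\s*<string>([^<]+)<\/string>/g;
  return new Set([...(manifestXml ?? "").matchAll(re)].map((m) => m[1].trim()));
}

// Blank out comments (keeping newlines) so commented-out code yields no finding
// and line numbers stay accurate. A "//" inside a string literal also truncates that line.
function stripComments(src) {
  return src.replace(/\/\*[\s\S]*?\*\//g, (c) => c.replace(/[^\n]/g, " ")).replace(/\/\/.*$/gm, "");
}

// Return one finding per use of a required-reason symbol whose category is undeclared.
function checkRequiredReasonApis(sources, manifestXml) {
  const declared = declaredCategories(manifestXml);
  const findings = [];
  for (const [file, text] of Object.entries(sources)) {
    stripComments(text).split("\n").forEach((line, i) => {
      for (const { category, pattern } of REQUIRED_REASON_APIS) {
        const hit = pattern.exec(line);
        if (hit && !declared.has(category)) findings.push({ file, line: i + 1, symbol: hit[0], category });
      }
    });
  }
  return findings;
}

// Constructed sample input: UserDefaults is declared, system boot time is not.
const sampleSources = {
  "Settings.swift": [
    'let seen = UserDefaults.standard.bool(forKey: "seen")',
    "// let t = ProcessInfo.processInfo.systemUptime",
    "let up = ProcessInfo.processInfo.systemUptime",
  ].join("\n"),
};
const sampleManifest = `<dict><key>NSPrivacyAccessedAPITypes</key><array><dict>
  <key>NSPrivacyAccessedAPIType</key><string>NSPrivacyAccessedAPICategoryUserDefaults</string>
  <key>NSPrivacyAccessedAPITypeReasons</key><array><string>CA92.1</string></array>
</dict></array></dict>`;
console.log(checkRequiredReasonApis(sampleSources, sampleManifest));
```

The sketch only checks that a category is declared; it does not validate the reason codes listed for it.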
Packages
| Package | What it is |
| --- | --- |
| @shiproof/preflight-engine | Pure rules engine. Takes a parsed project snapshot, returns findings. Fully unit-tested. |
| @shiproof/cli | shiproof CLI. Scans a directory, runs the engine, prints findings (human or --json). |
| packages/action | The GitHub Action wrapper that runs the CLI on every PR. |

The deterministic engine is intentionally a standalone OSS package so the free Action and the paid Shiproof backend share one engine and one test suite, while the corpus / prediction / appeal logic stays in a separate private codebase.
Use it as a GitHub Action
```yaml
# .github/workflows/preflight.yml
name: Shiproof pre-flight
on: [pull_request]
jobs:
  preflight:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: BhaveshThapar/Shiproof/packages/action@v0.1.0
        with:
          path: .
          fail-on: error
```
Use it as a CLI
```bash
npx @shiproof/cli .                 # scan the current directory
npx @shiproof/cli ./MyApp --json    # machine-readable output
npx @shiproof/cli . --fail-on=warning
```
Exit codes: 0 clean, 1 findings at/above --fail-on, 2 usage error.
Optional: report builds to a Shiproof backend
The checker works fully offline. If you also use the paid Shiproof backend, the CLI can report each build's fingerprint at pre-flight so the backend can later learn which fix resolved a rejection. It's strictly opt-in and never changes the exit code:
```bash
SHIPROOF_API_KEY=... SHIPROOF_REPORT_URL=https://api.your-shiproof \
  npx @shiproof/cli . --app-id=<asc-app-id> --submission-id=<version-id>
```
The API key is read only from the environment (never a flag). Nothing is reported<br>unless --report-url, the API key, --app-id, and --submission-id are all set.
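The three properties stated above (all four inputs required, key taken only from the environment, exit code never changed) can be expressed as the following added sketch; it is not the CLI's own code. The function and field names are hypothetical, and refusing a key passed as a flag is an assumption about how "never a flag" could be enforced.

```javascript
// Added sketch; function and field names are hypothetical, not the Shiproof CLI's internals.
function flagValue(argv, name) {
  const prefix = `--${name}=`;
  const hit = argv.find((a) => a.startsWith(prefix));
  return hit ? hit.slice(prefix.length) : undefined;
}

// Returns { enabled: false, missing } unless all four inputs are present.
function resolveReportConfig(argv, env) {
  // Assumption: a key passed as a flag is refused outright, because argv is
  // visible in process listings, shell history and CI logs.
  if (argv.some((a) => /^--api-key(=|$)/.test(a))) {
    throw new Error("pass the API key via SHIPROOF_API_KEY, not a flag");
  }
  const cfg = {
    reportUrl: flagValue(argv, "report-url") ?? env.SHIPROOF_REPORT_URL,
    apiKey: env.SHIPROOF_API_KEY,
    appId: flagValue(argv, "app-id"),
    submissionId: flagValue(argv, "submission-id"),
  };
  const missing = Object.keys(cfg).filter((k) => !cfg[k]);
  return missing.length ? { enabled: false, missing } : { enabled: true, ...cfg };
}

// Reporting is best-effort: whatever happens, the scan's exit code is returned unchanged.
// `send` is a caller-supplied function that performs the actual upload.
async function finishRun(scanExitCode, report, send) {
  if (report.enabled) {
    try {
      await send(report);
    } catch (err) {
      // Log the failure without echoing the key.
      const msg = String(err.message).replaceAll(report.apiKey, "[redacted]");
      console.error(`report skipped: ${msg}`);
    }
  }
  return scanExitCode;
}
```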
Optional: metadata linting
Drop a shiproof.metadata.json at your project root (or export it from App Store Connect) to lint your listing copy too:
```json
{
  "description": "Scan and organize your receipts.",
  "releaseNotes": "Bug fixes.",
  "privacyPolicyUrl": "https://example.com/privacy",
  "supportUrl": "https://example.com/support"
}
```
Develop
```bash
npm install
npm run build       # tsc -b across the workspace
npm test            # build + Node's test runner (zero extra deps)
npm run typecheck
```
Requires Node 20+. MIT licensed.
Latest release: v0.1.0, Jun 20, 2026