Pick your language.
Every ik check fires when it has a detector for the language
it sees. Here's exactly what each scanner does, which tools it shells out
to, and what it catches that AI tools love to slip past code review.
In-process gocyclo, govulncheck (with reachability), whole-program deadcode, errcheck for unchecked errors. Built-in go/parser import graph. testify detection. AST-accurate semantic-dup extractor.
In-process complexity via chamele. PMD for magic numbers / dead code / empty catches. osv-scanner for Maven & Gradle CVEs. JUnit / Spring AI / LangChain4j detection. Package-level import graph.
Maven · Gradle
In-process complexity, function length, parameter count & nesting depth via chamele — no Roslyn analyzer needed. Semantic duplication via embedded LLM. Secrets, hotspots & duplication. (NuGet CVE audit not yet wired.)
.csproj · .NET
In-process complexity via chamele. cargo-audit for Cargo.lock CVEs (plus unmaintained / unsound crate warnings). Semantic duplication via embedded LLM. Hotspot & coupling from git history. Duplication via jscpd. Secrets via gitleaks.
Cargo
In-process complexity via chamele. pip-audit for requirements.txt CVEs. vulture for dead code. pylint magic-value-comparison. Bare-except detection. pytest detection.
pip · pyproject
In-process complexity via chamele — no ESLint config needed. npm audit for vulnerable deps. knip for unused exports. Empty-catch detection. jscpd duplication. Jest / Vitest / Mocha detection.
npm · pnpm · yarn
Want the full check list?
20 checks across 5 categories, scored 0–100 with an A–F grade.