@shiproof/cli
v0.1.0
Published
Shiproof pre-flight CLI: scan an iOS project for mechanical App Store rejection causes before you submit.
Downloads
117
Maintainers
Readme
@shiproof/cli
Pre-flight your iOS project for the high-frequency mechanical App Store rejection causes — privacy manifest gaps, required-reason APIs, missing PII usage descriptions, and metadata problems — before you submit. Deterministic, high-precision, runs fully offline.
The CLI is the I/O layer around @shiproof/preflight-engine:
it walks a directory, parses PrivacyInfo.xcprivacy, Info.plist, and metadata into a
snapshot, runs the pure engine, and prints findings.
Install
# one-off, no install
npx @shiproof/cli .
# or install globally
npm install -g @shiproof/cli
shiproof .Requires Node ≥20.
Usage
shiproof [path] [options]Options:
--json Output machine-readable JSON
--min-severity=LEVEL Only show findings at LEVEL or above (error|warning|info)
--fail-on=LEVEL Exit non-zero when a finding at LEVEL or above exists (default: error)
-h, --help Show this helpExamples:
shiproof ./MyApp # human-readable report, fails on errors
shiproof ./MyApp --json # machine-readable for CI
shiproof ./MyApp --min-severity=warning --fail-on=warningExit codes
| Code | Meaning |
| ---- | --------------------------------------------- |
| 0 | Clean — no findings at or above --fail-on. |
| 1 | One or more findings at or above --fail-on. |
| 2 | Usage error (bad flag or bad severity value). |
This makes it drop-in for CI: a non-zero exit fails the job.
What it scans
Walking path, the CLI parses and checks:
PrivacyInfo.xcprivacy— required-reason API declarations.Info.plist— PII usage descriptions, bundle id, version, export compliance.shiproof.metadata.json— App Store metadata (placeholder text, other-platform mentions, privacy-policy URL).
Binary plists are rejected with a note; convert to XML (plutil -convert xml1).
CI / GitHub Action
For pull requests, use the GitHub Action wrapper
(packages/action) which runs this CLI on every PR and writes the
report to the job summary.
Opt-in corpus reporting
The CLI can optionally report a build fingerprint to an Shiproof backend
(--report-url, with $SHIPROOF_API_KEY, --app-id, --submission-id). This is
strictly opt-in, off by default, and never changes the exit code — the checker
always works fully offline. The API key is read only from the environment, never from a
flag, so it can't leak into process listings. Run shiproof --help for the full list.
License
MIT.
