AI Assessment
VERDICT
Based on automated scanner findings, this project shows decent security hygiene but lacks production-readiness due to missing testing infrastructure, undocumented dependency vulnerabilities, and absent governance files. The C grade reflects moderate-risk gaps rather than active security threats.
TOP RISKS
→ Two dependency vulnerabilities were flagged in src-tauri/Cargo.lock: GHSA-wrw7-89jp-8q8g in glib@0.18.5 and CVE-2026-25727 in time@0.3.39. The scanner detected these as medium-severity issues.
→ No tests detected across the repository. The scanner flagged complete absence of test infrastructure, which prevents verification that fixes work as intended.
→ High cyclomatic complexity detected in src-tauri/src/lib.rs:36 (CCN 15) and src-tauri/src/hotkey.rs:114, suggesting these functions are difficult to test and maintain.
→ Three SVG assets were flagged as missing title attributes, creating accessibility issues.
→ No LICENSE, SECURITY.md, or CODEOWNERS files detected, indicating missing governance and legal documentation.
WHAT TO FIX FIRST
Address the dependency vulnerabilities in src-tauri/Cargo.lock. Update glib and time to patched versions. This blocks the most direct security exposure and would improve the Dependencies score significantly.
Secondary priority: Add test coverage. The "no tests detected" finding suggests establishing a testing framework would catch regressions and provide the biggest quality improvement relative to effort.
REMINDER: Verify the flagged CVE-2026-25727 against your actual codebase—the year 2026 suggests this may be a scanner misconfiguration or false positive. Cross-check against official vulnerability databases.
Category Breakdown
Findings (25 in 14 groups)
Tip: 18 low-severity findings are style suggestions, not security risks.
A code quality issue was found. It may not be a security risk, but fixing it makes your code more reliable and easier to work with.
In your project, there's a code quality issue: "No Svg Without Title". Please review and fix this according to best practices. The linter rule lint/a11y/noSvgWithoutTitle flags this as a problem — look up the rule for guidance on the correct fix.
A package your app depends on (glib) has a known security hole. Hackers can potentially exploit this to compromise your app. You need to update it.
The dependency glib in src-tauri/Cargo.lock has a known vulnerability (GHSA-wrw7-89jp-8q8g: glib@0.18.5). Update it to a patched version:
1. Run: npm update glib (or yarn upgrade glib)
2. If that doesn't fix it, check the latest safe version and set it explicitly in package.json
3. Run npm audit to verify the vulnerability is resolved
4. Test your app to make sure the update didn't break anything
A package your app depends on (time) has a known security hole. Hackers can potentially exploit this to compromise your app. You need to update it.
The dependency time in src-tauri/Cargo.lock has a known vulnerability (CVE-2026-25727: time@0.3.39). Update it to a patched version:
1. Run: npm update time (or yarn upgrade time)
2. If that doesn't fix it, check the latest safe version and set it explicitly in package.json
3. Run npm audit to verify the vulnerability is resolved
4. Test your app to make sure the update didn't break anything
Your project has no license file. Without one, nobody can legally use, modify, or contribute to your code — even if it's public on GitHub.
Add a LICENSE file to your project root:
1. For open source: create a file called LICENSE and paste the MIT License text (most popular for open source)
2. For private/commercial: add a LICENSE file stating "All rights reserved" and your copyright
3. Choose a license at https://choosealicense.com if you're unsure
4. Add the license type to your package.json: "license": "MIT"
Your app has no automated tests. You won't know if a code change breaks something until real users complain. This is the #1 reason apps break after updates.
Your project has no test files. Add basic tests:
1. Install a test framework: npm install -D vitest (or jest)
2. Create a __tests__ folder or add .test.ts files next to your source files
3. Start by writing tests for your most important functions — the ones that handle money, auth, or user data
4. Add a "test" script to your package.json: "test": "vitest"
5. Run tests with: npm test
A code quality issue was found. It may not be a security risk, but fixing it makes your code more reliable and easier to work with.
In your project, there's a code quality issue: "Format". Please review and fix this according to best practices. The linter rule format flags this as a problem — look up the rule for guidance on the correct fix.
This function is overly complex (complexity score: 15). It likely has hidden bugs that are hard to find, and AI coding tools will struggle to modify it correctly.
In src-tauri/src/lib.rs at line 36, there's a function with cyclomatic complexity of 15 (should be under 15). Break it down:
1. Identify the different things this function does (each if/else branch, each loop)
2. Extract each logical step into its own smaller function with a clear name
3. The main function should read like a high-level description of the process
4. Each new function should do ONE thing and be easy to understand on its own
5. Aim for functions with complexity under 10
A code quality issue was found. It may not be a security risk, but fixing it makes your code more reliable and easier to work with.
In your project, there's a code quality issue: "Use Template". Please review and fix this according to best practices. The linter rule lint/style/useTemplate flags this as a problem — look up the rule for guidance on the correct fix.
The same code is copied in multiple places. If there's a bug in one copy, all the other copies still have it. This makes fixing bugs much harder.
In src-tauri/src/hotkey.rs at line 102, duplicated code was detected. Refactor it:
1. Identify the repeated code block
2. Extract it into a shared function with a descriptive name
3. Replace all copies with calls to the new function
4. If the copies differ slightly, add parameters to the function to handle the differences
5. Make sure all existing behavior is preserved after the refactor
Your project has no automated checks (CI/CD). Code goes straight to production without any safety net — no tests run, no linting, no security checks.
Add a CI/CD pipeline to your project:
1. Create .github/workflows/ci.yml in your project
2. Add a basic workflow that runs on push and pull requests
3. Include steps for: install dependencies, run linter, run tests, build
4. Start simple — even just running 'npm test' on every push catches a lot of bugs
5. You can use ShipScanner's GitHub Action for automated code quality checks