AI Assessment
VERDICT
The package appears production-safe from a security and dependencies standpoint, but lacks essential documentation and testing infrastructure that would normally accompany a production release.
TOP RISKS
→ High cyclomatic complexity (CCN 31) was flagged in install/create_package_body.sql, indicating one or more functions or procedures with complex control flow that may be difficult to maintain and test.
→ No README file detected—users cannot easily understand the package purpose, installation instructions, or usage.
→ No tests detected—there is no evidence of automated test coverage for the package functionality.
→ Duplicated code block (15 lines) in install/create_package_body.sql:432 suggests maintenance burden and potential inconsistency risks.
WHAT TO FIX FIRST
Refactor the high-complexity functions in install/create_package_body.sql to reduce cyclomatic complexity below 15. This single change would improve maintainability and likely unlock multiple quality gates. After that, add a README to unblock adoption.
ADDITIONAL CONTEXT
No security, credential, or dependency vulnerabilities were detected. The medium findings are predominantly best-practices gaps: missing README, LICENSE, and tests. The low findings (no .gitignore, CI/CD, SECURITY.md, CODEOWNERS) are standard repository metadata that would strengthen governance but are not blocking.
Verify the complexity flagging in your actual SQL code to confirm it is not a false positive specific to SQL analysis rules.
Category Breakdown
Findings (12 in 9 groups)
Tip: 5 low-severity findings are style suggestions, not security risks.
This function is extremely complex (complexity score: 31). It likely has hidden bugs that are hard to find, and AI coding tools will struggle to modify it correctly.
In install/create_package_body.sql, there's a function with cyclomatic complexity of 31 (should be under 15). Break it down:
1. Identify the different things this function does (each if/else branch, each loop)
2. Extract each logical step into its own smaller function with a clear name
3. The main function should read like a high-level description of the process
4. Each new function should do ONE thing and be easy to understand on its own
5. Aim for functions with complexity under 10
Your project has no README file. People (and AI tools) can't understand what your app does, how to set it up, or how to use it.
Create a README.md file in your project root with:
1. Project name and a one-line description of what it does
2. How to install/set up the project (prerequisites, npm install, env vars)
3. How to run it (dev server, build, test commands)
4. Brief explanation of the tech stack
5. Keep it simple: a good README is better than a perfect one you never write
Your project has no license file. Without one, nobody can legally use, modify, or contribute to your code — even if it's public on GitHub.
Add a LICENSE file to your project root:
1. For open source: create a file called LICENSE and paste the MIT License text (most popular for open source)
2. For private/commercial: add a LICENSE file stating "All rights reserved" and your copyright
3. Choose a license at https://choosealicense.com if you're unsure
4. Add the license type to your package.json: "license": "MIT"
Your app has no automated tests. You won't know if a code change breaks something until real users complain. This is the #1 reason apps break after updates.
Your project has no test files. Add basic tests:
1. Install a test framework: npm install -D vitest (or jest)
2. Create a __tests__ folder or add .test.ts files next to your source files
3. Start by writing tests for your most important functions, the ones that handle money, auth, or user data
4. Add a "test" script to your package.json: "test": "vitest"
5. Run tests with: npm test
The same code is copied in multiple places. If there's a bug in one copy, all the other copies still have it. This makes fixing bugs much harder.
In install/create_package_body.sql at line 432, duplicated code was detected. Refactor it:
1. Identify the repeated code block
2. Extract it into a shared function with a descriptive name
3. Replace all copies with calls to the new function
4. If the copies differ slightly, add parameters to the function to handle the differences
5. Make sure all existing behavior is preserved after the refactor
Your project might be uploading sensitive files (like .env with passwords, node_modules, or build files) to GitHub. A .gitignore file prevents this.
Create a .gitignore file in your project root:
1. Create a file called .gitignore
2. Add these essential entries: node_modules/ .env .env.local dist/ .next/ *.log
3. Visit gitignore.io and generate one for your tech stack for a more complete version
4. If sensitive files were already committed, remove them from git tracking with: git rm --cached <file>
Your project has no automated checks (CI/CD). Code goes straight to production without any safety net — no tests run, no linting, no security checks.
Add a CI/CD pipeline to your project:
1. Create .github/workflows/ci.yml in your project
2. Add a basic workflow that runs on push and pull requests
3. Include steps for: install dependencies, run linter, run tests, build
4. Start simple: even just running 'npm test' on every push catches a lot of bugs
5. You can use ShipScanner's GitHub Action for automated code quality checks
Your project is missing a recommended best practice. Following best practices makes your project more professional, maintainable, and easier for others to contribute to.
Your project is missing a SECURITY.md file. Add one to follow software development best practices; it improves project maintainability, collaboration, and professionalism.
Your project is missing a recommended best practice. Following best practices makes your project more professional, maintainable, and easier for others to contribute to.
Your project is missing a CODEOWNERS file. Add one to follow software development best practices; it improves project maintainability, collaboration, and professionalism.