Deterministic. Local-first.

Keep AI-assisted code up to your standards.

Catch secrets, duplicate code, security smells, and maintainability regressions before they reach human review. Source analysis runs locally. The same rules run in VS Code, the iris CLI, hooks, and CI.

0
capabilities
0
languages
0
bytes leave your machine
cancel-order-modal.tsx - Iris CodeHEALTH 72/100
src / checkout
session.ts94
handlers.ts88
cancel-order...72
legacy.ts61
migrate.ts38
src / config
keys.ts!
38export function cancelOrder(id) {
39 const retry = await fetch(url, { timeout: 30000 })
complexity 6/10 - function exceeds budget · Iris Code
40 const token = "ghp_a83x0Pf2Le..."
hardcoded secret - GitHub token · blocks push
41 console.log('cancelling', id) // magic value
42}
Analysis15Configuration7Enforcement3CLI9Languages4

Know what's wrong
before review starts.

Open a file and Iris Code scores it instantly - functions, complexity, secrets, and every smell pinned to a line. Free covers analysis; Pro adds the whole-repo view.

Per fileFree

One number, recomputed on every save.

Complexity, code smells, security patterns, type safety, and secrets - weighted into a single 0-100 score.

0HEALTH
Complexity64
Type safety91
Smells70
Secrets0 left
Pro - Workspace

The whole codebase in one view.

Aggregate stats, ranked files, and unused packages across the repo.

Repo health0 / 100
Files scored0
Below threshold0 files
Unused packages0
Free

Hardcoded secrets

Suspicious names plus known token formats - caught the moment you save.

14  const API_TOKEN = "ghp_a83x..."
15  const password = "hunter2"
Free

Code smells and TypeScript

Console logs, magic numbers, TODOs, any, and missing return types.

console.log x 4warn
magic numbers x 3warn
any usage x 2block
Free to Pro

Trend tracking

2 snapshots on Free; unlimited history on Pro to chart long-range health.

Try a threshold
before you commit to it.

Scan read-only against five presets, watch the fail count change, and apply the one that fits. One .irisconfig.json drives diagnostics, hooks, and CI for the whole team.

Gate PreviewFree

Cycle presets, see what fails.

iris gate-preview
70threshold
2 of 528 files would fail this gate.
Configuration

One config, same rules everywhere.

Commit it once - a one-line presetId gets you started; custom limits take over on Pro.

Free
.irisconfig.json
1{
2 "presetId": "balanced",
3 "minHealthScore": 80,
4 "enforce": {
5 "prePush": true,
6 "maxSecrets": 0
7 },
8 "overrides": {
9 "src/legacy/**": { "min": 60 }
10 }
11}

Nothing broken
gets past the line.

Secrets and sub-threshold files stop at the pre-push and build hooks - before they ever ship. The same gate runs locally and in CI.

Score - Gate - Hook

From signal
to guardrail.

Set the bar once. The hook scores changed files and stops the ones that fall short - and any leaked secret - at the door.

2
secrets caught
1
push blocked
<1s
per file
Pro

Git pre-push hook

Block any push that falls below your health threshold.

Pro

Build hook

Stop JS, Go, and Python builds before they run.

Pro

Push-blocked counter

Monthly and total pushes blocked, plus health delta since Pro.

Free for analysis.
Pro for enforcement.

Gate Preview, file scoring, secrets detection, and preset configs are free forever. Pro turns signal into a gate.

Local
in-process
Network
account, lookups + events
Code upload
never for analysis
Free
$0/ month
forever
Install Free
  • File analysis - health, complexity, functions
  • TypeScript metrics, code smells, and security patterns
  • Hardcoded secrets detection
  • Inline diagnostics, status bar and Code Lens
  • Gate Preview (read-only posture check)
  • iris check, secrets, report (CLI)
Pro
Pro
$6/ month
14-day trial by request - no credit card
Request free trial
  • Everything in Free
  • Workspace and folder analysis with drilldown
  • Git pre-push and build hook enforcement
  • Custom enforcement limits and scoring weights
  • Config Studio and Dependents with CVE scan
  • iris gate, deps, cve, sbom, todos, hook (CLI)
See full feature comparison

Pricing adjusts by region when available.

Twelve commands for
terminals and CI.

Single-file scans are free; the gate, deps audits, and directory scans unlock on Pro.

$ iris check src/checkout/cart.ts cart.ts 68/100 3 issues · complexity 7/10 ! line 42 function exceeds complexity budget ! line 88 magic number — extract a constant i line 91 TODO left in source
$ iris secrets --dir src src/config/keys.ts:14 GitHub token src/config/keys.ts:15 weak password literal no authentication required · nothing uploaded 2 secrets found — exit 1
$ iris security --dir src src/db/query.ts:22 SQL built by string concatenation src/utils/hash.ts:9 weak hashing (MD5) no authentication required · nothing uploaded 2 security smells found — exit 1
$ iris gate --staged --min 80 session.ts 94 handlers.ts 88 migrate.ts 38 keys.ts · 2 secrets gate failed — 2 of 6 below threshold (exit 1)
$ iris report --out iris-report.html scored 128 files · repo health 81/100 wrote iris-report.html (standalone) open it in any browser — no server needed
Get started

One line to install.

CLI, hooks, and the VS Code extension.

zsh
$ npm i -g @iris-code/cli▸ iris ready · run iris check
iris authFree
Sign in via browser or licence token. Stored at ~/.iris/credentials.
iris checkFree to Pro
Single-file scan is free. Directory, --staged, and --changed on Pro.
iris secretsFree
Hardcoded credentials, API keys, and tokens. No auth required.
iris securityFree
Eval usage, SQL injection, insecure RNG, weak hashing, and more. No auth required.
iris depsPro
Audit package.json, go.mod, requirements.txt for CVEs. Lockfile-aware and monorepo-aware.
iris cvePro
Same scan as deps, but exits 1 only at or above a --severity threshold. Built for CI gates.
iris sbomPro
Export a CycloneDX 1.5 SBOM across npm, Go, and Python. Fully offline.
iris todosPro
Collect every TODO, FIXME, and HACK comment across the codebase.
iris gatePro
Full enforcement gate. Exits 1 below threshold. Designed for CI.
iris reportFree
Export a standalone HTML health report to the current directory.
iris hookFree to Pro
Status check is free. Install/uninstall pre-push & build hooks on Pro.
iris configFree
init generates a config with a preset; validate checks an existing one.

Questions, answered
before you ask.

Local-first, predictable, and built to live in your editor for years - here's how it holds up.

Never for analysis. Scoring, secrets detection, smells, and the gate all run in-process on your device. Iris Code uses limited network requests for sign-in and licensing, dependency and advisory lookups, and product-use events. It never sends source code, file contents, or project structure for analysis, and you can disable optional product-use events in account settings.
TypeScript and JavaScript (.ts, .tsx, .js, .jsx, .mjs, and .cjs) get the full metric set, including TypeScript-specific type-safety signals where applicable. Go (.go) and Python (.py) are scored for complexity, smells, and secrets. Secrets detection runs across these supported source-file types.
Per-file analysis, secrets detection, Gate Preview, and the core CLI commands are free forever. Pro adds enforcement - the pre-push and build hooks, whole-workspace analysis, custom limits, and the dependency plus CVE scan. Free shows you the score; Pro lets you enforce it.
Files are scored incrementally on save in well under a second. The pre-push hook only scans changed files, so a typical push adds a beat - not a coffee break. The same engine powers the editor, CLI, and CI, so results never disagree.
Commit one .irisconfig.json to the repo. It drives editor diagnostics, local hooks, and the CI gate consistently for everyone. Start from a preset, use reasoned inline suppressions for accepted exceptions, and tighten the threshold as health improves.
No. Iris Code does not guess who or what wrote the code. It independently checks the result against deterministic rules for secrets, duplication, security smells, complexity, and maintainability, whether the code was written by a person, an AI assistant, or both.

Catch regressions before human review

Install Iris Code, set a threshold, and make every change answer to the same deterministic rules. Source analysis runs locally. The same rules run in VS Code, the iris CLI, hooks, and CI.

VS CodeCursorWindsurfVSCodiumVS CodeCursorWindsurfVSCodium