
See what every code change actually did to your system

Structural impact analysis inside the AI coding loop, in your pipeline, or on any repo. Auth coverage, risk paths, dependency trust, and ecosystem intelligence.

We are early. Findings will sometimes be wrong. Your feedback shapes what we fix next.

Runs locally. Deterministic. Your code never leaves your machine.

$ npm install -g @shoulderdev/cli
$ shoulder trust
BASELINE: CRITICAL
30 routes analyzed · 7 reachable issues
/bulkproductslegacy — unsafe deserialization
req.files → serialize.unserialize()
Crafted payload may trigger code execution
/ping — command execution
req.body → exec()
Command execution on server
/bulkproducts — unsafe output
req.query → res.render()
Script execution in user browser
4 more issues · See full analysis →

Check a vulnerability or scan a GitHub repo

Paste a package, CVE, or GitHub URL

Highest-risk alerts
Recent alerts across the ecosystem

What you can scan in beta today

Shoulder is in active development. These are the languages and ecosystems we support right now — everything else is on the roadmap.

Languages
  • JavaScript
  • TypeScript
  • Python
  • Go
Ecosystems
  • npm
  • PyPI
  • Go modules
What we are confident in today
  • Detecting auth removal and route exposure changes in JavaScript / TypeScript
  • Showing source → sink data flows on supported routes
  • Catching packages with active malware or critical alerts on npm and PyPI before install
  • Flagging dormant packages that suddenly change maintainers, add install scripts, or pull in new transitive risk
  • Detecting capability changes — shell, network, env-var sweeps, dynamic eval — introduced in new versions
  • Resolving version specs (e.g. ^4.2.0) to the release that actually installs, then checking that release against ecosystem intel
  • Surfacing install scripts, obfuscation, account age, and maintainer-risk signals on each dependency
What we are still learning
  • Coverage outside web frameworks and HTTP routes

Working on something else?

We are expanding language and ecosystem coverage with our design partners. If your stack is not in the list, work with us directly to shape what comes next.

Become a design partner

AI writes more code. Trust changes faster than humans can see.

AI increases output. It does not increase human review depth. The gap is where trust breaks.

What reviewers see
  • A diff, a renamed function, and a passing test
  • A few files changed inside a much larger system
  • Code that looks reasonable in isolation
What Shoulder computes
  • See when a private route becomes public
  • Know when auth coverage drops across your endpoints
  • Catch suspicious dependencies before they execute
  • Trace untrusted input to databases, shells, and eval

Less time spent guessing whether a change is scary. More certainty about what it actually changed.

How the engine works

When code changes, Shoulder rebuilds the system graph and computes the trust delta. Did new data reach the database? Was authentication bypassed? Did a suspicious dependency enter the request path? Inside the AI loop, in CI, or on demand.

Diff → System Graph → Trust Delta → Enforcement
One change, one trust delta

Removed auth from an export endpoint

A small diff can quietly turn an admin-only action into a public attack path. This is the gap Shoulder closes.

Diff

app.post('/admin/export', exportData) replaces app.post('/admin/export', requireAuth, exportData).

System graph

The route loses its auth guard and becomes reachable from an unauthenticated request path.

Trust delta

Auth coverage drops and a previously protected data export becomes a new public capability.

Enforcement

Flag the change before merge, show the exact route affected, and block the release until access control is restored.
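The four stages above (diff, system graph, trust delta, enforcement) can be demonstrated on the page's own example. The following is an added illustration, not Shoulder's code: it extracts Express route registrations from two versions of a source file with a regular expression (a real analyzer would walk an AST), treats the names in AUTH_GUARDS as authentication middleware (an assumption for this example), computes auth coverage before and after, lists routes that lost their guard or were added unguarded, and returns a block/pass verdict. The route tables are constructed sample input that reproduces the diff described above.

```javascript
// Added example, not Shoulder's own code. Middleware names treated as auth guards
// are an assumption for this illustration.
const AUTH_GUARDS = new Set(['requireAuth', 'requireAdmin', 'authenticate']);

// Extract app.<method>('<path>', handler, handler, ...) registrations from source text.
// Regex-based for brevity; an AST-based extractor would handle router objects and arrays.
function extractRoutes(source) {
  const re = /app\.(get|post|put|patch|delete|all)\(\s*(['"`])([^'"`]+)\2\s*((?:,\s*[A-Za-z_$][\w$]*\s*)*)\)/g;
  const routes = [];
  let m;
  while ((m = re.exec(source)) !== null) {
    const handlers = m[4].split(',').map((s) => s.trim()).filter(Boolean);
    const guards = handlers.filter((h) => AUTH_GUARDS.has(h));
    routes.push({
      method: m[1].toUpperCase(),
      path: m[3],
      handlers,
      authenticated: guards.length > 0,
    });
  }
  return routes;
}

function routeKey(r) {
  return `${r.method} ${r.path}`;
}

// Auth coverage: fraction of registered routes that carry at least one guard.
function authCoverage(routes) {
  if (routes.length === 0) return 1;
  return routes.filter((r) => r.authenticated).length / routes.length;
}

// Trust delta between the route table before and after a change.
function trustDelta(beforeSrc, afterSrc) {
  const before = new Map(extractRoutes(beforeSrc).map((r) => [routeKey(r), r]));
  const after = new Map(extractRoutes(afterSrc).map((r) => [routeKey(r), r]));
  const exposed = [];   // previously guarded routes that lost their guard
  const newPublic = []; // routes added without any guard
  for (const [key, r] of after) {
    const prev = before.get(key);
    if (!prev && !r.authenticated) newPublic.push(key);
    else if (prev && prev.authenticated && !r.authenticated) exposed.push(key);
  }
  const coverageBefore = authCoverage([...before.values()]);
  const coverageAfter = authCoverage([...after.values()]);
  return {
    coverageBefore,
    coverageAfter,
    exposed,
    newPublic,
    // Enforcement: block the merge when a guard disappears or an unguarded route appears.
    verdict: exposed.length || newPublic.length ? 'BLOCK' : 'PASS',
  };
}

// Constructed sample input: three routes, and the export route loses requireAuth.
const BEFORE = `
app.get('/health', healthCheck);
app.post('/admin/export', requireAuth, exportData);
app.get('/admin/users', requireAuth, listUsers);
`;
const AFTER = `
app.get('/health', healthCheck);
app.post('/admin/export', exportData);
app.get('/admin/users', requireAuth, listUsers);
`;

console.log(JSON.stringify(trustDelta(BEFORE, AFTER), null, 2));
```

On the sample input, coverage drops from 2/3 to 1/3, `exposed` contains `POST /admin/export`, and the verdict is BLOCK; running the same table against itself yields PASS. Unguarded routes that already existed (the health check) are not flagged, because the delta reports changes in trust, not the baseline.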

You don't review AI output.

You verify what it actually did.

Ecosystem trust intelligence

Check any package against maintainer history, download anomalies, install scripts, and known malware signals.

$ shoulder scan --ecosystem
Checking dependency: @shoulderdev/malware-demo
Install script: detected
Obfuscated code: detected
Account age: 3 days
Ecosystem alert: malicious
⚠ Do not install
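The scan output above combines four signals, and the feature list earlier on the page adds a fifth step: resolving a spec like ^4.2.0 to the release that actually installs before checking it. The following is an added illustration, not Shoulder's code, of how those pieces fit together. It resolves a caret spec against a list of published versions (simplified semver, no prerelease tags), then checks the resolved release for install hooks, an obfuscation heuristic, maintainer account age against a threshold, and ecosystem alerts. The package record, the 30-day age threshold, and the package name are all constructed for the example.

```javascript
// Added example, not Shoulder's own code. Package data below is constructed.

function parseVersion(v) {
  return v.split('.').map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Resolve ^X.Y.Z to the highest published release the caret range allows:
// same major when major > 0; same minor when major is 0; exact patch for ^0.0.Z.
function resolveCaret(spec, published) {
  if (!spec.startsWith('^')) throw new Error('only caret specs are handled in this example');
  const base = spec.slice(1);
  const [major, minor] = parseVersion(base);
  const candidates = published.filter((v) => {
    if (compareVersions(v, base) < 0) return false;
    const [vm, vn] = parseVersion(v);
    if (major > 0) return vm === major;
    if (minor > 0) return vm === 0 && vn === minor;
    return compareVersions(v, base) === 0;
  });
  return candidates.sort(compareVersions).pop() || null;
}

// Crude obfuscation heuristic: many hex-escaped string literals or very long lines.
function looksObfuscated(source) {
  const hexEscapes = (source.match(/\\x[0-9a-fA-F]{2}/g) || []).length;
  const longest = Math.max(...source.split('\n').map((l) => l.length));
  return hexEscapes >= 8 || longest > 500;
}

const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
const MIN_ACCOUNT_AGE_DAYS = 30; // threshold is an assumption for this example

// Resolve the spec, then gather trust signals for that exact release.
function assessRelease(pkg, spec, now) {
  const resolved = resolveCaret(spec, Object.keys(pkg.releases));
  if (!resolved) return { name: pkg.name, resolved: null, findings: [], verdict: 'UNRESOLVED' };
  const rel = pkg.releases[resolved];
  const findings = [];

  const hooks = INSTALL_HOOKS.filter((h) => rel.scripts && h in rel.scripts);
  if (hooks.length) findings.push({ signal: 'install-script', detail: hooks.join(','), severity: 'medium' });
  if (looksObfuscated(rel.source)) findings.push({ signal: 'obfuscated-code', severity: 'high' });

  const ageDays = Math.floor((now - new Date(pkg.maintainer.createdAt)) / 86400000);
  if (ageDays < MIN_ACCOUNT_AGE_DAYS) {
    findings.push({ signal: 'new-maintainer-account', detail: `${ageDays} days`, severity: 'medium' });
  }
  if (pkg.alerts.some((a) => a.version === resolved && a.type === 'malicious')) {
    findings.push({ signal: 'ecosystem-alert', detail: 'malicious', severity: 'critical' });
  }

  const verdict = findings.some((f) => f.severity === 'critical')
    ? 'DO NOT INSTALL'
    : findings.length ? 'REVIEW' : 'OK';
  return { name: pkg.name, resolved, findings, verdict };
}

// Constructed package record: 4.3.0 is the release that ^4.2.0 actually installs,
// and it is the one carrying the bad signals.
const SAMPLE_PACKAGE = {
  name: '@example/demo-pkg', // constructed name, not a real package
  maintainer: { createdAt: '2024-05-29T00:00:00Z' },
  alerts: [{ version: '4.3.0', type: 'malicious' }],
  releases: {
    '4.2.0': { scripts: {}, source: 'module.exports = () => 42;' },
    '4.2.1': { scripts: {}, source: 'module.exports = () => 43;' },
    '4.3.0': {
      scripts: { postinstall: 'node setup.js' },
      source: "var _0x=['\\x68\\x65\\x6c\\x6c\\x6f','\\x77\\x6f\\x72\\x6c\\x64','\\x65\\x78\\x65\\x63'];",
    },
    '5.0.0': { scripts: {}, source: 'module.exports = () => 50;' },
  },
};
const SAMPLE_NOW = new Date('2024-06-01T00:00:00Z');

console.log(JSON.stringify(assessRelease(SAMPLE_PACKAGE, '^4.2.0', SAMPLE_NOW), null, 2));
```

The point of resolving first is that a lockfile-free `^4.2.0` does not install 4.2.0: it installs 4.3.0, so checking the spec's base version would miss every signal on the release that actually lands in node_modules. On the sample record the assessment reports an install script, obfuscated code, a 3-day-old maintainer account and a malicious alert, and the verdict is DO NOT INSTALL, mirroring the scan output above.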

Know what every change actually did.

Know what every change actually did. Your code stays local. Deterministic results. Works with any model or human author.

Code stays local
Deterministic analysis
Same result every run
Works with any model or human author

Transparency builds trust

You can read how Shoulder works before you install it. We publish detection logic. We document every rule. We explain every decision.

Understand what every change actually did to your system.

Install the CLI. Add it to your pipeline. Every change verified before it ships.

npm install -g @shoulderdev/cli
Install Shoulder CLI →
Local-first. Deterministic. Works with any model or human author. Your code never leaves your machine. CLI binaries are checksum verified.