AI code integrity
What is AI code integrity?
AI tools generate code faster than teams can review it. AI code integrity verifies that generated code is real, grounded, and safe to merge, before a reviewer spends time on phantom imports, hallucinated APIs, or placeholder logic.
AI code integrity is the discipline of verifying that code produced by AI coding agents is real, dependency-safe, and review-ready before it reaches merge.
It is not code review. It is not linting. It is not security scanning. It is the layer between agent output and human attention: the check that keeps fabricated artifacts out of human review.
- No account
- No telemetry
- No source upload
- Python · TypeScript · JavaScript · Go
- --changed · --staged · --diff · --patch
- JSON · SARIF
- GitHub Actions
```
$ shipmoor scan --changed
✗ Needs work - 2 of 2 findings block review
package.json detected · 2 files · gate high
⊘ blocks the gate · ○ informational
────────────────────────────────────────────────────────
src/jobs/processor.ts · 1 ⊘ high
  :12  phantom import            typescript.phantom_import
       Module '@acme/workflows' is imported but not declared in package.json.
       → Add '@acme/workflows' to dependencies, or remove the import.
src/handlers/payment.ts · 1 ⊘ high
  :47  placeholder implementation  typescript.placeholder.stub_handler
       Handler returns HTTP 200 but body is a hardcoded stub.
       → Implement the persistence step before merging, or remove the route.
────────────────────────────────────────────────────────
✗ gate fail · 2 high block at threshold "high" · exit 1
→ fix the 2 blockers, then re-run   shipmoor scan --changed --fail-on high
→ drill into one                    shipmoor explain SHM-a12f9c84d501ee27
```
shipmoor scan --changed · two high-confidence findings from one agent run
Defining AI code integrity
AI code integrity means verifying that generated code is:
- Real: Imports resolve. Packages exist. Methods are implemented. Endpoints are defined.
- Grounded: The code implements the requested behavior, not a plausible-looking stub.
- Dependency-safe: Every external reference matches the actual manifest and installed environment.
- Review-ready: A human reviewer will not waste time invalidating fabricated APIs, phantom packages, or placeholder logic.
Integrity is about alignment between what the agent produced and what the codebase actually contains.
How agent-generated defects differ from human defects
Human developers make mistakes at the edge of understanding. AI agents make mistakes at the edge of context. When an agent cannot see the entire dependency graph, it infers one. When it cannot see an internal SDK surface, it constructs a plausible one. When asked to implement logic it cannot fully reason about, it produces a stub that looks complete. The resulting defects are:
- Plausible: Syntactically valid and often type-safe.
- Systematic: Recurring patterns across repositories and agents.
- Contextual: Tied to missing project-specific knowledge.
- Expensive to review: They require careful human inspection to invalidate.
Traditional tooling is not designed to catch these patterns.
The six characteristic AI code defect patterns
AI code integrity focuses on a small number of recurring failure modes. These are not random mistakes. They are structural artifacts of generative systems working with partial context.
- 01 Phantom imports: Imports of packages or modules that do not exist in the manifest or filesystem.
- 02 Hallucinated API calls: Method calls, client functions, or endpoints that are inferred but not implemented.
- 03 Placeholder implementations: Functions that return hardcoded success responses or TODO stubs instead of real logic.
- 04 Stub paths: Handlers that return 200 responses without executing required side effects.
- 05 Swallowed errors: Empty catch blocks or silent exception handlers that absorb failures.
- 06 Suspicious tests: Test suites that mock away real behavior or always pass without exercising the intended code path.
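Pattern 01 is the easiest to make concrete. The check below is an added example, not Shipmoor's code: it resolves every import specifier in a TypeScript or JavaScript file against package.json the way the page describes, and reports bare imports that no manifest section declares. It handles the cases that naively comparing strings gets wrong (scoped packages, subpath imports, `node:` and bare built-ins, relative paths, commented-out imports, `require()` and dynamic `import()`). The sample source and manifest are constructed for the demonstration; the `@acme/workflows` module mirrors the finding in the scan output above.

```python
"""Phantom-import check for TypeScript/JavaScript sources (added example)."""
from __future__ import annotations

import json
import re

# Node built-ins need no manifest entry (subset; extend for your runtime).
NODE_BUILTINS = {
    "assert", "buffer", "child_process", "crypto", "events", "fs", "http",
    "https", "net", "os", "path", "stream", "url", "util", "zlib",
}

# Manifest sections that legitimately declare a package.
MANIFEST_SECTIONS = ("dependencies", "devDependencies",
                     "peerDependencies", "optionalDependencies")

# Matches the specifier in: import x from 'y' / import 'y' /
# export * from 'y' / require('y') / import('y').
IMPORT_RE = re.compile(
    r"""(?:\b(?:import|export)\b[^'";]*?\bfrom\s*"""
    r"""|\bimport\s*|\brequire\s*\(\s*|\bimport\s*\(\s*)"""
    r"""(['"])(?P<spec>[^'"]+)\1"""
)


def _strip_comments(src: str) -> str:
    """Blank out block and full-line comments, keeping newlines so line numbers hold."""
    src = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"), src, flags=re.S)
    return "\n".join("" if ln.lstrip().startswith("//") else ln for ln in src.split("\n"))


def package_name(spec: str) -> str | None:
    """Map an import specifier to the manifest entry it needs; None if none is needed."""
    if spec.startswith((".", "/")) or spec.startswith("node:"):
        return None                                  # relative/absolute path or explicit built-in
    parts = spec.split("/")
    name = "/".join(parts[:2]) if spec.startswith("@") else parts[0]   # @scope/name keeps two segments
    return None if name in NODE_BUILTINS else name


def declared_packages(package_json: str) -> set[str]:
    manifest = json.loads(package_json)
    declared: set[str] = set()
    for section in MANIFEST_SECTIONS:
        declared.update(manifest.get(section, {}))
    return declared


def find_phantom_imports(source: str, package_json: str) -> list[dict]:
    """Return one finding per bare import whose package is absent from the manifest."""
    declared = declared_packages(package_json)
    src = _strip_comments(source)
    findings = []
    for m in IMPORT_RE.finditer(src):
        spec = m.group("spec")
        name = package_name(spec)
        if name is None or name in declared:
            continue
        line = src.count("\n", 0, m.start("spec")) + 1
        findings.append({
            "rule": "typescript.phantom_import",
            "line": line,
            "specifier": spec,
            "package": name,
            "message": f"Module '{name}' is imported but not declared in package.json.",
        })
    return findings


# Constructed sample inputs for the demonstration.
SAMPLE_PACKAGE_JSON = """{
  "name": "sample-service",
  "dependencies": { "express": "^4.19.0", "@acme/sdk": "^2.1.0" },
  "devDependencies": { "vitest": "^1.6.0" }
}"""

SAMPLE_SOURCE = """import express from 'express';
import { createQueue } from '@acme/sdk/queue';
import { runWorkflow } from '@acme/workflows';
import { readFile } from 'node:fs/promises';
import path from 'path';
import { helper } from './util';
// import legacy from 'left-pad';
const yaml = require('yaml');
export { runWorkflow };
"""

if __name__ == "__main__":
    for f in find_phantom_imports(SAMPLE_SOURCE, SAMPLE_PACKAGE_JSON):
        print(f":{f['line']} {f['rule']} {f['message']}")
```

On the sample this reports two phantoms: `@acme/workflows` on line 3 and `yaml` on line 8. The subpath import of `@acme/sdk/queue` resolves to the declared `@acme/sdk`, `node:fs/promises` and `path` are built-ins, `./util` is a local file, and the commented-out `left-pad` import is ignored. A production check would additionally confirm the package is actually installed (node_modules or lockfile) rather than merely declared, which is the "installed environment" half of dependency safety.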
Why linters and PR review are the wrong layer
PR review is too late. Linting is too shallow. Integrity checks must run immediately after the agent finishes and before human review begins.
| Layer | What it checks | What it misses |
|---|---|---|
| Linter | Style, syntax, common anti-patterns | Whether an import exists in the real dependency graph |
| Type checker | Static type compatibility | Calls hidden behind loose types, generated mocks, dynamic clients, or incomplete local type surfaces |
| SAST | Known vulnerability signatures | Placeholder business logic and fabricated internal APIs |
| PR review | Human inspection after the PR opens | Nothing by design, but it pays the full cost of reviewing generated artifacts that should never have reached it |
| AI code integrity check | Generated-code grounding and dependency resolution | None of the above |
The timing problem
AI coding tools compress generation time. Review time does not compress at the same rate. Without integrity checks, the gap is absorbed by reviewers.
Without integrity checks
- Validate that imports resolve
- Confirm that APIs exist
- Detect silent stub implementations
- Reconstruct intent from plausible but incorrect logic
With AI code integrity
- Agent generates code.
- Integrity check validates grounding.
- Reviewer evaluates design and correctness, not fabrication.
AI code integrity restores the correct sequence.
How AI code integrity is enforced
An integrity workflow runs locally, immediately after the agent finishes. No account, no telemetry, no source upload.
```
# After your AI agent finishes
$ shipmoor scan --changed

# Or scan staged files
$ shipmoor scan --staged

# Export machine-readable findings for CI
$ shipmoor scan --changed --format sarif > shipmoor.sarif
```
The integrity scanner:
- Resolves imports against the actual manifest (package.json, requirements.txt, go.mod)
- Verifies API calls against discovered code surfaces
- Detects placeholder logic patterns
- Identifies silent error handling constructs
- Produces JSON or SARIF findings for CI
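The last three bullets can be shown end to end on a Python target. The code below is an added example, not Shipmoor's scanner: it walks the AST to flag exception handlers whose body does nothing (pattern 05) and functions that take input but return only a hardcoded literal payload (patterns 03 and 04), then packs the findings into a minimal SARIF 2.1.0 log of the shape CI systems ingest. The rule ids, tool name and sample module are constructed for the demonstration; the heuristics are deliberately narrow and a real engine would add many more.

```python
"""Swallowed-error and stub-handler checks over Python source, emitted as SARIF (added example)."""
from __future__ import annotations

import ast
import json


def _is_noop(body: list[ast.stmt]) -> bool:
    """True when a block only passes or only evaluates a literal (`...`, a bare string)."""
    return all(
        isinstance(s, ast.Pass)
        or (isinstance(s, ast.Expr) and isinstance(s.value, ast.Constant))
        for s in body
    )


def _is_literal(node: ast.AST) -> bool:
    """True for a value built purely from literals, e.g. {"status": "ok"}, 200."""
    if isinstance(node, ast.Constant):
        return True
    if isinstance(node, (ast.Tuple, ast.List)):
        return all(_is_literal(e) for e in node.elts)
    if isinstance(node, ast.Dict):
        return all(k is not None and isinstance(k, ast.Constant) and _is_literal(v)
                   for k, v in zip(node.keys, node.values))
    return False


def scan(source: str) -> list[dict]:
    """Return findings as {rule, line, message} dicts."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.ExceptHandler) and _is_noop(node.body):
            findings.append({
                "rule": "python.swallowed_error", "line": node.lineno,
                "message": "Exception handler absorbs the failure without logging, re-raising, or recovering.",
            })
        elif isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            body = node.body
            if body and isinstance(body[0], ast.Expr) and isinstance(body[0].value, ast.Constant) \
                    and isinstance(body[0].value.value, str):
                body = body[1:]                       # skip the docstring
            takes_input = bool(node.args.args or node.args.kwonlyargs)
            # Heuristic: a function that accepts input yet does nothing but return a literal.
            if takes_input and len(body) == 1 and isinstance(body[0], ast.Return) \
                    and body[0].value is not None and _is_literal(body[0].value):
                findings.append({
                    "rule": "python.placeholder.stub_handler", "line": node.lineno,
                    "message": f"'{node.name}' accepts input but returns only a hardcoded literal; no side effect is performed.",
                })
    return findings


def to_sarif(findings: list[dict], path: str, tool: str = "integrity-check-example") -> dict:
    """Minimal SARIF 2.1.0 log: one run, one rule entry per distinct rule id, one result per finding."""
    rules = sorted({f["rule"] for f in findings})
    return {
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool, "rules": [{"id": r} for r in rules]}},
            "results": [{
                "ruleId": f["rule"],
                "level": "error",
                "message": {"text": f["message"]},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": path},
                    "region": {"startLine": f["line"]},
                }}],
            } for f in findings],
        }],
    }


# Constructed sample module: one stub handler, one swallowed error, two clean functions.
SAMPLE_MODULE = '''
import json

def charge(request):
    """Persist the payment and return its id."""
    return {"status": "ok"}, 200

def load_config(path):
    try:
        with open(path) as fh:
            return json.load(fh)
    except OSError:
        pass
    return {}

def parse_amount(raw):
    try:
        return int(raw)
    except ValueError as exc:
        raise ValueError(f"bad amount: {raw}") from exc

def version():
    return "1.0.0"
'''

if __name__ == "__main__":
    results = sorted(scan(SAMPLE_MODULE), key=lambda f: f["line"])
    print(json.dumps(to_sarif(results, "src/payments.py"), indent=2))
```

`charge` is flagged because its docstring promises persistence while its body is a literal success tuple, which is exactly the stub path the scan output above calls out; `load_config` is flagged for the `except OSError: pass`. `parse_amount` re-raises with context and is not a finding, and `version` takes no input so returning a constant is legitimate. The SARIF document is what a CI step would upload as review evidence, in the same role as the `--format sarif` output shown above.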
AI code integrity is not agent-specific
Teams increasingly use multiple AI coding tools. The defect patterns remain consistent across them. AI code integrity operates on the output, not the vendor.
- Cursor
- Claude Code
- Codex
- Copilot
- Aider
From individual habit to team policy
AI code integrity begins as a developer habit and scales upward without changing the underlying checks.
Developer habit
- Run a scan after agent output.
- Fix findings before pushing.
Team policy
- CI gates on high-severity integrity findings.
- SARIF uploads provide review evidence.
- Thresholds enforce consistency across repositories.
Organizational governance
- Proof that AI-generated code was validated before merge.
- Audit trails of findings.
- Enforceable policy without blocking developer velocity.
AI code integrity, before review starts.
AI coding agents accelerate production. Integrity checks prevent fabricated artifacts from reaching human review. The goal is not to replace review. The goal is to ensure that review begins with real, grounded code.
Run your first integrity scan
Install the Community CLI. Local, no account, no telemetry.