aislop is published to npm, Homebrew, and PyPI. Every channel installs the identical aislop and aislop-mcp commands. Pick the channel that fits your stack — or run without installing at all using npx aislop@latest scan.

Requirements

aislop requires Node.js 20 or later. You can check your version with node --version. The Homebrew install pulls Node as a dependency automatically; the pipx install requires Node to already be on your PATH.

npm, Yarn, pnpm, and Bun

Install aislop as a project dev dependency or as a global binary, depending on how you plan to use it.
npx aislop@latest scan
After a local dev-dependency install, run aislop via your package manager:
npx aislop scan
yarn aislop scan
pnpm aislop scan
bunx aislop scan
Use npx aislop@latest scan to always run the latest published version without managing a local install. This is the recommended approach for one-off scans and CI pipelines where you want automatic updates.

Homebrew

Install aislop on macOS or Linux via the official tap:
brew install scanaislop/tap/aislop
Equivalent two-step form if you prefer to tap separately:
brew tap scanaislop/tap
brew install aislop
Homebrew installs Node.js as a runtime dependency if it is not already present. Upgrade aislop with:
brew upgrade aislop
More details: scanaislop/homebrew-tap

pipx (Python environments)

For Python-centric projects or environments where pipx is your standard tool installer:
pipx install aislop
pipx keeps aislop in an isolated virtual environment so it never conflicts with your Python dependencies. Plain pip install --user aislop also works. Both options still require Node.js on your PATH because aislop’s analysis engines run on Node. Upgrade with:
pipx upgrade aislop
More details: aislop on PyPI

GitHub Packages

aislop is also published as @scanaislop/aislop on GitHub Packages. Use this channel when your organisation’s security policy requires packages to be sourced from GitHub’s registry:
npm install --save-dev @scanaislop/aislop --registry=https://npm.pkg.github.com

Bundled tooling

aislop ships the following tools as package dependencies or bundled binaries — you do not need to install them separately:
| Tool | Purpose | Languages |
| --- | --- | --- |
| oxlint | Linting | TypeScript, JavaScript |
| Biome | Formatting + linting | TypeScript, JavaScript |
| knip | Dead code + unused deps | TypeScript, JavaScript |
| ruff | Linting + formatting | Python |
| golangci-lint | Linting | Go |
| expo-doctor | Framework checks | Expo / React Native |
ruff and golangci-lint are downloaded as binaries during npm install (or equivalent). To skip binary downloads — for example in air-gapped environments or when you want to manage these tools yourself — set the environment variable before installing:
AISLOP_SKIP_TOOL_DOWNLOAD=1 npm install

External tools

Some engines depend on tools that must already be installed on your machine. These are not bundled because they require language toolchains to be present anyway.
| Tool | Required for | Install guide |
| --- | --- | --- |
| gofmt | Go formatting | Ships with the Go toolchain |
| govulncheck | Go dependency audit | go install golang.org/x/vuln/cmd/govulncheck@latest |
| cargo + clippy | Rust linting + formatting | rustup.rs |
| rubocop | Ruby formatting + linting | gem install rubocop |
| phpcs + php-cs-fixer | PHP formatting + linting | php-cs-fixer docs |
If an external tool is missing, aislop skips the corresponding engine and notes it in the scan output. Scores for projects in those languages will be lower than they would be with full engine coverage. Run aislop doctor to see exactly which engines are available on your system.

Verify your installation

After installing, confirm everything is working:
aislop version          # print the installed version
aislop doctor           # check which engines can run in this project
aislop doctor reports on each engine’s availability, flags any missing external tools, and shows the language coverage for the current directory.
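A preflight check for CI runners or pipx-based setups, given here as an added example that is not part of aislop: it enforces the Node.js 20 requirement and lists which external tools from the table above are not on PATH. The function names and the `--run` argument are hypothetical, and it assumes clippy is present as the `cargo-clippy` binary that rustup installs.

```shell
#!/bin/sh
# Preflight for an aislop install: Node.js >= 20 plus the external tools
# named on this page. Added example; function names are hypothetical.

# node_version_ok VERSION -> exit 0 if the major version is 20 or later.
# Accepts the format printed by `node --version`, e.g. "v20.11.0".
node_version_ok() {
    major=${1#v}          # strip the leading "v"
    major=${major%%.*}    # keep the text before the first dot
    case $major in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric: reject
    esac
    [ "$major" -ge 20 ]
}

# missing_external_tools -> prints, one per line, each tool not on PATH.
missing_external_tools() {
    for tool in gofmt govulncheck cargo cargo-clippy rubocop phpcs php-cs-fixer; do
        command -v "$tool" >/dev/null 2>&1 || printf '%s\n' "$tool"
    done
}

# preflight -> fails only when Node is absent or too old. Missing external
# tools are reported but not fatal, because aislop skips those engines.
preflight() {
    if ! command -v node >/dev/null 2>&1; then
        echo "node: not found on PATH" >&2; return 1
    fi
    ver=$(node --version)
    if ! node_version_ok "$ver"; then
        echo "node: $ver is older than 20" >&2; return 1
    fi
    missing=$(missing_external_tools)
    # $missing is left unquoted on purpose: one output line per tool.
    [ -z "$missing" ] || printf 'engine skipped, missing tool: %s\n' $missing
    return 0
}

# Run the check only when asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then preflight; fi
```

A non-zero exit from `preflight` means the install cannot work at all; the missing-tool lines only explain why some engines will be skipped in the scan.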

Show your score badge

Once you have a score, display it in your README:
npx aislop@latest badge    # generate badge markdown for your repo
[![aislop](https://badges.scanaislop.com/score/<owner>/<repo>.svg)](https://scanaislop.com)

Next steps

Quickstart

Run your first scan, read your score, and add a CI gate in four steps.

Configuration

Tune score thresholds, override rule severity, and manage project-wide ignores.