A trust certificate for your codebase.
A free, offline CLI that scores the engineering signals that tell you whether to trust a repo — tests, secrets, isolation, claim-vs-reality, CI and audit discipline — and prints a portable certificate. Especially useful when AI wrote a lot of the code: that's exactly when you can't eyeball trust.
No install, no signup, fully offline. Also: pnpm dlx cejel . · bunx cejel .
Cejel isn't another point scanner competing with the one you already run — it's the open, portable certificate that aggregates them. Pipe in SARIF from Snyk, Semgrep, CodeQL, or any SAST tool, plus OpenSSF Scorecard, and get one shareable, rubric-scored certificate over all of them, with every contributing tool attributed.
# fold your existing scanner output into one score
npx cejel . --ingest semgrep.sarif --ingest scorecard.json
Tests, secret hygiene, isolation, dependency posture, and whether the code matches its claims.
PR traceability, CI and QA discipline, audit completeness — the signals of a repo that's actually run well.
Deterministic and conservative. It catches the expensive mistakes; it doesn't pretend to certify what it can't prove.
Writes report.json, a self-contained certificate.html, and a shareable badge.svg.
Cejel runs continuously on Barg Labs' own multi-product monorepo — the studio it was built inside — which it currently scores 3.1/4.0. We score ourselves before asking you to score yourself.