78+ Rules | 3 Platforms | 2 Advanced Engines

Ship with confidence.
Not rejections.

Compliance-first scanning for iOS, Android, and Web with layered analysis: built-in rule engine plus optional CodeQL and Semgrep, live policy sync, confidence scoring, and CI-ready outputs.

pip3 install oncecheck

Every finding tells you what's wrong, which rule it violates, and how to fix it.

oncecheck scan ./my-project
oncecheck v1.0.0 — scanning...
Platform: iOS
Rules: 76 checked
Time: 0.34s
Status: Complete

Findings
FAIL  IOS-SEC-001 — ATS disabled globally
      Fix: Remove NSAllowsArbitraryLoads or set to NO.
WARN  IOS-PRIV-002 — Camera without usage desc
      Fix: Add NSCameraUsageDescription to Info.plist.
INFO  SUPPLY-DEP-001 — Outdated SDK detected
      Fix: Update to latest stable versions.
Summary: 1 FAIL, 1 WARN, 1 INFO

FAIL — blocks submission
WARN — review recommended
INFO — best practice
// ───

One command. Full coverage.

See what oncecheck catches before your next submission.

Rule Coverage
WEB-*: 27 rules
IOS-*: 22 rules
AND-*: 19 rules
CROSS-*: 8 rules

App Store Guidelines, Play Store policies, OWASP Top 10, GDPR, CCPA, PCI-DSS, COPPA, HIPAA

Auto-Detection
$ oncecheck scan .
detecting project...
Found Info.plist
Found *.xcodeproj
→ Running iOS + Common rules

Export Formats
$ oncecheck scan --format json
$ oncecheck scan --format sarif
$ oncecheck scan --format text

SARIF 2.1 for GitHub/VS Code. JSON for automation. Exit codes for CI/CD.

Advanced Engines
$ oncecheck scan --analysis-mode hybrid
Semgrep adapter detected
CodeQL adapter detected
compiler-grade mode available with strict fail-fast option

Interactive Browser
$ oncecheck scan --browse
┌ Findings ──────────────────┐
IOS-SEC-001 ATS disabled
IOS-PRIV-002 Camera desc
SUPPLY-DEP-001 Old SDK
└ ↑↓ navigate · enter ────┘

Runtime Step States
scan pipeline
policy sync → auth → quota → detect → scan → report

Real-time animated status while work is actually running, including engine installation and policy freshness checks.

// ───

Three steps to compliant.

1. Install

pip3 install oncecheck

2. Scan

oncecheck scan ./my-app

3. Ship

0 failures — ready to submit
// ───

Start free. Upgrade for full compliance depth.

Choose what you need now and scale when your release workflow demands more depth.

oncecheck plans
$ oncecheck plans --billing

plan starter
$0 /month
For early project checks
├─+35 compliance rules
├─+3 scans per day
├─+iOS, Android & Web scanning
├─+Heuristic engine
├─+Auto-detection
├─All 78+ rules
├─Unlimited scans
├─Advanced engines (CodeQL + Semgrep)
└─JSON, SARIF & text export
$ Get started free

* RECOMMENDED
plan team
$39 /month
For teams shipping frequently
├─+All 78+ compliance rules
├─+Unlimited scans
├─+Advanced engine orchestration
├─+Compiler-grade strict mode
├─+Live policy sync + impact view
├─+Confidence thresholds + suppressions
├─+iOS, Android & Web scanning
├─+JSON, text & SARIF export
├─+Benchmark gates for CI
└─+Priority support SLA
$ Upgrade to Team
+No credit card required
+Cancel anytime
+Policy-backed references in findings
// ───

Common questions.

Is the free plan actually free?
Yes. Starter is free with 35 rules and 3 scans/day. Team unlocks full rule coverage, unlimited scans, SARIF export, and CI-focused workflows.

What frameworks and languages are supported?
Oncecheck auto-detects iOS, Android, and Web projects from project structure and runs platform-specific plus common rules. It supports modern mobile/web stacks including Swift, Kotlin/Java, and JS/TS-based web apps.

How do advanced engines work?
You can run heuristic-only, advanced-only, or hybrid scans. Advanced mode uses local CodeQL/Semgrep when installed; hybrid combines them with built-in scanners. In strict compiler mode, scans fail fast if required engines are unavailable.

Can I use it in CI and security tooling?
Yes. Oncecheck supports machine-readable outputs including SARIF (Team) for code-scanning workflows and CI gating. You can run scans non-interactively and enforce fail conditions in pipelines.

How current are the compliance rules?
The CLI supports live policy sync and policy freshness checks at runtime. You can enforce fresh policies in strict workflows and review policy-impact changes from the Rules tools.

Does it upload source code?
No source code upload is required for scanning. Analysis runs locally. Network calls are used for auth/quota checks and optional policy sync or engine installation flows.

Does a passing scan guarantee approval?
No. Scan results are advisory — they catch common compliance issues but don't constitute legal advice or certification. App store reviews consider factors beyond automated scanning.
// ───

Ready to ship with confidence?

Stop guessing if your app meets compliance requirements. Find out in under a second.

pip3 install oncecheck
Get started free