Skip to main content

Applier of fine source code fixes since 2025

Project description

Ick

Ick is a polyglot tool for bundling best practices as versioned, runnable rules and checking any number of repos against them — with or without auto-fixes.

Full documentation at https://ick.readthedocs.io.

The problem

Best practices don't live in one place. They're scattered across:

  • pre-commit hooks that have to be wired up in every repo individually
  • CI workflows that also have to be added to every repo individually
  • central automation (secrets scanners, security audits) that runs on your infrastructure but whose results developers can't easily reproduce locally
  • wiki pages and style guides that developers have to remember to consult
  • one-off shell scripts that only the author runs

Ick isn't trying to replace any of those things. It's a single locus for storing those checks and fixes as well as ones that don't fit neatly into any of those boxes. It still respects distributed principles: rules are versioned in a repo, developers can run them locally on their own machines, and no single repo has to opt in for you to get started.

[!TIP] Concrete example: You want to run zizmor on every repo that has GitHub Actions workflows. Your options today are to add it as a pre-commit hook in every repo, add it as a workflow in every repo, or remember to run it yourself. With ick, you write one rule in a central rules repo and run it against any repo you want. No per-repo configuration required. And when the next security scanner comes along, you update the rule once.

When something looks wrong, developers can run ick locally to reproduce the result and debug what the rule is seeing — no waiting for CI, no digging through logs on a remote system.

When a best practice evolves — say, a new scanner ships, or a deprecated API needs to be removed — you can answer "which of my repos are already compliant, and which ones still need work?"

The traditional dev loop looks like this:

    /----------------\  push  /----------------\
    |  code          |------->|  integrate     |
    |      build     |        |     test       |
    |          test  |        |        deploy  |
    \----------------/        \----------------/

       inner loop                 outer loop

but that discounts the big-picture software maintenance stuff that healthy projects ought to do, and commonly forget (or accomplish with one-off scripts) on a longer term basis. For that we really ought to keep track of things that aren't "right now" and aren't "today" but are "important, yet not urgent".

    /----------------\  push  /----------------\  stable  /==================\
    |  code          |------->|  integrate     |--------->| tech debt week   |
    |      build     |        |     test       |          |  quantified proj |
    |          test  |        |        deploy  |          |   bootcamp tasks |
    \----------------/        \----------------/          |    deprecations  |
                                                          \==================/
       inner loop                 outer loop                 planning cycle

Ick manages and runs rules to help you keep track of that third loop across as many repos as you need.

Elevator pitch

ick looks at your source code and gives you an evaluation against a set of rules. Those rules might come from a central team at your work, or a trusted friend, or they might be ones you maintain yourself (like my hobbyhorse, "text files must end with a newline").

Rules don't have to fix anything. A rule that just checks — and exits with a status code to signal "needs work" — is a first-class citizen. You can add the auto-fix later, or never. Checks can be written in any language and can target any language: a shell one-liner, a Python script, a Go binary, a Docker image — whatever tool fits the job.

If you're ever tempted to make a one-off shell script, or create a scripts/release-check.sh that you run once in a while, then ick is the loose automation framework you're looking for. Ick makes that kind of work easier to scale past a couple of repos.

Rules run in parallel by default. For a repo with many rules, ick fans them all out at once, re-running only the rules whose inputs changed. This is uncommon in tools of this kind and matters a lot when your ruleset grows.

Ick also has the explicit goal of being able to scale from low-risk, easy changes ("text files should end with a newline") to medium changes ("you should drop Python 3.6 support and sync your GitHub Actions matrix") to large ones ("here's the beginning of a refactor to enable testcontainers") or even ones that involve external state. The effort to write rules should be roughly proportional to how complex they are -- easy things should be easy (and fast!), but it's OK for hard things to still be hard.

Who is ick for?

  • Central teams with opinions. For example, at a company, there might be a security team, a language team, or a platform team — and they all might want to publish rules that say "here's what compliant looks like" without having to touch every repo themselves.
  • Projects with opinions. Say your ML project has decided to only bless a certain model or license.
  • Developers with multiple repositories they want to keep looking similar.
  • Developers with hobby horses, who are stricter about things others don't (yet) care about.

Changelog

v0.11.0 (June 9, 2026)

  • File name patterns in inputs= settings now match more intuitively. If the pattern has no slash, it will match anywhere in the project. With a slash, the pattern must match the full relative path from the root of the project. Previously, a pattern with no slash would match anywhere if it started with a wildcard star (such as *.py), but without the wildcard, only a file in the root of the project would match.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

ick-0.11.0.tar.gz (335.2 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

ick-0.11.0-py3-none-any.whl (50.5 kB view details)

Uploaded Python 3

File details

Details for the file ick-0.11.0.tar.gz.

File metadata

  • Download URL: ick-0.11.0.tar.gz
  • Upload date:
  • Size: 335.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for ick-0.11.0.tar.gz
Algorithm Hash digest
SHA256 3b3d34b1e00ee7fc3dd8403d2a5cf31a762e680efae73759fb4df1fb6094c235
MD5 65b229e0e75cfd6cbff07dc64ba66c13
BLAKE2b-256 2922e031368e906e5af3c2f7cdfa186b2638fb106da9ee4f5f01a7d6eb8ce80d

See more details on using hashes here.

Provenance

The following attestation bundles were made for ick-0.11.0.tar.gz:

Publisher: build.yml on advice-animal/ick

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file ick-0.11.0-py3-none-any.whl.

File metadata

  • Download URL: ick-0.11.0-py3-none-any.whl
  • Upload date:
  • Size: 50.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for ick-0.11.0-py3-none-any.whl
Algorithm Hash digest
SHA256 4504c5cf0cd1ff3d46da56f136736989641ebf47d9fed2d0f9095e3fe7df19c8
MD5 81c9c03adab0b858409268aef9ec4f31
BLAKE2b-256 814e1c1dc7e61c76e497b447db8f97c055381e357a3657af00c1c8dd013b1e1b

See more details on using hashes here.

Provenance

The following attestation bundles were made for ick-0.11.0-py3-none-any.whl:

Publisher: build.yml on advice-animal/ick

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page