Free npm scanner

Shipcheck CLI scans AI-built apps before launch.

A defensive static scanner for JavaScript, TypeScript, AI-app, and MCP-server repos built with Lovable, Bolt, Replit, Cursor, v0, Base44, Supabase, Firebase, Stripe, and AI APIs.

Install

Run it from any JS or TS project root.

npx --yes shipcheck-cli .
npx --yes shipcheck-cli . --format markdown > shipcheck-report.md
npx --yes shipcheck-cli . --format sarif > shipcheck.sarif
npx --yes --package shipcheck-mcp shipcheck-mcp

GitHub Actions step:

- uses: TateLyman/shipcheck-action@v1
  with:
    format: sarif
    output: shipcheck.sarif
    fail-on: medium
    strict: true

See the demo repo code scanning alerts for a small AI-app fixture.

Checks

Focused on the launch failures AI app builders keep hitting.

01

Secrets and env boundaries

Flags private-looking keys, public frontend env names that look sensitive, service-role references, and local environment-file hygiene issues.

02

Payments and webhook safety

Looks for Stripe webhook handlers without visible signature verification and highlights payment paths that need a human review before launch.

03

Database rule evidence

Checks for Firebase rules and Supabase RLS policy evidence so a generated app does not quietly ship with weak data boundaries.

04

Debug and test leftovers

Finds routes and files that look like debug, seed, reset, mock, or test shortcuts before they become production exposure.

05

AI cost guardrails

Warns when repos use AI APIs without obvious rate limits, quotas, throttling, or usage controls around expensive calls.

06

Release readiness

Catches missing CI, missing lockfiles, thin READMEs, risky scripts, loose dependency versions, and TypeScript config gaps.

07

Code scanning handoff

Exports SARIF so teams can upload Shipcheck findings into GitHub code scanning instead of leaving them buried in a CI log.

08

MCP agent access

Runs as an MCP server so AI coding agents can scan authorized local repos and return text, Markdown, JSON, or SARIF reports.

09

MCP launch metadata

Flags missing mcpName, missing server.json, unpinned MCP registry versions, absent install config, and unclear tool-safety notes.
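As an added example, not Shipcheck's own code (which this page does not show), here is a minimal static checker in JavaScript in the spirit of checks 01 and 02 above: it flags private-looking credentials, client-bundled env names that carry sensitive words, committed .env files, and Stripe webhook handlers with no visible constructEvent plus Stripe-Signature verification. The rule names, severities and sample file contents are constructed for the illustration; run it with node.

```javascript
// Added example, not Shipcheck's own code: a minimal static checker in the
// spirit of checks 01 (secrets and env boundaries) and 02 (payments and
// webhook safety). Rule names, severities and the sample files are constructed.

// Patterns whose presence in a committed file almost always means a private
// credential is exposed: a Stripe secret key, a PEM private key, an AWS key id.
const PRIVATE_KEY_PATTERNS = [
  { name: "stripe-secret-key", re: /\bsk_(?:live|test)_[A-Za-z0-9]{16,}/ },
  { name: "pem-private-key", re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
  { name: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/ },
];

// Env-var prefixes that Vite, Next.js, CRA and Expo inline into the client
// bundle, so any value named with them is shipped to every browser.
const PUBLIC_ENV_PREFIX = /\b(?:VITE|NEXT_PUBLIC|REACT_APP|EXPO_PUBLIC|PUBLIC)_([A-Z0-9_]+)/g;
// Words that mark a value which must never reach the client. A bare "KEY" is
// deliberately not included: the Supabase anon key is meant to be public.
const SENSITIVE_WORDS = /SECRET|SERVICE_ROLE|PRIVATE|PASSWORD|TOKEN/;
// Local environment files that should be gitignored rather than scanned.
const ENV_FILE = /(?:^|\/)\.env(?:\.local|\.development|\.production)?$/;

function scanSecrets(file, text, findings) {
  text.split("\n").forEach((line, i) => {
    for (const { name, re } of PRIVATE_KEY_PATTERNS) {
      if (re.test(line)) {
        findings.push({ rule: `secret/${name}`, severity: "high", file, line: i + 1,
          message: "Private-looking credential committed to the repository." });
      }
    }
    for (const m of line.matchAll(PUBLIC_ENV_PREFIX)) {
      if (SENSITIVE_WORDS.test(m[1])) {
        findings.push({ rule: "env/sensitive-public-name", severity: "high", file, line: i + 1,
          message: `${m[0]} is a client-bundled env var with a sensitive-looking name.` });
      }
    }
  });
  if (ENV_FILE.test(file)) {
    findings.push({ rule: "env/committed-env-file", severity: "medium", file, line: 1,
      message: "Environment file is in the scanned tree; confirm it is gitignored." });
  }
}

// A Stripe webhook handler should rebuild the event with constructEvent from
// the raw body and the Stripe-Signature header; parsing req.body directly
// means any caller can post a forged "payment succeeded" event.
function scanWebhooks(file, text, findings) {
  const stripeWebhook = /webhook/i.test(file) && /stripe|checkout\.session|payment_intent/i.test(text);
  if (!stripeWebhook) return;
  const verifies = /constructEvent(?:Async)?\s*\(/.test(text) && /stripe-signature/i.test(text);
  if (!verifies) {
    findings.push({ rule: "payments/unverified-stripe-webhook", severity: "high", file, line: 1,
      message: "Stripe webhook handler without visible signature verification." });
  }
}

// Scan an in-memory map of path -> contents and return all findings.
function scanFiles(files) {
  const findings = [];
  for (const [file, text] of Object.entries(files)) {
    scanSecrets(file, text, findings);
    scanWebhooks(file, text, findings);
  }
  return findings;
}

// Constructed sample repo (placeholder values, not real credentials).
const SAMPLE_FILES = {
  ".env": [
    "DATABASE_URL=postgres://app:app@localhost/app",
    "STRIPE_SECRET_KEY=sk_live_EXAMPLEEXAMPLEEXAMPLE00",
  ].join("\n"),
  "src/config.ts": [
    "export const anon = import.meta.env.VITE_SUPABASE_ANON_KEY; // public by design",
    "export const admin = import.meta.env.VITE_SUPABASE_SERVICE_ROLE_KEY; // leaks admin key",
  ].join("\n"),
  "api/webhook.ts": [
    "export default async function handler(req, res) {",
    "  const event = JSON.parse(req.body); // trusts the caller",
    "  if (event.type === 'checkout.session.completed') { /* fulfil order */ }",
    "  res.status(200).end();",
    "}",
  ].join("\n"),
  "api/webhook-ok.ts": [
    "import Stripe from 'stripe';",
    "const stripe = new Stripe(process.env.STRIPE_SECRET_KEY);",
    "export default async function handler(req, res) {",
    "  const sig = req.headers['stripe-signature'];",
    "  const event = stripe.webhooks.constructEvent(req.body, sig, process.env.STRIPE_WEBHOOK_SECRET);",
    "  res.status(200).end();",
    "}",
  ].join("\n"),
};

for (const f of scanFiles(SAMPLE_FILES)) {
  console.log(`[${f.severity}] ${f.rule} ${f.file}:${f.line} ${f.message}`);
}
```

On the sample repo this reports four findings: the Stripe secret key on line 2 of .env, the committed .env file itself, the service-role key exposed through a VITE_ name, and the webhook handler that parses req.body without verifying the signature; the anon key and the verified handler are left alone. A real scanner needs far more patterns and a proper file walker, but the shape (cheap regex evidence, a severity, and a file:line the developer can jump to) is what a pre-launch gate needs.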

Why now

Generated apps made shipping easier. The review gap moved closer to production.


Vibe-coding security research is current

The Cloud Security Alliance published a 2026 research note on AI-generated code security and vibe coding risks.

Cloud Security Alliance note

Credentials in web apps are still a live issue

Recent research on exposed API credentials found web-specific exposure vectors, including JavaScript-originated leaks.

Keys on Doormats paper

Security gates for generated code are emerging

Academic work is already proposing security gate frameworks specifically for AI-generated code.

VibeGuard paper

When the scan finds something

Use the free report yourself, or turn it into a fixed-scope rescue.

Self-serve

$0

Run Shipcheck, export markdown, and feed the findings back into your coding workflow with the remediation notes.

Rescue sprint

$299+

Fix the highest-value blocker first: exposed config, payment webhook issue, deploy failure, database rule gap, or broken production flow.

Defensive use only

Run Shipcheck on repos you own or are authorized to inspect.
