Find what your AI‑built app leaks before your users do.

Paste your live URL. Shipshape reads only what any visitor can see. It never logs in, never stores your secrets, and gives you dated proof you're ready to ship.

Read-only · we never store your secrets · ~30s, no signup
A pre-launch checkup, not a pentest. We show the evidence and redact your secrets.
your-app.com · scan #a91f
LAUNCH VERDICT · HOLD
Hold. Fix before you ship.
Data: BLOCK · Wallet: PASS · Paid: INCMP · Agent-DB: PASS
✕ CRITICAL · confirmed
Your Supabase service key is exposed in the page
sk_live_▮▮▮▮▮▮1f4a
report_hash 3f9a·c21e·7b04
coverage 38 pages · 9.4s
mode ● read-only · signed

Four launch gates

Data Gate

exposed secrets & customer data

Catches a Supabase service_role key sitting in your client JS, where any visitor could read or edit your whole database.

Wallet Gate

runaway bills & abused API keys

Flags an OpenAI key called straight from the browser, so a stranger can run paid requests on your account.

Paid-State Gate

does paying unlock the right thing

Confirms a paid checkout actually flips the user to paid, instead of charging them and unlocking nothing.

Agent-DB Gate

unsafe AI-written database changes

Reviews AI-generated SQL for a table left with no row-level security, exposed to every logged-in user.
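As an added example of the Data Gate check (not Shipshape's own code), the Python below pulls every JWT out of fetched client-side JavaScript, reads the unverified `role` claim that Supabase project keys carry, flags only `service_role`, and records a redacted form plus a SHA-256 fingerprint instead of the key itself. The project ref, the tokens and the JS excerpt are constructed sample values, not real keys.

```python
import base64
import hashlib
import json
import re

JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]{5,}\.eyJ[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}")  # 3 base64url segments; JSON payloads start 'eyJ'

def _b64url_encode(obj):
    return base64.urlsafe_b64encode(json.dumps(obj, separators=(",", ":")).encode()).rstrip(b"=").decode()

def jwt_claims(token):
    """Decode the (unverified) payload of a JWT; None if the text is not one."""
    try:
        seg = token.split(".")[1]
        return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    except (ValueError, IndexError):
        return None

def redact(token):
    """Short prefix plus the last 4 characters, the way the report card shows a key."""
    return token[:6] + "\u25ae" * 6 + token[-4:]

def find_service_role_keys(js_text):
    """One CRITICAL finding per Supabase service_role JWT in client-side JS. The anon key belongs
    in the browser (RLS guards the rows); service_role bypasses RLS, so a visitor holding it owns the data."""
    findings = []
    for match in JWT_RE.finditer(js_text):
        token = match.group(0)
        claims = jwt_claims(token)
        if not isinstance(claims, dict) or claims.get("iss") != "supabase":
            continue
        if claims.get("role") == "service_role":
            findings.append({
                "severity": "CRITICAL",
                "project_ref": claims.get("ref"),
                "redacted": redact(token),  # what the report shows
                "fingerprint": hashlib.sha256(token.encode()).hexdigest()[:16],  # kept instead of the key
            })
    return findings

def _constructed_key(role):
    """Constructed sample token: the usual claim layout with a dummy signature (not issued by Supabase)."""
    payload = {"iss": "supabase", "ref": "abcdefghijklmnopqrst", "role": role, "iat": 1700000000, "exp": 2000000000}
    return f"{_b64url_encode({'alg': 'HS256', 'typ': 'JWT'})}.{_b64url_encode(payload)}.{'x' * 43}"

# Constructed bundle excerpt: an anon client (expected) and an admin client built with the service key (the leak).
SAMPLE_JS = (
    f'const db = createClient("https://abcdefghijklmnopqrst.supabase.co", "{_constructed_key("anon")}");\n'
    f'const admin = createClient("https://abcdefghijklmnopqrst.supabase.co", "{_constructed_key("service_role")}");\n'
)
```

Running `find_service_role_keys(SAMPLE_JS)` returns a single finding for the admin client and nothing for the anon client.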

How it works

1. Scan

Point Shipshape at your live URL. Every finding shows what we saw, why it matters, and redacted proof.

2. Fix

Each finding ships a paste-ready prompt for Cursor, Lovable, Bolt, or v0. Apply it, then re-scan to verify.

3. Prove

Clear the gates and mint a dated Launch Certificate, verifiable at a public link you can share.

A black-box "you're clean" isn't proof. This is.

Re-scan clean and Shipshape mints a dated, redacted Launch Certificate. It says what passed, what failed, and what wasn't tested — verifiable at a public link.

Dated and signed, with a chain-of-custody report hash
Redacted, so it proves we looked without exposing a key
An attestation that a check ran — never a guarantee
LAUNCH CERTIFICATE
✓ CLEARED
your-app.com
Checked Jun 18, 2026 · all four gates passed
DATA · WALLET · PAID · AGENT-DB
report_hash 3f9a·c21e·7b04·d8f1
verify …/verify/a91f
Dated · redacted · verifiable. Not a guarantee.

Free to find. Cheap to prove.

The scan and the verdict are free. Pay only when you want the fixes or ongoing watch.

Free Scan · $0 · no signup

Paste a URL, see every finding and your launch verdict.

Fix Pack · $7 one-time

Copy-paste fixes for your builder, before and after snippets, and a re-scan.

Monitoring · $5/mo, magic-link

Weekly re-scans and an alert if a new critical issue appears.


Want a human expert to review it before launch? Request a Launch Review and we reply with the scope and a quote. You are not charged here.

Request a Launch Review →

Straight answers

Does Shipshape need my code or GitHub repo?

No. Shipshape scans your deployed, public URL read-only — exactly what any browser can see. No repo access, no file upload, no login.

Is the Launch Certificate a security guarantee?

No. It attests that a dated check ran and which gates passed. It is not a pentest, certification, or guarantee — and the certificate says so itself.

Can I just ask ChatGPT instead?

ChatGPT can list what to check. Shipshape checks your actual live app and returns concrete redacted evidence, a verdict, and the exact fix to paste back into your builder.

What happens to surfaces behind a login?

We mark them "not checked" rather than guess or try to bypass them. Deeper database checks run only after you verify ownership.

Why you can trust this scan

We hold ourselves to the same scan.

① We scan ourselves

Run Shipshape against Shipshape, live — see our own report, grade, and gates.

② Read-only & honest

We never log in, attack, or store your secrets — only a redacted fingerprint as proof. And we tell you exactly what we did not test.

③ Accuracy benchmark

We publish how often we're right on a known corpus — false negatives shown, not hidden.

Also runs in your editor and CI.
Web · CLI · MCP · GitHub Action. See integrations →

Ship with proof, not crossed fingers.
