Find what your AI‑built app leaks before your users do.

Paste your live URL. Shipshape reads only what any visitor can see. It never logs in, never stores your secrets, and gives you dated proof you're ready to ship.

Read-only · we never store your secrets · ~30s, no signup
A pre-launch checkup, not a pentest. We show the evidence and redact your secrets.
my-ai-app.onrender.com · scan #a91f
LAUNCH VERDICT: HOLD
Hold. Fix before you ship.
Data: BLOCK · Wallet: PASS · Paid: INCMP · Agent-DB: PASS
✕ CRITICAL (confirmed): Your Supabase service key is exposed in the page
sk_live_▮▮▮▮▮▮1f4a
report_hash: 3f9a·c21e·7b04
coverage: 38 pages · 9.4s
mode: ● read-only · signed

Four launch gates

Data Gate

exposed secrets & customer data

Catches a Supabase service_role key sitting in your client JS, where any visitor could read or edit your whole database.

Wallet Gate

runaway bills & abused API keys

Flags an OpenAI key called straight from the browser, so a stranger can run paid requests on your account.

Paid-State Gate

does paying unlock the right thing

Confirms a Stripe checkout actually flips the user to paid, instead of charging them and unlocking nothing.

Agent-DB Gate

unsafe AI-written database changes

Reviews AI-generated SQL for a table left with no row-level security, exposed to every logged-in user.

How it works

1. Scan

Point Shipshape at your live URL. Every finding shows what we saw, why it matters, and redacted proof.

2. Fix

Each finding ships a paste-ready prompt for Cursor, Lovable, Bolt, or v0. Apply it, then re-scan to verify.

3. Prove

Clear the gates and mint a dated Launch Certificate, verifiable at a public link you can share.

A black-box "you're clean" isn't proof. This is.

Re-scan clean and Shipshape mints a dated, redacted Launch Certificate. It says what passed, what failed, and what wasn't tested — verifiable at a public link.

Dated and signed, with a chain-of-custody report hash
Redacted, so it proves we looked without exposing a key
An attestation that a check ran — never a guarantee
LAUNCH CERTIFICATE
✓ CLEARED
my-ai-app.onrender.com
Checked Jun 18, 2026 · all four gates passed
DATA · WALLET · PAID · AGENT-DB
report_hash: 3f9a·c21e·7b04·d8f1
verify: …/verify/a91f
Dated · redacted · verifiable. Not a guarantee.

Free to find. Cheap to prove.

The scan and the verdict are free. Pay only when you want the fixes or ongoing watch.

Free Scan
$0 · no signup

Paste a URL, see every finding and your launch verdict.

START HERE
Fix Pack
$7 · one-time

Copy-paste fixes for your builder, before and after snippets, and a re-scan.

Monitoring
$5/mo, magic-link

Weekly re-scans and an alert if a new critical issue appears.


Need deeper proof? Launch Proof Snapshot $19 · Review $49 · Fix + Proof $99

Request a Launch Proof review →
Validation-phase intake. If checkout is not configured, you will not be billed; we will follow up by email.

Straight answers

Does Shipshape need my code or GitHub repo?

No. Shipshape scans your deployed, public URL read-only — exactly what any browser can see. No repo access, no file upload, no login.

Is the Launch Certificate a security guarantee?

No. It attests that a dated check ran and which gates passed. It is not a pentest, certification, or guarantee — and the certificate says so itself.

Can I just ask ChatGPT instead?

ChatGPT can list what to check. Shipshape checks your actual live app and returns concrete redacted evidence, a verdict, and the exact fix to paste back into your builder.

What happens to surfaces behind a login?

We mark them "not checked" rather than guess or try to bypass them. Deeper database checks run only after you verify ownership.

Also runs in your editor and CI.
Web · CLI · MCP · GitHub Action. See integrations →

Ship with proof, not crossed fingers.
