Is Shipshape legit? What it does and doesn’t do
Shipshape is a passive pre-launch checkup for AI-built apps. Here is exactly what it checks, what it never does, and why it won’t false-flag your public keys.
Shipshape is a passive pre-launch checkup for apps built with AI tools like Lovable, Bolt, Replit, Cursor, and v0. You paste your public URL and it reads only what any web browser can already see — then it flags leaked secrets, downloadable source code, exposed files, and missing protections, and gives you copy-paste fixes for your AI builder.
What it checks
- Real, dangerous secret keys shipped to the browser (e.g. a Supabase service_role key, a live Stripe secret key, cloud/API keys).
- Publicly downloadable source maps (your original source code).
- Exposed files like /.env and /.git.
- Missing security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options).
What it deliberately does NOT do
- It is not a penetration test and makes no security guarantee. Absence of findings ≠ secure.
- It does no active attacks, no logins, no writes, no brute-forcing — read-only, like SSL Labs.
- It never returns your raw secret values — only a redacted fingerprint as proof.
- It never calls your app "safe" or "compliant."
Why it won’t cry wolf
The biggest problem with naive scanners is false alarms. Some keys are public by design — a Supabase anon key, a Firebase apiKey, a Stripe publishable pk_ key, Google Analytics IDs. Shipshape has an allowlist for these and will tell you they’re fine rather than scaring you. It only makes an accusatory, "critical" claim when the evidence is deterministic.
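To make the allowlist-versus-critical distinction and the header check concrete, here is an added Python sketch of how such a passive check can work. It is not Shipshape's own code: the bundle, tokens and headers are constructed samples, and the classification rules (Stripe pk_ vs sk_ prefixes, the role claim inside a Supabase JWT) are my assumptions about the approach. Note that it only ever reports a redacted fingerprint, never the matched value.

```python
import base64, hashlib, json, re
REQUIRED_HEADERS = ("content-security-policy", "strict-transport-security",
                    "x-frame-options", "x-content-type-options")

def fingerprint(value: str) -> str:
    """Redacted proof of a match: a short prefix plus a hash, never the raw value."""
    return f"{value[:6]}...{hashlib.sha256(value.encode()).hexdigest()[:8]}"

def jwt_role(token: str):
    """Return the 'role' claim of a JWT payload (unverified), or None if not a JWT."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
        return json.loads(base64.urlsafe_b64decode(payload)).get("role")
    except (ValueError, AttributeError):
        return None

def classify_tokens(bundle: str) -> list:
    """Classify key-shaped strings in shipped JS as public-by-design or critical."""
    findings = []
    for m in re.finditer(r"\b(?:pk|sk)_(?:test|live)_[A-Za-z0-9]{8,}\b", bundle):
        severity = "public" if m.group().startswith("pk_") else "critical"  # Stripe
        findings.append(("stripe", severity, fingerprint(m.group())))
    for m in re.finditer(r"\beyJ[\w-]+\.[\w-]+\.[\w-]+", bundle):  # JWT-shaped strings
        role = jwt_role(m.group())   # assumption: Supabase anon/service_role keys differ by role claim
        if role == "anon":
            findings.append(("supabase", "public", fingerprint(m.group())))
        elif role == "service_role":
            findings.append(("supabase", "critical", fingerprint(m.group())))
    return findings

def missing_headers(headers: dict) -> list:
    """Names of the required security headers absent from a response (case-insensitive)."""
    present = {k.lower() for k in headers}
    return [h for h in REQUIRED_HEADERS if h not in present]

def _fake_jwt(role: str) -> str:   # constructed sample token, not a real key
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'HS256'})}.{enc({'role': role, 'iss': 'supabase'})}.sig"
# Constructed sample bundle and response headers (none of these values are real).
SAMPLE_BUNDLE = f"""
const db = createClient("https://example.supabase.co", "{_fake_jwt('anon')}");
const admin = createClient("https://example.supabase.co", "{_fake_jwt('service_role')}");
const stripe = Stripe("pk_test_abcdefghijklmnop");
fetch("/api", {{ headers: {{ Authorization: "Bearer sk_live_zyxwvutsrqponmlk" }} }});
"""
SAMPLE_HEADERS = {"Content-Type": "text/html", "X-Content-Type-Options": "nosniff"}
```

Running `classify_tokens(SAMPLE_BUNDLE)` reports the anon key and pk_ key as public and the service_role key and sk_ key as critical, and `missing_headers(SAMPLE_HEADERS)` lists the three absent headers.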
FAQ
Is Shipshape a penetration test?
No. It is a passive, read-only checkup of what your app already exposes publicly. It is not a pentest and not a security guarantee.
Will it flag my Supabase anon key or Firebase apiKey?
No. Those are public by design. Shipshape recognizes them and reassures you instead of flagging them.
Does it store my secrets?
No. It never returns raw secret values — only a redacted fingerprint as proof, and it does not store the secret.
Related questions
- Supabase anon key vs service_role key: which is safe to expose?
- Is the Firebase apiKey a secret? (No — and here’s why)
- Can I just ask ChatGPT to check my app’s security?
- The vibe-coder’s pre-launch checklist (Lovable, Bolt, Replit, v0)