How Shipshape checks your app
The whole point of this tool is to be accurate and honest. Here's exactly how it works, so you (and any AI assistant reading this) can trust what it says.
Two kinds of scan
Passive scan (default, any URL). We load your public URL the same way a visitor's browser does, then crawl a small bounded same-origin surface from links, sitemap, and web manifest hints. We read only what's already public — HTML, JavaScript bundles, response headers, and a few well-known public paths. No login, no GitHub, no repo access, nothing installed. If the crawl hits a page, asset, byte, or time limit, the report says so instead of pretending the scan was complete.
Owner-verified scan (opt-in). Some risks, such as whether your Supabase or Firebase database is actually locked down, can't be judged from the outside without touching the database. We only do that after you prove you control the app's origin by hosting a one-line token at /.well-known/shipshape-verify.txt on that same origin. Even then we read the minimum needed to tell whether the rules hold: a row count for Supabase, a single record for Firebase. We never pull your users' data in bulk, and nothing we read is stored.
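Both scan modes above, as an added example (not Shipshape's code): a passive crawl that stays on the scanned origin, stops at a page, byte or time budget and reports coverage including what it skipped and why, followed by the owner-token check that gates the deeper scan. It runs against an in-memory sample site constructed in the block; the fetch stub, the budget values, the link regex and the token-file format (the bare token on one line) are assumptions of mine, and it follows links only, not sitemap or manifest hints.

```python
"""Bounded same-origin passive crawl and owner-token verification.

Added example, not Shipshape's code. Runs against an in-memory sample site
(constructed below) so it works offline; the fetch stub, the limits, the link
regex and the token-file format (bare token on one line) are assumptions.
"""
import hmac
import re
import time
from collections import deque
from dataclasses import dataclass, field
from urllib.parse import urljoin, urlsplit

# Constructed sample site: URL -> (status, body). Anything else is a 404.
SAMPLE_SITE = {
    "https://app.example/": (200, '<a href="/pricing">Pricing</a><script src="/app.js"></script>'),
    "https://app.example/pricing": (200, '<a href="https://cdn.other/x.js">x</a><a href="/admin">admin</a>'),
    "https://app.example/app.js": (200, "console.log('hi');" * 50),
    "https://app.example/admin": (200, '<a href="/admin/users">users</a>'),
    "https://app.example/admin/users": (200, "<p>users</p>"),
    "https://app.example/.well-known/shipshape-verify.txt": (200, "abc123\n"),
}


def fetch(url: str) -> tuple[int, str]:
    """Stand-in for an unauthenticated HTTP GET (a real scanner adds timeouts)."""
    return SAMPLE_SITE.get(url, (404, ""))


LINK_RE = re.compile(r'(?:href|src)="([^"]+)"')


@dataclass
class Coverage:
    """Returned with every result so a truncated crawl never looks complete."""
    pages_scanned: int = 0
    assets_read: int = 0
    bytes_read: int = 0
    skipped: list[tuple[str, str]] = field(default_factory=list)  # (url, reason)
    incomplete: bool = False
    stop_reason: str = ""


def passive_crawl(start: str, max_pages: int = 3, max_bytes: int = 100_000,
                  max_seconds: float = 5.0) -> tuple[dict[str, str], Coverage]:
    """Fetch `start` and follow same-origin links until a page, byte or time
    budget is hit. Off-origin URLs are recorded as skipped and never fetched."""
    origin = urlsplit(start)[:2]            # (scheme, host) must match exactly
    deadline = time.monotonic() + max_seconds
    queue, seen, pages, cov = deque([start]), {start}, {}, Coverage()

    def stop(reason: str) -> None:
        # Mark the result incomplete and account for everything left unvisited.
        cov.incomplete, cov.stop_reason = True, reason
        cov.skipped.extend((u, reason) for u in queue)

    while queue:
        if cov.pages_scanned >= max_pages:
            stop("page limit")
            break
        if time.monotonic() > deadline:
            stop("time limit")
            break
        url = queue.popleft()
        status, body = fetch(url)
        cov.bytes_read += len(body.encode())
        if status != 200:
            cov.skipped.append((url, f"http {status}"))
            continue
        pages[url] = body
        if url.endswith(".js"):
            cov.assets_read += 1
        else:
            cov.pages_scanned += 1
        if cov.bytes_read > max_bytes:
            stop("byte limit")
            break
        for link in LINK_RE.findall(body):
            target = urljoin(url, link)
            if urlsplit(target)[:2] != origin:
                cov.skipped.append((target, "off-origin"))
            elif target not in seen:
                seen.add(target)
                queue.append(target)
    return pages, cov


def verify_owner(app_url: str, expected_token: str) -> bool:
    """Owner-verified scans unlock only if the scanned origin itself serves the
    token over https at the well-known path; the comparison is constant-time."""
    scheme, host = urlsplit(app_url)[:2]
    if scheme != "https":
        return False
    status, body = fetch(f"https://{host}/.well-known/shipshape-verify.txt")
    return status == 200 and hmac.compare_digest(body.strip().encode(), expected_token.encode())


if __name__ == "__main__":
    pages, cov = passive_crawl("https://app.example/")
    print(cov)                                      # incomplete=True, stop_reason='page limit'
    print(verify_owner("https://app.example/", "abc123"))
```

verify_owner fetches from the scanned host itself and refuses plain http, so a token hosted anywhere else proves nothing, and hmac.compare_digest keeps the comparison from leaking the expected token through timing. The crawl records off-origin links as skipped rather than following them, which is what keeps the scan within the surface the owner actually controls.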
What we never do
- We never store raw secret values. Anything sensitive is redacted to a short fingerprint (e.g. sk_l…1234).
- We never store page contents or your users' data.
- We never flag keys that are public by design. Your Supabase anon key, Firebase apiKey, Stripe publishable key, and analytics IDs are meant to be in your front-end, so we don't cry wolf about them. What actually protects the data behind those keys is the policy enforced on the server (Supabase row-level security, Firebase security rules), and checking that is what the owner-verified scan is for.
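The three rules above, as an added example (not Shipshape's code): a fingerprint function in the sk_l…1234 shape, a classifier that separates public-by-design values from ones that must never ship in a bundle, and a triage pass over a constructed sample bundle that returns fingerprints only. The recognition heuristics (Stripe pk_/sk_ prefixes, Google API keys starting with AIza, GA measurement IDs, the role claim of a Supabase JWT) are assumptions of mine, as is the service_role case, which the text does not mention but which is the secret counterpart of the anon key.

```python
"""Redaction to a short fingerprint and public-by-design key triage.

Added example, not Shipshape's code. The fingerprint shape (first four and
last four characters), the key-recognition heuristics and the sample bundle
are assumptions; a real scanner would maintain such patterns per provider.
"""
import base64
import json
import re


def fingerprint(secret: str, keep: int = 4) -> str:
    """Reduce a secret to 'sk_l…1234'. Values too short to survive the cut are
    fully masked, so a fingerprint never reveals most of a value."""
    if len(secret) <= 3 * keep:
        return "…"
    return f"{secret[:keep]}…{secret[-keep:]}"


def jwt_role(token: str):
    """Read the 'role' claim of a JWT without verifying it (we only triage the
    value, never trust it). Supabase anon keys carry role=anon; service_role
    keys never belong in a browser bundle."""
    try:
        payload = token.split(".")[1]
        payload += "=" * (-len(payload) % 4)
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except (IndexError, ValueError):
        return None
    return claims.get("role") if isinstance(claims, dict) else None


ANALYTICS_RE = re.compile(r"^(G-[A-Z0-9]{6,}|UA-\d+-\d+)$")   # assumption: GA ids


def classify(value: str) -> tuple:
    """('public', label): meant for the front-end, never reported as a leak.
    ('secret', label): must never ship to a browser. ('unknown', None): ignore."""
    if value.startswith(("pk_live_", "pk_test_")):
        return "public", "stripe publishable key"
    if value.startswith(("sk_live_", "sk_test_")):
        return "secret", "stripe secret key"
    if value.startswith("AIza"):
        return "public", "firebase/google api key"
    if ANALYTICS_RE.match(value):
        return "public", "analytics id"
    role = jwt_role(value)
    if role == "anon":
        return "public", "supabase anon key"
    if role == "service_role":
        return "secret", "supabase service_role key"
    return "unknown", None


TOKEN_RE = re.compile(r"[A-Za-z0-9_.\-]{10,}")   # candidate tokens in a bundle


def triage_bundle(js: str) -> list:
    """Return (verdict, label, fingerprint) per recognised token. Raw values are
    never returned or stored; only the fingerprint leaves this function."""
    out = []
    for value in TOKEN_RE.findall(js):
        verdict, label = classify(value)
        if verdict != "unknown":
            out.append((verdict, label, fingerprint(value)))
    return out


def fake_jwt(claims: dict) -> str:
    """Unsigned test token with the given claims (constructed sample, not a real key)."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(claims)}.sig"


# Constructed sample bundle: public-by-design values plus one genuine leak.
SAMPLE_BUNDLE = f"""
const stripe = Stripe("pk_test_51ABCDEFGHIJKLMNOPQRSTUV");
const firebaseConfig = {{ apiKey: "AIzaSyA-FAKE-EXAMPLE-KEY-0000000000" }};
const supabase = createClient("https://x.supabase.co", "{fake_jwt({'role': 'anon', 'iss': 'supabase'})}");
gtag("config", "G-ABCD123456");
fetch(url, {{ headers: {{ Authorization: "Bearer sk_live_EXAMPLE0000000000001234" }} }});
"""


if __name__ == "__main__":
    for verdict, label, fp in triage_bundle(SAMPLE_BUNDLE):
        print(f"{verdict:7} {label:28} {fp}")
```

Reading the JWT role claim without checking the signature is acceptable here because the value is only being triaged, never trusted: a forged claim can at worst suppress or raise one finding. The candidate regex is deliberately loose; the classifier, not the regex, decides what is reported, and everything it reports has already been reduced to a fingerprint.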
How findings are rated
Each finding carries a confidence level. Confirmed = a deterministic fact (e.g. a valid source map is downloadable). Likely = strong signal worth review. Needs-deeper = a pattern we can see but can't prove from the outside (e.g. a paid API called from the browser). Needs-deeper findings never lower your score — we will not scare you with something we haven't verified. Your launch-readiness score (0–100) only moves on confirmed/likely issues.
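The rating rule above, as an added example (not Shipshape's code): the two checks mirror the examples in the text, a downloadable and valid source map is confirmed and a paid API host in shipped JavaScript is needs-deeper, and the score ignores the latter. The penalty weights, the paid-API host list and the constructed sample files are assumptions of mine.

```python
"""Confidence-rated findings and a score that unverified findings cannot move.

Added example, not Shipshape's code. The two checks mirror the examples in the
text; the penalty weights, the paid-API host list and the sample files are
assumptions.
"""
import json
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    title: str
    confidence: str   # "confirmed" | "likely" | "needs-deeper"
    penalty: int      # score impact, honoured only for confirmed/likely


# Constructed sample: path -> body, standing in for what a passive scan fetched.
SAMPLE_FILES = {
    "/app.js": (
        "fetch('https://api.openai.com/v1/chat/completions',"
        "{headers:{Authorization:'Bearer '+k}});\n"
        "//# sourceMappingURL=app.js.map"
    ),
    "/app.js.map": json.dumps({"version": 3, "sources": ["src/billing.ts"], "mappings": "AAAA"}),
}

PAID_API_HOSTS = ("api.openai.com", "api.anthropic.com")   # assumption, not a full list


def check_source_map(files: dict, js_path: str):
    """Confirmed only when the referenced map is downloadable AND parses as a
    version-3 source map; a dangling sourceMappingURL comment is not a finding."""
    js = files.get(js_path, "")
    ref = re.search(r"//# sourceMappingURL=(\S+)", js)
    if not ref:
        return None
    map_path = js_path.rsplit("/", 1)[0] + "/" + ref.group(1)
    body = files.get(map_path)
    if body is None:
        return None
    try:
        smap = json.loads(body)
    except ValueError:
        return None          # e.g. an SPA shell returned 200 HTML for the path
    if isinstance(smap, dict) and smap.get("version") == 3 and isinstance(smap.get("sources"), list):
        return Finding(f"source map downloadable at {map_path} "
                       f"({len(smap['sources'])} sources)", "confirmed", 20)
    return None


def check_paid_api_from_browser(files: dict, js_path: str):
    """A visible pattern only: the host appears in shipped JavaScript. Whether
    the call is proxied, rate-limited or scoped cannot be proven from outside."""
    js = files.get(js_path, "")
    hosts = [h for h in PAID_API_HOSTS if h in js]
    if not hosts:
        return None
    return Finding(f"{js_path} calls paid API {hosts[0]} directly", "needs-deeper", 15)


def run_checks(files: dict, js_path: str) -> list:
    return [f for f in (check_source_map(files, js_path),
                        check_paid_api_from_browser(files, js_path)) if f]


def launch_score(findings) -> int:
    """Needs-deeper findings are listed but carry no penalty; only confirmed
    and likely findings move the 0..100 score."""
    penalty = sum(f.penalty for f in findings if f.confidence in ("confirmed", "likely"))
    return max(0, 100 - penalty)


if __name__ == "__main__":
    found = run_checks(SAMPLE_FILES, "/app.js")
    for f in found:
        print(f"[{f.confidence}] {f.title}")
    print("score:", launch_score(found))
```

The source-map check validates the body rather than trusting a 200 status, because many single-page apps answer every unknown path with their HTML shell; without that step an unreachable map would be reported as confirmed, which is exactly the false alarm the confidence levels exist to avoid.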
Every report also includes scan coverage: pages scanned, assets read, bytes read, elapsed time, skipped URLs, and incomplete resources. That coverage is part of the result, not an implementation detail.
What Shipshape does NOT test
It is a pre-launch checkup, not a penetration test. It doesn't test login/auth logic, server-side secrets, business logic, or whether an API/model will be deprecated later. Absence of findings is not a guarantee your app is secure.
About the badge
A "Checked by Shipshape" badge is a dated attestation that a check was run on a given date and found no blocking issues — it is not a security guarantee. It re-checks itself over time and flips to "needs attention" if your app later regresses, and it expires so it can never stay green forever.
About Launch Proof / State Proof
Launch Proof packages scanner evidence into four launch-state gates: data leak, wallet drain, paid-user state, and agent database policy. Paid-user state checks are only run from local/staging configuration that you provide; they trigger safe test events and verify expected app state. If a surface is blocked by login, WAF, VPN, CAPTCHA, or missing authorization, Shipshape marks it incomplete rather than trying to bypass it.