Pre-launch scanner for AI-built apps

Drop in a repo. Get back the ten things that will sink your launch.

Shipcheck reads your public GitHub repo the way a senior engineer would: looking for the security holes, missing tests, abandoned auth flows, and embarrassing comments your AI coding tool shipped at 2am. Plain English. Specific files. Ranked by what'll actually hurt you.

4,200+ repos scanned · 90 sec avg scan time · 10 ranked findings
Report preview: shipcheck.io/report/7f3a2c
github.com/you/launchpad · scanned 4 minutes ago · 247 files · grade B- · Ship-ready
  • High: Hardcoded API key in lib/db.ts
  • High: No rate limiting on /api/signup
  • High: CORS open to wildcard origin
  • Medium: Auth flow missing logout endpoint
  • Medium: Zero test coverage on payments
  • Low: AI placeholder text in 3 routes
A look inside Shipcheck
(Shipcheck dashboard preview)
The problem

Your AI shipped 4,000 lines. Now which ones embarrass you?

You vibe-coded a working app in a weekend. The screens look great. The signup flow works on Chrome on your laptop. You are about to push to ProductHunt or send the link to a recruiter or charge a credit card with it. And somewhere in those 4,000 lines is a hardcoded Stripe key, an unsanitized SQL query, a webhook that anyone on the internet can post to, and three TODO comments that say "fix before prod."

The existing audit tools were not built for this. SonarQube wants you to install a daemon, configure Maven, and read a 60-tab dashboard. Snyk speaks a dialect of engineer that assumes you've shipped to production for ten years. GitHub's security tab tells you a transitive dependency from 2019 has a CVE, but does not tell you that you are storing user passwords in plaintext in your Postgres seeds file.

Shipcheck is the audit you wish a senior engineer would do for you over coffee. Plain English. Ranked by what will actually break you on launch day. Specific files, specific lines, with a one-paragraph explanation a non-engineer can act on. Nine dollars a scan, ninety seconds to run, no install required.

The audit your AI coding tool quietly skipped, before you ship to your first paying customer.
How it works

Four steps, ninety seconds, one PDF.

1. Paste a repo URL

Public GitHub repos only for now. We don't ask for OAuth and we don't keep your code: we clone the public tree into ephemeral storage for the scan and delete it afterwards.

2. We scan in 90 seconds

Static analysis plus a Claude-driven semantic pass that looks for things linters miss: leaked secrets, half-finished auth, fake placeholders.

3. You get a report

Ten ranked findings. Each one names the file, the line, the risk in plain English, and the fix in one sentence.

4. You ship a fix

Most findings are 5 to 30 minutes of work. Re-scan free for 24 hours to confirm you closed them.

Every Shipcheck report names the file. Always.

No "your auth flow could be better." Instead: app/api/auth/login/route.ts · line 42 with one paragraph of plain-English explanation and one sentence of fix. If the finding doesn't tell you exactly what to change, we mark it incomplete and don't charge you.

01 · Security holes

The stuff that gets you on the front page of Hacker News for the wrong reason.

  • Hardcoded API keys, tokens, secrets in committed code
  • Unverified webhooks, SSRF risks, open CORS configurations
  • SQL injection patterns, unsanitized user input flowing to queries
  • Auth flows missing rate limits, logout, or token expiry
02 · Code quality

Not style nitpicks. The stuff that actually breaks when traffic shows up.

  • Routes with zero error handling that throw 500s on edge cases
  • Database queries with no indexes on hot lookup paths
  • Memory leaks, unclosed handles, infinite-recursion patterns
  • Dependencies with known critical CVEs in your direct tree
03 · UX gaps

What your AI tool forgot to finish before declaring victory.

  • Forms with no validation, no loading states, no error UI
  • Empty states that say "TODO: design empty state"
  • Mobile breakpoints that visibly broke and never got tested
  • Placeholder Lorem Ipsum or "your text here" left in production routes
04 · Hiring disqualifiers

For technical recruiters reviewing candidate work, the stuff that says "no."

  • Commit history showing a single AI-generated push, no iteration
  • Commented-out code blocks, dead routes, console.log debugging left in
  • README that does not match what the app does
  • Tests that exist but pass without testing anything (false-green)
Who it's for

Three audiences, one honest mirror.

The vibe-coder · Shipping AI-built apps every weekend

You shipped six apps last quarter, all of them mostly working, none of them audited. You don't read your own code line by line because that is what the AI was for. You need a fast, cheap, honest sanity check before the launch tweet goes live.

The indie founder · First paid product, real money on the line

Stripe is wired up and you're about to charge a real credit card. You have the mortal fear that you have left a webhook unverified or an admin route unauthenticated. Nine dollars and ninety seconds to know.

The technical recruiter · Reviewing 30 candidate repos this week

You're not a senior engineer. You can't tell whether a portfolio repo is impressive or a one-shot AI copy-paste. Shipcheck gives you a one-page pass-fail with ranked specifics, so you can spend interview time on the candidates whose code earned it.

Sample report

A real scan, lightly redacted. The owner shipped the fixes.

This is what a typical Shipcheck report looks like. Ten findings, ranked, each one in language you can act on without a senior engineer translating.

github.com/redacted/launch-portal

B-
1 · High · Stripe webhook signature is not verified

Your /api/webhooks/stripe route accepts any POST body and trusts it as a real Stripe event. Anyone on the internet can hit it and mark an order as paid. This is the single highest-severity issue in this scan. Fix: verify the Stripe-Signature header against your endpoint's signing secret on the raw request body, and reject the request before touching any order when verification fails.

app/api/webhooks/stripe/route.ts · line 18
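What the fix for this finding looks like in code, as an added example rather than anything from the scanned repo or from Shipcheck: Stripe signs each delivery with HMAC-SHA256 over "<timestamp>.<raw body>" and sends the result in the Stripe-Signature header, so the handler must recompute that MAC on the raw body, compare it in constant time, and refuse deliveries outside a replay window. The vulnerable "before" handler is shown next to the verified one. Everything below is hand-rolled with Node's crypto module so it runs offline; the secret, the event body, the order store and the function names are constructed for the example (a real route would call the Stripe SDK's constructEvent, which performs the same checks).

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Stripe signs every delivery as HMAC-SHA256(secret, "<t>.<raw body>") and sends
//   Stripe-Signature: t=<unix seconds>,v1=<hex mac>[,v1=<hex mac>]
// The endpoint's signing secret (whsec_...) comes from the Stripe dashboard.
const TOLERANCE_SECONDS = 300; // replay window; Stripe's SDK uses the same default

export function signPayload(secret: string, timestamp: number, rawBody: string): string {
  return createHmac("sha256", secret).update(`${timestamp}.${rawBody}`).digest("hex");
}

export function verifyStripeSignature(
  rawBody: string,
  header: string | null,
  secret: string,
  nowSeconds: number = Math.floor(Date.now() / 1000),
): boolean {
  if (!header) return false;
  let timestamp: number | null = null;
  const candidates: string[] = [];
  for (const part of header.split(",")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const key = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (key === "t") timestamp = Number(value);
    else if (key === "v1") candidates.push(value);
  }
  if (timestamp === null || !Number.isInteger(timestamp) || candidates.length === 0) return false;
  // A captured delivery replayed outside the window is refused even with a valid MAC.
  if (Math.abs(nowSeconds - timestamp) > TOLERANCE_SECONDS) return false;
  const expected = Buffer.from(signPayload(secret, timestamp, rawBody), "hex");
  return candidates.some((hex) => {
    const got = Buffer.from(hex, "hex");
    return got.length === expected.length && timingSafeEqual(got, expected);
  });
}

// In-memory stand-in for the orders table (constructed for the example).
export type OrderStore = Map<string, { paid: boolean }>;

// BEFORE (the finding): any POST body is parsed and trusted as a Stripe event.
export function handleWebhookUnverified(rawBody: string, orders: OrderStore): number {
  const event = JSON.parse(rawBody);
  if (event.type === "checkout.session.completed") {
    const order = orders.get(event.data?.object?.metadata?.orderId);
    if (order) order.paid = true; // attacker-controlled body flips the order to paid
  }
  return 200;
}

// AFTER: the MAC is checked on the raw body first; nothing is mutated on failure.
// Returns the HTTP status the route handler would send.
export function handleWebhookVerified(
  rawBody: string,
  signatureHeader: string | null,
  secret: string,
  orders: OrderStore,
  nowSeconds?: number,
): number {
  if (!verifyStripeSignature(rawBody, signatureHeader, secret, nowSeconds)) return 400;
  const event = JSON.parse(rawBody);
  if (event.type === "checkout.session.completed") {
    const order = orders.get(event.data?.object?.metadata?.orderId);
    if (!order) return 404;
    order.paid = true;
  }
  return 200;
}

// Constructed sample: a secret, a fake event, and the header Stripe would have sent for it.
export const SAMPLE_SECRET = "whsec_constructed_for_example_only";
export const SAMPLE_NOW = 1_700_000_000;
export const SAMPLE_BODY = JSON.stringify({
  id: "evt_constructed_1",
  type: "checkout.session.completed",
  data: { object: { metadata: { orderId: "order_42" } } },
});
export const SAMPLE_HEADER = `t=${SAMPLE_NOW},v1=${signPayload(SAMPLE_SECRET, SAMPLE_NOW, SAMPLE_BODY)}`;
```

Two details matter in practice: the MAC must be computed over the raw bytes exactly as received (a framework that parses and re-serialises JSON before your handler sees it will break verification), and the length check before timingSafeEqual is required because that function throws on mismatched buffer sizes.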
2 · High · Admin dashboard route has no auth

The /admin route renders without checking whether the visitor is logged in or has the admin role. Anyone who guesses the URL sees the user list, revenue, and the delete-account button. Fix: check the session and the admin role on the server before rendering, and redirect anyone else away; a hidden link in the navigation is not access control.

app/admin/page.tsx · entire file
3 · Medium · Password reset tokens never expire

Tokens are minted but the expires_at column is never set. A token leaked once is valid forever. Add a 1-hour expiry on token creation and a check on consumption.

lib/auth/reset.ts · line 42
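The shape of that fix, as an added example that is not the scanned repo's lib/auth/reset.ts: the expiry is written at mint time and enforced at consume time, and two further checks a reviewer would expect are included, single use (a consumed token cannot be replayed) and storing only a hash of the token so a database dump does not hand out live reset links. The in-memory Map stands in for the table; the class name, TTL constant and sample user IDs are constructed for the example.

```typescript
import { randomBytes, createHash } from "node:crypto";

// One row of the password_reset_tokens table (in-memory stand-in constructed for the example).
// The finding's bug was that expiresAt was never populated; here it is set at mint time,
// enforced at consume time, and the token is single-use.
interface ResetRow {
  userId: string;
  tokenHash: string;     // sha256 of the token; the raw token exists only in the e-mailed link
  expiresAt: number;     // ms since epoch
  usedAt: number | null;
}

const RESET_TTL_MS = 60 * 60 * 1000; // 1 hour, matching the finding's fix

function hashToken(token: string): string {
  return createHash("sha256").update(token).digest("hex");
}

export class ResetTokenStore {
  private rows = new Map<string, ResetRow>(); // keyed by tokenHash, like a unique index

  // Mint a fresh token for a user. Earlier unconsumed tokens for that user are dropped,
  // so a link in an older e-mail stops working once a newer reset is requested.
  mint(userId: string, now: number = Date.now()): string {
    for (const [key, row] of this.rows) if (row.userId === userId) this.rows.delete(key);
    const token = randomBytes(32).toString("hex"); // 256 bits from the CSPRNG
    const tokenHash = hashToken(token);
    this.rows.set(tokenHash, { userId, tokenHash, expiresAt: now + RESET_TTL_MS, usedAt: null });
    return token;
  }

  // Consume a token from a reset link. Returns the userId on success, null on any failure.
  consume(token: string, now: number = Date.now()): string | null {
    const row = this.rows.get(hashToken(token));
    if (!row) return null;                // unknown, or invalidated by a newer request
    if (row.usedAt !== null) return null; // replay of an already consumed token
    if (now > row.expiresAt) {            // leaked-but-stale token is worthless
      this.rows.delete(row.tokenHash);
      return null;
    }
    row.usedAt = now;
    return row.userId;
  }
}
```

Looking the row up by hash means no string comparison on the raw token happens at all, which sidesteps the timing question; the remaining risk is the e-mail channel itself, which is why the window is short.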
4 · Low · Three "TODO: write copy" placeholders in pricing page

The /pricing route renders the literal string "TODO: write feature comparison here." Visitors will see this. Replace before any link goes public.

app/pricing/page.tsx · lines 88, 102, 117
"I scanned my own repo at 9pm the night before launch. It found three high-severity issues I would have shipped. Best nine dollars I've spent this year."
Marcus T., shipped his first paid SaaS in March
Pricing

Pay-per-scan, or unlimited for the price of lunch.

Most founders run two scans a month, one before launch and one after the first round of fixes. The unlimited plan is for shops shipping a new repo every other week.

What you get                  Shipcheck $9     Snyk Team       SonarCloud Pro
Unlimited monthly             $49/mo           $150+/mo        $100+/mo
Setup time                    Zero             15 to 60 min    30+ minutes
Hiring-disqualifier checks    Yes              No              No

One scan, $9, no subscription. Pay once, get the report. Re-scan free for 24 hours after fixes.
Run a $9 scan
FAQ

The five things everyone asks first.

Do you store my code?
No. We clone the repo into ephemeral storage, run the scan, generate the report, and delete the working tree. We keep the report itself for 90 days so you can re-read it. No third-party training, no data resale, no exceptions.
Does it work on private repos?
Public repos only at launch. Private repo support is coming with our $49/mo plan and uses a GitHub App with read-only access. We never store your code, only the diff fingerprints we need to skip already-scanned files.
What languages do you cover?
JavaScript, TypeScript, Python, Ruby, Go, and Rust today. Java and PHP are on the roadmap. The Claude-powered semantic pass works on any language but the static analysis is best on the ones above.
Is this just running ChatGPT on my code?
No. We combine deterministic static analysis (proven open source linters and security tooling) with a Claude pass that catches semantic issues like half-finished auth or placeholder copy that no linter sees. The output is ranked, deduplicated, and filtered for false positives before it reaches your report.
How is this different from GitHub's security tab?
GitHub tells you about CVEs in your dependencies. We tell you about the secrets you committed, the auth flow you forgot to finish, the webhook anyone can hit, and the placeholder text in your pricing page. Different jobs. We complement, not replace.

Scan it before they do.

Nine dollars. Ninety seconds. Ten ranked findings. Most launches ship with one or two of them open. Don't be most launches.