# Derek Bouchard, Senior Product Manager at Fieldline (B2B SaaS, 160 people) — read of Shipcheck, May 12 2026

> Eight years in product, four years shipping solo side projects in Next.js and Supabase using Cursor and Claude. Three launches in the past year, zero security audits. Six-year-old who wakes up at 6am, which means my coding window is 9pm to midnight and I am always slightly exhausted when I push to prod.

## How I got here

Someone in a Hacker News thread titled "what do you do before you post to ProductHunt" linked this. The thread was mostly people arguing about whether AI-coded apps should be posted at all, which I skimmed past. The link stood out because the anchor text was just "this" with no explanation. I clicked mostly out of curiosity about what "this" even was.

## What I clicked first

The hero copy stopped me. Specifically: "looking for the security holes, missing tests, abandoned auth flows, and embarrassing comments your AI coding tool shipped at 2am." The "2am" is doing a lot of work there and it works. That is exactly when I push things. The specificity of the sample report graphic right below it -- the one showing "Hardcoded API key in lib/db.ts" -- is the thing that made me actually scroll instead of closing the tab. A fake but plausible file path is worth more than ten bullet points of features.

## Where I paused

The comparison table. Not because it's a bad table -- it's a reasonable table -- but because the Snyk and SonarCloud columns are being compared on "Plain-English explanations" where Shipcheck wins with "Default" and the others get "Engineer dialect." That framing is accurate, and I've bounced off Snyk's dashboard before, but it made me wonder: is this thing actually doing real static analysis or is it mostly running the repo through Claude and asking it to be nice about what it finds? The page mentions "a Claude-driven semantic pass" which is either honest or damning depending on what that actually means. I paused here for a while. I am not sure they answered the question.

## What I distrusted

The testimonial. "Marcus T., shipped his first paid SaaS in March." That is the most minimal attribution I have seen on a product page in a year. No last name, no company, no repo, no link to the thing he shipped. "Best nine dollars I've spent this year" sounds like something a founder wrote for themselves and then decided Marcus T. would say it. The 4,200 repos scanned number feels a bit too round and is listed without any context for when the counter started. If it's been running two weeks and hit 4,200 that's impressive. If that's a lifetime number over two years it's pretty thin. No way to know.

Also: "If the finding doesn't tell you exactly what to change, we mark it incomplete and don't charge you." That is a bold claim and I notice it appears exactly once on the page in small print without any explanation of what "incomplete" means mechanically or how disputes work.

## What would convince me

A real repo scan with a repo I can actually visit. The "lightly redacted" sample report is interesting but I can't verify it's real. If they linked to a public GitHub repo -- even a throwaway demo repo they built -- and showed me the exact PDF output from scanning it, I would trust the product more than any testimonial. I want to see what a B+ looks like versus a D. Right now I only see "B-" and don't know what the scale means or whether it's useful signal.

One concrete integration detail would also help. The page says "We don't ask for OAuth, we don't store your code, we read the public tree." Great. But what about private repos? Is that ever coming? If I shipped something and immediately set the repo to private after launch, is Shipcheck useless to me going forward? The page says "Public GitHub repos only for now" but doesn't address the obvious follow-up.

## What I'd ask in an email reply

1. The Claude semantic pass -- what's the actual prompt structure? I'm not asking for IP, I'm asking whether this is "send the whole repo to Claude and ask it to find problems" or something more structured with targeted checks per finding category. That distinction matters for whether findings are reliable or hallucinated.

2. What's the false positive rate in practice? If I get ten findings and three of them are noise, that's annoying but workable. If it's six, I'm not re-scanning.

3. Is there any plan for private repos via a GitHub App with repo-specific permissions, or is the public-only constraint a permanent product decision?

## Verdict: on-the-fence

The page communicates the problem clearly and the sample report is the most convincing part of it. But I want to know whether the Claude pass is reliable or whether I'm paying nine dollars for a well-packaged hallucination, and the page does not answer that.

---
*Memo by skeptic persona, generated 2026-05-12. Studio breaks own self-grading loop.*
