shipcheck
The last check before the deploy button

Stop shipping secrets to production.

One command scans your built site for live API keys, exposed source maps, and stray .env / .git files — then blocks the deploy before any of it reaches your CDN.

$ npx shipcheck ./dist
Get early access
Zero dependencies Runs offline One CI exit code

Get notified at launch — and lock in early-access pricing


What it catches

Secret scanners check your git history. shipcheck checks the thing users download.

The built artifact is where leaks actually escape — a wrong env at build time, a bundler misconfig, one cp -r too many. Every finding is redacted in the output and ships with a concrete fix.

Leaked secrets

Live credentials baked into your JS, HTML, or config — matched by format, filtered by entropy to keep noise down.

AWSStripeGitHub GitLabOpenAIAnthropicGoogle SlackTwilionpmShopify DB URLsprivate keysJWTs

Exposed source maps

The .map files and sourceMappingURL tags that hand attackers your original, un-minified source — comments and all.

.map filesinline base64 mapsmap references

Stray files

Things that should never sit in a public folder. shipcheck flags them by name, even when they're binary.

.env.git/.npmrc id_rsa.pem.sql dumpsbackupslogs

One exit code

A deploy gate, not another dashboard.

Add one line to CI. shipcheck runs against your build output and exits non-zero the moment it finds something above your threshold — so the pipeline stops before the artifact ever reaches production.

No account, no agent, no data leaves your runner. It's a binary that reads files and returns a number.

Wants findings inline on the PR? It speaks SARIF — pipe it straight into GitHub code-scanning.

npm run buildproduces ./dist
npx shipcheck ./distscans the artifact
exit 1secrets found → deploy blocked
exit 0clean → deploy proceeds

Pricing

Free for you. Licensed for your company.

The full CLI and every detector are free for personal and open-source work. A commercial license covers running shipcheck in a for-profit team's pipeline.

Free
$0

Personal projects and anything open-source.

  • Full CLI, all detectors
  • JSON output & exit codes
  • Runs offline, zero deps
  • Commercial use in CI
  • Custom patterns & allowlist
Start scanning
Most teams Team
$12 / month

For a company shipping to production behind the gate.

  • Everything in Free
  • Commercial use in CI/CD
  • Custom secret patterns
  • Per-repo allowlist config
  • SARIF / code-scanning
Get a license
Business
$49 / month

For teams that want findings in their security tooling.

  • Everything in Team
  • SARIF output
  • GitHub code-scanning integration
  • Priority support
  • Unlimited repos
Talk to us