Stop shipping secrets to production.
One command scans your built site for live API keys, exposed source maps, and stray .env / .git files — then blocks the deploy before any of it reaches your CDN.
What it catches
Secret scanners check your git history. shipcheck checks the thing users download.
The built artifact is where leaks actually escape — a wrong env at build time, a bundler misconfig, one cp -r too many. Every finding is redacted in the output and ships with a concrete fix.
Leaked secrets
Live credentials baked into your JS, HTML, or config — matched by format, filtered by entropy to keep noise down.
Exposed source maps
The .map files and sourceMappingURL tags that hand attackers your original, un-minified source — comments and all.
Stray files
Things that should never sit in a public folder. shipcheck flags them by name, even when they're binary.
One exit code
A deploy gate, not another dashboard.
Add one line to CI. shipcheck runs against your build output and exits non-zero the moment it finds something above your threshold — so the pipeline stops before the artifact ever reaches production.
No account, no agent, no data leaves your runner. It's a binary that reads files and returns a number.
Wants findings inline on the PR? It speaks SARIF — pipe it straight into GitHub code-scanning.
Pricing
Free for you. Licensed for your company.
The full CLI and every detector are free for personal and open-source work. A commercial license covers running shipcheck in a for-profit team's pipeline.
Personal projects and anything open-source.
- Full CLI, all detectors
- JSON output & exit codes
- Runs offline, zero deps
- Commercial use in CI
- Custom patterns & allowlist
For a company shipping to production behind the gate.
- Everything in Free
- Commercial use in CI/CD
- Custom secret patterns
- Per-repo allowlist config
- SARIF / code-scanning
For teams that want findings in their security tooling.
- Everything in Team
- SARIF output
- GitHub code-scanning integration
- Priority support
- Unlimited repos