ShipCheck
⚓ Zero dependencies · nothing uploaded · MIT

Ship your vibe-coded app with confidence.

You built it fast with AI. Before you deploy, run one command and get a pre-launch report card: committed secrets, unpinned or typosquatted deps, missing security headers, broken SEO and accessibility, all caught locally on your own machine.

npx shipcheck

No install, no signup, no account. It reads your files and prints a report — that's it. Runs on Node 18+.

  ShipCheck — pre-launch report card  v1.0.0

    C  72/100
  1 critical · 2 high · 3 low

  Hard-coded secrets  (1)
     CRITICAL  AWS access key ID  src/config.js:14
        Hard-coded credentials can be extracted from your repo, bundle, or git history.
        → fix: Move it to an env var, .gitignore the file, and rotate the key.

  Environment & secrets config  (1)
     HIGH  Client-exposed secret  .env:3
        NEXT_PUBLIC_ vars are bundled into client JS and shipped to every visitor.

  ✓ Passed: Security headers, Build artifacts, Project hygiene

What it checks

🔑 Hard-coded secrets

API keys, tokens, private keys, connection strings & JWTs committed in source.

📦 Dependency health

Missing lockfile, unpinned versions, committed node_modules, abandoned & typosquatted packages.
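As an added example of what a dependency-health pass looks like (this is illustration code, not ShipCheck's own implementation), the block below runs three of the checks listed above over a parsed package.json: missing lockfile, wildcard and floating version ranges, and a cheap typosquat heuristic that flags names one edit away from a well-known package. Abandoned packages and a committed node_modules need registry metadata or the filesystem and are left out. The popular-package list, the severities and the sample manifest are all constructed for the example.

```javascript
// Added example, not ShipCheck's own code: checks over a parsed package.json in
// the spirit of the "Dependency health" item. The POPULAR list, severities and
// SAMPLE_PACKAGE are constructed for illustration.

const POPULAR = ['lodash', 'express', 'react', 'axios', 'chalk', 'commander', 'dotenv'];
const EXACT_SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Optimal string alignment distance: Levenshtein plus adjacent transpositions,
// so "lodahs" is 1 away from "lodash", the kind of slip typosquatters count on.
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      dp[i][j] = Math.min(dp[i - 1][j] + 1, dp[i][j - 1] + 1, dp[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        dp[i][j] = Math.min(dp[i][j], dp[i - 2][j - 2] + 1);
      }
    }
  }
  return dp[a.length][b.length];
}

// pkg: parsed package.json; hasLockfile: whether package-lock.json / yarn.lock /
// pnpm-lock.yaml exists. Floating ranges matter most when nothing pins them,
// so their severity drops when a lockfile is present.
function checkDependencies(pkg, { hasLockfile }) {
  const findings = [];
  if (!hasLockfile) {
    findings.push({ check: 'missing-lockfile', severity: 'high', msg: 'no lockfile; installs are not reproducible' });
  }
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  for (const [name, range] of Object.entries(deps)) {
    if (range === '*' || range === 'latest' || range === '') {
      findings.push({ check: 'wildcard-version', severity: 'high', name,
        msg: `"${range || '(empty)'}" installs whatever is published next` });
    } else if (!EXACT_SEMVER.test(range)) {
      findings.push({ check: 'unpinned-version', severity: hasLockfile ? 'low' : 'medium', name,
        msg: `range "${range}" can float to a newer release` });
    }
    if (!POPULAR.includes(name)) {
      const near = POPULAR.find((p) => editDistance(name, p) === 1);
      if (near) {
        findings.push({ check: 'possible-typosquat', severity: 'high', name,
          msg: `one edit away from "${near}"; verify the package before installing` });
      }
    }
  }
  return findings;
}

// Constructed sample manifest: a misspelled lodash, a wildcard, two floating ranges.
const SAMPLE_PACKAGE = {
  name: 'my-app',
  dependencies: { lodahs: '^4.17.21', express: '4.19.2', axios: '*' },
  devDependencies: { eslint: '~8.57.0' },
};

console.log(checkDependencies(SAMPLE_PACKAGE, { hasLockfile: false }));
```

The edit-distance heuristic has false positives (any real package that happens to be one edit from a popular one), which is why it is reported as "possible" and asks you to verify rather than failing outright; a real scanner would also compare against the registry's download counts before deciding.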

🔒 Environment config

Committed .env, missing .env.example, secrets exposed to the browser through NEXT_PUBLIC_/VITE_ prefixed variables.
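As an added example covering both the "Hard-coded secrets" and "Environment config" items (illustration code, not ShipCheck's own implementation), the block below scans a source file for a few credential shapes and a dotenv file for NEXT_PUBLIC_/VITE_ variables that look like secrets, then applies a --fail-on style severity gate. The regexes, severities, name hints and the two sample files are constructed for the example; the AWS key ID used is the placeholder from AWS's own documentation, not a real key.

```javascript
// Added example, not ShipCheck's own code: a minimal local-only scanner for the
// "Hard-coded secrets" and "Environment config" checks. Patterns, severities
// and the sample files are constructed for illustration.

// Credential shapes worth flagging on sight. No 'g' flag, so .test() is stateless.
const SECRET_PATTERNS = [
  // AWS access key IDs: 20 chars, AKIA (long-lived user key) or ASIA (temporary STS key)
  { id: 'aws-access-key-id', severity: 'critical', re: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/ },
  // PEM private key header, any algorithm
  { id: 'private-key', severity: 'critical', re: /-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/ },
  // JWT: three base64url segments; the header segment always starts with "eyJ" ('{"')
  { id: 'jwt', severity: 'high', re: /\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/ },
  // Database URL with an embedded password: scheme://user:password@host
  { id: 'connection-string', severity: 'high', re: /\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis):\/\/[^\s:@/]+:[^\s@/]+@/ },
];

// Scan a source file's text line by line; returns findings with 1-based line numbers.
function scanSource(file, text) {
  const findings = [];
  text.split('\n').forEach((line, i) => {
    for (const p of SECRET_PATTERNS) {
      if (p.re.test(line)) findings.push({ check: p.id, severity: p.severity, file, line: i + 1 });
    }
  });
  return findings;
}

// Prefixes that Next.js and Vite inline into the client bundle at build time.
const PUBLIC_PREFIXES = ['NEXT_PUBLIC_', 'VITE_'];
// Name fragments suggesting a credential rather than a harmless public setting.
const SECRET_NAME_HINT = /SECRET|PRIVATE|PASSWORD|TOKEN|API_KEY|ACCESS_KEY/;

// Parse a dotenv file and flag public-prefixed variables that look like secrets,
// either by name or because the value matches one of the credential shapes above.
function scanEnv(file, text) {
  const findings = [];
  text.split('\n').forEach((raw, i) => {
    const line = raw.trim();
    if (!line || line.startsWith('#')) return;
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(line);
    if (!m) return;
    const [, name, value] = m;
    if (!PUBLIC_PREFIXES.some((p) => name.startsWith(p))) return;
    const looksSecret = SECRET_NAME_HINT.test(name) || SECRET_PATTERNS.some((p) => p.re.test(value));
    if (looksSecret) findings.push({ check: 'client-exposed-secret', severity: 'high', file, line: i + 1, name });
  });
  return findings;
}

// A --fail-on style gate: true when any finding is at or above the threshold.
const SEVERITY_RANK = { low: 1, medium: 2, high: 3, critical: 4 };
function shouldFail(findings, failOn) {
  return findings.some((f) => SEVERITY_RANK[f.severity] >= SEVERITY_RANK[failOn]);
}

// Constructed sample inputs (the AWS key ID is the placeholder from AWS's own docs).
const SAMPLE_SOURCE = [
  "const region = 'us-east-1';",
  "const accessKeyId = 'AKIAIOSFODNN7EXAMPLE';",
  "const dbUrl = 'postgres://app:hunter2@db.internal:5432/app';",
].join('\n');
const SAMPLE_ENV = [
  '# constructed .env',
  'NEXT_PUBLIC_API_URL=https://api.example.com',
  'NEXT_PUBLIC_STRIPE_SECRET_KEY=sk_test_constructed',
  'VITE_ANALYTICS_ID=UA-000000-1',
  'DATABASE_URL=postgres://app:hunter2@db.internal:5432/app',
].join('\n');

function runExample() {
  const findings = [...scanSource('src/config.js', SAMPLE_SOURCE), ...scanEnv('.env', SAMPLE_ENV)];
  return { findings, fail: shouldFail(findings, 'high') };
}

console.log(JSON.stringify(runExample(), null, 2));
```

Two details are worth copying into any scanner of this kind: the AWS pattern anchors on the fixed 4-character prefix plus exact length rather than on entropy, which keeps it fast and nearly free of false positives, and the env check treats a public prefix as the trigger and only then asks whether the name or value looks like a credential, since NEXT_PUBLIC_API_URL is fine to ship while NEXT_PUBLIC_STRIPE_SECRET_KEY is not. A finding from scanSource still needs the rotation step from the sample report: deleting the line leaves the key in git history.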

🛡️ Security headers

Missing CSP, HSTS, X-Content-Type-Options, X-Frame-Options & Referrer-Policy in your deploy config.
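As an added example of a security-headers check (illustration code, not ShipCheck's own implementation), the block below takes the headers you would declare in a deploy config (a vercel.json "headers" entry, netlify.toml, a _headers file) as a plain object, reports the five missing headers listed above, and goes one step further than a presence check by flagging weak values: a short HSTS max-age, a CSP whose effective script-src allows 'unsafe-inline' or any origin, an X-Frame-Options value browsers ignore, and a Referrer-Policy that leaks full URLs. The thresholds, severities and the weak and hardened sample configs are constructed for the example.

```javascript
// Added example, not ShipCheck's own code: a check over response headers from a
// deploy config. Required list, thresholds and sample configs are constructed.

const REQUIRED = [
  'content-security-policy',
  'strict-transport-security',
  'x-content-type-options',
  'x-frame-options',
  'referrer-policy',
];
const ONE_YEAR = 31536000; // HSTS max-age in seconds that preload lists expect

// Header names are case-insensitive, so normalize before lookup.
function normalize(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v).trim();
  return out;
}

// Parse a CSP string into { directive: [sources] }.
function parseCsp(csp) {
  const directives = {};
  for (const part of csp.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

function checkHeaders(headers) {
  const h = normalize(headers);
  const findings = [];
  const add = (header, severity, msg) => findings.push({ header, severity, msg });

  for (const name of REQUIRED) if (!(name in h)) add(name, 'medium', 'missing');

  if (h['strict-transport-security']) {
    const m = /max-age=(\d+)/i.exec(h['strict-transport-security']);
    const maxAge = m ? Number(m[1]) : 0;
    if (maxAge < ONE_YEAR) add('strict-transport-security', 'low', `max-age=${maxAge} is below one year`);
  }

  if (h['content-security-policy']) {
    const d = parseCsp(h['content-security-policy']);
    // script-src falls back to default-src; if neither is set, scripts are unrestricted.
    const scriptSrc = d['script-src'] || d['default-src'];
    if (!scriptSrc) {
      add('content-security-policy', 'high', 'no script-src or default-src; scripts are unrestricted');
    } else {
      // Under CSP3, 'unsafe-inline' is ignored when a nonce or hash source is present.
      const hasNonceOrHash = scriptSrc.some((s) => /^'(?:nonce-|sha(?:256|384|512)-)/.test(s));
      if (!hasNonceOrHash && scriptSrc.includes("'unsafe-inline'")) {
        add('content-security-policy', 'high', "script-src allows 'unsafe-inline'");
      }
      if (scriptSrc.includes('*')) add('content-security-policy', 'high', 'script-src allows any origin (*)');
    }
  }

  if (h['x-content-type-options'] && h['x-content-type-options'].toLowerCase() !== 'nosniff') {
    add('x-content-type-options', 'low', 'value must be "nosniff"');
  }

  if (h['x-frame-options'] && !['DENY', 'SAMEORIGIN'].includes(h['x-frame-options'].toUpperCase())) {
    add('x-frame-options', 'medium', 'only DENY or SAMEORIGIN are honoured; use CSP frame-ancestors for allow-lists');
  }

  if (h['referrer-policy'] && ['unsafe-url', 'no-referrer-when-downgrade'].includes(h['referrer-policy'].toLowerCase())) {
    add('referrer-policy', 'low', 'leaks full URLs to other origins');
  }

  return findings;
}

// Constructed sample configs: a weak set and a hardened set.
const WEAK_HEADERS = {
  'Strict-Transport-Security': 'max-age=3600',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline'",
  'X-Frame-Options': 'ALLOW-FROM https://partner.example',
};
const HARDENED_HEADERS = {
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'",
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
};

console.log('weak:', checkHeaders(WEAK_HEADERS));
console.log('hardened:', checkHeaders(HARDENED_HEADERS));
```

The CSP branch is the part worth getting right: script-src inherits from default-src when absent, so a policy with neither leaves scripts unrestricted even though a CSP header is technically present, and 'unsafe-inline' next to a nonce or hash is harmless in CSP3 browsers and should not be reported. The hardened set also carries frame-ancestors, which is what replaces X-Frame-Options for anything more granular than DENY/SAMEORIGIN.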

🗂️ Build artifacts

Committed dist/build, shipped source maps, a deployed .git folder, editor junk.

🔎 SEO & metadata

Missing <title>, description, Open Graph tags, viewport, favicon, robots & sitemap.

♿ Accessibility

<img> without alt, icon buttons with no label, unlabeled inputs, missing lang.

🧹 Project hygiene

Missing README/LICENSE/.gitignore, incomplete package.json, leftover TODOs & debug logs.

Drop it into CI

Gate every push and get a report in the job summary:

# .github/workflows/shipcheck.yml
- uses: Dukotah/shipcheck@v1
  with:
    fail-on: high

Or run npx shipcheck --fail-on high directly in any CI system, and pass --format sarif to emit SARIF that GitHub code scanning can ingest.

Why ShipCheck

Most of these checks live as separate web tools — you paste your code into one site, your headers into another, your token into a third. That's slow, and pasting a live secret into a random website is its own risk. ShipCheck folds the whole pre-launch checklist into one local command that lives in your workflow. It never makes a network request and never writes to your project.