About ShipCheck
An open-source, zero-dependency command-line tool that gives a project a pre-launch report card — built for people shipping fast with AI who don't want to miss the boring-but-critical things.
How it works
Run npx shipcheck in your project. It walks your files once (respecting .gitignore), runs eight independent checks — secrets, dependencies, environment config, security headers, build artifacts, SEO, accessibility and project hygiene — scores the result into a grade, and prints it. Add --fail-on high to gate CI, or --format sarif for GitHub code scanning.
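One way to wire both flags into CI, as an added example rather than configuration from the ShipCheck project: a GitHub Actions workflow that publishes the SARIF report to code scanning and then gates the job on high-severity findings. The workflow name, job name and the shipcheck.sarif file name are hypothetical, and it assumes the SARIF report is printed to stdout and that --fail-on high exits non-zero when the threshold is met.

```yaml
# Added example: hypothetical workflow, not taken from the ShipCheck repository.
name: shipcheck
on:
  pull_request:
  push:
    branches: [main]

# Least privilege: read the code, write code scanning results, nothing else.
permissions:
  contents: read
  security-events: write

jobs:
  shipcheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20

      # Assumption: "--format sarif" prints the report to stdout, so it is
      # redirected into a file (file name chosen for this example).
      # continue-on-error keeps the upload step running even if findings
      # cause a non-zero exit here.
      # In a real pipeline, pin the tool to a reviewed release
      # (npx shipcheck@X.Y.Z, placeholder) instead of resolving latest.
      - name: Generate SARIF report
        run: npx --yes shipcheck --format sarif > shipcheck.sarif
        continue-on-error: true

      - name: Upload report to GitHub code scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: shipcheck.sarif

      # Assumption: "--fail-on high" returns a non-zero exit code when a
      # high-severity finding exists, which fails this step and the job.
      - name: Gate on high-severity findings
        run: npx --yes shipcheck --fail-on high
```

The gate runs last so that the report reaches code scanning even on a failing build.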
Local by design
ShipCheck never makes a network request and never writes to your project. Your code never leaves your machine — which is rather the point of a tool that hunts for leaked secrets. It has zero runtime dependencies; it's just Node's standard library.
Not a substitute for real review
ShipCheck catches common, high-signal mistakes — it is not a full security audit, penetration test, or a guarantee. Treat a clean report as "I didn't ship the obvious stuff broken," not "this is bulletproof." Always test in a real browser and review anything that handles money, auth, or personal data.
Open source & extensible
MIT-licensed on GitHub. Each check is a ~30-line module — adding one is trivial (see CONTRIBUTING). PRs welcome.
Made by Copper Bay Labs
One of a family of free developer tools. See more at Copper Bay Labs. Want your app reviewed or hardened for you? Copper Bay Tech can help.