About Our Scanning Methods

User-Agent: ShipCheck-Scanner/1.0 (+https://shipcheckhq.com/about-scanning; security@shipcheckhq.com)

All our scanning requests use this identifiable user-agent. If you see it in your logs, a ScanCheck user who completed domain verification for your site requested the scan through ShipCheck.

What We Scan For

🔒 Security Issues

  • Exposed API keys in client-side code
  • Missing security headers (CSP, HSTS, X-Frame-Options)
  • Insecure cookie configurations
  • Open redirect vulnerabilities
  • IDOR (Insecure Direct Object Reference) issues
  • Cross-site scripting (XSS) vulnerabilities via OWASP ZAP
  • SQL injection vulnerabilities via OWASP ZAP

💳 Payment Security

  • Stripe test keys in production bundles
  • Webhook signature verification
  • Missing pricing pages
  • Broken payment flows

🔐 Authentication

  • Rate limiting on login endpoints
  • Protected route validation
  • Session cookie security
  • OAuth configuration issues

🔑 Repo Secrets Scanning (Builder & Pro)

  • Committed API keys and tokens (Stripe, AWS, GitHub, etc.)
  • Hardcoded passwords and database credentials
  • Private keys (RSA, SSH, PGP)
  • Cloud provider credentials and service account keys
  • .env files and configuration secrets checked into source

Connect via GitHub App (read-only) or upload a ZIP. We never store your source code.

Scanning Process

STARTER Scans (Free)

Passive analysis only. We inspect HTTP headers, analyze page content, and check for exposed files. No active probing or payload injection. Typically completes in 10-15 seconds.

DEEP Scans (Paid)

Includes everything in STARTER plus active security testing: rate limit probes, authentication tests, IDOR checks, and OWASP ZAP injection testing. May take 60-120 seconds.

Repo Secrets Scans (Builder & Pro)

Clones your repository (via GitHub App or ZIP upload), scans all files for committed secrets using pattern matching and entropy analysis, then deletes the clone immediately. Results show masked previews only. Typically completes in 15-45 seconds.

Rate Limits & Safety

  • Default 2 requests/second to any domain during scanning
  • Burst to 10 req/s only during rate-limit tests (limited to ~30 requests total)
  • Maximum 1 scan per domain per hour regardless of plan
  • Hard timeouts: 30s (Free), 120s (Builder), 300s (Pro)
  • Auto-backoff on 429/503 responses or slow response times

Privacy & Data Handling

We do NOT store:

  • Full response bodies from your application
  • Complete API keys or secrets
  • Session tokens or user data
  • Stack traces or error details

We DO store:

  • Redacted evidence snippets (e.g., "sk_live_...R8F9")
  • SHA-256 hashes of responses for reproducibility
  • Request metadata (URL, status code, timing)
  • Scan consent records with timestamp and IP

For Repo Secrets Scanning specifically:

  • We do not store your source code — repos are cloned to a temporary directory and deleted after scanning
  • We do not store full secret values — only masked previews (first/last 4 characters)
  • We do store fingerprint hashes of findings for ignore rule matching
  • Private repo access is read-only through the GitHub App and can be revoked from your GitHub settings at any time
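To illustrate how the Repo Secrets Scan process described above fits together (pattern matching plus entropy analysis, masked previews that keep only the first and last 4 characters, and fingerprint hashes for ignore rule matching), here is example code written for this page; it is not ShipCheck's scanner. The rule patterns, the 4.5 bits/char entropy cutoff and the sample .env contents are constructed assumptions.

```python
import hashlib
import math
import re

# Named rules, constructed for this example (not ShipCheck's actual rule set).
PATTERNS = {
    "stripe_secret_key": re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{16,}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
# Any long opaque-looking run of token characters is a candidate for the entropy check.
CANDIDATE = re.compile(r"[A-Za-z0-9+/_\-]{20,}")
ENTROPY_THRESHOLD = 4.5  # bits/char; assumed cutoff, tune against your own false positives

def shannon_entropy(s: str) -> float:
    """Bits per character: random tokens score high, words and identifiers score low."""
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def mask(secret: str) -> str:
    """Masked preview keeping only the first and last 4 characters."""
    return "*" * len(secret) if len(secret) <= 8 else f"{secret[:4]}...{secret[-4:]}"

def fingerprint(path: str, rule: str, secret: str) -> str:
    """SHA-256 of (path, rule, secret), so an ignore rule can match a finding without storing it."""
    return hashlib.sha256(f"{path}\n{rule}\n{secret}".encode()).hexdigest()

def scan_text(path: str, text: str) -> list[dict]:
    """Return findings that carry a masked preview and a fingerprint, never the raw secret."""
    findings, seen = [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        hits = [(rule, m.group(0)) for rule, pat in PATTERNS.items() for m in pat.finditer(line)]
        hits += [("high_entropy_token", m.group(0)) for m in CANDIDATE.finditer(line)
                 if shannon_entropy(m.group(0)) >= ENTROPY_THRESHOLD]
        for rule, secret in hits:
            if secret in seen:  # a named-rule hit can also match CANDIDATE; report it once
                continue
            seen.add(secret)
            findings.append({"path": path, "line": lineno, "rule": rule, "preview": mask(secret),
                             "fingerprint": fingerprint(path, rule, secret)})
    return findings

# Constructed sample .env; every value is fake and chosen to exercise one branch each.
SAMPLE_ENV = """\
STRIPE_SECRET_KEY=sk_test_51Kx9QmExampleToken0000
AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY000000
SESSION_SIGNING_KEY=Zx9Qm2Lk7Pq4Rt8Vw1Yb5Nd3Hs6Jf0Gc
APP_NAME=shipcheck-demo-application
DEBUG_FLAG=aaaaaaaaaaaaaaaaaaaaaaaaaaaa
"""
```

Running `scan_text(".env", SAMPLE_ENV)` yields three findings (two named rules, one entropy hit); the readable application name and the repeated-character value stay below the cutoff, which is the false-positive trade-off any entropy threshold has to be tuned for.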

Questions or Concerns?

If you have questions about our scanning methods or believe your domain was scanned without authorization, contact us immediately: