ShipCheck Documentation
Learn how to verify ownership, run production readiness scans, and interpret findings with confidence.
Getting Started
Start by creating a site entry from your dashboard and entering the production URL you want monitored. ShipCheck validates URL format, stores the project under your account, and prepares it for ownership verification.
To verify ownership, download the verification token file from the dashboard and upload it to the root of your web server. Once that file is accessible publicly, run verification and ShipCheck confirms domain control before deep scan features are enabled.
After verification, trigger your first scan from the site detail view. You can choose standard scan profiles immediately, and higher plans unlock deeper scans with broader checks and more detailed remediation context.
Completed scans appear in your report history, where each issue links to severity, impact, and practical fixes. Use this as your deployment readiness checklist before each release.
Scan Categories
Security: Tests transport security, headers, cookie/session risks, and common exploit surfaces. Findings prioritize vulnerabilities that can lead to account compromise or data exposure.
Payments: Evaluates payment form safety, webhook hardening, and common checkout misconfigurations. This category helps reduce fraud exposure and billing outages in production.
Auth: Reviews login flow protections, session handling, and access control boundaries. It highlights places where authorization rules are missing, weak, or inconsistent.
SEO: Checks metadata, crawlability, canonical consistency, and indexation blockers. The goal is to keep your site discoverable while preserving content quality signals.
Performance: Measures load path bottlenecks and expensive assets that affect responsiveness. The report focuses on optimizations with practical impact on user experience.
Uptime: Tracks availability and response behavior over time. Alerts surface reliability regressions early so you can fix incidents before users report them.
Understanding Your Report
Every scan produces an overall grade from A to F, where A indicates strong readiness and F indicates high production risk. Grades combine issue severity, category coverage, and unresolved critical items.
Each finding also has a severity label: Critical, High, Medium, Low, or Info. Prioritize Critical and High first, then use lower severities as backlog improvements.
If you believe a result is inaccurate, use false-positive reporting on the finding. That feedback helps improve rule quality and reduces recurring noise in future scans.
Verification
ShipCheck verifies ownership with a unique token file. Download the generated file and place it at your site root so it can be fetched directly by URL.
Once the file is published, run verification from the dashboard. A successful check confirms you control deployment for that domain and unlocks protected scan workflows.
Plans & Limits
- Free: 1 scan per week
- Builder: $19/month, 30 scans per month
- Pro: $39/month, unlimited scans, team access, API access
Repo Secrets Scanning (Builder & Pro)
Connecting GitHub
From the Repositories dashboard, click "Connect GitHub" to install the ShipCheck GitHub App. The app requests read-only access to your repository contents. Once installed, your repos appear automatically and can be scanned on demand.
ZIP Upload
Prefer not to connect GitHub? Upload a ZIP archive of your repository instead. ShipCheck extracts the contents, runs the secrets scan, and deletes the archive immediately after processing.
What Appears in Your Report
Repo scan results appear as a "Secrets" category at the top of your scan report. Each finding includes: the file path, a masked preview of the secret (e.g., sk_live_...R8F9), the secret type (API key, token, password, private key), severity, and a recommended fix.
Fix Flow
For each finding: (1) rotate the leaked credential immediately, (2) move the secret to an environment variable, (3) add the file pattern to .gitignore, (4) rescan to verify it's resolved.
False Positives & Ignore Rules
If a finding is a false positive (e.g., a test fixture or example key), you can create an ignore rule from the finding detail view. Ignored findings use a fingerprint hash and won't appear in future scans unless the underlying content changes.
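The masked preview and the content-keyed ignore rule described above, as an added example that is not ShipCheck's own scanner: detector patterns, severities and the fingerprint scheme are assumptions, and the repository content is constructed sample data.

```python
import hashlib
import re

# Assumed detector rules and severities for this example; ShipCheck's own
# rule set is not published on this page.
PATTERNS = {
    "API key": re.compile(r"(?P<secret>\bsk_(?:live|test)_[A-Za-z0-9]{16,}\b)"),
    "password": re.compile(r"password\s*=\s*[\"'](?P<secret>[^\"']{8,})[\"']", re.I),
}
SEVERITY = {"API key": "Critical", "password": "High"}


def mask(secret: str, prefix: int = 8, suffix: int = 4) -> str:
    """Masked preview in the report's style, e.g. sk_live_...R8F9."""
    if len(secret) <= prefix + suffix:
        return "*" * len(secret)
    return f"{secret[:prefix]}...{secret[-suffix:]}"


def fingerprint(path: str, secret_type: str, secret: str) -> str:
    """Stable hash over path, type and raw value. It changes only when the
    underlying content changes, so an ignore rule keyed on it stops applying
    as soon as a different value appears in that file."""
    data = "\0".join((path, secret_type, secret)).encode()
    return hashlib.sha256(data).hexdigest()


def scan(files: dict, ignored: set) -> list:
    """Scan {path: content}; drop findings whose fingerprint is ignored.
    Only the masked preview and fingerprint are kept, never the raw value."""
    findings = []
    for path, content in files.items():
        for secret_type, pattern in PATTERNS.items():
            for match in pattern.finditer(content):
                secret = match.group("secret")
                fp = fingerprint(path, secret_type, secret)
                if fp in ignored:
                    continue
                findings.append({"path": path, "type": secret_type,
                                 "severity": SEVERITY[secret_type],
                                 "preview": mask(secret), "fingerprint": fp})
    return findings


# Constructed sample repository content (not real credentials).
SAMPLE_FILES = {
    "config/payments.py": 'STRIPE_KEY = "sk_live_ABCDEFGHIJKLMNOPQRSTR8F9"\n'
                          'DB_PASSWORD = "corr3ct-horse-battery"\n',
    "tests/fixtures.py": 'EXAMPLE = "sk_test_0000000000000000ABCD"\n',
}
```

Ignoring the test fixture suppresses it on rescan, but editing that fixture to a different value produces a new fingerprint and the finding returns.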
Privacy Guarantees
ShipCheck never stores your source code. Repository contents are cloned into a temporary directory, scanned, and deleted immediately. We store only masked previews and fingerprint hashes for findings. Private repo access is read-only through the GitHub App and can be revoked at any time from your GitHub settings.
Database Posture (Deep Scan)
Deep Scans include a database version posture check for common engines: PostgreSQL, MySQL, MongoDB, and Redis. If version data is available in HTTP responses, ShipCheck reports the detected engine and version, whether it's Supported / Near EOL / End of Life, and whether it's behind the latest security patches.
If ShipCheck can't detect your database version (no version strings found in HTTP responses), the report will show Not Assessed — we detect versions passively from your site's responses, not by connecting to your database.
What Gets Checked
- Engine detection (PostgreSQL, MySQL, MongoDB, Redis)
- Version lifecycle status (Supported, Near EOL, End of Life)
- Patch level compared to latest available patch for your major version
What's NOT Checked
This is version posture only. It does not inspect database roles, permissions, schema rules, or configuration settings. It does not connect to your database directly.
How Findings Appear
End of Life databases generate a Critical finding. Near-EOL databases generate a High finding. Behind-patch databases generate a Medium finding. These count toward your Security grade.
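The lifecycle and patch-level classification above, carried through as an added example (not ShipCheck's implementation). The lifecycle table, the Near-EOL window and the engine/version pairs are constructed placeholders, not real vendor support dates or release numbers.

```python
from datetime import date, timedelta

# Constructed placeholder lifecycle data for the example. These are NOT real
# vendor EOL dates or release numbers; a real check consults the vendor's
# published support schedule.
LIFECYCLE = {
    ("PostgreSQL", 13): {"eol": date(2030, 1, 1), "latest": "13.5"},
    ("PostgreSQL", 11): {"eol": date(2024, 6, 1), "latest": "11.9"},
    ("MySQL", 8): {"eol": date(2027, 4, 1), "latest": "8.0.40"},
    ("Redis", 6): {"eol": date(2026, 2, 15), "latest": "6.2.14"},
}
NEAR_EOL_WINDOW = timedelta(days=180)  # assumed threshold for "Near EOL"
SEVERITY = {"End of Life": "Critical", "Near EOL": "High"}


def parse_version(text: str) -> tuple:
    """'8.0.38' -> (8, 0, 38) so tuples compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def assess(engine: str, version: str, today: date) -> dict:
    """Classify a passively detected engine/version pair.

    Returns Not Assessed when no version string was seen or the major version
    is unknown to the table; otherwise the lifecycle status, whether the patch
    level is behind the latest for that major, and the resulting severity."""
    if not version:
        return {"engine": engine, "status": "Not Assessed", "severity": None}
    detected = parse_version(version)
    entry = LIFECYCLE.get((engine, detected[0]))
    if entry is None:
        return {"engine": engine, "version": version,
                "status": "Not Assessed", "severity": None}
    if today >= entry["eol"]:
        status = "End of Life"
    elif entry["eol"] - today <= NEAR_EOL_WINDOW:
        status = "Near EOL"
    else:
        status = "Supported"
    behind = detected < parse_version(entry["latest"])
    # Lifecycle status is the primary finding; an old patch level on a still
    # supported major only yields a Medium.
    severity = SEVERITY.get(status) or ("Medium" if behind else None)
    return {"engine": engine, "version": version, "status": status,
            "behind_patch": behind, "latest": entry["latest"],
            "severity": severity}
```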
Skills Pack
The ShipCheck Skills Pack is a collection of 17 production-tested skills for AI coding assistants. It turns your AI agent into a deployment engineer with enforced quality gates, structured incident response, and automated security scanning.
What's Included
- Build Standards — coding standards, deploy gates, security scan requirements
- Deploy Script — automated deploy pipeline with runtime auto-detection
- Feature & Triage Playbooks — turn bugs and feature requests into structured build plans
- Incident Response — structured incident handling from detection to postmortem
- Performance & Infrastructure Playbooks — diagnose regressions, plan scaling
- Agent Failure Postmortem — root-cause analysis when AI builds go wrong
- And 11 more operational skills
Installation
Download the Skills Pack from your dashboard (Builder+). Copy the pack into your repo root and tell your AI agent: "Install this skills pack." The agent handles placeholder replacement, deploy script setup, and validation automatically.
Updates
When new skills or improvements are released, your agent can check for updates via the version check API. Download the latest version from your dashboard, or use a scoped Skills Pack download key from Settings → API Keys for terminal updates.
API Reference
ShipCheck provides a REST API for Pro plan users to integrate security scans into CI/CD pipelines, deploy scripts, and custom tooling. The API supports triggering scans, polling for completion, and retrieving full reports programmatically.
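A CI gate built on the trigger/poll/retrieve flow above, as an added example rather than ShipCheck's own client: the endpoint paths and response fields are not documented on this page, so the HTTP call is left to a caller-supplied function and the response shape, status values and gate thresholds are assumptions; the fake API responses are constructed.

```python
import time

GRADE_ORDER = "ABCDEF"           # A = strong readiness ... F = high risk
BLOCKING = {"Critical", "High"}  # severities that should block a release


def wait_for_report(get_scan, scan_id, timeout=600.0, interval=5.0, sleep=time.sleep):
    """Poll get_scan(scan_id) until the scan finishes or the timeout expires.

    get_scan wraps the real HTTP request (assumed to return a dict with a
    'status' field and, once complete, a 'report'). Polling backs off so a
    long scan does not hammer the API."""
    deadline = time.monotonic() + timeout
    while True:
        scan = get_scan(scan_id)
        if scan["status"] in ("complete", "failed"):
            return scan
        if time.monotonic() >= deadline:
            raise TimeoutError(f"scan {scan_id} did not finish within {timeout}s")
        sleep(interval)
        interval = min(interval * 2, 60.0)


def gate(report: dict, min_grade: str = "B") -> tuple:
    """Decide whether a deploy may proceed; returns (ok, reasons).

    Fails on a grade below min_grade or on any Critical/High finding, the
    severities the report docs say to fix first."""
    reasons = []
    grade = report.get("grade", "F").upper()
    if GRADE_ORDER.index(grade) > GRADE_ORDER.index(min_grade.upper()):
        reasons.append(f"grade {grade} is below required {min_grade}")
    for finding in report.get("findings", []):
        if finding.get("severity") in BLOCKING:
            reasons.append(f"{finding['severity']}: {finding.get('title', 'unnamed finding')}")
    return (not reasons, reasons)


# Constructed fake API responses so the flow runs offline: two in-progress
# polls, then a completed scan with one blocking and one low finding.
FAKE_SCANS = {
    "scan-1": iter([
        {"status": "queued"},
        {"status": "running"},
        {"status": "complete", "report": {"grade": "C", "findings": [
            {"severity": "High", "title": "Missing HSTS header"},
            {"severity": "Low", "title": "Missing canonical tag"}]}},
    ]),
}


def fake_get_scan(scan_id):
    return next(FAKE_SCANS[scan_id])
```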
FAQ
How long does a scan take?
Most scans finish in a few minutes depending on site size and selected profile.
Can I scan staging URLs?
Yes, as long as you can complete ownership verification for that environment.
Do scans modify my site?
No. ShipCheck performs read-only checks and does not alter content or deployment settings.
How often should I rescan?
Run scans before major releases and after infrastructure or auth changes.
Can I export reports?
Yes. From the scan results page, use the download button to save a markdown report. Pro plan users can also fetch reports programmatically via the API in JSON or AI-readable markdown format.
Where do I report a false positive?
Open the finding details in a report and use the false-positive action tied to that check.