Terms of Service

Last updated: February 24, 2026

Domain Ownership Requirement

You must own or have explicit authorization to scan any domain you submit to ShipCheck.

By using our scanning service, you confirm that:

  • You own the domain being scanned, OR you have written authorization from the domain owner to perform security testing
  • You understand ShipCheck will send HTTP requests to test security, performance, and configuration

Repository Authorization

You must own or have explicit authorization to scan any repository you submit to ShipCheck.

By connecting a GitHub account or uploading a repository archive, you confirm that:

  • You own the repository being scanned, OR you have written authorization from the repository owner
  • You understand ShipCheck will clone and analyze the repository contents for committed secrets
  • Repository scanning is read-only — ShipCheck does not modify your code, create commits, or push changes
  • Source code is deleted immediately after scanning and is never stored

Unauthorized repository scanning violates these terms. The rules in the Abuse Prevention section below apply equally to repository scanning.

Scanning Methods

ShipCheck uses these testing methods:

  • Passive analysis: HTTP header inspection, content analysis, asset detection
  • Active security testing: Authentication probes, rate limit tests, injection checks (paid plans)
  • OWASP ZAP integration: Automated XSS and SQLi testing (paid plans)
  • IDOR probing: Tests for insecure direct object references

All requests use the user-agent: ShipCheck-Scanner/1.0 (+https://shipcheckhq.com/about-scanning; security@shipcheckhq.com)

Limitation of Liability

ShipCheck is not liable for any service disruption caused by our scanning activities. Our scans use reasonable rate limits and timeouts, but you acknowledge that active security testing may trigger alerts or temporarily impact performance.

Abuse Prevention

Unauthorized scanning violates these terms and may violate applicable laws. If you believe your domain has been scanned without permission:

  • Report it immediately to abuse@shipcheckhq.com
  • We will investigate and suspend offending accounts within 1 hour
  • Repeat offenders are permanently banned
  • We maintain full audit logs of all scan consent and domain verification

Contact

Questions or concerns about these terms? Contact us at legal@shipcheckhq.com