Security scan for AI-built apps

Built your app with AI?
Find out what it's leaking.

ShipSafe scans apps built on Lovable, Bolt, Replit, or Cursor — then tells you, in plain English, exactly what a hacker could do and how to fix it. Free scan in minutes.

Read-only · No credit card for the free scan

A vulnerable app, caught and fixed — the way ShipSafe reads your code.
8 attack categoriesFull git historyLive-site probingPlain-English report

The problem

AI writes code fast. It doesn't write it safe.

The same tools that let you ship an app in a weekend also leave the door unlocked — secrets sitting in your code history, database tables anyone can read, payment confirmations a stranger can fake. You can't see it. A hacker can. ShipSafe finds it first, and hands you the fix in words you actually understand.

What we check

Eight ways an AI-built app gets breached.

These are the mistakes AI code generators make most — the ones attackers look for first.

🔑

Leaked passwords & keys

We scan your entire code history for API keys, database passwords, and secret keys that got committed — even ones you thought you deleted.

🌐

Secrets exposed to visitors

Some keys are meant for your server only. We catch the ones that accidentally ship to every visitor's browser, where anyone can grab them.

🚪

Unlocked back doors

We find actions — like deleting data or changing accounts — that anyone can trigger without logging in.

🪪

Peeking at other people's data

We look for places where one logged-in user could load another user's private records just by changing a number in the URL.

📦

Risky building blocks

Your app is built on open-source packages. We check them against a live vulnerability database and flag the dangerous ones.

🛡️

Weak website protections

On your live site we check the security settings that block common attacks like clickjacking and cookie theft.

🗄️

Publicly readable database

If you use Supabase, we test what a random visitor can read from your database — a very common and very serious mistake.

💳

Fakeable payments & uploads

We check that payment confirmations can't be forged and that file uploads can't be abused to attack your app.

How it works

Three minutes of yours. A hacker's-eye view of your app.

01

Paste your repo

Drop in your GitHub link. Add your live URL and database key for a deeper scan — both optional.

02

We scan it like an attacker

We read your whole code history and probe your live site across 8 categories of the most common AI-code mistakes.

03

Read it in plain English

You get a clear grade and a fix-it list anyone can follow — every issue with a real-world scenario and the exact fix.

Your report

A grade, and a plain-English fix for every hole.

We grade your app A to F on a formula we show you — no black box. Every finding leads with what it means and what could actually happen, then opens into the exact technical fix for whoever does the work.

  • One clear letter grade, with the math shown
  • Every issue: plain English, a real scenario, the fix
  • Found secrets shown masked — we never store them raw
  • Honest “not assessed” labels — we never fake a pass
F
Sample report
3 critical · 2 high
example
Critical · leaked key

A password to your database is sitting in your code history.

What could happen: anyone who finds it can read, change, or delete every one of your customers' records — no login required.

The fix: rotate the key, then scrub it from your history. We show you every command.

Illustrative — your real report is generated from your code.

Simple pricing

The scan is free. Pay only when you want the full fix-it list.

Full report

$149 once

  • Every issue we found
  • Plain-English explanation + real scenario
  • Exact fix instructions for each
  • Option to book a fix call
Start with a free scan

Retainer

$399/mo

We watch it, we fix it

  • Ongoing monitoring as you ship
  • We fix the critical issues for you
  • A standing line to a security engineer

Questions

Is my code safe with you?+

Yes. We only read your code — we never change it. If you give us a token for a private repo it must be read-only, it's stored encrypted, it's never written to any log, and we delete it whenever you ask.

Do I need to be technical?+

No. Every finding is written in plain English with a concrete example of what could go wrong. There's a separate 'technical detail' section your developer — or an AI tool — can use to fix it.

How long does a scan take?+

Usually a minute or two. You paste your GitHub repo link and watch the progress right in your browser.

What do I get for free?+

Your overall grade, the number of critical and high issues, and one full critical finding. The full report — every issue and its fix — is a one-time $149.

Stop guessing whether your app is safe.

Paste your repo and get a plain-English security grade in minutes. Free, read-only, no card.