Security scan for AI-built apps
Built your app with AI?
Find out what it's leaking.
ShipSafe scans apps built on Lovable, Bolt, Replit, or Cursor — then tells you, in plain English, exactly what a hacker could do and how to fix it. Free scan in minutes.
Read-only · No credit card for the free scan
The problem
AI writes code fast. It doesn't write it safe.
The same tools that let you ship an app in a weekend also leave the door unlocked — secrets sitting in your code history, database tables anyone can read, payment confirmations a stranger can fake. You can't see it. A hacker can. ShipSafe finds it first, and hands you the fix in words you actually understand.
What we check
Eight ways an AI-built app gets breached.
These are the mistakes AI code generators make most — the ones attackers look for first.
Leaked passwords & keys
We scan your entire code history for API keys, database passwords, and secret keys that got committed — even ones you thought you deleted.
Secrets exposed to visitors
Some keys are meant for your server only. We catch the ones that accidentally ship to every visitor's browser, where anyone can grab them.
Unlocked back doors
We find actions — like deleting data or changing accounts — that anyone can trigger without logging in.
Peeking at other people's data
We look for places where one logged-in user could load another user's private records just by changing a number in the URL.
Risky building blocks
Your app is built on open-source packages. We check them against a live vulnerability database and flag the dangerous ones.
Weak website protections
On your live site we check the security settings that block common attacks like clickjacking and cookie theft.
Publicly readable database
If you use Supabase, we test what a random visitor can read from your database — a very common and very serious mistake.
Fakeable payments & uploads
We check that payment confirmations can't be forged and that file uploads can't be abused to attack your app.
How it works
Three minutes of yours. A hacker's-eye view of your app.
Paste your repo
Drop in your GitHub link. Add your live URL and database key for a deeper scan — both optional.
We scan it like an attacker
We read your whole code history and probe your live site across 8 categories of the most common AI-code mistakes.
Read it in plain English
You get a clear grade and a fix-it list anyone can follow — every issue with a real-world scenario and the exact fix.
Your report
A grade, and a plain-English fix for every hole.
We grade your app A to F on a formula we show you — no black box. Every finding leads with what it means and what could actually happen, then opens into the exact technical fix for whoever does the work.
- ✓ One clear letter grade, with the math shown
- ✓ Every issue: plain English, a real scenario, the fix
- ✓ Found secrets shown masked — we never store them raw
- ✓ Honest “not assessed” labels — we never fake a pass
3 critical · 2 high
A password to your database is sitting in your code history.
What could happen: anyone who finds it can read, change, or delete every one of your customers' records — no login required.
The fix: rotate the key, then scrub it from your history. We show you every command.
Illustrative — your real report is generated from your code.
Simple pricing
The scan is free. Pay only when you want the full fix-it list.
Full report
$149 once
- ✓ Every issue we found
- ✓ Plain-English explanation + real scenario
- ✓ Exact fix instructions for each
- ✓ Option to book a fix call
Retainer
$399/mo
We watch it, we fix it
- ✓ Ongoing monitoring as you ship
- ✓ We fix the critical issues for you
- ✓ A standing line to a security engineer
Questions
Is my code safe with you?+
Yes. We only read your code — we never change it. If you give us a token for a private repo it must be read-only, it's stored encrypted, it's never written to any log, and we delete it whenever you ask.
Do I need to be technical?+
No. Every finding is written in plain English with a concrete example of what could go wrong. There's a separate 'technical detail' section your developer — or an AI tool — can use to fix it.
How long does a scan take?+
Usually a minute or two. You paste your GitHub repo link and watch the progress right in your browser.
What do I get for free?+
Your overall grade, the number of critical and high issues, and one full critical finding. The full report — every issue and its fix — is a one-time $149.
Stop guessing whether your app is safe.
Paste your repo and get a plain-English security grade in minutes. Free, read-only, no card.