Skip to main content
67% of the AI-built apps we scanned had critical vulnerabilities

Ship fastShip safe.

Cursor wrote the auth. Lovable built the API routes. You shipped on Friday, and you are not a security person. The tool that built it can't grade its own work. We check from the outside and show you what's exposed, free.

Catches exposed API keys and more

No card. No catch.·2 minutes. Seriously.·We delete your code after. Every time.

Your live dashboard. Every scan, in plain English.

Tuned for code from

180+ apps scanned·4 builders studied

LovableBolt.newCursorv0ReplitWindsurfClaudeChatGPTCopilotDevin
What we catch

Different tools. Different apps. The same four holes.

2,417

findings filed · 500+ repos · methodology

Exposed Secrets

Your Stripe key, pasted straight into the code. It's on GitHub now. It's there forever.

sk_live_51N4xq…belongs in .env

1 in 3

scans find a live key sitting in the open

Missing Auth

Cursor built the admin page and skipped the lock. Anyone who types /admin is your newest admin.

/admin → opens. no login asked.one missing line

67%

of AI-built apps ship at least one

Injection

Your search box works fine, until someone types a command instead of a name. Then it answers with your whole database.

' OR 1=1 -- typed into your login boxlogs in as anyone

No. 3

on the OWASP list, two decades running

Exposed Data

Lovable wired up Supabase and left the door open. A stranger reads your users table straight from the internet, no login, no app, just a URL. Same story with Firebase and storage buckets.

GET /rest/v1/users → 200, rows returnedturn on RLS

Proven

we read it from the public internet, not a guess

The math
$4,450,000

what one breach costs

$19

what catching it first costs

One of these is a rounding error. The other ends companies.

Translation Layer

Other scanners speak CVE. We speak English.

Other tools say

CWE-89: SQL injection in user-input handler.

We say

A stranger can read your entire database by typing into a search box.

Other tools say

Apply parameterized queries to remediate the threat vector.

We say

Copy the fix into Cursor. Paste. Done in 30 seconds.

Other tools say

Schedule an enterprise security posture assessment.

We say

Paste your GitHub URL. 2 minutes. $19 for the full audit.

Three steps. Done.

Nothing to install, nothing to configure, no security team to hire. The whole loop fits between two sips of coffee.

Start a scan
  1. 01

    Paste your GitHub URL

    Drop the link. We scan, then delete everything. Nothing stored, ever.

  2. 02

    AI audits every file

    190+ checks in under 2 minutes. What a $5k pen test finds, minus the wait.

  3. 03

    Fix what matters

    Plain-English findings, plus copy-paste fixes for Cursor. Done in minutes.

Ask ShipSafe
Is this actually a problem?
ShipSafe

Yes. Line 57 hardcodes your database password right in the source, so anyone who opens your repo can read it and connect to your database. Move it into an environment variable — I'll hand you the exact change to paste into Cursor.

Every finding explained in plain English — ask follow-ups.

▸ MEASURED IN PUBLIC

We grade our own scanner in public.

Every check measured against 1,147 real test cases — every miss counted, methodology open. Most security tools won't show you this.

191
automated checks
93%
precision — real findings, not noise
84%
caught by the AI deep scan
1,147
test cases, every miss counted

Not just JavaScript. Dedicated checks for 11 languages — JavaScript, TypeScript, Python, PHP, Ruby, Go, Java, C#, Swift, Kotlin, and Rust — plus an AI review that reads any language.

See the full benchmark

Set it once. Stay protected.

A single scan is a snapshot. This never blinks.

  • Every pull request checked before it can merge
  • Findings in plain English, fix included
  • A security badge your customers can verify

Included with Growth and Shield. Prefer the command line? There's a CLI too.

Scan as your agent writes

ShipSafe checks the code your AI writes, as it writes it, right inside Cursor, Claude Code, and Claude Desktop. No copy-paste, no leaving the editor.

CursorClaude CodeClaude Desktopvia MCP
01

Your agent writes code

Cursor, Claude Code, whatever you build with.

02

It scans the change, in-loop

One tool call. Secrets, injection, broken auth, vulnerable deps.

03

You get the exact fix

Plain English, the fix included. Re-scan to confirm it's gone.

Set it up in a minute. Included with Growth and Shield.

From found to fixed

Every finding comes with the fix

No security skills needed. Copy our fix, paste it, done.

Criticalsrc/lib/stripe.ts:12

Your payment keys are visible in your code

Anyone with repo access can charge your customers and empty your Stripe balance.

Your fix prompt

Move the Stripe secret key out of src/lib/stripe.ts (line 12). Put it in an environment variable instead: add STRIPE_SECRET_KEY to .env.local, read it with process.env.STRIPE_SECRET_KEY, and make sure .env.local is in .gitignore. Then rotate the old key in the Stripe dashboard. It's already exposed.

Paste into Cursor, Lovable, Bolt, or Claude. They all understand it.

Not every flag is a real fire

Scanners flag plenty of things that aren't real risks. Those are called false positives, and most tools bury you in them.

CriticalReal issue

Live Stripe key in the browser

lib/stripe.ts:4

Real. Anyone can read it and charge cards as you.

HighFalse positive
dismissed

Secret in a NEXT_PUBLIC_ var

.env.example:2

Not real. A placeholder in an example file.

ShipSafe sorts real from noise in plain English, and gets sharper every time you confirm a call.

Other scanners were built for security teams. You're a founder.

So we built the opposite.

Built for you

ShipSafe

The scanner for founders, not security teams

  • Reads across your codebase for IDOR, broken auth and ownership bugs
  • Plain English, with a copy-paste fix for your editor
  • Paste a GitHub URL. 2 minutes. Zero setup.
  • Tuned for the bugs Cursor, Lovable and Bolt ship
  • Flat $0–$49/mo. No per-seat contracts.

Everything else

Traditional scanners

Semgrep · Snyk · SonarQube · CodeQL

  • Speaks CWE and SARIF, not English
  • Built for a security team you don't have
  • Misses the logic bugs AI writes

Just asking the AI

ChatGPT · Claude

  • Only sees the snippet you paste
  • Reassures you instead of finding the hole
  • The model grading its own homework

What a scan actually catches.

The vulnerability patterns we find in AI-built apps, again and again. Plain English, no jargon.

A live payment key sitting in plaintext in the client bundle. Anyone who viewed source could charge cards.
Leaked live key
Bolt app
A database table with row-level security off. Every user's records readable with no login.
Open database
Lovable app
An admin dashboard that never checked whether you were signed in. Anyone could walk straight in.
Missing auth
Lovable app
A search box that piped what the user typed straight into a SQL query.
SQL injection
Cursor app
A service-role key bundled into the frontend. One key, full read and write to every user's data.
Server key exposed
Cursor app
An object ID in the URL you could increment to read another customer's invoice.
IDOR
Replit app
A role check done only in the browser. Flip one value in dev tools and you're an admin.
Frontend-only auth
Cursor app
A storage bucket left public. Customer uploads downloadable by anyone with the link.
Public storage
Replit app
Login credentials sent to the backend unencrypted over plain HTTP.
Plaintext credentials
Bolt app
FAQ

Got questions?

Do I need to be a security person to understand the report?
No, that is the whole point. Instead of cryptic codes like CWE-319, ShipSafe explains every finding in plain English: what is wrong, why it matters, and exactly how to fix it. Reports include copy-paste fix prompts you can drop straight into Cursor or Lovable.
Do I need a credit card for the free scan?
No. The free scan needs zero payment info, just sign in and paste your repo or live URL. You get real checks and a plain-English report free, with no trial timer and no expiry.
Is the free scan enough, or is it crippled to make me pay?
The free scan runs real pattern-based checks and shows you the actual findings, not a locked count. It catches the obvious things like exposed secrets and config issues. The paid AI audit adds the checks that patterns physically cannot do: authentication logic, Supabase RLS, IDOR, and business-logic flaws. A clean free scan is a good sign, not a guarantee, which is why the deeper checks exist.
Is ShipSafe a scam or a shakedown?
Fair question to ask of any security tool. You see the actual findings on your own app for free, before you pay or enter a card. If it finds nothing, ShipSafe says so. Severity is not inflated, and every finding comes with the proof so you can verify it yourself. ShipSafe only makes point-in-time, evidence-based claims, never guarantees.
What do you do with my code and keys? Do you store them or train AI on them?
Your code is fetched, analyzed in memory, and deleted immediately after the report; ShipSafe does not store your source. The AI analysis runs through Anthropic's Claude API, which does not train on the data sent to it. The only thing kept is the security report itself, and you can delete it.
When ShipSafe finds a problem, does it fix it, and who checks the AI's fix?
ShipSafe gives you the exact fix to paste back into your builder, and on paid plans it can open a pull request with the fix. Then you re-scan, and ShipSafe independently re-verifies that the specific issue is actually closed. That is the point of an independent verifier: the tool that wrote the fix should not be the one that certifies it.
What does the verification badge actually promise?
The badge is an evidence-based attestation that your app passed ShipSafe's checks as of a specific date, and it links to a public verification page anyone can check. It is not a guarantee or insurance. Because your app changes every time you re-prompt it, the badge self-expires and stays valid only while you keep re-verifying, on a 45-day rolling window. It is an honest, dated 'checked from the outside' signal, not a forever-safe stamp.
How is ShipSafe different from GitHub security, Snyk, or Supabase's built-in advisor?
Those check one layer: Dependabot and Snyk check dependencies for known CVEs, and Supabase's advisor checks its own config. ShipSafe checks the app you actually shipped, end to end, and probes it live from the outside, proving leaked keys that still work, data readable with no login, and IDOR across two accounts, with the receipt. It is independent and tuned for the patterns Cursor, Lovable, and Bolt generate.
My builder already scanned it. Doesn't Lovable / Cursor / Claude Code check security for me?
Use those, they help, but they are the platform grading its own homework, and they each have real limits. A builder's built-in scan is static and runs before you publish, so it never checks the app once it is live; an in-editor AI review typically looks only at the code you just changed, not the whole app you already shipped; and none of them reason about the running app the way an outsider can. The deeper point is independence: the same AI that wrote your code is not the right one to certify it, which is exactly why Lovable itself brought in an outside firm for its own security checks. ShipSafe is that outside check, across whatever mix of tools you built with, and it gives you a public verification page you can actually show a customer, not just a note in your editor.

Every day you wait is a day exposed.

30 seconds to find out what actually shipped. Full AI audit for $19, less than a lunch out.

Start free, no card needed. Shipping with a team? Growth covers every push.

Find Out Now. It's Free
Takes less than 2 minutes·No credit card needed·Plain-English results