Question 1

What is ShipSafe?

Accepted Answer

ShipSafe is the independent verifier for AI-built apps. The tool that built your app can't grade its own work, so ShipSafe checks it from the outside: it reads your code and probes your deployed app the way a stranger on the internet would, then proves what is actually exposed, in plain English. Built for apps made with Cursor, Lovable, Bolt, v0, and Replit. Paste a GitHub URL or a live URL and get a report in minutes.

Question 2

How does ShipSafe work?

Accepted Answer

ShipSafe verifies your app two ways. It reads your code (or GitHub repo) for logic-level bugs like inverted auth and missing ownership checks, and it probes your deployed app from the public internet the way an attacker would: missing security headers, secrets leaked into the browser bundle, database tables and storage readable with no login, and IDOR across two test accounts. Every finding comes with the proof and a plain-English fix.

Question 3

Is ShipSafe free?

Accepted Answer

Yes. ShipSafe offers a free plan with 3 scans per month, no credit card required. Paid plans start at $9 for a one-time AI audit; Growth ($19/month) and Shield ($39/month) add continuous monitoring plus the CLI, MCP server, and GitHub Actions so you can scan from your terminal, your AI editor, and CI.

Question 4

What vulnerabilities does ShipSafe detect?

Accepted Answer

ShipSafe detects IDOR (Insecure Direct Object References, proven across two real accounts), inverted authentication logic, frontend-only role checks, hardcoded API keys and secrets (and whether a leaked key still works right now), SQL injection, cross-site scripting (XSS), CSRF, and the data-exposure bugs that dominate AI-built apps: Supabase tables, Storage buckets, and database functions, plus Firebase databases, that a stranger can read with no login. It proves these from the public internet, not just by reading code. In our scan of 100 AI-built apps, 67% had at least one critical vulnerability.

Question 5

Is Cursor safe?

Accepted Answer

Cursor the editor is SOC 2 Type II certified. However, three CVEs were published against it in 2025, and the code it generates contains vulnerabilities roughly 45% of the time according to Stanford research. ShipSafe is built to catch the security issues that Cursor's AI introduces into your codebase.

Question 6

How is ShipSafe different?

Accepted Answer

The tool that built your app can't independently vouch for it, and a code-only scanner can't see what's exposed on the live internet. ShipSafe is the independent verifier: it reads your code and probes your deployed app from the outside, proving leaked keys that still work, database tables and storage readable by anyone, and IDOR across two real accounts, with the receipt. It is specifically tuned for the patterns Cursor, Lovable, and Bolt generate.

Syntax	Meaning
secrets/aws-access-key	Suppress this rule ID
rule-id # reason	Suppress with a documented reason
# comment	Comment line (ignored)
(empty line)	Ignored

Tune it. Without the YAML cult.

.shipsafe.yml

Full Example

Config Options

rules.include

rules.exclude

exclude

severity

.shipsafeignore

Managing rules via CLI

Ignore File Format

Supported File Types

Tips