ShipSafe is the independent verifier for AI-built apps. The tool that built your app can't grade its own work, so ShipSafe checks it from the outside: it reads your code and probes your deployed app the way a stranger on the internet would, then proves what is actually exposed, in plain English. Built for apps made with Cursor, Lovable, Bolt, v0, and Replit. Paste a GitHub URL or a live URL and get a report in minutes.

How does ShipSafe work?

ShipSafe verifies your app two ways. It reads your code (or GitHub repo) for logic-level bugs like inverted auth and missing ownership checks, and it probes your deployed app from the public internet the way an attacker would: missing security headers, secrets leaked into the browser bundle, database tables and storage readable with no login, and IDOR across two test accounts. Every finding comes with the proof and a plain-English fix.

Yes. ShipSafe offers a free plan with 3 scans per month, no credit card required. Paid plans start at $9 for a one-time AI audit; Growth ($19/month) and Shield ($39/month) add continuous monitoring plus the CLI, MCP server, and GitHub Actions so you can scan from your terminal, your AI editor, and CI.

What vulnerabilities does ShipSafe detect?

ShipSafe detects IDOR (Insecure Direct Object References, proven across two real accounts), inverted authentication logic, frontend-only role checks, hardcoded API keys and secrets (and whether a leaked key still works right now), SQL injection, cross-site scripting (XSS), CSRF, and the data-exposure bugs that dominate AI-built apps: Supabase tables, Storage buckets, and database functions, plus Firebase databases, that a stranger can read with no login. It proves these from the public internet, not just by reading code. In our scan of 100 AI-built apps, 67% had at least one critical vulnerability.

Cursor the editor is SOC 2 Type II certified. However, three CVEs were published against it in 2025, and the code it generates contains vulnerabilities roughly 45% of the time according to Stanford research. ShipSafe is built to catch the security issues that Cursor's AI introduces into your codebase.

How is ShipSafe different?

The tool that built your app can't independently vouch for it, and a code-only scanner can't see what's exposed on the live internet. ShipSafe is the independent verifier: it reads your code and probes your deployed app from the outside, proving leaked keys that still work, database tables and storage readable by anyone, and IDOR across two real accounts, with the receipt. It is specifically tuned for the patterns Cursor, Lovable, and Bolt generate.

● Security Rules

Every check. Categorized.

127 rules grouped into 14 categories and ranked by severity. Each finding ships with a plain-English reason and the fix.

▸ SECRETS · 30 RULES

Secrets

Hardcoded credentials, API keys, and tokens that should be in environment variables.

Rule	Severity
AWS access key ID secrets/aws-access-key	critical
AWS secret access key secrets/aws-secret-key	critical
Stripe secret key secrets/stripe-secret-key	critical
GitHub personal access token secrets/github-token	critical
OpenAI API key (legacy + sk-proj/svcacct/None) secrets/openai-api-key	critical
Anthropic API key (sk-ant-...) secrets/anthropic-api-key	critical
Google AI Studio / Gemini API key secrets/google-ai-key	critical
xAI / Grok API key secrets/grok-xai-key	critical
Groq API key (gsk_...) secrets/groq-api-key	critical
Replicate API token (r8_...) secrets/replicate-token	critical
Perplexity API key (pplx-...) secrets/perplexity-api-key	high
Hugging Face access token (hf_...) secrets/huggingface-token	high
Together AI API key secrets/together-api-key	high
Mistral AI API key secrets/mistral-api-key	high
Cohere API key secrets/cohere-api-key	high
DeepSeek API key secrets/deepseek-api-key	high
ElevenLabs API key secrets/elevenlabs-api-key	high
Pinecone vector DB API key (pcsk_...) secrets/pinecone-api-key	critical
Weaviate vector DB API key secrets/weaviate-api-key	high
VS Code Marketplace publish token (VSCE_PAT) secrets/vsce-publish-token	critical
Open VSX publish token secrets/ovsx-publish-token	critical
Supabase service role key secrets/supabase-service-role	critical
Private key (RSA, EC, etc.) secrets/private-key	critical
JWT signing secret secrets/jwt-secret	critical
Database connection string with credentials secrets/database-url	critical
SendGrid API key secrets/sendgrid-api-key	critical
Slack webhook URL secrets/slack-webhook	critical
Generic API key pattern secrets/generic-api-key	high
Hardcoded password secrets/generic-password	high
Default credentials in code secrets/default-credentials	critical

▸ INJECTION · 5 RULES

Injection

SQL injection, command injection, and other code injection vectors.

Rule	Severity
SQL query built with string concatenation injection/sql-string-concat	critical
User input passed to shell command injection/command-injection	critical
Dynamic code execution with eval() injection/eval-usage	critical
Unsanitized file path from user input injection/path-traversal	high
Object merge with unvalidated user input injection/prototype-pollution	high

▸ XSS · 4 RULES

XSS

Cross-site scripting vulnerabilities that allow attackers to inject client-side scripts.

Rule	Severity
Setting innerHTML with dynamic content xss/innerhtml-usage	high
Using dangerouslySetInnerHTML in React xss/dangerously-set-html	high
Using document.write() with dynamic content xss/document-write	medium
Unescaped user input in template xss/unescaped-output	medium

▸ AUTH · 2 RULES

Auth

Authentication weaknesses that could let attackers bypass login or forge sessions.

Rule	Severity
JWT verified with hardcoded secret auth/hardcoded-jwt-verify	high
CORS allows all origins (*) auth/cors-wildcard	high

Rule

Severity

JWT verified with hardcoded secret

auth/hardcoded-jwt-verify

high

CORS allows all origins (*)

auth/cors-wildcard

high

▸ AUTHORIZATION · 5 RULES

Authorization

Missing or broken access control checks that could let users access resources they shouldn't.

Rule	Severity
Data access without ownership verification authz/missing-ownership-check	high
Admin check only on frontend authz/admin-check-frontend-only	critical
Delete endpoint without authentication authz/delete-without-auth	critical
Role/permission taken from client request authz/role-from-client	critical
Sequential IDs expose data to enumeration authz/idor-sequential-id	medium

▸ CRYPTO · 2 RULES

Crypto

Weak or insecure cryptographic implementations.

Rule	Severity
Using MD5 or SHA1 for security purposes crypto/weak-algorithm	high
Math.random() used for security-sensitive values crypto/math-random	high

Rule

Severity

Using MD5 or SHA1 for security purposes

crypto/weak-algorithm

high

Math.random() used for security-sensitive values

crypto/math-random

high

▸ CONFIG · 4 RULES

Config

Configuration files that expose sensitive data or enable debug modes in production.

Rule	Severity
.env file committed to version control config/env-file-committed	critical
Debug mode enabled in production config config/debug-mode-enabled	medium
Insecure NextAuth.js configuration config/insecure-nextauth-config	high
Agent workspace config committed to repo config/agent-config-tracked	medium

▸ PII · 3 RULES

PII

Personally identifiable information leaked through logs, storage, or API responses.

Rule	Severity
Email addresses logged to console pii/email-in-logs	medium
Sensitive data in console.log pii/console-log-sensitive	medium
Sensitive data stored without encryption pii/unencrypted-storage	high

Rule

Severity

Email addresses logged to console

pii/email-in-logs

medium

Sensitive data in console.log

pii/console-log-sensitive

medium

Sensitive data stored without encryption

pii/unencrypted-storage

high

▸ BAAS · 13 RULES

BaaS

Backend-as-a-Service misconfigurations for Supabase, Firebase, and similar platforms.

Rule	Severity
Supabase service key used on client baas/supabase-service-key-client	critical
Supabase RLS policy bypassed baas/supabase-rls-bypass	high
Supabase table without Row Level Security baas/supabase-rls-disabled	critical
Supabase RLS policy allows all rows (USING true) baas/supabase-rls-policy-allows-all	critical
Postgres anon role granted broad privileges baas/supabase-anon-overgrant	high
Service-role key used in client-reachable route baas/supabase-service-role-client-reachable	critical
Supabase RLS trusts a JWT claim it doesn't issue baas/supabase-rls-policy-jwt-claim-not-verified	high
Anon key used for server-side mutations baas/supabase-anon-key-server-mutation	high
Supabase storage bucket without access policies baas/supabase-storage-no-policy	high
Direct query to auth.users table baas/supabase-auth-users-direct	medium
Supabase auth with unvalidated redirect URL baas/supabase-insecure-redirect	high
Firebase rules allow all reads/writes baas/firebase-rules-allow-all	critical
Storage bucket publicly accessible baas/storage-bucket-public	high

▸ LLM / AI · 19 RULES

LLM / AI

Security issues specific to LLM-powered applications and AI integrations.

Rule	Severity
System prompt exposed to client llm/system-prompt-exposed	high
Unsanitized user input in LLM prompt llm/user-input-to-prompt	critical
AI API key hardcoded in source llm/api-key-hardcoded	critical
AI API key leaks to browser via env prefix llm/api-key-client-env	critical
LLM output used without validation llm/no-output-validation	medium
LLM tool call executed without validation llm/tool-call-no-validation	high
RAG retrieval vulnerable to prompt injection llm/rag-injection	high
System prompt leaks through LLM output llm/prompt-leak-via-output	medium
LLM output executed as code llm/output-as-code	critical
MCP tool used without version pinning (rug-pull risk) llm/mcp-tool-no-pinning	medium
LangChain RecursiveUrlLoader without SSRF guard (CVE-2026-27795) llm/langchain-recursive-url-loader-unsafe	high
LangChain loads prompt template from untrusted path (CVE-2026-34070) llm/langchain-load-prompt-from-path	high
Vercel AI SDK called with raw user input llm/ai-sdk-input-as-prompt	high
AI agent run on PR title/body without sanitizing llm/agent-runs-on-unsanitized-pr-content	critical
LLM call without max_tokens or cost limit llm/no-max-tokens	medium
.env or secrets file read into LLM prompt llm/env-file-read-into-prompt	critical
Code writes to .git/hooks (CVE-2026-26268 vector) llm/agent-writes-to-git-hooks	high
Branch name or repo field passed to shell without sanitizing llm/codex-branch-name-shell-injection	critical
OpenAI Assistants/Responses API without tool allowlist llm/openai-assistant-tool-no-allowlist	high

▸ HEADERS · 13 RULES

Headers

Missing or misconfigured HTTP security headers and server-side request issues.

Rule	Severity
Missing Content Security Policy headers/missing-csp	medium
Missing Strict-Transport-Security header headers/missing-hsts	medium
Missing X-Frame-Options header headers/missing-x-frame-options	medium
Server-side request to user-provided URL headers/ssrf-unvalidated-url	high
Redirect to unvalidated URL headers/open-redirect	high
Missing Referrer-Policy header headers/missing-referrer-policy	low
Missing X-Content-Type-Options header headers/missing-x-content-type-options	low
Missing Permissions-Policy header headers/missing-permissions-policy	low
CORS allows credentials with wildcard origin headers/cors-credentials-wildcard	critical
Cookie set without Secure/HttpOnly flags headers/cookie-missing-secure	high
Auth route without rate limiting headers/rate-limit-missing-auth-route	high
Server request may reach cloud metadata endpoint headers/ssrf-cloud-metadata	critical
Server request may reach internal IP range headers/ssrf-internal-ip	high

▸ DEPENDENCIES · 9 RULES

Dependencies

Dependency risks from unpinned versions, typosquatting, and suspicious install scripts.

Rule	Severity
Unpinned dependency versions deps/unpinned-versions	medium
Package name similar to popular package deps/typosquatting-risk	medium
Package runs scripts on install deps/postinstall-script	high
Potentially AI-hallucinated package name deps/slopsquatting-risk	high
Remote code fetched and executed deps/eval-fetched-code	critical
CDN script without Subresource Integrity deps/cdn-no-integrity	medium
Known-malicious package (Cline 2.3.0, openclaw, postmark-mcp) deps/known-malicious-package	critical
Likely AI-hallucinated package name (extended list) deps/slopsquatting-risk-extended	high
No dependency lockfile in project deps/no-lockfile	medium

▸ CLIENT SECURITY · 4 RULES

Client Security

Client-side security patterns — token storage, error exposure, file uploads, and CSRF protection.

Rule	Severity
Auth token stored in localStorage (XSS risk) client/jwt-in-localstorage	high
Error stack trace sent to client client/error-stack-exposed	medium
File upload without type or size validation client/file-upload-no-validation	high
State-changing endpoint without CSRF protection client/missing-csrf-state-change	medium

▸ AI AGENT CONFIG · 14 RULES

AI Agent Config

IDE, agent, and CI misconfig that turns prompt injection into RCE. Covers MCP servers, .cursorrules, .github/workflows, Cursor Auto-Run, and the Pwn Request family.

Rule	Severity
AI agent config file contains invisible Unicode ai-agent/invisible-unicode-in-config	critical
MCP server runs an arbitrary shell command ai-agent/mcp-stdio-shell-command	critical
MCP server points to a public HTTP URL ai-agent/mcp-public-http-endpoint	high
Cursor Auto-Run / YOLO mode enabled ai-agent/cursor-auto-run-enabled	high
Agent tool allowlist disabled or empty ai-agent/agent-allowlist-disabled	high
Agent configured to auto-approve all tool calls ai-agent/auto-approve-tools	high
CI agent reads PR title or body without sanitizing ai-agent/ci-agent-untrusted-pr-input	critical
CI agent triggers on pull_request from forks ai-agent/ci-agent-pull-request-fork	high
PR title or body interpolated into shell step ai-agent/github-action-injection-from-pr	critical
Agent config path suggests workspace file was committed ai-agent/agent-config-not-gitignored	low
GitHub Action uses pull_request_target + checks out PR code ai-agent/pwn-request-checkout	critical
Workflow grants write-all permissions to AI agent job ai-agent/workflow-write-all-permissions	high
JSON schema loaded from untrusted remote URL ai-agent/jetbrains-junie-json-schema-remote	medium
.cursor/rules/*.mdc files present — review recommended ai-agent/cursor-mdc-rules-directory-presence	low

False positive?

Suppress any rule by ID. It won't block CI or clutter your reports.

npx @ship-safe/cli ignore {rule-id}-r "reason"

See Configuration for details on .shipsafeignore.

← PreviousConfiguration Next →GitHub Actions