Security Scanner

Your AI-generated code has vulnerabilities.

ShipSafe scans your GitHub repos for exposed API keys, SQL injection, insecure dependencies, and 50+ other patterns. Results in under 2 minutes.

50+ Vulnerability Patterns
<2 min Average Scan Time
Plain English Results

The Problem

AI writes code fast. It doesn't write it safe.

LLMs are trained on what code should do, not what it shouldn't. They'll hardcode your API key, skip authentication, and trust every input — then tell you the code is production-ready.

34% of AI-generated codebases expose API keys or secrets in their source code.

41% have API routes with no authentication — anyone with the URL can access them.

28% contain SQL injection or command injection vulnerabilities in user-facing code.

Based on scanning hundreds of AI-generated repositories. Read the full research →

Threat Detection

What's hiding in your vibe-coded app?

Exposed API Keys

Your OpenAI key is in the frontend bundle. Someone just ran up a $15K bill on your account.

Hardcoded Secrets

Database passwords, JWT secrets, and tokens committed to source code. Bots scrape GitHub for these.

SQL Injection

Your queries trust user input. One crafted string downloads your entire database.

Command Injection

User input passed to exec() or eval(). Attackers can run any command on your server.

No Authentication

Your admin panel has no login. Anyone with the URL can delete all your data.

Missing CSRF Protection

No CSRF tokens on forms. A malicious link can make actions on behalf of your logged-in users.

Insecure CORS

Access-Control-Allow-Origin set to *. Any website can make authenticated requests to your API.

Known CVEs

Your dependencies have published exploits. Attackers can run code on your servers.

Outdated Dependencies

Packages months or years behind. Known vulnerabilities with public proof-of-concept exploits.

Weak Cryptography

Using Math.random() for tokens or MD5 for passwords. Both are trivially crackable.

Information Leakage

console.log(token), verbose error messages, or stack traces exposed to users.

Insecure HTTP

API calls over plain HTTP. Anyone on the network can read passwords and tokens in transit.

How It Works

Three steps to ship with confidence

01 Connect GitHub

One-click OAuth. Read-only access. We never store your source code.

02 Automatic Scan

50+ patterns analyzed in under 2 minutes. No config needed.

03 Fix in Plain English

Every issue explained. Copy-paste fixes included. No security expertise required.

Real Findings

What a scan actually looks like

These are real patterns we find in AI-generated code every day. Each one comes with a plain-English explanation and a copy-paste fix.

critical · src/lib/ai.ts:3

Exposed OpenAI API Key

const openai = new OpenAI({ apiKey: "sk-proj-xK9m..." })

Move to .env.local and use process.env.OPENAI_API_KEY. Rotate the exposed key immediately.

high · src/app/api/users/route.ts:14

SQL Injection in User Query

const result = await db.query(`SELECT * FROM users WHERE email = '${email}'`)

Use parameterized queries: db.query("SELECT * FROM users WHERE email = $1", [email])

medium · src/app/api/admin/delete/route.ts:1

Missing Authentication on Admin Route

export async function DELETE(req) { await db.delete(users)... }

Add auth middleware to verify the user is authenticated and has admin role before processing.
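The second and third findings above, worked through as an added example that is not ShipSafe's code. `FakeDb` is a constructed stand-in for a database client that records what it receives, so you can see that the template-literal query changes shape on an ordinary apostrophe while the parameterized version keeps the SQL text constant. `requireAdmin` is an assumed wrapper in the spirit of the suggested fix, and `req.user` is assumed to be populated by an earlier auth layer (session or verified JWT) that this example does not implement.

```javascript
// Added example; not ShipSafe's code. FakeDb is a constructed stand-in for a
// real database client: it records each query (and whether a delete ran)
// instead of talking to a database, so the results can be inspected.
class FakeDb {
  constructor() {
    this.calls = [];      // every { sql, params } the app handed to query()
    this.deleted = false; // set when delete() is reached
  }
  query(sql, params = []) {
    this.calls.push({ sql, params });
    return { rows: [] };
  }
  delete(table) {
    this.deleted = true;
    return { table };
  }
}

// Finding 2 as reported: the email is spliced into the SQL text itself.
function findUserUnsafe(db, email) {
  return db.query(`SELECT * FROM users WHERE email = '${email}'`);
}

// The suggested fix: a $1 placeholder; the value travels separately to the driver.
function findUserSafe(db, email) {
  return db.query("SELECT * FROM users WHERE email = $1", [email]);
}

// Runs one lookup against a fresh FakeDb and returns what the database saw.
function sqlSentBy(lookup, email) {
  const db = new FakeDb();
  lookup(db, email);
  return db.calls[0];
}

// Finding 3: wrap a route handler so it only runs for an authenticated admin.
// req.user is assumed to have been populated by an earlier auth layer
// (session lookup or verified JWT); that layer is not implemented here.
function requireAdmin(handler) {
  return (req) => {
    if (!req.user) return { status: 401, body: "not signed in" };
    if (req.user.role !== "admin") return { status: 403, body: "admin only" };
    return handler(req);
  };
}

// The admin DELETE route in the shape of the page's example, with the db injected.
function makeDeleteRoute(db) {
  return requireAdmin((req) => {
    db.delete("users");
    return { status: 200, body: "deleted" };
  });
}

// Constructed input: a perfectly legitimate address that contains an apostrophe.
const LEGIT_EMAIL = "o'brien@example.com";

if (typeof require !== "undefined" && require.main === module) {
  console.log(sqlSentBy(findUserUnsafe, LEGIT_EMAIL).sql); // unbalanced quote: the SQL itself changed
  console.log(sqlSentBy(findUserSafe, LEGIT_EMAIL));       // SQL unchanged, value carried in params
  const db = new FakeDb();
  const route = makeDeleteRoute(db);
  console.log(route({ user: null }).status, route({ user: { role: "admin" } }).status, db.deleted);
}
```

The apostrophe case is the point: data that merely contains a quote already breaks the unsafe query, which is the same confusion between data and SQL text that an attacker exploits; the placeholder version never lets the value touch the SQL at all. The same wrapper pattern covers the admin route: the delete only reaches the database after both the authentication (401) and authorization (403) checks pass.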

Safety Score

Get graded. Share it.

Every scan produces an A–F grade. Embed the badge in your README to show users you take security seriously.

Grade scale: A 90–100, B 75–89, C 60–74, F 0–59.

We scan ourselves

ShipSafe's own security badge — updated live.

ShipSafe Security Badge

Security Playbook

24 rules every AI app should follow

We compiled the most common security mistakes in AI-generated code into a free, actionable checklist. ShipSafe checks all 24 automatically.

Auth & Sessions: 5 rules
Secure API Dev: 5 rules
API & Access: 5 rules
Data & Infra: 5 rules
Other Rules: 4

Built For

If you code with AI, this is for you

Vibe Coders

You built your app with ChatGPT, Cursor, or Copilot. It works great. But you have no idea if it's secure.

Indie Hackers

You're shipping fast and alone. You don't have time to learn security, but you can't afford a breach either.

Non-Technical Founders

Your developer used AI to build your MVP. You need to know if your users' data is actually safe.

Freelancers

You're delivering client projects built with AI tools. A ShipSafe badge shows you take quality seriously.

Bootcamp Grads

You learned to code recently and use AI heavily. Security wasn't in the curriculum, but it matters.

Small Teams

Your 2-3 person team ships fast with AI assistance. No one has security expertise. ShipSafe is your safety net.

Pricing

Simple, transparent pricing

Start free. Upgrade when you need full details.

Free

$0
  • Unlimited scans & repos
  • Safety Score (A–F)
  • Finding counts & categories
  • First scan with full details
  • File paths & line numbers
  • AI explanations & fixes
Scan free

Pro

Popular
$29/mo
  • Everything in Free
  • Full finding details
  • AI explanations
  • Copy-paste fixes
  • 10 repositories
  • README badge
Upgrade to Pro — $29/mo

Team

$79/mo
  • Everything in Pro
  • Unlimited repos
  • Scan on every push
  • Slack & email alerts
  • CI/CD integration
  • 5 team seats
Coming soon
Just need one scan? $9 — unlock full details for any single scan.

FAQ

Common questions

Do you store my source code?

No. We stream your files through the scanner and discard them immediately. Nothing is saved to disk or database. Only the scan results (findings, scores, file paths) are stored.

What GitHub permissions do you need?

Read-only access to your repository contents. We use GitHub OAuth with the minimum required scope. We cannot push code, create issues, or modify your repos in any way.

How is the Safety Score calculated?

You start at 100. Each finding deducts points based on severity: critical (-25), high (-15), medium (-8), low (-3). The score maps to a letter grade: A (90-100), B (75-89), C (60-74), F (below 60).
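An added example, not ShipSafe's scanner or its rule set, that ties the threat list and the Real Findings section above to this scoring answer: four illustrative regex checks (the names and patterns are my own) run over a constructed mini-repo, and the FAQ's deduction table and grade bands are applied to whatever they find. Flooring the score at 0 is an assumption; the FAQ does not say what happens once deductions exceed 100.

```javascript
// Added example; not ShipSafe's scanner or its rule set. The four checks
// below are illustrative regexes for patterns named on this page; the
// deduction table and grade bands are the ones stated in the FAQ.
const PATTERNS = [
  { id: "exposed-openai-key",   severity: "critical", re: /sk-[A-Za-z0-9_-]{8,}/ },
  { id: "sql-template-literal", severity: "high",     re: /query\(\s*`[^`]*\$\{/ },
  { id: "wildcard-cors",        severity: "medium",   re: /Access-Control-Allow-Origin['"]?\s*[:,]\s*['"]\*['"]/ },
  { id: "math-random-token",    severity: "low",      re: /token.*Math\.random\(\)/i },
];

// Points lost per finding, from the FAQ.
const DEDUCTION = { critical: 25, high: 15, medium: 8, low: 3 };

// files: { path: sourceText }. Returns one finding per (line, pattern) hit.
function scan(files) {
  const findings = [];
  for (const [path, source] of Object.entries(files)) {
    source.split("\n").forEach((text, i) => {
      for (const p of PATTERNS) {
        if (p.re.test(text)) {
          findings.push({ id: p.id, severity: p.severity, path, line: i + 1 });
        }
      }
    });
  }
  return findings;
}

// Start at 100 and subtract per finding. Flooring at 0 is an assumption:
// the FAQ does not say what happens once deductions exceed 100.
function safetyScore(findings) {
  const lost = findings.reduce((sum, f) => sum + DEDUCTION[f.severity], 0);
  return Math.max(0, 100 - lost);
}

// Grade bands from the FAQ: A 90-100, B 75-89, C 60-74, F below 60.
function grade(score) {
  if (score >= 90) return "A";
  if (score >= 75) return "B";
  if (score >= 60) return "C";
  return "F";
}

// Constructed mini-repo. The key value is a placeholder, not a real credential.
const SAMPLE_REPO = {
  "src/lib/ai.ts": 'const openai = new OpenAI({ apiKey: "sk-proj-PLACEHOLDER0000" })\n',
  "src/app/api/users/route.ts": "const result = await db.query(`SELECT * FROM users WHERE email = '${email}'`)\n",
  "src/app/api/cors.ts": 'res.setHeader("Access-Control-Allow-Origin", "*")\n',
  "src/lib/token.ts": "const token = Math.random().toString(36).slice(2)\n",
  "src/lib/clean.ts": "const openai = new OpenAI({ apiKey: process.env.OPENAI_API_KEY })\n",
};

// Full pass: findings, numeric score and letter grade for one repo.
function report(files) {
  const findings = scan(files);
  const score = safetyScore(findings);
  return { findings, score, grade: grade(score) };
}

if (typeof require !== "undefined" && require.main === module) {
  const r = report(SAMPLE_REPO);
  for (const f of r.findings) console.log(`${f.severity.padEnd(8)} ${f.path}:${f.line}  ${f.id}`);
  console.log(`score ${r.score} grade ${r.grade}`); // one of each severity: 100-25-15-8-3 = 49, F
}
```

One finding of each severity costs 51 points, so a repo with a single exposed key, one string-built query, one wildcard CORS header and one Math.random() token already lands at 49 (F); a lone high finding leaves 85 (B). Real scanners need far more than line regexes (multi-line expressions, taint tracking, dependency manifests), but the scoring step is exactly this simple.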

What does the free plan include?

Unlimited scans with Safety Scores and finding counts. Your very first scan includes full details (file paths, AI explanations, copy-paste fixes). After that, full details require Pro or a $9 single-scan unlock.

Can I scan private repositories?

Yes. ShipSafe works with both public and private repos. Your code is accessed via your GitHub OAuth token with read-only permissions.

How long does a scan take?

Most scans complete in under 2 minutes. Larger repositories with many files may take slightly longer. You can watch the progress in real time.

Is ShipSafe itself secure?

We scan our own codebase with ShipSafe. Check our live security badge on this page. We also detail our data practices on our Terms & Data page.

Stop shipping insecure code

Scan your repo now. Get results in 2 minutes. Your first scan includes full details — free.