read-only · touches nothing · runs in seconds

Your AI-coded app is probably leaking secrets.

ShipWorthy scans your vibe-coded app for the mistakes AI leaves behind — hardcoded keys, committed .env files, wide-open endpoints — before you ship it. One command. It never changes your code or touches your cloud.

~/my-app — shipworthy
$ npx shipworthy ./my-app
 
shipworthy READ-ONLY scan — no files changed, no cloud touched
 
Scanned 4 files in 0.03s · 19 rules · target: my-app (Vite single-page app)
────────────────────────────────────────────────
findings (13)
────────────────────────────────────────────────
CRITICAL Stripe live secret key [confirmed]
src/api.ts:4 secret.stripe-live-secret
export const STRIPE_KEY = "sk_liv••••••••••••••••••";
risk  A live Stripe secret key can move real money and read customer data.
fix  Remove it, roll the key, keep secret keys server-side only.
HIGH Wide-open CORS [confirmed]
server/index.js:11 cors.wildcard-origin
app.use(cors({ origin: '*' }));
risk  Any site can call your API from a user's browser.
fix  Restrict origin to your own domain(s).
CRITICAL 3 · HIGH 6 · MEDIUM 4    13 findings

Scan your own app — free

Drop your email and I'll send you the one command to run ShipWorthy on your code, plus the setup. Find out what you're leaking before someone else does.


no spam · unsubscribe anytime · the scanner is open source

// what it catches

Hardcoded secrets
AWS access keys, Stripe sk_live keys, Google/GitHub/Slack tokens, private keys, JWTs.
Browser-exposed env
Secret-looking VITE_ / REACT_APP_ / NEXT_PUBLIC_ vars baked into the bundle. Those prefixes tell the bundler to inline the value into the client-side JavaScript, so a VITE_STRIPE_SECRET is readable by anyone who opens DevTools, no matter what .gitignore says.
Secrets in git
.env and key files that are tracked and would get pushed.
Wide-open CORS
origin: '*' and friends (reflected Origin headers, loose pattern matches) that let any site read your API's responses from a visitor's browser. Browsers refuse to expose a response served with a literal '*' to a cookie-credentialed request, but an API that takes a bearer token or no auth at all is fully readable cross-origin, and reflecting the request Origin with credentials: true is worse.
Unauthenticated endpoints
Data-returning routes with no visible auth check.
Injection-prone code
String-built SQL, eval, shell built from request input.
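As an added example (this is not ShipWorthy's own code; its real rules are not shown on this page), the JavaScript below implements a handful of the rule classes from this list as plain per-line regex rules over in-memory files, plus a git-tracked-secret-file check, and formats findings the way the scan output above does. The rule ids, the patterns, the `scanFiles` / `summarize` / `mask` helpers and the sample "repo" are all assumptions constructed for the example:

```javascript
// Added example, not ShipWorthy's code: a minimal read-only scanner over
// in-memory files implementing a few of the rule classes listed above.
// Rule ids, regexes and the findings shape are illustrative assumptions.

const RULES = [
  { id: 'secret.stripe-live-secret', severity: 'CRITICAL',
    re: /\bsk_live_[A-Za-z0-9]{8,}\b/,
    risk: 'A live Stripe secret key can move real money and read customer data.' },
  { id: 'secret.aws-access-key-id', severity: 'CRITICAL',
    re: /\bAKIA[0-9A-Z]{16}\b/,
    risk: 'An AWS access key id; together with its secret it grants cloud access.' },
  { id: 'secret.private-key', severity: 'CRITICAL',
    re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/,
    risk: 'Private key material committed to source.' },
  // VITE_/REACT_APP_/NEXT_PUBLIC_ values are inlined into the client bundle,
  // so a secret-named variable under those prefixes is public by construction.
  { id: 'env.browser-exposed-secret', severity: 'HIGH',
    re: /\b(?:VITE|REACT_APP|NEXT_PUBLIC)_\w*(?:SECRET|PRIVATE|TOKEN|PASSWORD)\w*/,
    risk: 'Secret-named variable under a public-bundle prefix ships in the JS.' },
  { id: 'cors.wildcard-origin', severity: 'HIGH',
    re: /cors\(\s*\{[^}]*\borigin\s*:\s*['"`]\*['"`]/,
    risk: "Any origin can read responses from this API in a visitor's browser." },
  { id: 'injection.string-built-sql', severity: 'HIGH',
    re: /\b(?:SELECT|INSERT|UPDATE|DELETE)\b[^;\n]*(?:\$\{\s*req\.|['"]\s*\+\s*req\.)/i,
    risk: 'SQL assembled from request input; use parameterised queries.' },
];

// Paths that must never be git-tracked (.env.example is the documented exception).
const SECRET_FILE_PATH = /(?:^|\/)(?:\.env(?!\.example$)(?:\.[^/]+)?|[^/]+\.pem|id_(?:rsa|ed25519))$/;

// Redact a matched secret for the report: short prefix, then dots.
function mask(value, keep = 6) {
  return value.slice(0, keep) + '•'.repeat(Math.max(8, value.length - keep));
}

// files: { [path]: contents }; tracked: Set of paths git tracks (assumed input shape).
// Returns findings without modifying anything.
function scanFiles(files, tracked = new Set()) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    if (tracked.has(path) && SECRET_FILE_PATH.test(path)) {
      findings.push({ rule: 'git.tracked-secret-file', severity: 'HIGH', path, line: 0,
        evidence: path, risk: 'Secret file is tracked by git and would be pushed.' });
    }
    text.split('\n').forEach((lineText, i) => {
      for (const rule of RULES) {
        const m = rule.re.exec(lineText);
        if (!m) continue;
        findings.push({ rule: rule.id, severity: rule.severity, path, line: i + 1,
          evidence: rule.id.startsWith('secret.') ? mask(m[0]) : m[0].trim(),
          risk: rule.risk });
      }
    });
  }
  return findings;
}

function summarize(findings) {
  const counts = { CRITICAL: 0, HIGH: 0, MEDIUM: 0 };
  for (const f of findings) counts[f.severity] = (counts[f.severity] || 0) + 1;
  return counts;
}

function format(findings) {
  const lines = findings.map(f =>
    `${f.severity} ${f.rule}\n  ${f.path}:${f.line}  ${f.evidence}\n  risk  ${f.risk}`);
  const c = summarize(findings);
  lines.push(`CRITICAL ${c.CRITICAL} · HIGH ${c.HIGH} · MEDIUM ${c.MEDIUM}    ${findings.length} findings`);
  return lines.join('\n');
}

// Constructed sample "repo" (not real files, not real keys): one deliberate hit per rule.
const SAMPLE_FILES = {
  'src/api.ts': [
    'export const STRIPE_KEY = "sk_live_FAKE0000000000000000";',
    'export const API_TOKEN = import.meta.env.VITE_API_SECRET_TOKEN;',
  ].join('\n'),
  'server/index.js': [
    "app.use(cors({ origin: '*' }));",
    'app.get("/users/:id", (req, res) =>',
    '  db.query(`SELECT * FROM users WHERE id = ${req.params.id}`));',
  ].join('\n'),
  '.env': 'AWS_ACCESS_KEY_ID=AKIAFAKEFAKEFAKEFAKE\n',
};
const SAMPLE_TRACKED = new Set(Object.keys(SAMPLE_FILES));

console.log(format(scanFiles(SAMPLE_FILES, SAMPLE_TRACKED)));
```

The scanner only ever reads strings and returns data, which is the property the page advertises; a real implementation would walk the tree, ask `git ls-files` for the tracked set, and add entropy checks so random-looking strings without a known prefix are caught too.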
// what it does NOT do