You built something.
Is it safe to ship?

Whether you built it for yourself or for others — ShipGrade scans your deployed app for exposed secrets, security gaps, and trust signals. Free. No signup required.

Free scan. Results in 30 seconds. 3 scans per hour.

11 scanners · 30-second results · No signup required

Who is ShipGrade for?

Whether you're checking your own work or proving quality to buyers, ShipGrade has you covered.

"I built something for myself"

You vibe-coded a tool for your business, your nonprofit, your side project. ShipGrade checks if it's leaking API keys, missing security headers, or exposing user data. Find out before someone else does.

  • Find exposed secrets in your page source
  • Check if your database is locked down
  • Verify your SSL and security headers
  • Get plain-language fix suggestions
Run a free scan

"I'm building something for others"

You're shipping a product. Buyers want to know it's secure, maintained, and trustworthy. ShipGrade gives you a public trust profile with a letter grade you can share anywhere.

  • Public trust profile page with letter grade
  • Embeddable badge for your landing page
  • Daily re-scans so your profile stays current
  • Listed in the ShipGrade directory
Join the beta

Invite-only — request access if you don't have a code

How it works

1

Paste your URL

Instant scan, no signup. Works with any deployed website or web app. Results in about 30 seconds.

2

See what's exposed

Security issues, missing headers, leaked secrets, DNS gaps — broken down check by check with a letter grade.

3

Fix it or prove it

Get remediation guidance to fix issues, or create a trust profile to share your grade with buyers and stakeholders.

What we check

Different product types get different scanner suites, each tailored to what matters for that kind of software.

Websites & SaaS — 6 scanners

SSL / TLS

Certificate validity, HTTPS redirect, HSTS

Security Headers

CSP, X-Frame-Options, HSTS, and 5 more

Uptime

Continuous monitoring, response time, availability

Performance

TTFB, compression, redirect chains, HTTP/2+

DNS

DNSSEC, SPF, DMARC, CAA records

Privacy

Privacy policy, terms, cookie consent, contact info

MCP Servers — 5 scanners

Permissions

Tool count, scope breadth, input validation

Authentication

Auth middleware, secret handling, transport

Dependencies

Known vulnerabilities, freshness, lockfile

Code Safety

Hardcoded secrets, injection, error handling

Project Health

Type safety, tests, license, documentation

See our full grading methodology

Why people trust ShipGrade

Fully transparent

Our methodology is public. Every check, every weight, every grade threshold — no black boxes.

Instant results

Paste a URL, get your grade in 30 seconds. No sales calls, no enterprise pricing, no audit that takes weeks.

Built for indie builders

Whether you vibe-coded your first app or you're an experienced solo dev, ShipGrade meets you where you are.

Always current

Create an account for daily re-scans and hourly uptime pings. Your profile reflects reality, not a snapshot from months ago.

Real scenarios ShipGrade catches

🚨

"I vibe-coded an internal tool on Lovable. ShipGrade found my Supabase anon key was exposed with no RLS. Fixed it in 10 minutes."

Exposed API key — caught by Privacy scanner

🔍

"I sell a SaaS to small businesses. My ShipGrade badge is on my landing page — it's the first thing prospects ask about."

Trust signal — embeddable badge

🔒

"Built a side project for my nonprofit. Had no idea my OpenAI API key was visible in the page source."

Exposed secret — caught by Privacy scanner

Ready to ship with confidence?

Scan your app for free, or create a trust profile to share your grade with buyers.

Scan your URL — free Join the beta