tate@programs ~/tools/shipcheck read-only scanner

shipcheck-cli / npm release gate

Static release checks for JS, TS, and MCP repos.

Shipcheck reads authorized repositories and reports the launch risks that usually show up after first users arrive: exposed configuration, unsigned webhooks, missing database-rule evidence, debug routes, dependency drift, token-based npm publish workflows, incomplete MCP listing metadata, missing smoke-test proof, unclear STDIO execution boundaries, and unclear remote auth boundaries.

input: local repo
output: text / md / json / sarif
use case: pre-launch gate
01 Runs where teams already ship.

CLI for local checks, GitHub Action for pull requests, and SARIF for code scanning workflows.

02 Built for launch evidence.

Findings are written as handoff notes: what is risky, why it matters, and what to inspect next.

03 MCP-aware.

Checks server package identity, registry metadata, install instructions, smoke-test proof, STDIO execution-boundary notes, remote auth notes, tool-safety notes, and metadata version drift.

install

One command locally, one workflow in CI.

local scan:
    npx --yes shipcheck-cli .
markdown report:
    npx --yes shipcheck-cli . --format markdown > shipcheck-report.md
GitHub code scanning:
    npx --yes shipcheck-cli . --format sarif > shipcheck.sarif
MCP server mode:
    npx --yes --package shipcheck-mcp shipcheck-mcp
workflow
- uses: TateLyman/shipcheck-action@v1
  with:
    format: sarif
    output: shipcheck.sarif
    fail-on: medium
    strict: true
action repo proof
shipcheck-action ci
status: passing
checks: action smoke test + SARIF validation
fixture: 100/100 Shipcheck score

checks

The scanner focuses on things that are expensive to learn in production.

env

Secrets and config boundaries

Flags private-looking keys, service-role references, sensitive public env names, and loose environment-file hygiene.

payments

Webhook safety

Looks for Stripe webhook handlers without visible signature verification and calls out payment paths that need review.

data

Database rule evidence

Checks for Firebase rules and Supabase RLS policy evidence before user data moves through the app.

routes

Debug and test leftovers

Finds routes and files that look like seed, reset, mock, debug, admin-test, or temporary bypass paths.

usage

Paid API usage controls

Warns when expensive external calls lack visible rate limits, quotas, throttling, or abuse controls.

release

Build and release hygiene

Catches missing CI, missing lockfiles, risky scripts, loose dependency versions, token-based npm publish workflows, and weak TypeScript config.

sarif

Code scanning handoff

Exports SARIF so findings can live in GitHub code scanning instead of getting buried in a job log.

mcp

MCP server mode

Runs as an MCP server for authorized local repo scans and returns text, Markdown, JSON, or SARIF output.

registry

MCP launch metadata

Flags missing package identity, missing server.json, mismatched registry package versions, unclear install config, missing smoke-test proof, undocumented STDIO execution boundaries, undocumented remote auth boundaries, and vague tool-safety notes.

may 2026 bar

Package trust and MCP install quality are now part of launch readiness.


npm

Trusted publishing

npm's current flow supports OIDC-based trusted publishers for GitHub Actions, GitLab CI/CD, and CircleCI, reducing dependence on long-lived publish tokens.


provenance

Build origin matters

Public packages published through trusted publishing can get provenance attestations by default, which gives buyers a clearer source-to-package trail.
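Added example, not code from the Shipcheck project: the token-based publish job that Shipcheck flags, shown next to the OIDC trusted-publishing job the npm and provenance notes above describe. It assumes a trusted publisher has already been registered on npmjs.com for this repository and this workflow file name; job and step names are illustrative.

```yaml
# Constructed example: token-based publish (the finding) beside trusted publishing.
# Assumes a trusted publisher is registered on npmjs.com for this repo/workflow.
name: release

on:
  push:
    tags: ["v*"]

jobs:
  # BEFORE: a long-lived automation token stored as a repository secret.
  publish-with-token:
    if: false  # kept only for comparison; not meant to run
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}  # credential that outlives the job

  # AFTER: short-lived OIDC credential minted per run; no publish token secret exists.
  publish-trusted:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write   # lets the job request the OIDC token npm verifies
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - run: npm install -g npm@latest   # trusted publishing needs a recent npm CLI
      - run: npm ci
      - run: npm test                     # smoke-test proof before the package ships
      - run: npm publish --provenance --access public
```

With the second job, the token secret can be deleted from the repository entirely, and the published package carries a provenance attestation pointing back at this workflow run.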


mcp

Registry metadata is moving

The MCP Registry is still marked preview, with server.json carrying package and remote-server metadata for discovery.


security

Tooling needs threat notes

MCP guidance calls out implementation risks like confused deputy behavior and SSRF, so launch docs need permissions and network boundaries.


handoff

Use the free report yourself, or turn it into a fixed-scope review.

self serve

Run the scanner

$0

Export Markdown or SARIF, inspect the findings, and use the remediation notes in your own release process.

review

Manual risk check

$99

Send the repo or report for a human pass across auth, data rules, env boundaries, payments, deploy config, and install proof.


fix

Rescue sprint

$299+

Fix the highest-value blocker first: exposed config, webhook verification, deploy failure, database rule gap, or broken production flow.

authorized use only

Run Shipcheck on repos you own or are allowed to inspect.

For a review, send the repo link, package link, or exported Shipcheck report. I will confirm scope before paid work starts.
