npx --yes shipcheck-cli .
shipcheck-cli / npm release gate
Static release checks for JS, TS, and MCP repos.
Shipcheck reads authorized repositories and reports the launch risks that usually show up after first users arrive: exposed configuration, unsigned webhooks, missing database-rule evidence, debug routes, dependency drift, and incomplete MCP listing metadata.
- input: local repo
- output: text / md / json / sarif
- use case: pre-launch gate
CLI for local checks, GitHub Action for pull requests, and SARIF for code scanning workflows.
Findings are written as handoff notes: what is risky, why it matters, and what to inspect next.
Checks server package identity, registry metadata, install instructions, and tool-safety notes.
install
One command locally, one workflow in CI.
npx --yes shipcheck-cli . --format markdown > shipcheck-report.md
npx --yes shipcheck-cli . --format sarif > shipcheck.sarif
npx --yes --package shipcheck-mcp shipcheck-mcp
- uses: TateLyman/shipcheck-action@v1
  with:
    format: sarif
    output: shipcheck.sarif
    fail-on: medium
    strict: true
checks
The scanner focuses on things that are expensive to learn in production.
env / Secrets and config boundaries
Flags private-looking keys, service-role references, sensitive public env names, and loose environment-file hygiene.
payments / Webhook safety
Looks for Stripe webhook handlers without visible signature verification and calls out payment paths that need review.
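The webhook check above, illustrated with an added example that is not Shipcheck's own code: a simplified static check that scans JavaScript source text for a Stripe webhook handler and reports it when no call to stripe.webhooks.constructEvent together with a read of the stripe-signature header is visible. The heuristics, the rule id, and the sample files are assumptions constructed for this illustration.

```javascript
// Added illustration, not Shipcheck's own code. Assumed heuristics:
//  - a file is a Stripe webhook handler if its source mentions both "stripe" and "webhook";
//  - verification is "visible" if it calls stripe.webhooks.constructEvent (or the Async
//    variant) AND reads the stripe-signature header.
function checkStripeWebhook(path, source) {
  if (!/stripe/i.test(source) || !/webhook/i.test(source)) return null; // not a handler
  const usesConstructEvent = /\.webhooks\.constructEvent(Async)?\s*\(/.test(source);
  const readsSigHeader = /['"`]stripe-signature['"`]/i.test(source);
  if (usesConstructEvent && readsSigHeader) return null; // verification is visible
  return {
    file: path,
    rule: 'payments/webhook-signature', // hypothetical rule id
    severity: 'high',
    message: 'Stripe webhook handler without visible signature verification',
    next: 'Use express.raw() on the route and verify req.body with ' +
      'stripe.webhooks.constructEvent before acting on event data.',
  };
}

// Run the check over a { path: source } map and return findings in handoff-note form.
function scan(files) {
  return Object.entries(files)
    .map(([path, source]) => checkStripeWebhook(path, source))
    .filter(Boolean);
}

// Constructed sample repo: one unverified handler, one verified handler, one unrelated route.
const SAMPLE_FILES = {
  'src/webhook-unverified.js': [
    "const stripe = require('stripe')(process.env.STRIPE_SECRET_KEY);",
    "app.post('/webhook', express.json(), (req, res) => {",
    "  const event = req.body; // parsed body trusted without a signature check",
    "  if (event.type === 'checkout.session.completed') fulfill(event.data.object);",
    "  res.sendStatus(200);",
    "});",
  ].join('\n'),
  'src/webhook-verified.js': [
    "const stripe = require('stripe')(process.env.STRIPE_SECRET_KEY);",
    "app.post('/webhook', express.raw({ type: 'application/json' }), (req, res) => {",
    "  const sig = req.headers['stripe-signature'];",
    "  let event;",
    "  try { event = stripe.webhooks.constructEvent(req.body, sig, process.env.STRIPE_WEBHOOK_SECRET); }",
    "  catch (err) { return res.status(400).send('Webhook Error: ' + err.message); }",
    "  res.json({ received: true });",
    "});",
  ].join('\n'),
  'src/health.js': "app.get('/health', (req, res) => res.send('ok'));",
};
console.log(JSON.stringify(scan(SAMPLE_FILES), null, 2)); // prints the single finding
```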
data / Database rule evidence
Checks for Firebase rules and Supabase RLS policy evidence before user data moves through the app.
routes / Debug and test leftovers
Finds routes and files that look like seed, reset, mock, debug, admin-test, or temporary bypass paths.
usage / Paid API usage controls
Warns when expensive external calls lack visible rate limits, quotas, throttling, or abuse controls.
release / Build and release hygiene
Catches missing CI, missing lockfiles, risky scripts, loose dependency versions, and weak TypeScript config.
sarif / Code scanning handoff
Exports SARIF so findings can live in GitHub code scanning instead of getting buried in a job log.
mcp / MCP server mode
Runs as an MCP server for authorized local repo scans and returns text, Markdown, JSON, or SARIF output.
registry / MCP launch metadata
Flags missing package identity, missing server.json, unclear install config, and vague tool-safety notes.
may 2026 bar
Package trust and MCP install quality are now part of launch readiness.
npm / Trusted publishing
npm's current flow supports OIDC-based trusted publishers for GitHub Actions, GitLab CI/CD, and CircleCI, reducing dependence on long-lived publish tokens.
Reference: npm docs
provenance / Build origin matters
Public packages published through trusted publishing can get provenance attestations by default, which gives buyers a clearer source-to-package trail.
Reference: provenance note
mcp / Registry metadata is moving
The MCP Registry is still marked preview, with server.json carrying package and remote-server metadata for discovery.
security / Tooling needs threat notes
MCP guidance calls out implementation risks like confused deputy behavior and SSRF, so launch docs need permissions and network boundaries.
Reference: MCP security docs
handoff
Use the free report yourself, or turn it into a fixed-scope review.
self serve / Run the scanner: $0
Export Markdown or SARIF, inspect the findings, and use the remediation notes in your own release process.
review / Manual risk check: $99
Send the repo or report for a human pass across auth, data rules, env boundaries, payments, deploy config, and install proof.
Reference: payment details
fix / Rescue sprint: $299+
Fix the highest-value blocker first: exposed config, webhook verification, deploy failure, database rule gap, or broken production flow.
authorized use only
Run Shipcheck on repos you own or are allowed to inspect.
For a review, send the repo link, package link, or exported Shipcheck report. I will confirm scope before paid work starts.