u/Outrageous_Cat_8541

I built a free CLI that scans your vibe-coded project locally before you ship it. No sign up, no GitHub, nothing leaves your machine.

I kept seeing people hesitant to share their code for security scans, so I made the whole thing run locally.

npx should-i-ship scan

It checks for missing auth, rate limiting gaps, exposed secrets, input validation issues, dangerous functions, and general launch blockers. You get your top 3 findings with full detail for free.

So far across scans I’ve been running, 40% of projects had hardcoded credentials, 40% had zero rate limiting on API endpoints, and 40% had routes with no auth at all. These aren’t edge cases. They keep showing up.

If you want the complete report with every finding, exact files, and fix prompts, that’s $10. Still no account needed. Findings get uploaded (never source code), you get a link, you pay, you see everything.

If you have Semgrep or OSV installed locally, it’ll run those too for deeper security and dependency checks. I’d recommend it if you’re serious about shipping something to prod.

Almost at 1k npm downloads in about two weeks. Just want to help people catch this stuff before their users do.

npx should-i-ship scan

reddit.com
u/Outrageous_Cat_8541 — 21 hours ago

I scanned 15 vibe-coded repos this week. 40% had hardcoded credentials and zero rate limiting.

I built a tool called Should I Ship that scans codebases for launch blockers. Here’s what 15 scans this week found:

100% had orphaned files. Code that nothing references anymore but is still sitting in the project. AI tools generate files and then forget about them when they refactor.

40% had API routes with no authentication. Endpoints anyone can hit directly.

40% had hardcoded credentials somewhere in the codebase.

40% had zero rate limiting on their API endpoints. One bad actor or scraper and your costs explode.

40% had endpoints missing input validation. Users can send whatever they want and your backend just accepts it.

None of this is unusual for AI-generated code. AI tools are great at getting working versions out fast, but they’re not always built for production.

You can run a free local scan with the CLI (npm i should-i-ship) or try a free preview at shouldiship.com. Full launch report is $10.

reddit.com
u/Outrageous_Cat_8541 — 3 days ago

If you vibe-coded your app, check these 5 things before you ship it

I built a tool called Should I Ship that scans codebases built with Cursor, Bolt, Lovable, etc. for security gaps, cost traps, and things that’ll break when real users show up.

Between my own scans and what I keep seeing people post about in this sub and on X, the same problems come up over and over:

  1. API keys hardcoded in the client. Not in env vars, just sitting in the frontend code. One browser inspector away from being stolen.

  2. No rate limiting anywhere. Your AI features will get scraped or abused on day one and you’ll wake up to a $500 OpenAI bill.

  3. No error handling on payments. Stripe webhook failures silently eat transactions. Users pay, nothing happens, you don’t know.

  4. Auth that looks right but isn’t. Routes that check auth on the frontend but not the API. Anyone with Postman can hit your endpoints directly.

  5. Database queries with no pagination or limits. Works fine with 10 users, falls over at 100.

None of this means your app is bad. It means AI tools are great at building features and terrible at thinking about what happens when strangers use them.

If you want me to scan your repo, drop it in the comments or DM me. Free for public repos. I’m building up case studies and genuinely want to help people catch this stuff before launch.

shouldiship.com if you want to check it out.

reddit.com
u/Outrageous_Cat_8541 — 7 days ago
▲ 2 · r/buildinpublic · +1 crosspost

I built a local CLI scanner for checking AI-built apps before launch

I posted here recently about Should I Ship, a launch-readiness scanner for AI-built apps.

The most useful feedback was not about pricing or copy. It was about trust.

A few people basically said: “This seems useful, but asking builders to connect a repo immediately is a big ask, especially for a tool that is supposed to catch security issues.”

That was fair.

So I shipped a local CLI.

You can now run:

npx should-i-ship@latest scan

It writes a local Markdown & JSON report to .should-i-ship/ and does not upload source code.

It also shows which scan engines ran locally, so the report is clear about what was checked.

The free scan catches the obvious launch risks.

The $19 Launch Ready Report is still the paid path for people who want the deeper hosted scan: security gaps, auth, APIs, dependencies, launch blockers, production readiness, prioritized fixes, a saved dashboard, shareable report, and one rescan credit.

Quick clarification on privacy:

The CLI does not upload source code.

The hosted paid report requires explicit read-only GitHub auth because it rescans the repo and creates the saved/shareable report.

So the split is:

  • CLI = local, free, private, quick sanity check
  • Hosted Launch Ready Report = deeper scan, saved dashboard, prioritized fixes, shareable report, rescan credit

I’m also thinking through a GitHub workflow next, so teams can keep this closer to their existing review/deploy process.

This is not meant to replace a professional security audit. It is meant to be a pre-launch sanity check for people shipping AI-built apps faster than they can confidently review them.

Appreciate the feedback from this sub. The local-first path was the right call.

shouldiship.com
u/Outrageous_Cat_8541 — 9 days ago

Your AI-built app works. That doesn’t mean it’s safe to launch.

AI tools have made it weirdly easy to get from idea to working app.

That’s amazing, but it also creates this uncomfortable gap: just because the app runs, the buttons work, and the demo feels real… doesn’t mean it’s safe to put in front of users.

I’ve been building a tool called Should I Ship for that exact moment.

It scans a repo for common launch blockers like:

  • missing auth checks
  • unverified Stripe webhooks
  • exposed keys/env files
  • no rate limits
  • AI/API cost traps
  • missing input validation
  • missing error monitoring
  • brittle architecture patterns

To be clear: this is not meant to replace a professional security audit. It’s more of a pre-launch sanity check for non-technical or semi-technical builders who used AI to build something and want to know, “What are the obvious things I should fix before I send this to real users?”

I originally framed it as a subscription product, but that felt too heavy for the moment people actually care most: right before launch. So I just added a $19 one-time Launch Ready Report.

The flow is:

  • connect a repo
  • run a private scan
  • get a launch-readiness score
  • see the highest-risk findings and suggested fixes
  • optionally share a privacy-safe report/badge

I’m trying to figure out if this positioning is useful or if it sounds too fear-based.

Would love blunt feedback:

Is $19 reasonable for a one-time pre-launch sanity check?

If you used AI to build an app, would you trust a tool like this enough to connect a repo?

What would you need to see before trusting the report?

Does “launch readiness for AI-built apps” feel like a real category?

reddit.com
u/Outrageous_Cat_8541 — 14 days ago

Small onboarding lesson from a micro SaaS I’m building:

If your input expects a very specific kind of URL, don’t just say “paste a URL” or even “paste a repo.”

I’m building a pre-launch scanner for AI-built apps. The free preview needs a public GitHub repo URL.

Yesterday I got a small spike of usage and noticed people were pasting deployed app URLs instead of GitHub repos.

Totally reasonable mistake. My copy said “paste a repo,” but the user saw “scan my app” and pasted the app.

I changed the error from: “Paste a public GitHub repo URL like https://github.com/owner/repo.”

to:

“Free preview scans public GitHub repos only. Paste a repo URL like https://github.com/owner/repo.”

Tiny copy change, but it made the constraint much clearer.

Curious how other people handle this: do you explain strict input requirements before submission, after failed validation, or both?

reddit.com
u/Outrageous_Cat_8541 — 23 days ago