Features

40+ rules. 8 domains.
Everything that bites.

RepoReady checks your GitHub repo against the SHIP-SAFE audit framework — a structured checklist built from real SaaS post-mortems, security incidents, and launch failures.

See pricing

The SHIP-SAFE framework

Click into any domain to see exactly what gets checked.

Secrets

Hardcoded API keys and tokens in source files
Committed `.env`, `.env.local`, `.env.production` files
AWS credentials, private keys, PEM blocks in code
Stripe secret keys or webhook secrets in non-env files
Passwords or database URLs in config files

Hooks

Stripe webhook handler missing `stripe.webhooks.constructEvent()`
GitHub webhook endpoints with no HMAC signature verification
Webhook routes listed as public in auth middleware
Raw body not preserved before JSON parsing in webhook route

Identity

API routes missing auth session check at the top
`/api/admin` routes with no role or auth guard
Missing auth middleware protecting dashboard and account routes
User input used in DB queries without ownership verification

Payments

Hardcoded Stripe price IDs instead of `process.env.*`
Hardcoded `unit_amount` in checkout session creation
`STRIPE_WEBHOOK_SECRET` missing from environment config
Checkout success/cancel URLs pointing to localhost
Customer email taken from request body instead of server-side auth

Surfaces

No rate limiting on auth or scan trigger endpoints
No rate limiting on public-facing API routes
Admin endpoints accessible without IP restriction
CORS policy set to wildcard `*` on sensitive routes

Availability

Missing `/api/health` route for uptime monitoring
Unhandled promise rejections in async server functions
No global error boundary (`error.tsx`)
Database calls with no timeout or error fallback
Missing `try/catch` around third-party API calls

Footguns

`eval()` or `new Function()` in application code
`dangerouslySetInnerHTML` without sanitization
Secrets or user PII logged via `console.log`
Disabled TypeScript strict mode or `@ts-ignore` on security-critical files

Exit

Missing `public/robots.txt`
Missing `og:title`, `og:description`, `og:image` meta tags
Missing `twitter:card` meta tags
No sitemap (`sitemap.ts` or `sitemap.xml`)
Missing `<title>` on key landing and marketing pages

Under the Hood

How RepoReady works

Built for speed, privacy, and signal over noise.

File prioritization, not full clones

RepoReady doesn't clone your entire repo. It fetches your file tree, then selectively pulls priority files: API routes, middleware, payment code, environment configs, auth helpers. Scans run in seconds, not minutes.

Pattern-matching only — no AI

Every rule is a deterministic regex or structural check. There are no AI-generated guesses, no hallucinated vulnerabilities, no false positives caused by LLM confusion. What you see is a real match in your real code.

Severity-ranked findings

Each finding is ranked BLOCKER, WARNING, or REVIEW. BLOCKERs are things that will get you hacked or cause data loss. WARNINGs are serious but not immediately catastrophic. REVIEWs are things worth checking before launch.

Pre-written fix guidance

Every finding ships with a copy-paste fix suggestion. You don't need to Google what to do — the guidance is written specifically for the rule that fired, so you can fix it in minutes.

Shareable public reports

Every scan generates a public read-only report URL at `/reports/[id]`. Share it with a co-founder, investor, or client to show you've done the work. Reports show top 3 findings publicly, full report for paid accounts.

Your code stays private

We store only findings: the rule, severity, file path, and a 10-line snippet around the match. Full file contents are never stored in our database. GitHub tokens are held by Clerk, not our servers.

See it find issues in your repo.

One free scan. No credit card. Takes under 2 minutes.

Features

40+ rules. 8 domains.
Everything that bites.

RepoReady checks your GitHub repo against the SHIP-SAFE audit framework — a structured checklist built from real SaaS post-mortems, security incidents, and launch failures.

See pricing

The SHIP-SAFE framework

Click into any domain to see exactly what gets checked.

Secrets

Hardcoded API keys and tokens in source files
Committed `.env`, `.env.local`, `.env.production` files
AWS credentials, private keys, PEM blocks in code
Stripe secret keys or webhook secrets in non-env files
Passwords or database URLs in config files

Hooks

Stripe webhook handler missing `stripe.webhooks.constructEvent()`
GitHub webhook endpoints with no HMAC signature verification
Webhook routes listed as public in auth middleware
Raw body not preserved before JSON parsing in webhook route

Identity

API routes missing auth session check at the top
`/api/admin` routes with no role or auth guard
Missing auth middleware protecting dashboard and account routes
User input used in DB queries without ownership verification

Payments

Hardcoded Stripe price IDs instead of `process.env.*`
Hardcoded `unit_amount` in checkout session creation
`STRIPE_WEBHOOK_SECRET` missing from environment config
Checkout success/cancel URLs pointing to localhost
Customer email taken from request body instead of server-side auth

Surfaces

No rate limiting on auth or scan trigger endpoints
No rate limiting on public-facing API routes
Admin endpoints accessible without IP restriction
CORS policy set to wildcard `*` on sensitive routes

Availability

Missing `/api/health` route for uptime monitoring
Unhandled promise rejections in async server functions
No global error boundary (`error.tsx`)
Database calls with no timeout or error fallback
Missing `try/catch` around third-party API calls

Footguns

`eval()` or `new Function()` in application code
`dangerouslySetInnerHTML` without sanitization
Secrets or user PII logged via `console.log`
Disabled TypeScript strict mode or `@ts-ignore` on security-critical files

Exit

Missing `public/robots.txt`
Missing `og:title`, `og:description`, `og:image` meta tags
Missing `twitter:card` meta tags
No sitemap (`sitemap.ts` or `sitemap.xml`)
Missing `<title>` on key landing and marketing pages

Under the Hood

How RepoReady works

Built for speed, privacy, and signal over noise.

File prioritization, not full clones

Pattern-matching only — no AI

Severity-ranked findings

Pre-written fix guidance

Every finding ships with a copy-paste fix suggestion. You don't need to Google what to do — the guidance is written specifically for the rule that fired, so you can fix it in minutes.

Shareable public reports

Your code stays private

We store only findings: the rule, severity, file path, and a 10-line snippet around the match. Full file contents are never stored in our database. GitHub tokens are held by Clerk, not our servers.

See it find issues in your repo.

One free scan. No credit card. Takes under 2 minutes.

40+ rules. 8 domains.Everything that bites.

The SHIP-SAFE framework

How RepoReady works

See it find issues in your repo.

40+ rules. 8 domains.Everything that bites.

The SHIP-SAFE framework

How RepoReady works

See it find issues in your repo.

40+ rules. 8 domains.
Everything that bites.

40+ rules. 8 domains.
Everything that bites.