How it works

We turn a repo scan into a launch-readiness score.

Should I Ship checks the production risks that tend to hide inside AI-built apps: security gaps, cost traps, architecture friction, and launch blockers.

The tests

What the scanner looks for

Static checks do the first pass. Semgrep adds security-rule coverage and OSV adds known-vulnerability coverage for dependencies. Then the app groups the findings into the four score areas users see.

Security

40%
  • Exposed secrets and committed env files
  • Missing auth on API routes
  • Cross-user data access risks
  • SQL injection and unsafe query patterns
  • Dangerous functions, open CORS, and missing webhook verification

Launch readiness

30%
  • Rate limiting on API endpoints
  • Input validation on request bodies
  • Error handling across pages and routes
  • Logging and monitoring signals
  • Debug output that can leak internals

Architecture

20%
  • Route and API surface mapping
  • Import graph and circular dependencies
  • Large files and risky module boundaries
  • Orphaned exports and unused code
  • Component and data-flow shape

Cost risk

10%
  • AI provider usage and call density
  • Database query patterns like N+1 loops
  • Unbounded reads and missing pagination
  • Large dependencies and bundle pressure
  • CDN, asset delivery, and third-party service exposure

The score

How findings become points

The score is meant to answer one practical question: what should move before this app goes in front of real users?

01

Each category starts at 100.

02

Findings subtract points based on severity: critical, high, medium, low, or info.

03

Higher-confidence findings count more than lower-confidence findings.

04

Repeated findings taper so one noisy pattern does not flatten the score by itself.

05

Large repos get light normalization, so five issues in a tiny repo hurt more than five issues in a much larger repo.
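The five steps above, carried through on a handful of constructed findings. This is an added illustration, not Should I Ship's own scoring code: the 40/30/20/10 category weights come from this page, while the per-severity penalties, confidence weights, taper curve, size normalization, rule ids and file paths are assumed values chosen only to show the shape of the computation.

```python
"""Worked example of the five scoring steps (constructed illustration)."""
from collections import Counter
from dataclasses import dataclass
from math import sqrt

# Category weights as listed on the page.
CATEGORY_WEIGHTS = {"security": 0.40, "launch_readiness": 0.30,
                    "architecture": 0.20, "cost_risk": 0.10}
# Assumed: points removed per finding before confidence, taper and size scaling.
SEVERITY_PENALTY = {"critical": 25, "high": 15, "medium": 8, "low": 3, "info": 1}
# Assumed: a low-confidence finding counts less than a high-confidence one.
CONFIDENCE_WEIGHT = {"high": 1.0, "medium": 0.7, "low": 0.4}


@dataclass(frozen=True)
class Finding:
    category: str
    rule_id: str
    severity: str
    confidence: str
    path: str
    line: int


def taper(repeat_index: int) -> float:
    """Multiplier for the n-th occurrence (1-based) of one rule in a category.

    Assumed geometric decay with a floor, so a single noisy rule that fires
    fifty times cannot zero the category by itself."""
    return max(0.2, 0.6 ** (repeat_index - 1))


def size_factor(file_count: int, baseline_files: int = 200) -> float:
    """Assumed light normalization: repos at or under the baseline take full
    penalties; larger repos get at most a 50% discount."""
    return min(1.0, max(0.5, sqrt(baseline_files / max(1, file_count))))


def category_scores(findings, file_count):
    """Steps 1-5: start each category at 100 and subtract scaled penalties."""
    scores = {category: 100.0 for category in CATEGORY_WEIGHTS}
    repeats = Counter()
    # Within one rule, charge the strongest evidence first so the taper
    # discounts the weaker repeats rather than the best finding.
    ordered = sorted(findings, key=lambda f: (
        f.category, f.rule_id, -SEVERITY_PENALTY[f.severity],
        -CONFIDENCE_WEIGHT[f.confidence], f.path, f.line))
    scale = size_factor(file_count)
    for f in ordered:
        repeats[(f.category, f.rule_id)] += 1
        penalty = (SEVERITY_PENALTY[f.severity]
                   * CONFIDENCE_WEIGHT[f.confidence]
                   * taper(repeats[(f.category, f.rule_id)])
                   * scale)
        scores[f.category] = max(0.0, scores[f.category] - penalty)
    return scores


def overall_score(scores):
    """Weighted blend of the four category scores."""
    return sum(scores[c] * w for c, w in CATEGORY_WEIGHTS.items())


# Constructed findings for a small repo; rule ids and paths are illustrative.
SAMPLE_FINDINGS = [
    Finding("security", "secrets.committed-env", "critical", "high", ".env", 1),
    Finding("security", "auth.missing-on-route", "high", "high", "api/users.ts", 12),
    Finding("security", "auth.missing-on-route", "high", "medium", "api/orders.ts", 8),
    Finding("security", "auth.missing-on-route", "high", "low", "api/admin.ts", 3),
    Finding("launch_readiness", "ratelimit.missing", "medium", "high", "api/login.ts", 20),
    Finding("launch_readiness", "debug.console-log", "low", "high", "pages/index.tsx", 44),
    Finding("launch_readiness", "debug.console-log", "low", "high", "pages/cart.tsx", 9),
    Finding("architecture", "deps.circular-import", "medium", "medium", "lib/a.ts", 1),
    Finding("cost_risk", "db.n-plus-one", "high", "medium", "api/orders.ts", 30),
]


if __name__ == "__main__":
    # The same findings scored against a 40-file and an 800-file repo.
    for label, files in (("40 files", 40), ("800 files", 800)):
        scores = category_scores(SAMPLE_FINDINGS, file_count=files)
        breakdown = ", ".join(f"{c}={s:.1f}" for c, s in scores.items())
        print(f"{label}: overall={overall_score(scores):.1f} ({breakdown})")
```

Two design points carry the weight here: the taper is applied per rule, not per category, so three distinct security problems still cost their full penalty while the third copy of the same unauthenticated-route pattern costs little; and the size discount is clamped, so a very large repo is never treated as risk-free just because its findings are spread thin.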

Your code

What we keep, and what we do not

We keep the report so you can come back to your scores and findings. We do not keep a copy of your repository.

We request read-only GitHub access for scanning.

We do not keep a copy of your repository.

We save the report: scores, findings, file paths, line numbers, metadata, and small redacted snippets when needed to explain an issue.

Temporary files created for Semgrep and OSV scans are deleted after those tools finish.

When AI summaries are enabled, finding context and a short recent diff excerpt can be sent to the AI provider to write the plain-English report. The score still comes from the scanner.

Get the score for the project you are shipping.

Three minutes, read-only GitHub access, and a report that points to the work that matters first.

Scan your repo