CVE-2025-48757 · 170+ apps breached, real user data leaked

Security for apps built without a developer.

ShipIntel is the security layer for AI-built apps. Connect your repo, get a plain-English audit, paste the fix straight back into Lovable, Cursor, or Bolt.

Report card: shipintel.dev/r/4f2a91
my-startup-app · Score 34 / 100 · Critical risk — action needed
4 critical · 2 high · 3 medium

  • Critical: User data table is publicly readable. Anyone on the internet can list every row in profiles. Row-level security is off.
  • High: API key visible to every visitor. Your OpenAI key is bundled into the browser. It can be extracted and used to bill your account.
  • High: 3 endpoints have no authentication. Routes accept requests from anyone — not just your logged-in users.
Built for apps from Lovable, Bolt, v0, Cursor, Replit, and Windsurf.
The problem

AI tools shipped millions of apps fast. Security didn't ship with them.

  • 170+ Lovable apps exposed in CVE-2025-48757 alone, real user data leaked
  • 45% of AI-generated code samples contain OWASP Top 10 vulnerabilities
  • 28.6M secrets newly committed to public repositories in 2025
  • 10× the security defect rate of human-written code, in AI-assisted commits

"Existing scanners assume you can use a terminal. Vibe coders never opened one. ShipIntel is built for the people who built the apps — not for the people who wrote the scanners."

— Design principle
How it works

Three steps. No terminal required.

Built for founders who have never run a command line in their lives. From URL to actionable fixes in under a minute.

01 · Connect your repo

Sign in with GitHub. We request read-only access to one repository — nothing else. Private repos fully supported.

02 · We audit the real risks

Our engine inspects code, dependencies, secrets history, and live infrastructure for the exact failure modes AI tools produce.

03 · Paste the fix into your AI tool

Every finding includes a copy-paste prompt for Lovable, Bolt, or Cursor. No jargon, no CVE codes — just instructions your AI tool understands.

What ShipIntel inspects

  • Database access policies: live audit of who can actually read or write your tables — not just whether the rules exist.
  • Secret & key exposure: detects keys leaked in code, env files, browser bundles, and the full git history — including ones already deleted.
  • Endpoint authentication: identifies API routes shipping without authentication or authorization checks.
  • Dependency vulnerabilities: continuous CVE matching across every package your app pulls in, with safe-version suggestions.
  • Injection & input handling: patterns AI tools commonly produce that allow attackers to manipulate your queries or your data.
  • Cross-origin & perimeter config: misconfigured CORS, missing security headers, exposed admin routes — the ones AI tools tend to miss.
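The "Secret & key exposure" check, and the "API key visible to every visitor" finding in the report card above, come down to two questions: does a secret-shaped string appear in the repository, and where does it sit (a committed `.env`, or a built browser asset that every visitor downloads). The scanner below is an added example, not ShipIntel's code: the key shapes, the directory heuristics, the `VITE_`/`NEXT_PUBLIC_` prefix rule, and the sample repository are constructed assumptions, and the key values in it are fake.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Secret shapes to look for. The "sk-" prefix is the one the sample report
# card flags (an OpenAI key); the other two are illustrative assumptions
# in the same spirit, not a complete rule set.
SECRET_PATTERNS = {
    "openai_api_key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "url_with_password": re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:[^@\s]+@"),
}

# Bundlers inline env vars with these prefixes into the client build, so a
# secret stored under such a name ends up in the browser bundle.
CLIENT_ENV_PREFIXES = ("VITE_", "NEXT_PUBLIC_")

# Directories whose contents are served to every visitor (assumed layout).
BROWSER_ASSET_DIRS = ("dist/", "build/", ".next/static/", "public/")


@dataclass
class Finding:
    path: str
    line: int
    kind: str
    severity: str
    reason: str
    evidence: str  # masked; the full secret is never stored in the report


def mask(secret: str) -> str:
    """Keep just enough of the value to locate it, never enough to use it."""
    if len(secret) <= 12:
        return "***"
    return secret[:6] + "..." + secret[-4:]


def classify(path: str, line_text: str) -> tuple[str, str]:
    """Severity depends on where the secret sits, not only on its shape."""
    if path.startswith(BROWSER_ASSET_DIRS):
        return "high", "shipped in the browser bundle, visible to every visitor"
    filename = path.rsplit("/", 1)[-1]
    if filename.startswith(".env"):
        var_name = line_text.split("=", 1)[0].strip()
        if var_name.startswith(CLIENT_ENV_PREFIXES):
            return "high", f"{var_name} is inlined into the browser bundle at build time"
        return "medium", "server-side env file committed to the repository"
    return "medium", "hard-coded in source"


def scan_file(path: str, text: str) -> list[Finding]:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                severity, reason = classify(path, line)
                findings.append(Finding(path, lineno, kind, severity, reason, mask(match.group(0))))
    return findings


def scan_repo(files: dict[str, str]) -> list[Finding]:
    """files maps repo-relative path -> contents.
    A real scanner would walk a checkout and its git history instead."""
    return [f for path, text in files.items() for f in scan_file(path, text)]


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample repository; the key and password values are fake.
SAMPLE_FILES = {
    "src/lib/ai.ts": "const client = new OpenAI({ apiKey: import.meta.env.VITE_OPENAI_KEY });",
    ".env": "VITE_OPENAI_KEY=sk-EXAMPLEc3d4e5f6g7h8i9j0k1l2m3n4o5p6\nDATABASE_URL=postgres://app:s3cret@db.internal:5432/app",
    "dist/assets/index-3f2a.js": 'const k="sk-EXAMPLEc3d4e5f6g7h8i9j0k1l2m3n4o5p6";fetch("https://api.openai.com/v1/chat/completions",{headers:{Authorization:"Bearer "+k}});',
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_FILES):
        print(f"{f.severity.upper():6} {f.path}:{f.line} {f.kind} ({f.evidence}): {f.reason}")
    print(summarize(scan_repo(SAMPLE_FILES)))
```

Note that `src/lib/ai.ts` produces no finding even though it is the root cause: it reads the key through `import.meta.env.VITE_OPENAI_KEY`, which is exactly why the same value shows up twice, once in the committed `.env` and once in the built `dist/` asset. Reporting the location alongside the match is what turns "a key exists" into the report card's "visible to every visitor".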
Architecture

Engineered like enterprise security. Designed for solo founders.

Four layers operate behind a single GitHub URL. Each layer specialises — together they catch the failure modes a single tool can't.

Built on a Python-native, open-source-first stack. No vendor lock-in. Customer source code is processed in ephemeral environments, never persisted.

SOC 2 ready · Read-only access · Zero source-code retention · Encrypted at rest
04 · Presentation: Application
A real-time scan dashboard, shareable report cards, and the upgrade flow. Server-rendered for speed and accessibility — no heavy client bundle.
Server-rendered · Real-time updates

03 · Intelligence: Translation Layer
Raw findings are converted into plain-English explanations and copy-paste fix prompts tuned per AI tool. Powered by Anthropic's Claude with multi-tier prompt caching.
Claude (Haiku 4.5) · Prompt caching · Per-tool tuning

02 · Core: Detection Engine (proprietary)
A multi-stage pipeline of static analysis, dependency auditing, secrets discovery, and live configuration probing — tuned specifically against patterns observed in AI-generated code.
Static analysis · CVE matching · Secrets discovery · Live config audit

01 · Foundation: Infrastructure & Data
Async job orchestration handles the scan workload. PostgreSQL stores audit metadata only — never full source code. Results cached by commit fingerprint to keep scans fast and economics tight.
PostgreSQL · Async workers · Commit-level cache
01 · Read-only by design
We never write to your repository. Minimum-privilege OAuth scopes, scoped to the repo you select.

02 · No source retention
Code lives in an ephemeral environment for the duration of the scan, then is destroyed.

03 · Open foundation
Built on permissively licensed primitives. No vendor we can't replace, no dependency that can change terms on you.

04 · Honest about limits
We tell you what we can't see. No security tool catches everything — we'd rather be useful than overstated.
Pricing

No subscription unless you want one.

Pay per scan, or go Professional for a monthly allowance at a lower rate. Every scan is a full report — no feature gates, no teaser tiers.

Pay Per Report
$36 / scan

No commitment. Pay once, get a full report on any public GitHub repo.

  • Full report — every finding
  • Copy-paste fix prompts
  • Security score
  • Full git-history secret scan
  • Shareable report card
  • Report stays forever — no expiry
Professional · Yearly (Save 27%)
$2,099 / year

150 scans/year at $14 each — 61% off pay-per-scan.

  • 150 scans per year
  • Everything in Professional Monthly
  • Lowest per-scan cost
  • Extra scans at $24 each
  • Annual invoice for business
  • Score-over-time dashboard soon

Prices shown in USD ($) based on your location — join the waitlist to lock in launch-day pricing

Roadmap

From zero to launch. Eight weeks.

A focused build, in public. No fundraising, no over-engineering. Ship the core, validate it, grow.

Week 01 · Detection engine
  • Multi-stage scan pipeline
  • Detection rules calibrated against real AI-built repos
  • False-positive tuning

Week 02 · Translation layer
  • Plain-English finding output
  • Per-tool fix prompt generation
  • Quality tuning across vulnerability types

Week 03 · GitHub integration
  • OAuth flow & minimum-privilege scopes
  • Repository ingest pipeline
  • Commit-level result caching

Week 04 · Auth & payments
  • Account system & sessions
  • Stripe billing for Pay Per Report & Professional
  • Scan quota enforcement

Week 05 · Application UI
  • Dashboard & live scan progress
  • Report & finding-card views
  • Public shareable cards

Week 06 · Closed beta
  • 10 founder-builders, each given close attention
  • Live observation of every scan
  • UX iteration on real friction

Week 07 · Launch prep
  • Public assets & positioning
  • OG image generation
  • Payment flow stress-tested

Week 08 · Launch: Go live
  • Discord, Twitter, Reddit, Show HN
  • Live response & daily fixes
  • Target: first 10 paying customers
Early access

Be the first to know when ShipIntel launches.

Founding members lock in launch-day pricing for life. One email from us when we go live. That's it.

No credit card · No spam · Unsubscribe any time