Skip to content

deveraux-dev/shipgate

Repository files navigation

Shipgate

Pre-deploy security scanner + post-deploy live pentest. Two scripts. Drop them in any project.

What it does

Before deploy: Scans your source code for hardcoded credentials, error message leaks, sensitive files in public directories, and bundle size anomalies.

After deploy: Hits your live endpoints like an attacker. Checks for file exposure, error leakage, header fingerprinting, route discovery, and prototype pollution.

Quick start

# Pre-deploy scan
bash security-gate.sh /path/to/your/project

# Post-deploy pentest
bash pentest.sh https://your-site.com /path/to/your/project

What it catches

Pre-deploy (security-gate.sh)

  • Hardcoded credentials across 12+ providers (Stripe, AWS, GitHub, GitLab, Slack, SendGrid, SSH keys, and more)
  • Error message leakage (stack traces, raw error messages sent to clients)
  • Sensitive files in public directories (.env, config.json, credentials, SSH keys)
  • Bundle size anomalies (accidentally embedded databases, model files, data dumps)
  • Custom patterns from your .shipgate.json

Post-deploy (pentest.sh)

  • Sensitive file exposure (12 common files tested against live URL)
  • Error probing (malformed JSON, prototype pollution, oversized bodies, long URLs)
  • Header fingerprinting (X-Powered-By, server version, missing security headers)
  • Route discovery (admin, debug, graphql, swagger, metrics, dashboard)
  • Auth bypass on protected endpoints
  • Forbidden content in public responses
  • Custom checks from your .shipgate-pentest.json

Custom patterns

.shipgate.json (pre-deploy)

Drop this in your project root to add project-specific checks:

{
  "forbidden": ["internal_api_key", "my_secret_function"],
  "forbidden_in_errors": ["DatabaseError", "my_table_name"],
  "max_bundle_kb": 300
}

.shipgate-pentest.json (post-deploy)

{
  "auth_endpoints": ["/api/users", "/api/admin"],
  "public_endpoints": ["/api/status", "/api/health"],
  "forbidden_in_responses": ["internal_id", "debug_info"],
  "sensitive_paths": ["backup.sql", "dump.json"]
}

Wire into your deploy

npm

{
  "scripts": {
    "predeploy": "bash shipgate/security-gate.sh .",
    "deploy": "your-deploy-command",
    "postdeploy": "bash shipgate/pentest.sh https://your-site.com ."
  }
}

CI/CD

- name: Security gate
  run: bash shipgate/security-gate.sh .

- name: Deploy
  run: your-deploy-command

- name: Pentest
  run: bash shipgate/pentest.sh ${{ env.DEPLOY_URL }} .

How it works

Both scripts exit 0 on pass, exit 1 on failure. Wire them into your pipeline and they block bad deploys automatically.

The scripts are self-contained bash. No dependencies except curl and python3 (for JSON config parsing). Works on Linux, macOS, WSL.

License

MIT

About

helps you ship

Resources

License

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages