Pre-deploy security scanner + post-deploy live pentest. Two scripts. Drop them in any project.
Before deploy: Scans your source code for hardcoded credentials, error message leaks, sensitive files in public directories, and bundle size anomalies.
After deploy: Hits your live endpoints like an attacker. Checks for file exposure, error leakage, header fingerprinting, route discovery, and prototype pollution.
# Pre-deploy scan
bash security-gate.sh /path/to/your/project
# Post-deploy pentest
bash pentest.sh https://your-site.com /path/to/your/project- Hardcoded credentials across 12+ providers (Stripe, AWS, GitHub, GitLab, Slack, SendGrid, SSH keys, and more)
- Error message leakage (stack traces, raw error messages sent to clients)
- Sensitive files in public directories (.env, config.json, credentials, SSH keys)
- Bundle size anomalies (accidentally embedded databases, model files, data dumps)
- Custom patterns from your
.shipgate.json
- Sensitive file exposure (12 common files tested against live URL)
- Error probing (malformed JSON, prototype pollution, oversized bodies, long URLs)
- Header fingerprinting (X-Powered-By, server version, missing security headers)
- Route discovery (admin, debug, graphql, swagger, metrics, dashboard)
- Auth bypass on protected endpoints
- Forbidden content in public responses
- Custom checks from your
.shipgate-pentest.json
Drop this in your project root to add project-specific checks:
{
"forbidden": ["internal_api_key", "my_secret_function"],
"forbidden_in_errors": ["DatabaseError", "my_table_name"],
"max_bundle_kb": 300
}{
"auth_endpoints": ["/api/users", "/api/admin"],
"public_endpoints": ["/api/status", "/api/health"],
"forbidden_in_responses": ["internal_id", "debug_info"],
"sensitive_paths": ["backup.sql", "dump.json"]
}{
"scripts": {
"predeploy": "bash shipgate/security-gate.sh .",
"deploy": "your-deploy-command",
"postdeploy": "bash shipgate/pentest.sh https://your-site.com ."
}
}- name: Security gate
run: bash shipgate/security-gate.sh .
- name: Deploy
run: your-deploy-command
- name: Pentest
run: bash shipgate/pentest.sh ${{ env.DEPLOY_URL }} .Both scripts exit 0 on pass, exit 1 on failure. Wire them into your pipeline and they block bad deploys automatically.
The scripts are self-contained bash. No dependencies except curl and python3 (for JSON config parsing). Works on Linux, macOS, WSL.
MIT