Shipcheck MCP
@TateLyman
About Shipcheck MCP
MCP server for read-only Shipcheck launch-risk scans on authorized JavaScript and TypeScript repos
Basic information
Config
Add this server to your MCP-compatible client using the configuration below.
{
"mcpServers": {
"shipcheck": {
"command": "npx",
"args": [
"--yes",
"--package",
"shipcheck-mcp",
"shipcheck-mcp"
]
}
}
}Tools
No tools detected
We auto-extract tools from the README. The maintainer can list them under a ## Tools heading to populate this section.
Overview
What is Shipcheck MCP?
Shipcheck MCP is an MCP server that lets local MCP clients run Shipcheck on authorized JavaScript and TypeScript repositories. It performs defensive static analysis to detect launch risks such as exposed private-looking environment variables, unsigned Stripe webhooks, missing Supabase/Firebase rule evidence, debug routes, missing usage-cost guardrails, missing CI, loose dependencies, thin release docs, missing MCP smoke-test proof, undocumented STDIO execution boundaries, and undocumented remote MCP auth boundaries.
How to use Shipcheck MCP?
Run directly with npx --yes shipcheck-mcp. Add the server to an MCP client's stdio configuration using command: "npx" and args: ["--yes", "--package", "shipcheck-mcp", "shipcheck-mcp"]. Once configured, invoke the scan_repository tool with parameters such as root, format, failOn, and strict.
Key features of Shipcheck MCP
- Scans repos for over a dozen common launch risks
- Defensive static analysis – reads files, does not modify or execute code
- No network access required
- Multiple output formats: text, markdown, JSON, SARIF
- Configurable severity thresholds (info/low/medium/high) and strict mode
- Designed for JavaScript and TypeScript projects
Use cases of Shipcheck MCP
- Pre-launch safety check for MCP servers before publishing
- Automated CI pipeline scan for insecure configurations
- Local audit of a repository to catch missing security evidence
FAQ from Shipcheck MCP
What risks does Shipcheck MCP check for?
It scans for exposed private-looking env vars, unsigned Stripe webhooks, missing Supabase/Firebase rule evidence, debug routes, missing usage-cost guardrails, missing CI, loose dependencies, thin release docs, missing MCP smoke-test proof, undocumented STDIO execution boundaries, and undocumented remote MCP auth boundaries.
Does Shipcheck MCP modify my repository or execute code?
No. Shipcheck is defensive static analysis. It reads local project files, does not modify the repository, does not execute project code, and does not require network access.
On which repositories can I run Shipcheck MCP?
Only on repos you own or are authorized to inspect. The tool is meant for authorized use only.
What output formats are supported?
Formats: text, markdown, json, or sarif.
What severity levels can I set?
Severities: info, low, medium, or high. You can also set failOn to a specific severity to fail the scan when issues at that level or higher are found.
More Other MCP servers
MaxKB
1Panel-dev🔥 MaxKB is an open-source platform for building enterprise-grade agents. 强大易用的开源企业级智能体平台。
Reactive Resume
amruthpillaiA one-of-a-kind resume builder that keeps your privacy in mind. Completely secure, customizable, portable, open-source and free forever. Try it out today!

EverArt
modelcontextprotocolModel Context Protocol Servers
Awesome-MCP-ZH
yzflyMCP 资源精选, MCP指南,Claude MCP,MCP Servers, MCP Clients
🚀 Model Context Protocol (MCP) Curriculum for Beginners
microsoftThis open-source curriculum introduces the fundamentals of Model Context Protocol (MCP) through real-world, cross-language examples in .NET, Java, TypeScript, JavaScript, Rust and Python. Designed for developers, it focuses on practical techniques for building modular, scalable,
Comments