Is your app ready to ship?
Built it with Lovable, Bolt, or v0? Drydock scans your code for the things that keep it from being safe in production — leaked secrets, missing auth, no tests — scores it out of 10, and generates the fixes as a pull request.
No signup to run a free audit. See Pro pricing →
See what you get
A sample report, exactly as it renders for a real audit.
Production Readiness
Not production-ready yet
stack: nextjs
files scanned: 128
A live Stripe payment key is written directly in your code.
Fix before launchThis key moves real money. Anyone who finds it can issue refunds, read customer payment data, or create charges.
Roll the key in the Stripe dashboard immediately and keep the new one in environment variables.
Hardcoded Stripe live secret key · app/api/checkout/route.ts:12 · sk_live_51Nc…9aQ2
Your .env file — the file that holds ALL your secrets — is inside the repository.
Fix before launchThe .env file usually contains database passwords and API keys in one place. Committing it hands your entire keychain to anyone who ever sees the code.
Remove it from the repository, add .env to .gitignore, and rotate every secret that was inside.
.env committed to the repository · .env:1
Your Supabase anon (public) key appears in the code.
ImportantThis particular key is meant to be public — it ships in every app's front-end by design, so this is informational, not a breach. The keys that must stay secret are the service_role key and database passwords, which are NOT flagged here.
No urgent action needed for the anon key itself. Do confirm your Row Level Security is on, since the anon key relies on it.
Supabase anon key present in client code · lib/supabaseClient.ts:4 · eyJhbGciOiJI…
The project has no automated tests.
Worth fixingEvery change is a blind edit: things that worked yesterday can silently break today, and you'll learn it from your users.
Start with a few tests for the money paths — signup, login, checkout.
No automated tests found
The app isn't packaged to run on a server (no Dockerfile).
Good to knowIt runs on the builder's platform, but moving to your own hosting — often needed for cost or control — will be a wall.
Add a Dockerfile; our Deploy Pack generates a working one automatically.
No Dockerfile
No automated checks run when the code changes (no CI).
Good to knowBroken changes reach your live app with nothing in the way.
Add a simple GitHub Actions workflow that runs the tests on every change.
No CI workflow