Drydock
Production-readiness audits for vibe-coded apps

Is your app ready to ship?

Built it with Lovable, Bolt, or v0? Drydock scans your code for the things that keep it from being safe in production — leaked secrets, missing auth, no tests — scores it out of 10, and generates the fixes as a pull request.

Public GitHub repos only. The scan runs synchronously — keep this tab open until it finishes.

No signup to run a free audit. See Pro pricing →

See what you get

A sample report, exactly as it renders for a real audit.

Example reportIllustrative data — not a real audit

Production Readiness

Not production-ready yet

stack: nextjs

files scanned: 128

2 critical1 high1 medium2 low
Security
1.8
Auth
6.2
Correctness
8.0
Config
7.4
Testing
6.4
Deploy
8.5
  • A live Stripe payment key is written directly in your code.

    Fix before launch

    This key moves real money. Anyone who finds it can issue refunds, read customer payment data, or create charges.

    Roll the key in the Stripe dashboard immediately and keep the new one in environment variables.

    Hardcoded Stripe live secret key · app/api/checkout/route.ts:12 · sk_live_51Nc…9aQ2

  • Your .env file — the file that holds ALL your secrets — is inside the repository.

    Fix before launch

    The .env file usually contains database passwords and API keys in one place. Committing it hands your entire keychain to anyone who ever sees the code.

    Remove it from the repository, add .env to .gitignore, and rotate every secret that was inside.

    .env committed to the repository · .env:1

  • Your Supabase anon (public) key appears in the code.

    Important

    This particular key is meant to be public — it ships in every app's front-end by design, so this is informational, not a breach. The keys that must stay secret are the service_role key and database passwords, which are NOT flagged here.

    No urgent action needed for the anon key itself. Do confirm your Row Level Security is on, since the anon key relies on it.

    Supabase anon key present in client code · lib/supabaseClient.ts:4 · eyJhbGciOiJI…

  • The project has no automated tests.

    Worth fixing

    Every change is a blind edit: things that worked yesterday can silently break today, and you'll learn it from your users.

    Start with a few tests for the money paths — signup, login, checkout.

    No automated tests found

  • The app isn't packaged to run on a server (no Dockerfile).

    Good to know

    It runs on the builder's platform, but moving to your own hosting — often needed for cost or control — will be a wall.

    Add a Dockerfile; our Deploy Pack generates a working one automatically.

    No Dockerfile

  • No automated checks run when the code changes (no CI).

    Good to know

    Broken changes reach your live app with nothing in the way.

    Add a simple GitHub Actions workflow that runs the tests on every change.

    No CI workflow