Your First Security Scan
This tutorial walks you through scanning your GitHub repository for security vulnerabilities. Total time: under 5 minutes.
Prerequisites
- A GitHub account
- A repository with code (any language)
- That's it
Step 1: Sign Up (30 seconds)
- Go to ShipReady.dev
- Click "Get Started"
- Click "Continue with GitHub"
- Authorize the GitHub App
Step 2: Connect Your Repository (60 seconds)
After authorization, you'll see your repositories:
- Find the repository you want to scan
- Click "Connect"
- Wait for the green checkmark
Step 3: Run Your First Scan
- Click "Scan Now" on your connected repository
- Watch the progress indicator
- Results appear when complete
The scan checks for:
- SQL injection patterns
- XSS vulnerabilities
- Hardcoded secrets
- Authentication issues
- Authorization problems
- Input validation gaps
Step 4: Review Results
Your scan results show:
Security Score
A 0-100 score based on:
- Number of vulnerabilities
- Severity distribution
- Code patterns
Findings by Severity
| Severity | Meaning |
|---|---|
| Critical | Exploitable now, fix immediately |
| High | Serious risk, fix soon |
| Medium | Should fix, lower urgency |
| Low | Minor issues, fix when convenient |
| Info | Suggestions for improvement |
Individual Findings
Each finding includes:
- Title: What the issue is
- File: Where it's located
- Line: Exact line number
- Description: Why it's a problem
- Fix: How to resolve it
Step 5: Fix Your First Vulnerability
Let's fix a common issue: hardcoded secret.
The Finding
CRITICAL: Hardcoded API Key Detected
File: src/config/api.ts
Line: 5

```ts
const API_KEY = 'sk_live_abc123xyz789'
```
The Fix
- Create an environment variable:

```ini
# .env.local
API_KEY=sk_live_abc123xyz789
```

- Update the code to read it from the environment:

```ts
// Before
const API_KEY = 'sk_live_abc123xyz789'

// After
const API_KEY = process.env.API_KEY
```

- Add the file to .gitignore so it is never committed:

```gitignore
# .gitignore
.env.local
```

- Commit the fix:

```bash
git add .gitignore src/config/api.ts
git commit -m "Move API key to environment variable"
git push
```

- Rotate the key: the old value is still in your git history and in every clone, so treat it as leaked and issue a new one from the provider. Removing a secret from the working tree does not remove it from history.
- Re-scan: click "Scan Again" to verify the fix.
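To make the procedure above concrete, here is an added example (not ShipReady's code or its detection rules) of the two halves of this fix: a small detector that flags a hardcoded secret at the file and line a finding would report, and the fail-fast environment lookup that replaces the literal. The regex patterns, the `requireEnv` helper and the sample file contents are constructed for this example.

```javascript
// Added example, not the scanner's own rules: a minimal hardcoded-secret detector
// plus the fail-fast environment lookup that should replace the literal.

// Assumed patterns for common secret shapes (the sk_live_ prefix matches the finding above).
const SECRET_PATTERNS = [
  { name: 'Stripe-style live key', re: /\bsk_live_[A-Za-z0-9]{8,}\b/g },
  { name: 'AWS access key ID', re: /\bAKIA[0-9A-Z]{16}\b/g },
  { name: 'GitHub token', re: /\bgh[pousr]_[A-Za-z0-9]{36,}\b/g },
  { name: 'private key block', re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/g },
];

// A line that reads from the environment is the fix, not a finding. (A literal fallback
// on the same line would be missed here; real scanners are finer-grained than this.)
const SAFE_LINE = /process\.env\.[A-Z0-9_]+/;

// Scan one file's contents and return findings shaped like the ones in Step 4.
function scanSource(path, source) {
  const findings = [];
  source.split('\n').forEach((line, index) => {
    if (SAFE_LINE.test(line)) return;
    for (const { name, re } of SECRET_PATTERNS) {
      re.lastIndex = 0; // regexes are shared and /g, so reset before each line
      let match;
      while ((match = re.exec(line)) !== null) {
        findings.push({
          severity: 'Critical',
          title: `Hardcoded ${name} detected`,
          file: path,
          line: index + 1,
          match: match[0],
        });
      }
    }
  });
  return findings;
}

// Fail-fast replacement for the literal: a missing variable is an error at startup,
// not an `undefined` that surfaces later as a confusing 401 from the provider.
function requireEnv(name, env = process.env) {
  const value = env[name];
  if (value === undefined || value.trim() === '') {
    throw new Error(`Missing required environment variable ${name}`);
  }
  return value;
}

// Constructed sample: the vulnerable file from the finding (secret on line 5) plus a clean line.
const SAMPLE_FILE = [
  "import { client } from './client'",
  '',
  '// TODO: move this',
  '',
  "const API_KEY = 'sk_live_abc123xyz789'",
  "const REGION = process.env.REGION ?? 'us-east-1'",
].join('\n');

// Constructed sample: the same file after the fix.
const FIXED_FILE = 'const API_KEY = process.env.API_KEY\n';

// Stand-alone run: report what the detector sees before and after the fix.
for (const f of scanSource('src/config/api.ts', SAMPLE_FILE)) {
  console.log(`${f.severity.toUpperCase()}: ${f.title} at ${f.file}:${f.line} (${f.match})`);
}
console.log(`findings after fix: ${scanSource('src/config/api.ts', FIXED_FILE).length}`);
```

The detector flags line 5 of the constructed file and reports nothing for the fixed version; `requireEnv('API_KEY')` then turns a forgotten `.env.local` into an immediate startup error instead of a silent `undefined`.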
Understanding Common Findings
SQL Injection

```js
// Vulnerable
const query = `SELECT * FROM users WHERE id = ${userId}`
await db.query(query)

// Fixed
const query = 'SELECT * FROM users WHERE id = $1'
await db.query(query, [userId])
```
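The following added example (not from the page) shows why the first form is a finding and the second is not: with the interpolated query, a crafted `userId` rewrites the SQL itself, while the parameterised query keeps its text fixed and sends the value as data. The fake driver, the `parseUserId` validation step and the attacker input are constructed for this example.

```javascript
// Added example: interpolated vs parameterised query, with a constructed fake driver
// that records what it would send instead of talking to a real database.

// Constructed attacker input: an id value that is not a number.
const attackerInput = '1 OR 1=1';

// Vulnerable: the input becomes part of the SQL text and can change the query's structure.
function buildUnsafe(userId) {
  return `SELECT * FROM users WHERE id = ${userId}`;
}

// Fixed: the SQL text is a constant; the driver ships the value separately as a parameter.
function buildSafe(userId) {
  return { text: 'SELECT * FROM users WHERE id = $1', values: [userId] };
}

// Defence in depth: reject anything that is not a plain integer before it reaches the database.
function parseUserId(raw) {
  if (!/^\d{1,18}$/.test(String(raw))) {
    throw new TypeError('userId must be a plain integer');
  }
  return Number(raw);
}

// Constructed fake driver: logs the exact text and parameters it would execute.
function makeFakeDb() {
  const log = [];
  return {
    log,
    query(text, values = []) {
      log.push({ text, values });
      return [];
    },
  };
}

// The handler-side pattern: validate, then query with parameters only.
function findUserById(db, rawUserId) {
  const id = parseUserId(rawUserId);
  const { text, values } = buildSafe(id);
  return db.query(text, values);
}

// Stand-alone run: show the two queries side by side for the attacker input.
console.log('unsafe query text :', buildUnsafe(attackerInput));
console.log('safe query text   :', buildSafe(attackerInput).text, 'values:', buildSafe(attackerInput).values);
```

The unsafe builder produces `SELECT * FROM users WHERE id = 1 OR 1=1`, which returns every row; the safe builder's text never changes, and `parseUserId` refuses the input before a query is even built.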
Missing Authentication

```js
// Vulnerable
app.get('/api/users', async (req, res) => {
  res.json(await db.users.findAll())
})

// Fixed
app.get('/api/users', authenticate, async (req, res) => {
  res.json(await db.users.findAll())
})
```
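The fixed handler above depends on an `authenticate` middleware the snippet does not define. As an added example (not ShipReady's code or a library API), here is one in the Express `(req, res, next)` shape, with a `requireRole` check alongside it because the scan lists authorization problems separately from authentication issues. The token store, the user records and the tiny dispatcher that runs the chain without Express are all constructed for this example.

```javascript
// Added example: bearer-token authentication and a role check as Express-style middleware,
// run through a constructed dispatcher so it executes without Express.

// Constructed token store (sample data, not real credentials). In production this would
// be a session store or a signed-token verifier, not a literal map.
const TOKENS = new Map([
  ['tok_alice_f3a9c1', { id: 1, name: 'alice', roles: ['user'] }],
  ['tok_admin_7b2d0e', { id: 2, name: 'root', roles: ['admin'] }],
]);

// Constant-time comparison: a plain === returns at the first differing character and
// leaks how much of the token was right. Lengths are compared up front on purpose.
function safeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Authentication: who is calling? Rejects missing, malformed or unknown bearer tokens.
function authenticate(req, res, next) {
  const header = req.headers['authorization'] || '';
  const [scheme, token] = header.split(' ');
  if (scheme !== 'Bearer' || !token) {
    return res.status(401).json({ error: 'authentication required' });
  }
  let user = null;
  for (const [stored, record] of TOKENS) {
    // No early break: every stored token is compared, so timing does not reveal a hit.
    if (safeEqual(stored, token)) user = record;
  }
  if (!user) return res.status(401).json({ error: 'invalid token' });
  req.user = user;
  return next();
}

// Authorization: is the authenticated caller allowed to do this? A separate check.
function requireRole(role) {
  return (req, res, next) =>
    req.user && req.user.roles.includes(role)
      ? next()
      : res.status(403).json({ error: 'forbidden' });
}

// The protected handler from the page, minus the database.
const listUsers = (req, res) => res.json({ users: [...TOKENS.values()].map((u) => u.name) });

// Constructed mini-dispatcher: runs a middleware chain the way Express would.
function handle(middlewares, req) {
  const res = {
    statusCode: 200,
    body: undefined,
    status(code) { this.statusCode = code; return this; },
    json(body) { this.body = body; return this; },
  };
  let i = 0;
  const next = () => {
    const mw = middlewares[i++];
    if (mw) return mw(req, res, next);
  };
  next();
  return res;
}

// Build a request with lower-cased header names, as Node does.
function request(path, headers = {}) {
  const lowered = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  return { path, headers: lowered };
}

// Stand-alone run: anonymous call, authenticated call, and a role check that fails.
console.log(handle([authenticate, listUsers], request('/api/users')).statusCode);                                 // 401
console.log(handle([authenticate, listUsers], request('/api/users', { Authorization: 'Bearer tok_alice_f3a9c1' })).statusCode); // 200
console.log(handle([authenticate, requireRole('admin'), listUsers], request('/api/users', { Authorization: 'Bearer tok_alice_f3a9c1' })).statusCode); // 403
```

Without `authenticate` in the chain, `listUsers` answers anyone, which is exactly the finding; with it, an anonymous or wrong-token request stops at 401 and never reaches the handler, and `requireRole` turns "you are logged in" into "you are allowed", which is the separate authorization check.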
XSS Vulnerability

```jsx
// Vulnerable
<div dangerouslySetInnerHTML={{ __html: userInput }} />

// Fixed
<div>{userInput}</div>

// Or if HTML needed:
import DOMPurify from 'dompurify'
<div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(userInput) }} />
```
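Rendering `{userInput}` is safe because React escapes it before it reaches the DOM. The added example below (not from the page, and not a replacement for DOMPurify) does that escaping by hand so the difference between the two renderings is visible as strings: the same payload is live markup in one and inert text in the other. The escape table, the render functions and the payload are constructed for this example.

```javascript
// Added example: what escaping user input into HTML text content does, by hand.
// This is the right default when the input is meant to be text. Sanitising (DOMPurify
// in the snippet above) is for input that is meant to contain HTML and is not reimplemented here.

// The five characters that matter in HTML text and quoted attribute values.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Vulnerable: raw interpolation into markup, which is what dangerouslySetInnerHTML does.
function renderUnsafe(userInput) {
  return `<div class="comment">${userInput}</div>`;
}

// Fixed: escaped interpolation, equivalent to <div className="comment">{userInput}</div>.
function renderSafe(userInput) {
  return `<div class="comment">${escapeHtml(userInput)}</div>`;
}

// Count element tags in a rendered string; a text-only render has exactly one (our wrapper).
function countTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Constructed payload: an image that never loads, so its error handler runs on render.
const PAYLOAD = '<img src=x onerror="alert(document.cookie)">';

// Stand-alone run: the same input rendered both ways.
console.log('unsafe:', renderUnsafe(PAYLOAD), '-> tags:', countTags(renderUnsafe(PAYLOAD)));
console.log('safe  :', renderSafe(PAYLOAD), '-> tags:', countTags(renderSafe(PAYLOAD)));
```

Note that text-content escaping is context-specific: it does not make user input safe inside a `href` or `src` attribute (where a `javascript:` URL needs no angle brackets), inside a `<script>` block, or in an unquoted attribute. Those contexts need their own encoding or, better, a framework that never interpolates raw strings into them.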
Next Steps
Enable Automatic Scanning
- Go to repository settings
- Enable "Scan on Push"
- Now every push triggers a scan
Set Up PR Checks
- Enable "PR Security Check"
- Configure blocking rules
- PRs with critical issues won't merge
Explore Security Score
- Click on your score for breakdown
- Track improvement over time
- Compare across repositories
Troubleshooting
"No code found"
Your repository might be:
- Empty
- Only containing non-code files
- Using an unsupported language
"Scan taking too long"
Large repositories take longer. If over 5 minutes:
- Check repository size
- Contact support for large repos
"GitHub permission error"
Re-authorize the GitHub App:
- Go to GitHub Settings
- Applications → Authorized GitHub Apps
- Revoke ShipReady
- Re-connect from the ShipReady dashboard
If the error affects only one repository, also check that the ShipReady installation (Applications → Installed GitHub Apps) has been granted access to that repository.
Summary
✓ Connected GitHub
✓ Selected repository
✓ Ran first scan
✓ Reviewed results
✓ Fixed first issue
------------------------------------
Total: Minutes to secure code

You've completed your first security scan. Your code is now safer than 90% of AI-generated applications.