Scan web apps and APIs before they ship.
Turn vulnerabilities into deploy decisions.
Shaker Scan scans preview, staging, and production web apps for real security issues, then turns the results into machine-usable decisions for GitHub pull requests, CI, and agent workflows.
npx -y shakerscan-cli gate \
--api-key sk_live_your_key_here \
--target https://preview-482.example.com \
--scan-type quick \
--environment preview \
--policy-pack preview-fast \
--approval-token true
# decision: block
# rationale: verified auth issue met preview-fast
# evidence_hash: 9f243f2b7d6e...
# approval_token: not issued for block decisions

Allow: No matching block rules fired. Continue with stored evidence and, if needed, a signed approval token.
Block: Verified or family-matched findings crossed policy thresholds. Promotion should stop here.
Escalate: The gate found enough risk to escalate, but a human can explicitly override the decision.
What the hosted product already does.
Scan for vulnerabilities, verify what matters, and gate deploys without leaving the hosted control plane.
Web app and API scanning
The worker scans web apps, preview deployments, and APIs with real tooling and returns normalized findings with severity, confidence, and CWE metadata.
Deterministic verification
Supported findings can be retested through the Verify API before policy decisions are made.
Family-aware policy
Policy packs can gate on severity and on finding families like exposed files, authentication, injection, and XSS.
Evidence plus tokens
Evidence artifacts are stored with hashes, and signed approval tokens can be minted for allow decisions.
Agent surfaces
CLI, MCP, API, and signed webhooks are live now for CI, coding agents, and operator workflows.
Hosted GitHub PR gate
GitHub pull requests can trigger hosted preview scans, deterministic verification, policy evaluation, and commit status plus check-run feedback when one target maps cleanly to the repo.
Semantic agent guard
Structured agent and MCP traces can now be evaluated for prompt leakage, exfiltration, approval bypass, and untrusted tool-use.
Remediation handoff
Blocked findings can create persisted remediation artifacts and hand off into GitHub issue workflows.
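The gate decisions shown with the CLI output above and the family-aware policy, evidence-hash and approval-token features describe one control loop. The following is an added illustration of that loop written for this page, not Shaker Scan's own code: the policy-pack schema, finding fields, severity ranking and the HMAC token format are all assumptions, and the sample findings are constructed.

```python
import hashlib
import hmac
import json

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Hypothetical policy pack loosely modelled on the "preview-fast" pack named on
# the page; the real product's pack schema is not documented here.
PREVIEW_FAST = {
    "name": "preview-fast",
    "block_min_severity": "high",
    "block_families": {"exposed-files", "authentication", "injection", "xss"},
    "escalate_min_severity": "medium",
}


def evidence_hash(findings):
    """SHA-256 over canonical JSON, so the same finding set always hashes the same."""
    ordered = sorted(findings, key=lambda f: f["id"])
    canonical = json.dumps(ordered, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def mint_approval_token(secret, target, ev_hash):
    """Assumed token format: payload bound to target and evidence, HMAC-SHA256 signed."""
    payload = f"{target}|{ev_hash}"
    sig = hmac.new(secret, payload.encode(), "sha256").hexdigest()
    return f"{payload}.{sig}"


def evaluate_gate(findings, policy, target, secret):
    """Return allow / block / escalate plus rationale; token only for allow."""
    rank = SEVERITY_RANK.__getitem__
    block_hits = [f for f in findings
                  if rank(f["severity"]) >= rank(policy["block_min_severity"])
                  and (f["verified"] or f["family"] in policy["block_families"])]
    escalate_hits = [f for f in findings
                     if rank(f["severity"]) >= rank(policy["escalate_min_severity"])]
    ev = evidence_hash(findings)
    if block_hits:
        decision, why = "block", f"verified or family-matched finding met {policy['name']}"
    elif escalate_hits:
        decision, why = "escalate", "threshold crossed without a block rule; human override required"
    else:
        decision, why = "allow", "no matching block rules fired"
    token = mint_approval_token(secret, target, ev) if decision == "allow" else None
    return {"decision": decision, "rationale": why, "evidence_hash": ev, "approval_token": token}


# Constructed sample findings in the normalized shape described on the page (not real scan output).
SAMPLE = [
    {"id": "f1", "family": "authentication", "severity": "high", "confidence": 0.9, "verified": True, "cwe": "CWE-287"},
    {"id": "f2", "family": "headers", "severity": "low", "confidence": 0.6, "verified": False, "cwe": "CWE-693"},
]
```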
What is still missing.
The main limits today are around agent trace capture, token-eligible evidence for agent evaluations, and broader GitHub routing beyond the current one-repo, one-target PR gate.
Four ways in, one control loop out.
API: Use scan, findings, verify, policy, evidence, approval token, remediation, and usage routes directly.
CLI: Run one gate command in CI or locally without opening the dashboard first.
MCP: Give Claude Code and Cursor executable Shaker Scan tools instead of ad hoc prompts.
Webhooks: Push signed workflow events to GitHub, chatops, or internal automation when state changes.
Start with one preview gate.
Create an account, run a first scan, and move into verification and policy from the same workspace.