Preflight.sh is a command-line tool that scans your codebase for launch readiness. Identifies missing configuration, integration issues, security concerns, SEO metadata gaps, and other common mistakes before you deploy to production. View the changelog here.
Don't embarrass yourself in production. Just run the command.
brew install preflightsh/preflight/preflightnpm install -g @preflightsh/preflightgo install github.com/preflightsh/preflight@latestdocker pull ghcr.io/preflightsh/preflightcurl -sSL https://preflight.sh/install.sh | shDownload the latest release from GitHub Releases.
# Initialize in your project directory
cd your-project
preflight init
# Run all checks
preflight scan
# Scan a specific directory
preflight scan /path/to/project
# Run with verbose output (shows which files matched each check)
preflight scan --verbose
preflight scan -v # short form
# Run in CI mode with JSON output
preflight scan --ci --format json
# Silence a check
preflight ignore sitemap
# Unsilence a check
preflight unignore sitemap
# List all check IDs
preflight checksThis repo includes a skills.sh-compatible agent skill at skills/preflight/SKILL.md. It gives coding agents a repeatable Preflight workflow: inspect preflight.yml, run CI-safe scans, triage findings, avoid unsafe ignores, rerun validation, and report residual launch risk.
List the skill from this repository:
# With Bun
bunx --yes skills add preflightsh/preflight --list
# Or with npm
npx --yes skills add preflightsh/preflight --listInstall only the Preflight skill:
# With Bun
bunx --yes skills add preflightsh/preflight --skill preflight
# Or with npm
npx --yes skills add preflightsh/preflight --skill preflightPreflight is fully usable from the command line with no account. The optional dashboard at app.preflight.sh adds a hosted history of your scans and AI-generated fix suggestions for each finding. Your code never leaves your machine: scanning runs locally, and only a redacted summary of results (check IDs, statuses, and messages, never secret values or file contents) is sent when you publish.
Create a free account, then connect the CLI:
preflight auth login # opens your browser to authorize this CLI
preflight auth status # show who you're logged in as
preflight auth logout # remove stored credentialsPublish a scan to your dashboard with --publish. It prints a link to view the run. Publishing is best-effort: if you're offline or not logged in, the scan still runs and exits normally.
preflight scan --publishOn the dashboard you get each run's pass/warn/fail breakdown, the full list of findings, and a per-project history so you can see what changed between deploys.
Open any failed or warning check on a published run to generate a step-by-step fix tailored to your detected stack, with copy-ready commands and code.
- Free includes 5 published runs per month.
- Bring your own key: add an OpenAI or Anthropic API key in your dashboard settings and publishing stays free and unlimited (you pay your provider directly).
- Managed ($5/mo): we cover the AI costs and runs are unlimited, no API key required.
| Check | Description |
|---|---|
| ENV Parity | Compares .env and .env.example for missing variables |
| Health Endpoint | Verifies site is reachable; auto-detects /health, /healthz, /api/health or falls back to root |
| Vulnerability Scan | Checks for dependency vulnerabilities (bundle audit, npm audit, etc.) |
| SEO Metadata | Checks for title, description, and Open Graph tags |
| OG & Twitter Cards | Validates og:image, twitter:card and social sharing metadata |
| Canonical URL | Verifies canonical link tag is present |
| Viewport | Checks for proper viewport meta tag for mobile |
| Lang Attribute | Validates html lang attribute for accessibility |
| Structured Data | Checks for JSON-LD Schema.org markup |
| Security Headers | Validates HSTS, CSP, X-Content-Type-Options on both prod and staging |
| SSL Certificate | Checks SSL validity and warns before expiration |
| WWW Redirect | Verifies www/non-www redirect to canonical URL |
| Email Auth | Checks SPF/DMARC DNS records for email deliverability (opt-in) |
| Secret Scanning | Finds leaked API keys and credentials in code |
| Debug Statements | Detects console.log, var_dump, debugger left in code |
| Error Pages | Checks for custom 404/500 error pages |
| Image Optimization | Finds large images (>500KB) that hurt load times |
| Legal Pages | Checks for privacy policy and terms of service pages |
| Cookie Consent | Detects cookie consent solution (GDPR/CCPA compliance) |
| Favicon & Icons | Checks for favicon, apple-touch-icon (.png, .webp, .svg), and web manifest |
| robots.txt | Verifies robots.txt exists and has content |
| sitemap.xml | Checks for sitemap presence or generator |
| llms.txt | Checks for LLM crawler guidance file |
| ads.txt | Validates ads.txt for ad-supported sites (opt-in) |
| humans.txt | Checks for humans.txt to credit the team (opt-in) |
| IndexNow | Verifies IndexNow key file for faster search indexing (opt-in) |
| LICENSE | Checks for license file (opt-in, for open source projects) |
Preflight auto-detects and validates configuration for these services:
Payments
- Stripe, PayPal, Braintree, Paddle, LemonSqueezy
Error Tracking & Monitoring
- Sentry, Bugsnag, Rollbar, Honeybadger, Datadog, New Relic, LogRocket
Email & Newsletters
- Postmark, SendGrid, Mailgun, AWS SES, Resend, Mailchimp, Kit, Beehiiv, AWeber, ActiveCampaign, Campaign Monitor, Drip, Klaviyo, Buttondown
Analytics
- Plausible, Fathom, Umami, Fullres Analytics, Datafa.st Analytics, Google Analytics, PostHog, Mixpanel, Amplitude, Segment, Hotjar
Auth
- Auth0, Clerk, WorkOS
Chat
- Intercom, Crisp
Notifications
- Slack, Discord, Twilio
Infrastructure
- Firebase, Supabase, Redis, Sidekiq, RabbitMQ, Elasticsearch, Convex
Storage & CDN
- AWS S3, Cloudinary, Cloudflare
Search
- Algolia
SEO
- IndexNow
AI / LLMs
- OpenAI, Anthropic Claude, Google AI (Gemini), Mistral, Cohere, Replicate, Hugging Face, Grok (X/Twitter), Perplexity, Together AI
Preflight uses a preflight.yml file in your project root:
projectName: my-app
stack: rails # rails, next, react, vite, laravel, etc.
urls:
staging: "https://staging.example.com"
production: "https://example.com"
services:
stripe:
declared: true
sentry:
declared: true
checks:
envParity:
enabled: true
envFile: ".env"
exampleFile: ".env.example"
healthEndpoint:
enabled: true
path: "/health" # optional - auto-detects common paths if not set
stripeWebhook:
enabled: true
url: "https://api.example.com/webhooks/stripe"
seoMeta:
enabled: true
mainLayout: "app/views/layouts/application.html.erb"
security:
enabled: true
secrets:
enabled: true
# Per-file allowlist for the secrets scan. Use this to suppress an
# individual finding (e.g. a referrer-restricted public key) without
# disabling the whole check.
allowlist:
- path: web/js/golden-hour.js
fingerprint: "sha256:<hex>" # recommended — pins to the exact secret
reason: "HTTP-referrer-restricted Google Timezone key"
- path: "web/tools/**/*.php" # doublestar globs are supported
indexNow:
enabled: true
key: "your32characterhexkeyhere00000"
emailAuth:
enabled: true # opt-in, checks SPF/DMARC on production domain
humansTxt:
enabled: false # opt-in, credits the team
license:
enabled: false # opt-in, for open source projects
# Silence specific checks or services by ID
ignore:
- sitemap
- llmsTxt
- google_analyticsSilence specific checks or services using preflight ignore <id>:
preflight ignore sitemap # Ignore sitemap check
preflight ignore sentry # Ignore Sentry service validation
preflight unignore sitemap # Re-enable sitemap check
preflight checks # List all ignorable IDsPrefer allowlisting an individual finding over silencing the whole
secrets check. Add one-off exceptions from the command line:
preflight ignore secrets web/js/golden-hour.jsThat appends a path entry under checks.secrets.allowlist in your
preflight.yml. The path field is a doublestar
glob (** matches across directories) resolved against the
project-relative file path.
Pin the fingerprint. A path-only allowlist silently accepts any
future secret dropped into that file. Edit the entry and add a
fingerprint: "sha256:<hex>" — the SHA-256 of the detected secret
value. Now if the key is rotated or a different secret shows up in the
same file, preflight re-alerts.
Findings are matched by path + fingerprint, not whole-file. An allowlisted fingerprint in a file does not suppress other secrets on other lines in the same file.
SEO & Social:
seoMeta, canonical, structured_data, indexNow (opt-in), ogTwitter, viewport, lang
Security & Infrastructure:
securityHeaders, ssl, www_redirect, email_auth (opt-in), secrets
Environment & Health:
envParity, healthEndpoint
Code Quality & Performance:
vulnerability, debug_statements, error_pages, image_optimization
Legal & Compliance:
legal_pages
Web Standard Files:
favicon, robotsTxt, sitemap, llmsTxt, adsTxt (opt-in), humansTxt (opt-in), license (opt-in)
All services have validation checks that verify proper integration (env vars, SDK patterns, config files):
Payments: stripe, paypal, braintree, paddle, lemonsqueezy
Error Tracking: sentry, bugsnag, rollbar, honeybadger, datadog, newrelic, logrocket
Transactional Email: postmark, sendgrid, mailgun, aws_ses, resend
Email Marketing: mailchimp, convertkit, beehiiv, aweber, activecampaign, campaignmonitor, drip, klaviyo, buttondown
Analytics: plausible, fathom, google_analytics, fullres, datafast, posthog, mixpanel, amplitude, segment, hotjar
Auth: auth0, clerk, workos, firebase, supabase
Communication: twilio, slack, discord, intercom, crisp
Infrastructure: redis, sidekiq, rabbitmq, elasticsearch, convex
Storage & CDN: aws_s3, cloudinary, cloudflare
Search: algolia
AI: openai, anthropic, google_ai, mistral, cohere, replicate, huggingface, grok, perplexity, together_ai
SEO: indexNow
Cookie Consent: cookieconsent, cookiebot, onetrust, termly, cookieyes, iubenda
| Code | Meaning |
|---|---|
| 0 | All checks passed |
| 1 | Warnings only |
| 2 | Errors found |
Backend Frameworks
- Ruby on Rails, Laravel, PHP, Go, Python/Django, Rust, Node.js
Frontend Frameworks
- Next.js, Nuxt, Remix, React, Vue.js, Vite, Svelte, Angular
Traditional CMS
- WordPress, Craft CMS, Drupal, Ghost
Static Site Generators
- Hugo, Jekyll, Gatsby, Eleventy (11ty), Astro
Headless CMS
- Strapi, Sanity, Contentful, Prismic
Other
- Static sites
# GitHub Actions example (curl)
- name: Run Preflight
run: |
curl -sSL https://preflight.sh/install.sh | sh
preflight scan --ci --format json# GitHub Actions example (Docker)
- name: Run Preflight
run: docker run -v ${{ github.workspace }}:/app ghcr.io/preflightsh/preflight scan --ci --format jsonMIT