What this checker looks for
Most production incidents aren't exotic — they're the same handful of avoidable mistakes shipped over and over. This tool scans the text you paste for the highest-signal ones, weighted by how much damage they tend to cause:
- Hardcoded secrets — live API keys, tokens, passwords, or private keys sitting in the image or env (the highest-severity finding).
- Running as root — no non-root USER in the Dockerfile, so a compromised process has root in the container.
- Unpinned base images — :latest or untagged images that make builds non-reproducible.
- Missing healthcheck — the orchestrator can't tell a wedged container from a healthy one.
- Dev/debug mode — NODE_ENV=development, DEBUG=true, and friends shipped to prod.
- No restart policy / resource limits — a crash stays down; a leak takes the host with it (compose).
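A sketch of how the Dockerfile checks in this list can be expressed as static rules, added here as an example and not this tool's own code. The rule ids, weights, patterns and the sample input are assumptions made for illustration, and the compose-only checks (restart policy, resource limits) are left out.

```javascript
// Added example; rule ids, weights and patterns are assumptions, not the tool's own.
const SAMPLE = [ // constructed input, placeholder value only
  "FROM node:latest",
  "ENV NODE_ENV=development",
  "ENV API_KEY=EXAMPLE_PLACEHOLDER_VALUE_0000",
  "COPY . /app",
  'CMD ["node", "server.js"]',
].join("\n");

function scanDockerfile(text) {
  // Join backslash continuations, then drop comments and blank lines.
  const lines = text.replace(/\\\r?\n/g, " ").split(/\r?\n/)
    .map((l) => l.trim()).filter((l) => l && !l.startsWith("#"));
  const findings = [];
  const add = (id, weight, detail) => findings.push({ id, weight, detail });

  // Unpinned base image: no tag or :latest, and no @sha256 digest.
  const stages = new Set();
  for (const l of lines) {
    const m = /^FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?/i.exec(l);
    if (!m) continue;
    const image = m[1].toLowerCase();
    const tagPart = image.split("/").pop(); // ignore a registry host:port
    const pinned = image.includes("@sha256:") ||
      (tagPart.includes(":") && !tagPart.endsWith(":latest"));
    if (image !== "scratch" && !stages.has(image) && !pinned) add("unpinned-base", 2, m[1]);
    if (m[2]) stages.add(m[2].toLowerCase());
  }

  // USER and HEALTHCHECK only count in the final stage (the shipped image).
  // A USER inherited from the base image is not visible here and is not credited.
  const lastFrom = lines.map((l) => /^FROM\s/i.test(l)).lastIndexOf(true);
  const finalStage = lines.slice(Math.max(lastFrom, 0));
  const users = finalStage.filter((l) => /^USER\s+\S/i.test(l)).map((l) => l.split(/\s+/)[1]);
  const user = users[users.length - 1]; // the last USER wins
  if (!user || /^(root|0)(:|$)/.test(user)) add("runs-as-root", 3, user || "no USER");
  if (!finalStage.some((l) => /^HEALTHCHECK\b(?!\s+NONE\b)/i.test(l))) add("no-healthcheck", 1, "");

  for (const l of lines) {
    const d = /\b(NODE_ENV=development|DEBUG=(true|1))\b/i.exec(l);
    if (d) add("debug-mode", 2, d[0]);
    // Credential-like name with a literal value (not empty, not a $VAR reference).
    const s = /\b(\w*(?:SECRET|TOKEN|PASSWORD|API_?KEY)\w*)=(?!\s*$|\$)\S+/i.exec(l);
    if (s) add("hardcoded-secret", 5, s[1]); // report the name, never the value
    if (/-----BEGIN [A-Z ]*PRIVATE KEY-----/.test(l)) add("private-key", 5, "");
  }
  return findings.sort((a, b) => b.weight - a.weight); // highest severity first
}
```

Calling `scanDockerfile(SAMPLE)` returns five findings with the hardcoded secret ranked first; findings carry the variable name only, so the report itself never repeats a credential.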
A good score is the floor, not the ceiling
Passing these checks means your config avoids the obvious traps. It says nothing about what happens after you deploy — when a teammate ships a bad migration at 2am, or an AI agent runs a destructive command against production. Static config can't gate a live action. That requires something watching the runtime.
This grades your config. Infraveil governs the running system.
Infraveil is a control plane you run on your own servers. It enforces these same standards continuously and gates every production-changing action — deploys, migrations, restarts, and AI-agent actions — behind your approval, with least-privilege access and a tamper-evident audit trail. The mistakes this checker flags become impossible to ship, not just easy to spot.
See the live demo →
Frequently asked questions
What makes a deploy production-ready?
No hardcoded secrets, a non-root user, a pinned base image, a defined healthcheck, a restart policy and resource limits, and production (not debug) settings — the signals this tool scores.
Is it safe to paste my Dockerfile or .env?
Yes — everything runs in your browser. Nothing is uploaded or logged; it works offline.
Does a perfect score mean I'm safe?
It means your config avoids the common traps. Runtime safety — bad deploys, risky migrations, rogue agent actions — needs a control plane that gates live actions. That's what Infraveil does →