Documentation
Everything you need to get started with Preflight.
Installation
Choose your preferred installation method:
Use with a coding agent
Preflight publishes an agent skill on skills.sh. Install it once and your coding agent (Claude Code, Cursor, OpenCode, Codex, and 50+ others) will know how to run scans, parse JSON output, triage findings into fixes, and rerun validation without you driving every command.
List the skill
Install the Preflight skill
Quick Start
Initialize in your project directory
cd your-project
preflight init
Run all checks
preflight scan
Scan a specific directory
preflight scan /path/to/project
Show matched files with verbose output
preflight scan --verbose
Run in CI mode with JSON output
preflight scan --ci --format json
Managing Checks
Silence a check
preflight ignore sitemap
Unsilence a check
preflight unignore sitemap
List all check IDs
preflight checks
| Check ID | Description |
|---|---|
envParity |
Environment variable consistency between staging and production |
healthEndpoint |
API health check endpoint availability |
vulnerabilityScan |
Security vulnerability detection in dependencies |
seoMeta |
SEO metadata (title, description) presence |
ogTwitterCards |
Open Graph and Twitter Card meta tags |
canonicalUrl |
Canonical URL tag implementation |
viewport |
Mobile viewport meta tag configuration |
langAttribute |
HTML lang attribute specification |
structuredData |
Schema.org structured data markup (JSON-LD) |
securityHeaders |
HTTP security headers (CSP, X-Frame-Options, etc.) |
sslCertificate |
SSL/TLS certificate validity and expiration |
wwwRedirect |
WWW to non-WWW (or vice versa) redirect handling |
emailAuth |
Email authentication (SPF, DKIM, DMARC) configuration |
secretScanning |
Detection of exposed secrets and credentials in code |
debugStatements |
Debug code and console statements in production |
errorPages |
Custom error pages (404, 500) configuration |
imageOptimization |
Image format and compression optimization |
legalPages |
Required legal pages (privacy policy, terms of service) |
cookieConsent |
Cookie consent banner implementation |
faviconIcons |
Favicon and app icon availability |
robotsTxt |
robots.txt file presence and configuration |
sitemap |
XML sitemap presence and validity |
llmsTxt |
llms.txt file for AI crawler guidance |
adsTxt |
ads.txt file for advertising transparency |
humansTxt |
humans.txt file for team credits |
indexNow |
IndexNow API key for instant search indexing |
license |
LICENSE file presence in repository |
Service IDs
When ignoring service-specific checks, use these exact service IDs:
Payments
stripe
paypal
braintree
paddle
lemonsqueezy
Error Tracking
sentry
bugsnag
rollbar
honeybadger
datadog
newrelic
logrocket
Email & Newsletters
postmark
sendgrid
mailgun
ses
resend
mailchimp
convertkit
beehiiv
aweber
activecampaign
campaignmonitor
drip
klaviyo
buttondown
Analytics
fullres
plausible
fathom
umami
googleanalytics
posthog
mixpanel
amplitude
segment
hotjar
datafast
Auth
auth0
clerk
workos
Chat
intercom
crisp
Notifications
slack
discord
twilio
Infrastructure
redis
sidekiq
rabbitmq
elasticsearch
convex
firebase
supabase
Storage & CDN
s3
cloudinary
cloudflare
Search
algolia
AI & LLMs
openai
anthropic
googleai
mistral
cohere
replicate
huggingface
grok
perplexity
togetherai
Cookie Consent
cookieconsent
cookiebot
onetrust
termly
cookieyes
iubenda
Dashboard, account & AI suggestions
Preflight is fully usable from the command line with no account. The optional dashboard at app.preflight.sh adds a hosted history of your scans and AI-generated fix suggestions for each finding. Your code never leaves your machine: scanning runs locally, and only a redacted summary of results (check IDs, statuses, and messages, never secret values or file contents) is sent when you publish.
Connect the CLI to your account
Create a free account on the dashboard, then authorize the CLI. auth login prints an authorization code and opens your browser to confirm it.
preflight auth login
preflight auth status # show who you're logged in as
preflight auth logout # remove stored credentials
Publish a scan
Add --publish to send a run to your dashboard. It prints a link to view the run. Publishing is best-effort: if you're offline or not logged in, the scan still runs and exits normally.
preflight scan --publish
On the dashboard you get each run's pass/warn/fail breakdown, the full list of findings, and a history of past scans per project so you can see what changed between deploys.
View past scans from the CLI
Read that history from the terminal with preflight history, without opening the dashboard.
preflight history # recent runs across your projects
preflight history --here # only the current project's runs
preflight history <run-id> # one run's full check results
preflight history --here --format json # machine-readable, for agents
Requires preflight auth login. --here matches runs to the current repository by its git remote, the same key used when publishing.
AI fix suggestions
Open any failed or warning check on a published run to generate a step-by-step fix tailored to your detected stack, with copy-ready commands and code. Suggestions are generated on demand and cached on the run.
Free accounts include a monthly quota of AI-assisted runs. To remove the limit, add your own OpenAI or Anthropic API key (your key, your billing) or upgrade your plan from the Billing page.
Exit Codes
Preflight uses exit codes for CI/CD integration:
| Code | Meaning |
|---|---|
0 |
All checks passed |
1 |
Warnings detected |
2 |
Errors found |
Configuration
Running preflight init creates a preflight.yml file in your project root. This file lets you configure:
- Project name and stack type (Rails, Next.js, Laravel, etc.)
- Staging and production URLs
- Service declarations (Stripe, Sentry, etc.)
- Check configurations for SEO, security, and environment parity
- Ignored checks
Example configuration
projectName: my-app
stack: rails # rails, next, react, vite, laravel, etc.
urls:
staging: "https://staging.example.com"
production: "https://example.com"
services:
stripe:
declared: true
checks:
envParity:
enabled: true
envFile: ".env"
exampleFile: ".env.example"
ignore:
- sitemap
- google_analytics
Supported Stacks
Preflight auto-detects and supports a wide range of technology stacks:
Backend
Ruby on Rails, Laravel, PHP, Go, Python/Django, Rust, Node.js
Frontend
Next.js, Nuxt, Remix, React, Vue.js, Vite, Svelte, Angular
CMS
WordPress, Craft CMS, Drupal, Ghost, Strapi, Sanity, Contentful, Prismic
Static Generators
Hugo, Jekyll, Gatsby, Eleventy, Astro
CI/CD Integration
Add Preflight to your CI pipeline to catch issues before they reach production.
GitHub Actions (npm)
- name: Run Preflight
run: |
npm install -g @preflightsh/preflight
preflight scan --ci
GitHub Actions (Docker)
- name: Run Preflight
run: docker run -v ${{ github.workspace }}:/app ghcr.io/preflightsh/preflight scan --ci --format json
Questions & False Positives
We strive to provide accurate detections, but false positives can occasionally occur. If you encounter a false positive or have any questions, we'd love to hear from you:
- Email us at hello@preflight.sh
- Open an issue on GitHub