Self-Hosted Docker
The full CanIShip audit engine — running entirely on your own machine or server. Same interface. Same ShipScore. Zero data leaving your infrastructure.
Why we built this
The cloud version of CanIShip is great for public URLs. But a lot of real work happens before anything is public — staging environments behind VPNs, local dev builds, internal tools that should never send URLs to a third-party server.
The Docker image is CanIShip repackaged so that everything runs on your hardware. Your URL never leaves your network. Your audit data lives in a volume you control. The only outbound call is a license check back to us once every 24 hours — after that, it works fully offline.
We also built this for CI/CD. If you want a quality gate that fails a GitHub Actions build when the ShipScore drops below 75, this is the way to do it.
Who it's for
Privacy-first teams
Your URLs, reports, and audit data never touch our servers. Stays entirely within your own infrastructure.
CI/CD pipelines
Wire it into GitHub Actions, GitLab CI, or any pipeline. Set MIN_SCORE=75 and your build fails if quality drops.
Local & VPN apps
Audit localhost, staging environments behind a VPN, or any URL your cloud scanner can't reach.
Before you start
| Requirement | Details |
|---|---|
| Docker | Version 20+ recommended |
| RAM | 4 GB minimum — Chromium + Claude analysis needs headroom |
| Studio license key | From Settings → Docker License (below) |
| Anthropic API key | From console.anthropic.com — you pay for your own Claude usage |
| Internet (first run) | Required to validate your license — then works offline for 24h |
Quick start
Step 1 — Get your license key
Go to Settings → Docker License and click Generate license key. Keep it private — it authorises your container to run audits.
Step 2 — Pull the image
docker pull hanimebar/caniship:latest
Step 3 — Run it
docker run -p 3000:3000 \
  -e LICENSE_KEY=your-license-key \
  -e ANTHROPIC_API_KEY=sk-ant-... \
  -v caniship-data:/data \
  hanimebar/caniship:latest
Open http://localhost:3000 — same interface, fully local.
Auditing local or VPN apps
By default, private IP addresses are blocked to prevent SSRF. To audit an app on your local network, add two flags:
docker run -p 3000:3000 \
  -e LICENSE_KEY=... \
  -e ANTHROPIC_API_KEY=... \
  -e ALLOW_PRIVATE_IPS=true \
  --network host \
  -v caniship-data:/data \
  hanimebar/caniship:latest
--network host puts the container on the host's network stack, so it can reach your machine's ports; the -p mapping is ignored in this mode. Audit http://localhost:3001 or http://192.168.x.x directly.
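How a private-address guard of this kind typically works, as an added example that is not CanIShip's own code. The `ALLOW_PRIVATE_IPS` name comes from the page; `check_target`, `is_internal`, the injected resolver and the sample DNS records are assumptions made for illustration.

```python
import ipaddress
import os
from urllib.parse import urlsplit

def is_internal(ip_text):
    """True for loopback, private, link-local and other non-public addresses."""
    ip = ipaddress.ip_address(ip_text)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.5) so it is judged as IPv4.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_multicast or not ip.is_global

def check_target(url, resolve, allow_private=None):
    """Return (allowed, reason) for an audit target URL.

    resolve(host) returns a list of IP strings. It is injected so this runs
    offline; a real one would wrap socket.getaddrinfo, and the HTTP client
    must then connect to the vetted address or DNS rebinding defeats the check.
    """
    if allow_private is None:  # variable name from the page; parsing is assumed
        allow_private = os.environ.get("ALLOW_PRIVATE_IPS", "").lower() == "true"
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, "unsupported URL"
    host = parts.hostname
    try:
        addrs = [str(ipaddress.ip_address(host))]  # host is an IP literal
    except ValueError:
        addrs = resolve(host)                      # host is a name
    if not addrs:
        return False, "host did not resolve"
    # Every resolved address must pass: one internal record is enough to block.
    for addr in addrs:
        if is_internal(addr) and not allow_private:
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"

# Constructed sample records standing in for DNS.
FAKE_DNS = {
    "localhost": ["127.0.0.1"],
    "staging.myapp.com": ["93.184.216.34"],
    "mixed.example.test": ["93.184.216.34", "192.168.1.10"],
}

def fake_resolve(host):
    return FAKE_DNS.get(host, [])

if __name__ == "__main__":
    for u in ("https://staging.myapp.com", "http://localhost:3001",
              "http://169.254.169.254/", "http://[::ffff:10.0.0.5]/"):
        print(u, check_target(u, fake_resolve, allow_private=False))
```

With the guard switched off, every internal address reachable from the container becomes a valid audit target, so limit who can submit audits to an instance running in that mode.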
GitHub Actions integration
Add your secrets under Settings → Secrets and Variables → Actions in your GitHub repo, then drop this workflow in:
# .github/workflows/quality-gate.yml
name: Quality Gate
on:
  push:
    branches: [main]
  pull_request:
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run CanIShip Audit
        uses: ./.github/actions/caniship
        with:
          url: https://staging.myapp.com
          description: >
            A project management SaaS. Users sign up, create workspaces,
            add tasks, and collaborate with their team.
          license_key: ${{ secrets.CANISHIP_LICENSE_KEY }}
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          depth: quick
          min_score: 75
          flows: "sign up, create workspace, add task"

The action pulls the image, starts the container, submits the audit, polls until complete, and uploads the JSON + HTML report as a build artifact.
If the score falls below min_score, the build exits with code 1 — your PR is blocked.
All environment variables
| Variable | Description |
|---|---|
| LICENSE_KEY (required) | Your Studio license key from Settings |
| ANTHROPIC_API_KEY (required) | Your Anthropic API key from console.anthropic.com |
| SQLITE_PATH | Path to the SQLite database inside the container |
| DATABASE_URL | Use Postgres instead of SQLite: postgresql://user:pass@host:5432/db |
| OUTPUT_DIR | Write JSON + HTML report files here after each audit |
| REPORT_FORMAT | json, html, or both |
| MIN_SCORE | Exit with code 1 if audit score falls below this — useful for CI/CD |
| ALLOW_PRIVATE_IPS | Set to true to audit apps on your local network (192.168.x.x, localhost) |
| PORT | Port the server listens on |
| HEADLESS | Set to true to disable the web UI and run API-only |
| WEBHOOK_SECRET | Signs webhook payloads with X-CanIShip-Signature |
License & offline use
- Your license is validated against caniship.actvli.com on startup
- After a successful validation, the container works offline for up to 24 hours
- Audits in progress are never interrupted by a validation check
- Check last validation time: cat /data/.license_state
- Your ANTHROPIC_API_KEY is used locally; it is never sent to Äctvli servers