Deployment Checks · Beta

# Gate Every Deploy With Automated Checks

Run SSH commands, HTTP probes, and vulnerability scanners before or after a deployment. Catch uncommitted server edits, maintenance flags, and security issues — and abort bad deploys before they cost you build minutes.


Pre-build & post-deploy stages

SSH, HTTP & vulnerability scans

Trivy & TruffleHog bundled in

Last updated on 18th May 2026

```
deploy / production

› Pre-build check · drift detector
  ssh production "git diff --quiet"
  ✓ Working tree clean — proceed
› Pre-build check · vulnerability scan (Trivy)
  ✓ 0 critical, 0 high — proceed
› Post-deploy check · smoke test
  GET https://app.example.com/health
  ✓ 200 OK — deploy marked successful
```

Deployment Checks are validations that run on the deployment worker — either before the build pipeline starts (pre-build) or after every server has received its files (post-deploy). A failing pre-build check aborts the deployment cleanly before any build resources are spent. A failing post-deploy check marks the deployment failed and fires the usual failure notifications.

## Two Stages, Two Questions

Every check answers one of the two questions you ask most around a deploy.

Pre-build

### Is it safe to deploy right now?

Runs at the very start of a deployment, before the build pipeline begins. A failure aborts the deploy cleanly — no build minutes spent, no files uploaded.

- Detect uncommitted changes operators made directly on the server
- Refuse to deploy when a maintenance flag is up
- Block deploys that fail a vulnerability scan

Post-deploy

### Did the deploy actually work?

Runs after every server has received its files, before the deployment is marked complete. A failure marks the deploy failed and fires your usual failure notifications.

- Smoke-test your homepage or healthcheck endpoint
- Run a service-specific verification command
- Catch silent failures the build pipeline missed

## Three Check Types

Pick the right tool for the question you're asking.

### SSH Check

Run an arbitrary shell command on one or more SSH-capable servers in the project. A non-zero exit aborts (pre-build) or fails (post-deploy) the deploy. Stdout and stderr are captured into the deploy log in a console block.

`git diff --quiet || exit 1`

### HTTP Check

Send a GET or HEAD request to any URL and assert the response status — optionally checking the body for a specific substring. Works for any project type, including FTP, ElasticBeanstalk, Heroku, and cloud-storage protocols.

`GET /maintenance.json — expect 404`

### Vulnerability Scan

Run Trivy or TruffleHog against your source on the build server before build commands execute — catch dependency CVEs and leaked secrets in one gate. Configurable severity threshold — fail on critical only, or anywhere down to low.


## Vulnerability Scanners

Catch CVEs and leaked secrets before your code reaches production. Trivy and TruffleHog are bundled into the build image — both open-source, both zero-config.

### Trivy

Open-source, zero-config

Trivy is an open-source vulnerability scanner from Aqua Security. No account, no API key, no setup. Bundled into every build image — pick a severity threshold and go.

**Pick Trivy if:** you want to block deploys whose dependencies have known CVEs before they reach production.

### TruffleHog

Open-source, secret detection

TruffleHog scans your source tree for high-entropy strings and known credential formats — AWS keys, API tokens, private keys accidentally committed. Bundled into every build image, zero setup required.

**Pick TruffleHog if:** you want to catch credentials accidentally committed before they reach production.

### Severity threshold

Pick the lowest severity that should fail the deploy. **Critical only** is the least strict; **Low or higher** blocks anything the scanner produces.

- Low+
- Medium+
- High+ (recommended)
- Critical only

## What People Use Them For

The same primitives, very different gates.

### Detecting drift on the server

A pre-build SSH check that runs `git diff --quiet` against the release directory catches operators who edited config directly on the server. Aborts the deploy before it overwrites their hotfix.
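An added example, not DeployHQ's own code: `git diff --quiet` compares the working tree with the index only, so staged edits and untracked files (a script dropped onto the server, for instance) pass it. The function below flags all three cases and fails closed when the path is not a usable git work tree; the name `drift_check` and the `RELEASE_DIR` variable are assumptions made for this example.

```shell
#!/bin/sh
# drift_check DIR (hypothetical helper, not part of DeployHQ):
#   returns 0 when DIR matches its last commit exactly,
#   returns 1 on any drift (unstaged, staged or untracked paths),
#   returns 2 when DIR cannot be inspected as a git work tree.
drift_check() {
    dir=$1

    # Fail closed: a missing or non-git directory must not pass the gate.
    git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1 || {
        echo "drift-check: $dir is not a git work tree" >&2
        return 2
    }

    # --porcelain prints one line per changed path: unstaged edits,
    # staged edits and untracked files ("??"). Ignored files are skipped.
    # A failing status call (bare repo, ownership refusal) also blocks.
    changes=$(git -C "$dir" status --porcelain --untracked-files=all) || return 2

    if [ -n "$changes" ]; then
        # Goes to stderr so the deploy log shows which paths drifted.
        echo "drift-check: uncommitted changes in $dir:" >&2
        printf '%s\n' "$changes" >&2
        return 1
    fi
    return 0
}

# Runs only when a target is supplied, e.g.
#   RELEASE_DIR=/path/to/release sh drift_check.sh
# RELEASE_DIR is an assumed variable name for this example.
[ -z "${RELEASE_DIR:-}" ] || drift_check "$RELEASE_DIR"
```

Any non-zero return aborts a pre-build SSH check, so both drift (1) and an uninspectable directory (2) stop the deploy.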

### Maintenance-mode gate

A pre-build HTTP check against a `/maintenance.json` endpoint that returns 200 during downtime. The check expects 404, so the deploy aborts while maintenance is up and resumes when it ends.

### Post-deploy smoke test

A post-deploy HTTP check that hits your homepage with expected 200. Cheap canary that catches the deploys where the build succeeded but the app didn't actually start.

### Vulnerability gate

A pre-build Trivy or TruffleHog scan with severity threshold of "high or higher" — refuses to deploy code with known CVEs or leaked credentials without breaking the build for low-priority noise.

Getting Started

## Add your first check in a couple of minutes


### Enable beta features

Deployment Checks are in beta. Toggle beta features on in your account to see them in the project sidebar.


### Pick a stage and type

Pre-build to gate the deploy, post-deploy to verify it. SSH, HTTP, or Vulnerability scan.


### Configure the check

Pick the server (SSH), URL and expected status (HTTP), or scanner and severity threshold (Vuln). Save.


### Deploy and read the log

Every deploy now runs the check. Output streams into the deploy log alongside everything else.

[Read the documentation →](https://www.deployhq.com/support/deployments/deployment-checks)

Deploy flow with checks: Trigger → Pre-build check ✓ (drift · maintenance · vuln scan) → Build pipeline runs → Files uploaded to servers → Post-deploy check ✓

## Frequently Asked Questions

### What's the difference between pre-build and post-deploy checks?

Pre-build checks run before the build pipeline starts. A failure aborts the deploy cleanly — no build minutes spent, no files uploaded. Post-deploy checks run after every server has received its files. A failure marks the deploy failed and fires your usual failure notifications, but does not roll back — the files stay where they are and you decide how to react.

### Do vulnerability scans cost extra build minutes?

Yes, but only the build-server startup cost (typically a few seconds). Trivy and TruffleHog are bundled into the build image, so there is no install step. A failed scan aborts the deploy before your build commands run, so you do not waste build minutes on a build whose output would be rejected.

### Which scanners are supported?

Trivy (dependency CVEs) and TruffleHog (leaked secrets) are bundled into the build image. Both are open-source and require zero configuration — pick a severity threshold and go.

### Does a failing post-deploy check roll back the deployment?

No. Deployment Checks alert you so you can react — they do not auto-rollback. A failing post-deploy check marks the deploy failed and fires the usual failure notifications. To revert the change itself, use [one-click rollback](/features/one-click-rollback) from the deployments page.

### How do I enable Deployment Checks?

Deployment Checks are currently in beta. Enable beta features on your account, and a 'Deployment Checks' entry will appear in the project sidebar.

