Introducing ShipSafe: Security Scanning for Developers Who Ship Fast
Today we’re launching ShipSafe — a one-command security scanner that wraps Semgrep, Gitleaks, and Trivy into a single CLI. But it goes beyond pattern matching.
AI coding assistants are incredible at writing code fast. They’re also incredible at shipping hardcoded API keys, missing auth checks, and unsanitized database queries. Pattern matching catches the obvious stuff. ShipSafe catches the rest.
The Knowledge Graph
ShipSafe builds a call graph of your entire codebase using Tree-sitter and KuzuDB. It traces data flow from user input through your function calls to database queries, file system operations, and shell commands. If there’s a path from untrusted input to a dangerous sink without validation — ShipSafe finds it.
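To make the source-to-sink idea concrete, here is a small added example of taint propagation over a call graph. It is not ShipSafe's code (ShipSafe derives its graph from real source with Tree-sitter and stores it in KuzuDB); the graph, the function names and the source/sanitizer/sink roles below are all constructed for illustration.

```python
# Added example, not ShipSafe's implementation: minimal source-to-sink taint
# tracking over a call graph. The graph and every function name in it are
# constructed for this illustration.
from collections import defaultdict

# Constructed call graph as (caller, callee) pairs.
EDGES = [
    ("handle_request", "build_query"),      # raw request param -> query string
    ("build_query", "db_execute"),
    ("handle_request", "validate_id"),      # same input, but validated first
    ("validate_id", "lookup_user"),
    ("lookup_user", "db_execute"),
    ("handle_request", "render_page"),
    ("render_page", "write_file"),
    ("scheduled_cleanup", "db_execute"),    # no untrusted input involved
    ("scheduled_cleanup", "run_shell"),
]

# Roles assigned for the example: where untrusted input enters, which
# functions neutralise it, and which functions act on it dangerously.
SOURCES = {"handle_request"}
SANITIZERS = {"validate_id"}
SINKS = {"db_execute", "write_file", "run_shell"}


def find_taint_paths(edges, sources, sanitizers, sinks):
    """Return every call path from a source to a sink that never passes
    through a sanitizer. Each path is a list of function names, sorted so
    the result is deterministic."""
    callees = defaultdict(list)
    for caller, callee in edges:
        callees[caller].append(callee)

    findings = []
    for source in sources:
        stack = [[source]]              # depth-first search over whole paths
        while stack:
            path = stack.pop()
            node = path[-1]
            if node in sinks and len(path) > 1:
                findings.append(path)   # record, then keep exploring past it
            for nxt in callees[node]:
                if nxt in sanitizers:   # taint is cleared here; stop following
                    continue
                if nxt in path:         # guard against recursion / cycles
                    continue
                stack.append(path + [nxt])
    return sorted(findings)


def describe(path):
    """Human-readable finding for one tainted path."""
    return f"untrusted input reaches {path[-1]} via " + " -> ".join(path)


if __name__ == "__main__":
    for p in find_taint_paths(EDGES, SOURCES, SANITIZERS, SINKS):
        print(describe(p))
```

The validated branch (handle_request -> validate_id -> lookup_user -> db_execute) is not reported because the sanitizer clears the taint, and scheduled_cleanup never shows up because nothing untrusted enters it; drop validate_id from the sanitizer set and the third path is reported. A production analysis tracks which argument carries the taint and what each callee does with it rather than treating whole functions as tainted, but the search is the same in shape.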
MCP Server for AI Assistants
ShipSafe includes an MCP server with 7 tools that plug directly into Claude, Cursor, Windsurf, and any other MCP-compatible assistant. Your AI can check security while it writes code, not after. Run shipsafe mcp-server and add it to your MCP config.
Privacy First
Your source code never leaves your machine. All scanning and analysis runs locally. The optional monitoring snippet (@shipsafe/monitor) has automatic PII scrubbing and is MIT licensed — you can inspect every line.
Get Started
Free forever for solo projects. Install in 10 seconds:
npm install -g @shipsafe/cli
Then run shipsafe scan in any project. That’s it.
Built in San Juan, PR.