Is my source code sent to ShipSafe servers?

Never. ShipSafe runs entirely on your machine. Scans, analysis, and auto-fixes all happen locally. Your source code never leaves your computer. No account required. Works offline.

How do I install ShipSafe?

Run: npm install -g @shipsafe/cli. Then run 'shipsafe scan' in any project directory. That's it — zero configuration required.

What does ShipSafe detect?

ShipSafe has 1,200+ detection rules covering SQL injection (127 rules), XSS (143 rules), prompt injection (7 rules), command injection (89 rules), SSRF (67 rules), hardcoded secrets (174 patterns), insecure authentication (98 rules), malicious MCP servers (30 patterns), path traversal, insecure deserialization, and more.

How is ShipSafe different from Snyk or SonarQube?

ShipSafe runs entirely locally (Snyk requires cloud), has AI-specific security rules like prompt injection and malicious MCP server detection (unique to ShipSafe), strips image metadata, and includes an MCP server for AI coding assistants. It's built for solo developers and small teams who use AI coding assistants.

Can I use ShipSafe with Claude, Cursor, or other AI tools?

Yes. ShipSafe includes an MCP server with 8 tools that plug directly into Claude, Cursor, Windsurf, and any other MCP-compatible assistant. Your AI can check security while it writes code.

What is prompt injection and does ShipSafe detect it?

Prompt injection is when untrusted user input is passed directly into LLM prompts, allowing attackers to manipulate AI behavior. ShipSafe has 7 dedicated rules that detect unsanitized user input in LLM prompts, system prompt leakage, indirect prompt injection via retrieved content, and prompt template manipulation.

What are malicious MCP servers and how does ShipSafe detect them?

Malicious MCP servers are rogue AI tool servers that can steal credentials, exfiltrate code, or inject malicious prompts. ShipSafe's scan-environment command checks your MCP configurations, CLAUDE.md files, git hooks, and npm scripts for 30 threat patterns including credential theft, data exfiltration, and prompt injection.

Yes. The free tier includes full security scanning with 1,200+ rules, git pre-commit hooks, baseline/delta mode, and support for 1 project. Pro ($19/mo) adds knowledge graph analysis, auto-fix, monitoring, and MCP server. Team ($49/mo) adds GitHub App integration and source maps.

How does ShipSafe reduce false positives?

ShipSafe uses Tree-sitter AST analysis to understand code context — it knows whether a variable comes from user input and whether it's been sanitized before reaching a dangerous sink. This context-aware detection dramatically reduces false positives compared to regex-only scanners.

Is it safe to use claude --dangerously-skip-permissions with ShipSafe?

ShipSafe's git pre-commit hooks provide a safety net when using --dangerously-skip-permissions. Even if Claude Code writes insecure code in autonomous mode, ShipSafe blocks the commit if it contains hardcoded secrets or critical vulnerabilities. Install hooks with: shipsafe hooks install.

March 19, 2026

Best Security Scanner for Cursor IDE in 2026

Cursor has become the go-to IDE for AI-assisted development. But with AI writing more of your code, security scanning becomes even more important. Here is how to choose the right scanner for your Cursor workflow — and how to set up ShipSafe for maximum protection.

Why Cursor Needs Security Scanning

Cursor is brilliant at generating code from natural language. You describe a feature, and Cursor builds it. But AI-generated code can contain the same vulnerabilities as human-written code — and sometimes more, because the AI optimizes for functionality over security.

Common issues in Cursor-generated code include:

•Hardcoded API keys — AI often uses example keys or your actual keys from context
•SQL injection — string interpolation in database queries instead of parameterized queries
•Missing auth — API routes generated without authentication middleware
•XSS vulnerabilities — dangerouslySetInnerHTML in React components
•Prompt injection — unsanitized user input in LLM prompts

Comparing Security Scanners for Cursor

Here is how the leading security tools compare for Cursor IDE integration:

Feature	ShipSafe	Semgrep	Snyk
MCP integration	8 tools	No	No
Prompt injection	7 rules	No	No
Runs locally	Always	OSS only	Cloud
Git hooks	Built-in	Via pre-commit	No
Setup time	10 seconds	5-10 minutes	5+ minutes
AI-specific rules	37 rules	None	None

See detailed comparisons: ShipSafe vs Semgrep · ShipSafe vs Snyk · ShipSafe vs SonarQube

Setting Up ShipSafe with Cursor

ShipSafe integrates with Cursor via MCP (Model Context Protocol). This gives Cursor’s AI direct access to security scanning tools.

1. Install ShipSafe

npm install -g @shipsafe/cli

2. Add to Cursor MCP Config

Add ShipSafe to your Cursor MCP configuration (typically .cursor/mcp.json in your project):

{
  "mcpServers": {
    "shipsafe": {
      "command": "shipsafe",
      "args": ["mcp-server"]
    }
  }
}

3. Install Git Hooks

shipsafe hooks install

4. Add to .cursorrules

Tell Cursor’s AI to use ShipSafe automatically:

# .cursorrules
Before committing any code, run shipsafe_scan to check
for security vulnerabilities. Fix any CRITICAL or HIGH
findings before committing.

The MCP Advantage

The key advantage of ShipSafe over other scanners is MCP integration. Traditional scanners like Semgrep and Snyk run after you finish coding. ShipSafe runs while your AI writes code.

With the MCP server active, Cursor can:

✓Scan individual files after modifying them
✓Check npm packages before installing them
✓Verify the development environment is threat-free
✓Get detailed explanations of any detected vulnerability
✓Auto-fix common issues like moving secrets to .env files (Pro)

Works with Other AI IDEs Too

While this guide focuses on Cursor, ShipSafe’s MCP server works with any MCP-compatible tool. That includes Claude Code, Windsurf, and any future IDE that implements the Model Context Protocol. The getting started guide covers setup for all platforms.

Secure Your Cursor Workflow

Install ShipSafe and integrate with Cursor in under 60 seconds.

npm install -g @shipsafe/cliGet Started Free