How to Detect and Fix Hardcoded API Keys in Your Codebase
Hardcoded API keys are the most common way secrets leak. Scans of public repositories turn up more than 10 million leaked secrets every year. Once a key has been committed it lives in git history, and rotating it is the only fix: deleting the line in a later commit does not remove the earlier one. Here is how to find hardcoded keys and prevent future leaks.
Why Keys End Up in Code
Developers do not intentionally commit API keys. It happens because of:
- Quick prototyping: you paste a key to test something and forget to move it to .env
- AI code generation: tools like Cursor and Claude Code sometimes hardcode keys they have seen in the files or chat context they were given
- Copy-paste from docs: many API docs use real-looking keys in examples
- Config files: database connection strings with passwords, or .env files committed by mistake
- Test files: real credentials used in integration tests instead of mocks
What Attackers Do with Leaked Keys
Leaked keys are exploited within minutes. Automated bots scan every public git push for credential patterns. The consequences are immediate and severe:
- AWS keys: crypto miners spin up thousands of EC2 instances, costing tens of thousands of dollars
- Stripe keys: attackers issue refunds, create fraudulent charges, or read customer data
- Database passwords: data exfiltration, ransomware, complete system compromise
- GitHub tokens: source code theft, supply chain attacks, backdoor injection
ShipSafe’s 174 Secret Detection Patterns
ShipSafe ships with 174 secret detection patterns that cover 50+ services. Service-specific patterns match the fixed prefixes and lengths providers use (for example sk_live_ for Stripe), so they are high-confidence hits. Generic matches, a long string assigned to a name like apiKey, are filtered by the entropy of the value, so ordinary words and placeholders such as "changeme" are not reported as secrets.
Services Covered
Plus: private keys (RSA, DSA, EC, PGP), database connection strings, generic high-entropy tokens, and JWT secrets.
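To make the two mechanisms concrete, here is a small scanner in the style of the `shipsafe scan` output. It is an added example written for this article, not ShipSafe's implementation: the pattern list, the severity assigned to each pattern, the 3.5-bit entropy threshold and the sample files are all this example's own choices.

```javascript
// Added example: a minimal scanner in the style of the `shipsafe scan` output.
// Illustrative code written for this article, not ShipSafe's implementation;
// the pattern list, severities and entropy threshold are this example's own choices.

// Service-specific patterns. Providers use fixed prefixes and lengths, which is
// what makes these high-confidence matches.
const PATTERNS = [
  { id: 'secrets/aws-access-key-id', severity: 'CRITICAL', re: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/ },
  { id: 'secrets/stripe-live-key',   severity: 'CRITICAL', re: /\bsk_live_[0-9A-Za-z]{24,}\b/ },
  { id: 'secrets/github-token',      severity: 'CRITICAL', re: /\bgh[pousr]_[A-Za-z0-9]{36,}\b/ },
  { id: 'secrets/private-key',       severity: 'CRITICAL',
    re: /-----BEGIN (?:RSA |EC |DSA |OPENSSH |PGP )?PRIVATE KEY(?: BLOCK)?-----/ },
  { id: 'secrets/database-password', severity: 'HIGH',
    re: /\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis):\/\/[^\s:'"]+:[^\s@'"]+@/ },
];

// Generic fallback: a quoted value assigned to a secret-looking name. Reported only
// when the value has high entropy, which is what separates "changeme" from a real token.
const GENERIC_ASSIGN = /\b(?:api[_-]?key|secret|token|password|passwd)\w*\s*[:=]\s*['"]([^'"]{16,})['"]/gi;
const ENTROPY_THRESHOLD = 3.5; // bits per character; random base62 tokens sit well above this
const SEVERITY_RANK = { CRITICAL: 0, HIGH: 1, MEDIUM: 2 };

// Shannon entropy of a string, in bits per character.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Scan one file's text; returns findings with file:line locations.
function scanSource(file, text) {
  const findings = [];
  text.split('\n').forEach((line, i) => {
    // A value read from the environment is the fix, not a finding.
    if (/\bprocess\.env\./.test(line)) return;
    let matchedSpecific = false;
    for (const p of PATTERNS) {
      if (p.re.test(line)) {
        findings.push({ severity: p.severity, id: p.id, location: `${file}:${i + 1}` });
        matchedSpecific = true;
      }
    }
    if (matchedSpecific) return; // do not report the same line again as a generic hit
    for (const m of line.matchAll(GENERIC_ASSIGN)) {
      const entropy = shannonEntropy(m[1]);
      if (entropy >= ENTROPY_THRESHOLD) {
        findings.push({ severity: 'MEDIUM', id: 'secrets/generic-api-key',
          location: `${file}:${i + 1}`, entropy: Number(entropy.toFixed(2)) });
      }
    }
  });
  return findings;
}

// Scan a map of path -> contents; findings come back most severe first, with a count per level.
function scanProject(files) {
  const findings = Object.entries(files).flatMap(([path, text]) => scanSource(path, text));
  findings.sort((a, b) => SEVERITY_RANK[a.severity] - SEVERITY_RANK[b.severity]);
  const counts = { CRITICAL: 0, HIGH: 0, MEDIUM: 0 };
  for (const f of findings) counts[f.severity] += 1;
  return { findings, counts };
}

// Constructed sample project (not a real codebase); every value below is made up.
// AKIAIOSFODNN7EXAMPLE is the placeholder access key ID from AWS's own documentation.
const SAMPLE_FILES = {
  'src/config/aws.ts': [
    'export const awsConfig = {',
    '  accessKeyId: "AKIAIOSFODNN7EXAMPLE",',
    '  secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY,',
    '};',
  ].join('\n'),
  'src/db/connection.ts': 'const url = "postgres://app:hunter2hunter2@db.internal:5432/app";',
  'src/utils/analytics.ts': [
    'const apiKey = "changeme_changeme_changeme";',        // low entropy: ignored
    'const api_key = "q7Xk2pL9vR4tW8yB1nM6zC3dF5gH0jK";', // high entropy: reported
  ].join('\n'),
};

const report = scanProject(SAMPLE_FILES);
for (const f of report.findings) {
  console.log(`${f.severity.padEnd(8)} ${f.id.padEnd(28)} ${f.location}`);
}
console.log(`${report.findings.length} findings`, report.counts);
```

Two details matter in practice: the scanner skips any line that reads from `process.env`, so the fixed code is not re-flagged, and a line that already matched a service-specific pattern is not reported a second time by the generic rule. The entropy gate is what keeps `"changeme_changeme_changeme"` (about 2.9 bits per character) out of the report while the 31-character random token (about 4.95 bits) is reported.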
Finding Keys in Your Codebase
Scan your project with one command:

```sh
npm install -g @shipsafe/cli
shipsafe scan
```
ShipSafe shows exactly where each secret is:

```
$ shipsafe scan

CRITICAL  secrets/aws-secret-key     src/config/aws.ts:3
          AWS secret access key detected.
          Fix: Move to environment variable — process.env.AWS_SECRET_ACCESS_KEY

CRITICAL  secrets/stripe-live-key    src/payments/stripe.ts:1
          Stripe live secret key detected (sk_live_*).
          Fix: Move to environment variable — process.env.STRIPE_SECRET_KEY

HIGH      secrets/database-password  src/db/connection.ts:5
          Database password hardcoded in source code.
          Fix: Move to environment variable — process.env.DATABASE_URL

MEDIUM    secrets/generic-api-key    src/utils/analytics.ts:8
          High-entropy string assigned to variable "apiKey".
          Fix: Move to environment variable.

4 findings (2 critical, 1 high, 1 medium)
```
Fixing Leaked Keys
For each detected secret, follow this process:
- Rotate the key immediately. Generate a new key from the service provider and revoke the old one. The old key should be considered compromised; check the provider's access logs for any use of it you did not make.
- Move to environment variables. Create a .env file (and add it to .gitignore) with the new key.
- Update references. Replace hardcoded values with process.env.KEY_NAME.
- Create .env.example. Document the required environment variable names without actual values, and commit that file instead of .env.
- Audit git history. If the key was ever committed, it is in git history, and in every clone and fork that pulled it. Rewriting history with a tool such as git filter-repo cleans your copy but not copies others already have, so rotating is the only safe remediation.
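The steps above end with application code that reads secrets from the environment. Here is the "after" side of that fix, as an added example that is not ShipSafe's code or its auto-fix output: a loader that refuses to start when a required variable is missing, still holds a placeholder, or has the wrong shape, and a generator for .env.example. The variable names follow the article; the shape checks, the placeholder list and the demo values are this example's assumptions.

```javascript
// Added example: the "after" side of the fix. Not ShipSafe code; the variable names
// follow the article, the shape checks and placeholder list are this example's own.
//
// Before (what the scanner flags): the key is a literal in source and in git history.
//   const stripe = new Stripe("sk_live_...");
// After: the key comes from the environment and the process refuses to start without it.

// Each required secret with a loose shape check, so an obviously wrong value (placeholder,
// truncated paste, key for a different service) fails at startup instead of at first request.
const REQUIRED_SECRETS = [
  { name: 'STRIPE_SECRET_KEY', shape: /^sk_(?:live|test)_[0-9A-Za-z]{24,}$/,
    doc: 'Stripe secret key (sk_live_... in production)' },
  { name: 'AWS_SECRET_ACCESS_KEY', shape: /^[A-Za-z0-9/+=]{40}$/,
    doc: 'AWS secret access key paired with AWS_ACCESS_KEY_ID' },
  { name: 'DATABASE_URL', shape: /^postgres(?:ql)?:\/\/.+@.+/,
    doc: 'Postgres connection string including the database password' },
];

// Values that mean .env.example was copied but never filled in.
const PLACEHOLDER = /^(?:|changeme|your[-_ ]?\w*[-_ ]?here|xxx+|todo|<[^>]*>)$/i;

// Load secrets from an env object (process.env in real use). Collects every problem
// before throwing, so one failed start shows the whole gap, and never echoes a value
// into the error message, because error messages end up in logs.
function loadSecrets(required, env) {
  const problems = [];
  const secrets = {};
  for (const { name, shape } of required) {
    const value = env[name];
    if (value === undefined || PLACEHOLDER.test(value.trim())) {
      problems.push(`${name}: missing or still a placeholder`);
    } else if (!shape.test(value)) {
      problems.push(`${name}: value does not look like a valid ${name}`);
    } else {
      secrets[name] = value;
    }
  }
  // A test-mode Stripe key in production is a misconfiguration, not a secret leak, but it
  // is the kind of mistake a .env swap produces, so catch it in the same place.
  if (env.NODE_ENV === 'production' && secrets.STRIPE_SECRET_KEY &&
      secrets.STRIPE_SECRET_KEY.startsWith('sk_test_')) {
    problems.push('STRIPE_SECRET_KEY: test-mode key configured in production');
  }
  if (problems.length) throw new Error(`Configuration invalid:\n  ${problems.join('\n  ')}`);
  return secrets;
}

// Render .env.example: names and documentation, never values. This file is committed;
// .env itself is listed in .gitignore.
function renderEnvExample(required) {
  return required.map(({ name, doc }) => `# ${doc}\n${name}=`).join('\n') + '\n';
}

// Short identifier for logging which key was loaded without logging the key itself.
function keyFingerprint(value) {
  return `${value.slice(0, 7)}...(${value.length} chars)`;
}

// Constructed env for demonstration; all values are made up and match only the shape checks.
const DEMO_ENV = {
  NODE_ENV: 'production',
  STRIPE_SECRET_KEY: 'sk_live_' + 'F'.repeat(24),
  AWS_SECRET_ACCESS_KEY: 'A'.repeat(40),
  DATABASE_URL: 'postgres://app:s3cr3t@db.internal:5432/app',
};

const loaded = loadSecrets(REQUIRED_SECRETS, DEMO_ENV);
for (const name of Object.keys(loaded)) console.log(`${name} loaded: ${keyFingerprint(loaded[name])}`);
console.log(renderEnvExample(REQUIRED_SECRETS));
```

The shape checks are intentionally loose; their job is to catch the empty string, "your_key_here" and a key pasted into the wrong variable, not to validate the credential, which only the provider can do.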
ShipSafe Pro can auto-fix detected secrets. The shipsafe_fix MCP tool moves secrets to .env and updates all references automatically.
Preventing Future Leaks with Git Hooks
The best defense is prevention. ShipSafe’s pre-commit hooks block secrets before they reach your repository:

```sh
shipsafe hooks install
```
Now every commit is scanned. If you accidentally add a file containing an API key:

```
$ git commit -m "Add payment integration"

CRITICAL  secrets/stripe-live-key  src/payments.ts:3
          Stripe live secret key detected.

Commit blocked. Fix the findings above and try again.
```
This is especially valuable when using AI coding assistants like Claude Code and Cursor in autonomous mode, where commits are created without a human reading every diff first.
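For readers who want to see what a hook like this does underneath, here is a pre-commit hook written from scratch as an added example; it is not what `shipsafe hooks install` places in .git/hooks, and its three-pattern list and skip rules are this example's own. The one detail worth copying is that it scans the staged blob (`git show :path`) rather than the file on disk: with `git add -p` the two can differ, and only the staged version is what gets committed.

```javascript
#!/usr/bin/env node
// Added example: a pre-commit hook written from scratch, not ShipSafe's installed hook.
// Install by copying to .git/hooks/pre-commit and making it executable. The pattern list
// is deliberately short; a real hook carries the full set.

// Patterns that block a commit outright.
const BLOCKING = [
  { id: 'secrets/stripe-live-key',   re: /\bsk_live_[0-9A-Za-z]{24,}\b/ },
  { id: 'secrets/aws-access-key-id', re: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/ },
  { id: 'secrets/private-key',       re: /-----BEGIN [A-Z ]*PRIVATE KEY-----/ },
];

// Paths whose contents are expected to look random (lockfiles, minified bundles);
// scanning them produces noise, and they do not carry application credentials.
const SKIP_PATHS = /(^|\/)(package-lock\.json|yarn\.lock|pnpm-lock\.yaml)$|\.min\.js$/;

// Pure decision over staged files [{ path, content }]; separated from git so it can be
// unit-tested without a repository.
function checkStaged(files) {
  const findings = [];
  for (const { path, content } of files) {
    if (SKIP_PATHS.test(path)) continue;
    content.split('\n').forEach((line, i) => {
      for (const p of BLOCKING) {
        if (p.re.test(line)) findings.push({ id: p.id, location: `${path}:${i + 1}` });
      }
    });
  }
  return { ok: findings.length === 0, findings };
}

// Git plumbing: staged added/copied/modified paths, and the *staged* content of each.
// `git show :path` reads the index entry, which is what will be committed, even when
// the working-tree file differs (partial staging with `git add -p`).
function readStaged() {
  const { execFileSync } = require('child_process');
  const paths = execFileSync('git', ['diff', '--cached', '--name-only', '--diff-filter=ACM', '-z'],
    { encoding: 'utf8' }).split('\0').filter(Boolean);
  return paths.map((path) => ({
    path,
    content: execFileSync('git', ['show', `:${path}`], { encoding: 'utf8' }),
  }));
}

// Run the git-backed check only when invoked as the hook itself, so loading this file
// from a test has no side effects and does not require a repository.
if (typeof require !== 'undefined' && require.main === module && /pre-commit$/.test(process.argv[1] || '')) {
  const { ok, findings } = checkStaged(readStaged());
  for (const f of findings) console.error(`CRITICAL  ${f.id}  ${f.location}`);
  if (!ok) {
    console.error('Commit blocked. Fix the findings above and try again.');
    process.exit(1);
  }
}
```

Hooks are advisory in the sense that `git commit --no-verify` skips them, so a local hook is the first line, not the only one: keep server-side or CI scanning as well for anything that bypasses it.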
ShipSafe vs Other Secret Scanners
Other tools detect secrets too. Here is how ShipSafe compares:
- vs GitHub Secret Scanning: GitHub scans content that has already been pushed, and its push protection rejects a push containing a recognised pattern; either way the secret already sits in a local commit. ShipSafe blocks at commit time, before the secret is written into history.
- vs Gitleaks: ShipSafe uses Gitleaks patterns under the hood, plus 40+ additional patterns and entropy-based filtering.
- vs Snyk: Snyk focuses on dependency vulnerabilities, not secrets. ShipSafe has 174 dedicated secret patterns.
- vs Semgrep: Semgrep Secrets is a paid add-on. ShipSafe includes all 174 patterns in the free tier.
Find and Fix Secrets in 10 Seconds
174 detection patterns. Git hooks that prevent leaks. Free forever.
```sh
npm install -g @shipsafe/cli && shipsafe scan
```