Is my source code sent to ShipSafe servers?

Never. ShipSafe runs entirely on your machine. Scans, analysis, and auto-fixes all happen locally. Your source code never leaves your computer. No account required. Works offline.

How do I install ShipSafe?

Run: npm install -g @shipsafe/cli. Then run 'shipsafe scan' in any project directory. That's it — zero configuration required.

What does ShipSafe detect?

ShipSafe has 1,200+ detection rules covering SQL injection (127 rules), XSS (143 rules), prompt injection (7 rules), command injection (89 rules), SSRF (67 rules), hardcoded secrets (174 patterns), insecure authentication (98 rules), malicious MCP servers (30 patterns), path traversal, insecure deserialization, and more.

How is ShipSafe different from Snyk or SonarQube?

ShipSafe runs entirely locally (Snyk requires cloud), has AI-specific security rules like prompt injection and malicious MCP server detection (unique to ShipSafe), strips image metadata, and includes an MCP server for AI coding assistants. It's built for solo developers and small teams who use AI coding assistants.

Can I use ShipSafe with Claude, Cursor, or other AI tools?

Yes. ShipSafe includes an MCP server with 8 tools that plug directly into Claude, Cursor, Windsurf, and any other MCP-compatible assistant. Your AI can check security while it writes code.

What is prompt injection and does ShipSafe detect it?

Prompt injection is when untrusted user input is passed directly into LLM prompts, allowing attackers to manipulate AI behavior. ShipSafe has 7 dedicated rules that detect unsanitized user input in LLM prompts, system prompt leakage, indirect prompt injection via retrieved content, and prompt template manipulation.

What are malicious MCP servers and how does ShipSafe detect them?

Malicious MCP servers are rogue AI tool servers that can steal credentials, exfiltrate code, or inject malicious prompts. ShipSafe's scan-environment command checks your MCP configurations, CLAUDE.md files, git hooks, and npm scripts for 30 threat patterns including credential theft, data exfiltration, and prompt injection.

Yes. The free tier includes full security scanning with 1,200+ rules, git pre-commit hooks, baseline/delta mode, and support for 1 project. Pro ($19/mo) adds knowledge graph analysis, auto-fix, monitoring, and MCP server. Team ($49/mo) adds GitHub App integration and source maps.

How does ShipSafe reduce false positives?

ShipSafe uses Tree-sitter AST analysis to understand code context — it knows whether a variable comes from user input and whether it's been sanitized before reaching a dangerous sink. This context-aware detection dramatically reduces false positives compared to regex-only scanners.

Is it safe to use claude --dangerously-skip-permissions with ShipSafe?

ShipSafe's git pre-commit hooks provide a safety net when using --dangerously-skip-permissions. Even if Claude Code writes insecure code in autonomous mode, ShipSafe blocks the commit if it contains hardcoded secrets or critical vulnerabilities. Install hooks with: shipsafe hooks install.

March 21, 2026

How to Prevent SQL Injection in Next.js — A Complete Guide

SQL injection remains one of the most dangerous web vulnerabilities, even in modern Next.js applications. Whether you use Prisma, Drizzle, or raw SQL, here is how to keep your queries safe — and how to detect injection risks automatically.

Why Next.js Apps Are Still Vulnerable

Next.js developers often assume ORMs like Prisma eliminate SQL injection risk entirely. That is mostly true for standard Prisma queries. But the moment you use $queryRaw, $executeRaw, or drop down to a lower-level database driver, the protection disappears.

Server Actions in Next.js 14+ make this even more relevant. With server-side code running directly in your component files, developers sometimes write database queries that accept form data without sanitization. The boundary between client and server code is blurring, and SQL injection is sneaking through the gaps.

The Safe Way: Prisma Parameterized Queries

Standard Prisma Client queries are automatically parameterized. This code is safe:

// SAFE: Prisma parameterizes automatically
const user = await prisma.user.findFirst({
  where: {
    email: userInput, // automatically escaped
  },
});

// SAFE: Prisma parameterizes findMany too
const posts = await prisma.post.findMany({
  where: {
    title: { contains: searchQuery }, // safe
  },
});

Prisma generates parameterized SQL under the hood. The user input never touches the query structure. ShipSafe recognizes these patterns and does not flag them — this is one of the Prisma-specific exceptions added in v1.0.4.

The Dangerous Way: Raw Queries

Raw queries bypass Prisma’s protections. This is where injection happens:

// VULNERABLE: string interpolation in raw query
const users = await prisma.$queryRaw`
  SELECT * FROM users
  WHERE name = '${searchQuery}'
`;

// VULNERABLE: string concatenation
const result = await prisma.$queryRawUnsafe(
  "SELECT * FROM users WHERE email = '" + email + "'"
);

The safe way to use raw queries is with Prisma’s tagged template:

// SAFE: Prisma tagged template auto-parameterizes
import { Prisma } from "@prisma/client";

const users = await prisma.$queryRaw`
  SELECT * FROM users
  WHERE name = ${searchQuery}
`;
// Prisma converts this to a parameterized query:
// SELECT * FROM users WHERE name = $1

The difference is subtle but critical. When you wrap the interpolation in quotes ('${searchQuery}'), Prisma treats it as a literal string. Without quotes, Prisma parameterizes it properly.

Server Actions: A New Attack Surface

Next.js Server Actions run on the server but are invoked from the client. Any form input that reaches a database query needs validation:

// VULNERABLE: Server Action with unvalidated input
"use server";

export async function searchUsers(formData: FormData) {
  const query = formData.get("search") as string;
  // Direct interpolation into raw SQL
  const users = await db.execute(
    `SELECT * FROM users WHERE name LIKE '%${query}%'`
  );
  return users;
}

// SAFE: Validated and parameterized
"use server";
import { z } from "zod";

const searchSchema = z.object({
  search: z.string().max(100).regex(/^[a-zA-Z0-9\s]+$/),
});

export async function searchUsers(formData: FormData) {
  const { search } = searchSchema.parse({
    search: formData.get("search"),
  });
  const users = await prisma.user.findMany({
    where: { name: { contains: search } },
  });
  return users;
}

Drizzle ORM: Same Principles Apply

If you use Drizzle instead of Prisma, the same rules apply. Drizzle’s query builder is safe; raw SQL is not:

// SAFE: Drizzle query builder
const users = await db
  .select()
  .from(usersTable)
  .where(eq(usersTable.email, userInput));

// VULNERABLE: Drizzle raw SQL with interpolation
const users = await db.execute(
  sql.raw(`SELECT * FROM users WHERE email = '${userInput}'`)
);

// SAFE: Drizzle parameterized raw SQL
const users = await db.execute(
  sql`SELECT * FROM users WHERE email = ${userInput}`
);

Automated Detection with ShipSafe

ShipSafe has 127 SQL injection detection rules that catch all the patterns above. It understands the difference between safe Prisma queries and dangerous raw SQL:

$ shipsafe scan

  CRITICAL  sql-injection/prisma-raw-unsafe
  src/actions/search.ts:8
  $queryRawUnsafe with string concatenation containing user input.
  Fix: Use tagged template — prisma.$queryRaw`SELECT ... WHERE id = ${id}`

  HIGH  sql-injection/template-literal-in-query
  src/lib/db.ts:15
  User input interpolated in SQL template literal with quotes.
  Fix: Remove quotes around interpolation to enable parameterization.

Scan complete: 2 findings (1 critical, 1 high)

ShipSafe’s Tree-sitter AST analysis traces the data flow from form input to database query, catching injection vectors that regex-based scanners miss.

Prevention Checklist

Use ORM queries by default. Prisma’s findMany, findFirst, create are always safe.
Parameterize raw queries. Use tagged templates without quotes around interpolated values.
Validate all input. Use Zod or a similar library to validate form data before it touches any query.
Avoid $queryRawUnsafe. If you must use it, build the query string with only trusted values.
Scan automatically. Install ShipSafe git hooks to catch injection before it reaches your repository.

Catch SQL Injection Automatically

ShipSafe has 127 SQL injection rules with Prisma and Next.js awareness.

npm install -g @shipsafe/cli && shipsafe scanGet Started Free