How to Scan Claude Code Projects for Security Vulnerabilities
Claude Code writes production-quality software at incredible speed. But speed without security is reckless. Here is how to integrate ShipSafe with Claude Code so every line of AI-generated code gets scanned for vulnerabilities.
Why Claude Code Needs Security Scanning
Claude Code is one of the most capable AI coding tools available. It can scaffold entire applications, refactor complex codebases, and implement features from natural language descriptions. But like any developer (human or AI), it can introduce security issues:
- Hardcoded secrets — API keys placed directly in source files instead of environment variables
- SQL injection — string interpolation in database queries, especially when using raw SQL
- Missing authentication — API routes without auth middleware, especially in rapid prototyping
- Prompt injection — unsanitized user input in LLM prompts when building AI features
The risk is amplified when using --dangerously-skip-permissions, where Claude operates autonomously without asking for approval.
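As an added illustration (this is not code from ShipSafe, Claude Code, or the original page), here is each finding class listed above written first in the form an assistant may emit and then in a hardened form. The function names, the placeholder Stripe key, the `{ text, values }` query shape (the object form node-postgres accepts), and the chat-style message array are assumptions made for the example; no database, web framework, or LLM client is needed to run it.

```javascript
// Added example, not ShipSafe's or Claude Code's code. Each finding class from the
// list above, once as the vulnerable form and once hardened.

// 1. Hardcoded secret: the literal lands in git history and every build artifact.
//    The value below is a constructed placeholder, not a real key.
const STRIPE_KEY_VULNERABLE = "sk_live_PLACEHOLDER0000000000000000";

// Hardened: read from the environment and fail fast when it is missing, rather
// than silently falling back to a default.
function getStripeKeyHardened(env = process.env) {
  const key = env.STRIPE_SECRET_KEY;
  if (!key) throw new Error("STRIPE_SECRET_KEY is not set");
  return key;
}

// 2. SQL injection: string interpolation lets the input rewrite the WHERE clause.
function findUserQueryVulnerable(username) {
  return `SELECT id, email FROM users WHERE username = '${username}'`;
}

// Hardened: a parameterised query keeps the statement fixed; the driver sends
// the value separately, so quotes in the input never reach the parser as SQL.
function findUserQueryHardened(username) {
  return { text: "SELECT id, email FROM users WHERE username = $1", values: [username] };
}

// 3. Missing authentication: a destructive route reachable by anyone.
function deleteUserHandler(req) {
  return { status: 200, body: `deleted user ${req.params.id}` };
}

// Hardened: wrap the handler so an unauthenticated request is rejected before it
// runs. Authorization (may THIS user delete THAT user) is a separate check that
// still belongs inside the handler.
function requireAuth(handler) {
  return (req) => (req.user ? handler(req) : { status: 401, body: "unauthorized" });
}
const deleteUserRouteVulnerable = deleteUserHandler;
const deleteUserRouteHardened = requireAuth(deleteUserHandler);

// 4. Prompt injection: concatenating user text into the instruction string lets
//    the user's text read as instructions.
function buildPromptVulnerable(userText) {
  return `You are a support bot. Only answer billing questions.\nUser says: ${userText}`;
}

// Hardened: keep instructions in the system message and user text in a user
// message so the model and any downstream filter can tell them apart. This
// reduces but does not eliminate injection risk; treat model output as untrusted too.
function buildPromptHardened(userText) {
  return [
    { role: "system", content: "You are a support bot. Only answer billing questions." },
    { role: "user", content: userText },
  ];
}

// Demonstration with a classic tautology payload (constructed input).
const sampleAttackerInput = "' OR '1'='1";
console.log(findUserQueryVulnerable(sampleAttackerInput));
// SELECT id, email FROM users WHERE username = '' OR '1'='1'
console.log(findUserQueryHardened(sampleAttackerInput));
// { text: 'SELECT id, email FROM users WHERE username = $1', values: [ "' OR '1'='1" ] }
console.log(deleteUserRouteVulnerable({ params: { id: "7" } }).status); // 200
console.log(deleteUserRouteHardened({ params: { id: "7" } }).status);   // 401
```

The vulnerable forms are exactly what a scanner such as ShipSafe flags: a string literal that looks like a key, a template literal inside a SQL string, a route with no auth wrapper, and user input spliced into a prompt string.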
Step 1: Install ShipSafe
Install ShipSafe globally via npm:
npm install -g @shipsafe/cli
Step 2: Add ShipSafe as an MCP Server
The most powerful integration is adding ShipSafe as an MCP server. This gives Claude direct access to security scanning tools while it writes code.
Add to your project’s .mcp.json:
{
  "mcpServers": {
    "shipsafe": {
      "command": "shipsafe",
      "args": ["mcp-server"]
    }
  }
}
Now Claude can call shipsafe_scan to check for vulnerabilities, shipsafe_check_package before installing dependencies, and shipsafe_scan_environment to verify the development environment is safe.
You can also instruct Claude to scan automatically by adding to your CLAUDE.md:
# Security
When committing code, call the shipsafe_scan MCP tool first. Do not skip this step.
Step 3: Install Git Hooks
Git hooks are your safety net. Even if Claude (or you) forgets to scan manually, the pre-commit hook catches vulnerabilities before they enter git history.
shipsafe hooks install
This is critical when using --dangerously-skip-permissions. Claude can write and commit code autonomously, but the hook blocks any commit containing hardcoded secrets or critical vulnerabilities. Keep in mind that a git hook runs only on the machine where it was installed and can be skipped with git commit --no-verify, so treat it as one layer and keep a scan at review or merge time as well.
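To make concrete what a pre-commit secret check does, here is an added example (not ShipSafe's hook or rule set, and not code from the page) that scans the added lines of a staged diff for three well-known token formats and returns a block/allow decision. The pattern list, the function names, and the sample diff are constructed for this example; a real scanner carries many more patterns plus entropy checks.

```javascript
// Added example, not ShipSafe's code: the shape of the check a pre-commit secret
// scanner performs, run over a constructed staged diff.

// Three well-known token formats (an illustrative subset, not ShipSafe's rules).
const SECRET_PATTERNS = [
  { name: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: "github-pat", re: /\bghp_[A-Za-z0-9]{36}\b/ },
  { name: "stripe-live-secret", re: /\bsk_live_[0-9A-Za-z]{24,}\b/ },
];

// Scan only added lines ("+" prefix, excluding the "+++" file header) so that a
// commit that REMOVES a secret is not itself blocked. Line numbers are tracked from
// the hunk header so findings point at the new file's lines. Matches are redacted.
function scanStagedDiff(diffText) {
  const findings = [];
  let file = null;
  let lineNo = 0;
  for (const raw of diffText.split("\n")) {
    if (raw.startsWith("+++ ")) { file = raw.slice(4).replace(/^b\//, ""); continue; }
    const hunk = /^@@ -\d+(?:,\d+)? \+(\d+)/.exec(raw);
    if (hunk) { lineNo = Number(hunk[1]) - 1; continue; }
    if (raw.startsWith("-") || raw.startsWith("\\")) continue; // removed lines, "\ No newline"
    lineNo += 1;                                               // context and added lines both count
    if (!raw.startsWith("+")) continue;
    const line = raw.slice(1);
    for (const { name, re } of SECRET_PATTERNS) {
      const m = re.exec(line);
      if (m) findings.push({ file, line: lineNo, rule: name, redacted: m[0].slice(0, 8) + "..." });
    }
  }
  return findings;
}

// The hook's decision: any finding blocks the commit (non-zero exit status).
function hookExitCode(findings) {
  return findings.length === 0 ? 0 : 1;
}

// Constructed staged diff, as `git diff --cached` would print it. The AWS value is
// the documented AWS example key; the other two are synthetic strings of the right shape.
const SAMPLE_DIFF = [
  "diff --git a/src/config.ts b/src/config.ts",
  "--- a/src/config.ts",
  "+++ b/src/config.ts",
  "@@ -1,3 +1,5 @@",
  ' export const region = "us-east-1";',
  "-export const accessKeyId = process.env.AWS_ACCESS_KEY_ID;",
  '+export const accessKeyId = "AKIAIOSFODNN7EXAMPLE";',
  '+export const githubToken = "ghp_0123456789abcdefghijklmnopqrstuvwxyz";',
  ' export const bucket = "uploads";',
  '+export const stripe = "sk_live_0123456789abcdef01234567";',
].join("\n");

const sampleFindings = scanStagedDiff(SAMPLE_DIFF);
for (const f of sampleFindings) console.log(`${f.file}:${f.line} ${f.rule} ${f.redacted}`);
// src/config.ts:2 aws-access-key-id AKIAIOSF...
// src/config.ts:3 github-pat ghp_0123...
// src/config.ts:5 stripe-live-secret sk_live_...
console.log("exit code:", hookExitCode(sampleFindings)); // exit code: 1
```

In a real hook the diff text comes from `git diff --cached`, and the process exits with the returned code so git aborts the commit on 1. Because the scan only looks at added lines, the commit that replaces a literal with an environment lookup passes, which is the behaviour you want when cleaning up after a finding.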
Step 4: Scan the Environment
Before working in any cloned repository, scan the development environment for threats. This catches malicious MCP servers, poisoned CLAUDE.md files, and credential-stealing git hooks.
shipsafe scan-environment
Step 5: Set a Baseline
If you are adding ShipSafe to an existing project, set a baseline so future scans only show new findings:
shipsafe scan --baseline
The Three-Layer Defense
With these steps complete, you have three layers of security:
Layer 1: MCP Server (proactive)
Claude checks security while writing code. Issues are caught and fixed before they are even staged.
Layer 2: Pre-commit Hook (reactive)
Every commit is scanned automatically. Secrets and critical vulnerabilities block the commit.
Layer 3: Manual Scan (verification)
Run shipsafe scan at any time for a full project audit.
What ShipSafe Catches in Claude Code Projects
ShipSafe has 1,261 detection rules covering:
- 127 SQL injection rules — including Prisma and Drizzle awareness
- 143 XSS rules — React, Vue, Angular, and template engines
- 174 secret patterns — AWS, Stripe, GitHub, and 50+ services
- 7 prompt injection rules — critical for AI features
- 30 environment threats — malicious MCP servers and hooks
Secure Your Claude Code Workflow
Install ShipSafe and scan your project in under 60 seconds.
npm install -g @shipsafe/cli