Is my source code sent to ShipSafe servers?

Never. ShipSafe runs entirely on your machine. Scans, analysis, and auto-fixes all happen locally. Your source code never leaves your computer. No account required. Works offline.

How do I install ShipSafe?

Run: npm install -g @shipsafe/cli. Then run 'shipsafe scan' in any project directory. That's it — zero configuration required.

What does ShipSafe detect?

ShipSafe has 1,200+ detection rules covering SQL injection (127 rules), XSS (143 rules), prompt injection (7 rules), command injection (89 rules), SSRF (67 rules), hardcoded secrets (174 patterns), insecure authentication (98 rules), malicious MCP servers (30 patterns), path traversal, insecure deserialization, and more.

How is ShipSafe different from Snyk or SonarQube?

ShipSafe runs entirely locally (Snyk requires cloud), has AI-specific security rules like prompt injection and malicious MCP server detection (unique to ShipSafe), strips image metadata, and includes an MCP server for AI coding assistants. It's built for solo developers and small teams who use AI coding assistants.

Can I use ShipSafe with Claude, Cursor, or other AI tools?

Yes. ShipSafe includes an MCP server with 8 tools that plug directly into Claude, Cursor, Windsurf, and any other MCP-compatible assistant. Your AI can check security while it writes code.

What is prompt injection and does ShipSafe detect it?

Prompt injection is when untrusted user input is passed directly into LLM prompts, allowing attackers to manipulate AI behavior. ShipSafe has 7 dedicated rules that detect unsanitized user input in LLM prompts, system prompt leakage, indirect prompt injection via retrieved content, and prompt template manipulation.

What are malicious MCP servers and how does ShipSafe detect them?

Malicious MCP servers are rogue AI tool servers that can steal credentials, exfiltrate code, or inject malicious prompts. ShipSafe's scan-environment command checks your MCP configurations, CLAUDE.md files, git hooks, and npm scripts for 30 threat patterns including credential theft, data exfiltration, and prompt injection.

Yes. The free tier includes full security scanning with 1,200+ rules, git pre-commit hooks, baseline/delta mode, and support for 1 project. Pro ($19/mo) adds knowledge graph analysis, auto-fix, monitoring, and MCP server. Team ($49/mo) adds GitHub App integration and source maps.

How does ShipSafe reduce false positives?

ShipSafe uses Tree-sitter AST analysis to understand code context — it knows whether a variable comes from user input and whether it's been sanitized before reaching a dangerous sink. This context-aware detection dramatically reduces false positives compared to regex-only scanners.

Is it safe to use claude --dangerously-skip-permissions with ShipSafe?

ShipSafe's git pre-commit hooks provide a safety net when using --dangerously-skip-permissions. Even if Claude Code writes insecure code in autonomous mode, ShipSafe blocks the commit if it contains hardcoded secrets or critical vulnerabilities. Install hooks with: shipsafe hooks install.

ShipSafe vs CodeQL — Security Scanner Comparison

CodeQL is GitHub's semantic code analysis engine, known for deep interprocedural analysis. ShipSafe is a local-only security scanner built for developers using AI coding assistants. Here is how they compare.

Feature Comparison

Feature	ShipSafe	CodeQL
Setup	npm install -g @shipsafe/cli	GitHub Actions or CodeQL CLI + database creation
Execution environment	Local machine	GitHub Actions (primary) or local CLI
Analysis depth	AST + pattern matching + call graph (Pro)	Deep interprocedural semantic analysis
Prompt injection detection	7 rules	Community queries (limited)
Malicious MCP scanning	30 patterns	Not available
Secret detection	174 patterns	Not a focus (GitHub has Secret Scanning)
Image metadata stripping	Built-in (MetaStrip)	Not available
MCP server for AI assistants	8 tools	Copilot integration
Git pre-commit hooks	Built-in	Not available (CI/CD focus)
Speed	Seconds	Minutes to hours (database creation)
Language support	JS, TS, Python	10+ languages
Custom queries	Not available	Powerful QL query language
GitHub integration	Via Team plan	Native (pull request annotations)

ShipSafe Strengths

✓Instant setup — npm install and scan in seconds
✓Runs anywhere without GitHub dependency
✓AI security detection (prompt injection, malicious MCP servers)
✓Image metadata stripping (MetaStrip) — unique capability
✓Git pre-commit hooks block issues before they reach the repo
✓MCP server integrates with Claude, Cursor, Windsurf
✓Fast — scans in seconds vs minutes/hours for CodeQL
✓Accessible for solo developers without enterprise setup

CodeQL Strengths

✓Deep interprocedural semantic analysis — catches complex data flow issues
✓Powerful custom query language (QL) for writing bespoke analyses
✓Native GitHub integration with pull request annotations
✓Free for open-source projects on GitHub
✓Extensive vulnerability research from GitHub Security Lab
✓Strong academic foundation in program analysis

Key Differentiators

Speed

ShipSafe scans in seconds. CodeQL requires building a database (minutes to hours for large codebases) before analysis can begin.

GitHub Independence

ShipSafe runs anywhere. CodeQL is designed around the GitHub ecosystem and is most useful with GitHub Actions.

AI Security

ShipSafe has prompt injection and MCP threat detection. CodeQL has limited community queries for AI security.

Developer Workflow

ShipSafe provides git hooks and MCP server for real-time security during development. CodeQL is a CI/CD tool that runs after code is pushed.

The Verdict

Choose ShipSafe if you want instant, local security scanning with AI-specific rules during development. Choose CodeQL if you need deep semantic analysis, custom query authoring, or are already invested in the GitHub ecosystem for enterprise security.

Frequently Asked Questions

Is CodeQL more accurate than ShipSafe?

CodeQL performs deeper interprocedural semantic analysis, which can catch complex data flow issues that span many functions. ShipSafe uses AST analysis with call graph awareness (in Pro), which is faster but less deep. For common vulnerability patterns (the top 80% of real-world issues), both catch them effectively. CodeQL's advantage appears in complex, multi-step data flow chains.

Can I use ShipSafe without GitHub?

Yes. ShipSafe runs anywhere — it is a standalone npm package with no GitHub dependency. CodeQL is designed around the GitHub ecosystem and is most effective when run through GitHub Actions with native pull request annotations.

Why is ShipSafe faster than CodeQL?

CodeQL must first build a database representation of your entire codebase (which can take minutes to hours for large projects), then execute queries against that database. ShipSafe parses files individually with Tree-sitter, runs pattern matching, and reports results — typically completing in under 5 seconds for projects with 100,000 lines of code.

Does CodeQL have AI security rules?

CodeQL has some community-contributed queries for LLM-related vulnerabilities, but they are limited and not maintained as first-party rules. ShipSafe has 37 dedicated AI security rules (prompt injection, malicious MCP servers) maintained as core product features.

Try ShipSafe Free

Install and scan your project in under 60 seconds.

npm install -g @shipsafe/cli

Get Started Free How It Works

Other Comparisons

ShipSafe vs Semgrep →ShipSafe vs Snyk →ShipSafe vs SonarQube →