Is my source code sent to ShipSafe servers?

Never. ShipSafe runs entirely on your machine. Scans, analysis, and auto-fixes all happen locally. Your source code never leaves your computer. No account required. Works offline.

How do I install ShipSafe?

Run: npm install -g @shipsafe/cli. Then run 'shipsafe scan' in any project directory. That's it — zero configuration required.

What does ShipSafe detect?

ShipSafe has 1,200+ detection rules covering SQL injection (127 rules), XSS (143 rules), prompt injection (7 rules), command injection (89 rules), SSRF (67 rules), hardcoded secrets (174 patterns), insecure authentication (98 rules), malicious MCP servers (30 patterns), path traversal, insecure deserialization, and more.

How is ShipSafe different from Snyk or SonarQube?

ShipSafe runs entirely locally (Snyk requires cloud), has AI-specific security rules like prompt injection and malicious MCP server detection (unique to ShipSafe), strips image metadata, and includes an MCP server for AI coding assistants. It's built for solo developers and small teams who use AI coding assistants.

Can I use ShipSafe with Claude, Cursor, or other AI tools?

Yes. ShipSafe includes an MCP server with 8 tools that plug directly into Claude, Cursor, Windsurf, and any other MCP-compatible assistant. Your AI can check security while it writes code.

What is prompt injection and does ShipSafe detect it?

Prompt injection is when untrusted user input is passed directly into LLM prompts, allowing attackers to manipulate AI behavior. ShipSafe has 7 dedicated rules that detect unsanitized user input in LLM prompts, system prompt leakage, indirect prompt injection via retrieved content, and prompt template manipulation.

What are malicious MCP servers and how does ShipSafe detect them?

Malicious MCP servers are rogue AI tool servers that can steal credentials, exfiltrate code, or inject malicious prompts. ShipSafe's scan-environment command checks your MCP configurations, CLAUDE.md files, git hooks, and npm scripts for 30 threat patterns including credential theft, data exfiltration, and prompt injection.

Yes. The free tier includes full security scanning with 1,200+ rules, git pre-commit hooks, baseline/delta mode, and support for 1 project. Pro ($19/mo) adds knowledge graph analysis, auto-fix, monitoring, and MCP server. Team ($49/mo) adds GitHub App integration and source maps.

How does ShipSafe reduce false positives?

ShipSafe uses Tree-sitter AST analysis to understand code context — it knows whether a variable comes from user input and whether it's been sanitized before reaching a dangerous sink. This context-aware detection dramatically reduces false positives compared to regex-only scanners.

Is it safe to use claude --dangerously-skip-permissions with ShipSafe?

ShipSafe's git pre-commit hooks provide a safety net when using --dangerously-skip-permissions. Even if Claude Code writes insecure code in autonomous mode, ShipSafe blocks the commit if it contains hardcoded secrets or critical vulnerabilities. Install hooks with: shipsafe hooks install.

ShipSafe vs Snyk — Security Scanner Comparison

Snyk is a widely-used developer security platform with a strong focus on dependency scanning and cloud-based analysis. ShipSafe is a local-only security scanner built for developers using AI coding assistants. Here is how they compare.

Feature Comparison

Feature	ShipSafe	Snyk
Scanning approach	100% local	Cloud-based (uploads code snapshots)
Account required	No	Yes (free tier available)
Offline support	Full offline scanning	Requires internet connection
SAST rules	1,062 vulnerability rules	Snyk Code rules (proprietary)
Dependency scanning	Via npm audit integration	Industry-leading SCA
Prompt injection detection	7 rules	Not available
Malicious MCP scanning	30 patterns	Not available
Secret detection	174 patterns	Limited (focus is on dependencies)
Image metadata stripping	Built-in (MetaStrip)	Not available
MCP server for AI assistants	8 tools	IDE plugins
Container scanning	Not available	Industry-leading
IaC scanning	Not available	Terraform, CloudFormation, Kubernetes
Free tier	Full scanning, 1 project	Limited tests per month

ShipSafe Strengths

✓Runs entirely locally — your source code never leaves your machine
✓No account required — install and scan immediately
✓Works offline — no internet connection needed
✓Prompt injection and AI security detection — unique capability
✓Malicious MCP server scanning — unique capability
✓Image metadata stripping (MetaStrip) — unique capability
✓More generous free tier (full scanning vs limited monthly tests)
✓MCP server integrates directly with AI coding assistants

Snyk Strengths

✓Industry-leading dependency/SCA scanning with the largest vulnerability database
✓Container image scanning (Docker, OCI)
✓Infrastructure as Code scanning (Terraform, CloudFormation, Kubernetes)
✓IDE plugins with real-time feedback (VS Code, IntelliJ)
✓Mature CI/CD integrations (GitHub Actions, GitLab, Jenkins, etc.)
✓Automatic fix pull requests for dependency vulnerabilities

Key Differentiators

Privacy

ShipSafe runs 100% locally. Snyk uploads code snapshots to their cloud for analysis. If your organization has strict data handling requirements, this matters.

AI Security

ShipSafe detects prompt injection and malicious MCP servers. Snyk does not have AI-specific security rules.

No Account Required

ShipSafe works immediately after npm install. Snyk requires account creation and authentication.

Image Security

ShipSafe strips GPS and EXIF metadata from images — important for user-uploaded content. Snyk focuses on container images, not file metadata.

The Verdict

Choose ShipSafe if you prioritize local-only scanning, build AI applications, or need zero-config security for personal projects. Choose Snyk if you need enterprise dependency scanning, container security, or IaC analysis.

Frequently Asked Questions

ShipSafe vs Snyk which is better?

For SAST (static code analysis) with AI-specific rules, ShipSafe is better — it runs locally, has prompt injection detection, and requires no account. For dependency scanning (SCA), container scanning, and IaC security, Snyk is the industry leader. Many teams use both.

Does Snyk work offline?

No. Snyk requires an internet connection and uploads code snapshots to their cloud for analysis. ShipSafe runs entirely offline — no internet connection needed, no data ever leaves your machine.

Is ShipSafe free like Snyk?

Both have free tiers. ShipSafe's free tier includes full scanning with all 1,200+ rules, git hooks, and baseline mode for 1 project. Snyk's free tier has limited monthly test counts and some feature restrictions.

Does ShipSafe do dependency scanning like Snyk?

ShipSafe integrates with npm audit for basic dependency checking and has a shipsafe_check_package MCP tool. However, Snyk's SCA (Software Composition Analysis) is more comprehensive with a larger vulnerability database and automatic fix PRs.

Try ShipSafe Free

Install and scan your project in under 60 seconds.

npm install -g @shipsafe/cli

Get Started Free How It Works

Other Comparisons

ShipSafe vs Semgrep →ShipSafe vs SonarQube →ShipSafe vs CodeQL →