Is my source code sent to ShipSafe servers?

Never. ShipSafe runs entirely on your machine. Scans, analysis, and auto-fixes all happen locally. Your source code never leaves your computer. No account required. Works offline.

How do I install ShipSafe?

Run: npm install -g @shipsafe/cli. Then run 'shipsafe scan' in any project directory. That's it — zero configuration required.

What does ShipSafe detect?

ShipSafe has 1,200+ detection rules covering SQL injection (127 rules), XSS (143 rules), prompt injection (7 rules), command injection (89 rules), SSRF (67 rules), hardcoded secrets (174 patterns), insecure authentication (98 rules), malicious MCP servers (30 patterns), path traversal, insecure deserialization, and more.

How is ShipSafe different from Snyk or SonarQube?

ShipSafe runs entirely locally (Snyk requires cloud), has AI-specific security rules like prompt injection and malicious MCP server detection (unique to ShipSafe), strips image metadata, and includes an MCP server for AI coding assistants. It's built for solo developers and small teams who use AI coding assistants.

Can I use ShipSafe with Claude, Cursor, or other AI tools?

Yes. ShipSafe includes an MCP server with 8 tools that plug directly into Claude, Cursor, Windsurf, and any other MCP-compatible assistant. Your AI can check security while it writes code.

What is prompt injection and does ShipSafe detect it?

Prompt injection is when untrusted user input is passed directly into LLM prompts, allowing attackers to manipulate AI behavior. ShipSafe has 7 dedicated rules that detect unsanitized user input in LLM prompts, system prompt leakage, indirect prompt injection via retrieved content, and prompt template manipulation.

What are malicious MCP servers and how does ShipSafe detect them?

Malicious MCP servers are rogue AI tool servers that can steal credentials, exfiltrate code, or inject malicious prompts. ShipSafe's scan-environment command checks your MCP configurations, CLAUDE.md files, git hooks, and npm scripts for 30 threat patterns including credential theft, data exfiltration, and prompt injection.

Yes. The free tier includes full security scanning with 1,200+ rules, git pre-commit hooks, baseline/delta mode, and support for 1 project. Pro ($19/mo) adds knowledge graph analysis, auto-fix, monitoring, and MCP server. Team ($49/mo) adds GitHub App integration and source maps.

How does ShipSafe reduce false positives?

ShipSafe uses Tree-sitter AST analysis to understand code context — it knows whether a variable comes from user input and whether it's been sanitized before reaching a dangerous sink. This context-aware detection dramatically reduces false positives compared to regex-only scanners.

Is it safe to use claude --dangerously-skip-permissions with ShipSafe?

ShipSafe's git pre-commit hooks provide a safety net when using --dangerously-skip-permissions. Even if Claude Code writes insecure code in autonomous mode, ShipSafe blocks the commit if it contains hardcoded secrets or critical vulnerabilities. Install hooks with: shipsafe hooks install.

ShipSafe vs SonarQube — Security Scanner Comparison

SonarQube is a mature code quality and security platform used by enterprises worldwide. ShipSafe is a lightweight, local-only security scanner built for developers using AI coding assistants. Here is how they compare.

Feature Comparison

Feature	ShipSafe	SonarQube
Setup	npm install, zero config	Requires server deployment
Infrastructure	CLI only	Server + database required
False positive rate	Low (Tree-sitter AST)	Moderate (known for noise)
Code quality rules	Security focused	Security + code quality + code smells
Prompt injection detection	7 rules	Not available
Malicious MCP scanning	30 patterns	Not available
Secret detection	174 patterns	Basic patterns
Image metadata stripping	Built-in (MetaStrip)	Not available
MCP server for AI assistants	8 tools	Not available
Git pre-commit hooks	Built-in	Not available (CI/CD focus)
Language support	JS, TS, Python	29 languages
Code coverage tracking	Not available	Built-in
Technical debt tracking	Not available	Built-in

ShipSafe Strengths

✓Zero configuration — npm install and scan immediately
✓No server infrastructure required — runs as a CLI
✓Lower false positive rate using Tree-sitter AST analysis
✓AI security detection (prompt injection, malicious MCP servers)
✓Image metadata stripping (MetaStrip) — unique capability
✓Git pre-commit hooks block issues before they reach the repo
✓MCP server integrates directly with AI coding assistants
✓Free for solo projects with no server costs

SonarQube Strengths

✓Comprehensive code quality analysis beyond security (maintainability, reliability)
✓Technical debt tracking and quality gates
✓Code coverage integration and tracking
✓29 language support vs ShipSafe's 3
✓Mature enterprise features (quality profiles, project portfolios)
✓Well-established industry standard with extensive documentation

Key Differentiators

Setup Complexity

ShipSafe is a single npm install. SonarQube requires deploying a server (Java), setting up a database, and configuring project analysis.

False Positives

ShipSafe uses Tree-sitter AST for context-aware detection. SonarQube is known for generating significant noise that requires triage.

AI Security

ShipSafe has prompt injection and MCP threat detection. SonarQube has no AI-specific security rules.

Developer Workflow

ShipSafe integrates into the developer workflow with git hooks and MCP. SonarQube is CI/CD focused with results on a dashboard.

The Verdict

Choose ShipSafe if you want lightweight, zero-config security scanning with AI-specific rules and low false positives. Choose SonarQube if you need comprehensive code quality tracking, technical debt management, or multi-language support across a large organization.

Frequently Asked Questions

Is ShipSafe better than SonarQube for security scanning?

For pure security scanning of JavaScript, TypeScript, and Python projects, ShipSafe offers more focused coverage with lower false positives. SonarQube is better if you also need code quality metrics (maintainability, reliability, code smells), technical debt tracking, and code coverage integration. ShipSafe is security-only but does it with less noise.

Do I need a server for ShipSafe like SonarQube?

No. ShipSafe is a CLI tool that runs locally — no server, no database, no Docker. SonarQube requires deploying a Java-based server with a PostgreSQL database, which adds infrastructure cost and maintenance overhead.

Does SonarQube detect prompt injection?

No. SonarQube was built before the LLM era and has no rules for prompt injection, malicious MCP servers, or other AI-specific security threats. ShipSafe has 37 AI-specific rules covering these attack vectors.

Can I use ShipSafe and SonarQube together?

Yes. Many teams use ShipSafe in the developer workflow (git hooks, MCP server) for real-time security feedback and SonarQube in CI/CD for broader code quality analysis. The two tools complement each other — ShipSafe catches security issues before commit, SonarQube provides quality gates on pull requests.

Try ShipSafe Free

Install and scan your project in under 60 seconds.

npm install -g @shipsafe/cli

Get Started Free How It Works

Other Comparisons

ShipSafe vs Semgrep →ShipSafe vs Snyk →ShipSafe vs CodeQL →