Is my source code sent to ShipSafe servers?

Never. ShipSafe runs entirely on your machine. Scans, analysis, and auto-fixes all happen locally. Your source code never leaves your computer. No account required. Works offline.

How do I install ShipSafe?

Run: npm install -g @shipsafe/cli. Then run 'shipsafe scan' in any project directory. That's it — zero configuration required.

What does ShipSafe detect?

ShipSafe has 1,200+ detection rules covering SQL injection (127 rules), XSS (143 rules), prompt injection (7 rules), command injection (89 rules), SSRF (67 rules), hardcoded secrets (174 patterns), insecure authentication (98 rules), malicious MCP servers (30 patterns), path traversal, insecure deserialization, and more.

How is ShipSafe different from Snyk or SonarQube?

ShipSafe runs entirely locally (Snyk requires cloud), has AI-specific security rules like prompt injection and malicious MCP server detection (unique to ShipSafe), strips image metadata, and includes an MCP server for AI coding assistants. It's built for solo developers and small teams who use AI coding assistants.

Can I use ShipSafe with Claude, Cursor, or other AI tools?

Yes. ShipSafe includes an MCP server with 8 tools that plug directly into Claude, Cursor, Windsurf, and any other MCP-compatible assistant. Your AI can check security while it writes code.

What is prompt injection and does ShipSafe detect it?

Prompt injection is when untrusted user input is passed directly into LLM prompts, allowing attackers to manipulate AI behavior. ShipSafe has 7 dedicated rules that detect unsanitized user input in LLM prompts, system prompt leakage, indirect prompt injection via retrieved content, and prompt template manipulation.

What are malicious MCP servers and how does ShipSafe detect them?

Malicious MCP servers are rogue AI tool servers that can steal credentials, exfiltrate code, or inject malicious prompts. ShipSafe's scan-environment command checks your MCP configurations, CLAUDE.md files, git hooks, and npm scripts for 30 threat patterns including credential theft, data exfiltration, and prompt injection.

Yes. The free tier includes full security scanning with 1,200+ rules, git pre-commit hooks, baseline/delta mode, and support for 1 project. Pro ($19/mo) adds knowledge graph analysis, auto-fix, monitoring, and MCP server. Team ($49/mo) adds GitHub App integration and source maps.

How does ShipSafe reduce false positives?

ShipSafe uses Tree-sitter AST analysis to understand code context — it knows whether a variable comes from user input and whether it's been sanitized before reaching a dangerous sink. This context-aware detection dramatically reduces false positives compared to regex-only scanners.

Is it safe to use claude --dangerously-skip-permissions with ShipSafe?

ShipSafe's git pre-commit hooks provide a safety net when using --dangerously-skip-permissions. Even if Claude Code writes insecure code in autonomous mode, ShipSafe blocks the commit if it contains hardcoded secrets or critical vulnerabilities. Install hooks with: shipsafe hooks install.

CLI Reference

Complete reference for all ShipSafe CLI commands, flags, and output formats.

Global Flags

These flags work with any command:

--versionPrint ShipSafe version

--helpShow help for a command

--verboseShow debug output

--quietSuppress all output except errors

`shipsafe scan`

Run a security scan on your project. This is the primary command you will use. Scans all JavaScript, TypeScript, and Python files.

Usage

shipsafe scan [path] [flags]

Flags

--severity <level>Minimum severity to report: critical, high, medium, low (default: low)

--format <type>Output format: text, json, sarif (default: text)

--baselineSave current findings as baseline for future delta scans

--deltaOnly show findings not in the baseline

--stagedOnly scan git-staged files

--jsonShorthand for --format json

--no-colorDisable colored output

--workers <n>Number of parallel workers (default: CPU count)

Examples

# Scan current directory
shipsafe scan

# Scan specific directory, only critical findings
shipsafe scan ./src --severity critical

# JSON output for CI/CD
shipsafe scan --json

# Only scan changed files since baseline
shipsafe scan --delta

`shipsafe init`

Initialize ShipSafe in a project. Creates the .shipsafe directory, default config, and optionally installs git hooks.

Usage

shipsafe init

Flags

--hooksAlso install git pre-commit hooks

--baselineAlso create an initial baseline

Examples

# Initialize with hooks and baseline
shipsafe init --hooks --baseline

`shipsafe setup`

Interactive setup wizard. Walks you through configuration options, hook installation, and MCP server setup.

Usage

shipsafe setup

Examples

shipsafe setup

`shipsafe baseline`

Manage scan baselines. Create, show, or reset baselines for incremental scanning.

Usage

shipsafe baseline <action>

Flags

createCreate a baseline from current scan findings

showShow baseline summary (finding count, date)

resetDelete the baseline file

Examples

# Create baseline
shipsafe baseline create

# View baseline info
shipsafe baseline show

# Reset baseline
shipsafe baseline reset

`shipsafe activate`

Activate a Pro or Team license. Enter your license key to unlock advanced features like knowledge graph, auto-fix, and monitoring.

Usage

shipsafe activate <license-key>

Examples

shipsafe activate SHIP-XXXX-XXXX-XXXX

`shipsafe scan-environment`

Scan your development environment for threats. Checks CLAUDE.md files, git hooks, npm scripts, and MCP configurations for malicious patterns.

Usage

shipsafe scan-environment [path]

Flags

--format <type>Output format: text, json (default: text)

Examples

# Scan current project environment
shipsafe scan-environment

# Scan a cloned repo before working in it
shipsafe scan-environment ./suspicious-repo

`shipsafe config`

View or modify ShipSafe configuration. Shows current settings from config file and environment variables.

Usage

shipsafe config [key] [value]

Flags

--globalModify global config (~/.shipsafe/config.json)

Examples

# View all config
shipsafe config

# Set severity to high
shipsafe config severity high

# Set global license key
shipsafe config --global license-key SHIP-XXXX-XXXX-XXXX

`shipsafe hooks`

Manage git pre-commit hooks. Install, uninstall, or check hook status.

Usage

shipsafe hooks <action>

Flags

installInstall the pre-commit hook

uninstallRemove the pre-commit hook

statusCheck if hooks are installed

Examples

# Install hooks
shipsafe hooks install

# Check status
shipsafe hooks status

# Remove hooks
shipsafe hooks uninstall

`shipsafe mcp-server`

Start the MCP server for AI coding assistants. Exposes 8 security tools via the Model Context Protocol.

Usage

shipsafe mcp-server

Flags

--port <n>Port to listen on (default: stdio)

Examples

# Start MCP server (add to your MCP config)
shipsafe mcp-server