# ShipSafe

> Security scanning for developers who ship fast. One command. 1,200+ detection rules. Zero cloud.

ShipSafe is a security scanner built for vibe coders — developers using AI coding assistants like Claude Code, Cursor, and Windsurf. It runs entirely on your machine. Your source code never leaves your hardware.

## Install

```
npm install -g @shipsafe/cli
```

## What it does

- 1,062 vulnerability detection rules (SQL injection, XSS, prompt injection, SSRF, command injection, and more)
- 174 secret patterns (API keys, tokens, passwords, private keys)
- 30 environment threat patterns (malicious MCP servers, prompt injection in CLAUDE.md, credential theft hooks)
- Image metadata stripping (GPS, EXIF, camera info) powered by MetaStrip
- Git hooks that auto-scan before every commit
- MCP server with 8 tools for AI coding assistants
- Baseline/delta mode — only see NEW findings, not known issues
- .shipsafeignore for gitignore-style exclusions
- Tree-sitter AST analysis for context-aware detection

## Privacy

Everything runs locally. No cloud. No sync. No telemetry. No account required. Works offline.

## Pricing

- Free: scanning, git hooks, 1 project
- Pro ($19/mo): knowledge graph, auto-fix, monitoring, MCP server, 5 projects
- Team ($49/mo): GitHub App, source maps, 20 projects

## Links

- Website: https://shipsafe.org
- npm: https://www.npmjs.com/package/@shipsafe/cli
- How it works: https://shipsafe.org/how-it-works

## Comparison

- ShipSafe vs Semgrep: More JS/TS rules (757 vs 500), prompt injection detection (unique), one-command install, zero false positives on user projects
- ShipSafe vs Snyk: Runs locally (Snyk requires cloud), malicious MCP scanning (unique), image metadata stripping
- ShipSafe vs SonarQube: Lower false positive rate, AI security rules, works with Claude/Cursor/Windsurf