Is my source code sent to ShipSafe servers?

Never. ShipSafe runs entirely on your machine. Scans, analysis, and auto-fixes all happen locally. Your source code never leaves your computer. No account required. Works offline.

How do I install ShipSafe?

Run: npm install -g @shipsafe/cli. Then run 'shipsafe scan' in any project directory. That's it — zero configuration required.

What does ShipSafe detect?

ShipSafe has 1,200+ detection rules covering SQL injection (127 rules), XSS (143 rules), prompt injection (7 rules), command injection (89 rules), SSRF (67 rules), hardcoded secrets (174 patterns), insecure authentication (98 rules), malicious MCP servers (30 patterns), path traversal, insecure deserialization, and more.

How is ShipSafe different from Snyk or SonarQube?

ShipSafe runs entirely locally (Snyk requires cloud), has AI-specific security rules like prompt injection and malicious MCP server detection (unique to ShipSafe), strips image metadata, and includes an MCP server for AI coding assistants. It's built for solo developers and small teams who use AI coding assistants.

Can I use ShipSafe with Claude, Cursor, or other AI tools?

Yes. ShipSafe includes an MCP server with 8 tools that plug directly into Claude, Cursor, Windsurf, and any other MCP-compatible assistant. Your AI can check security while it writes code.

What is prompt injection and does ShipSafe detect it?

Prompt injection is when untrusted user input is passed directly into LLM prompts, allowing attackers to manipulate AI behavior. ShipSafe has 7 dedicated rules that detect unsanitized user input in LLM prompts, system prompt leakage, indirect prompt injection via retrieved content, and prompt template manipulation.

What are malicious MCP servers and how does ShipSafe detect them?

Malicious MCP servers are rogue AI tool servers that can steal credentials, exfiltrate code, or inject malicious prompts. ShipSafe's scan-environment command checks your MCP configurations, CLAUDE.md files, git hooks, and npm scripts for 30 threat patterns including credential theft, data exfiltration, and prompt injection.

Yes. The free tier includes full security scanning with 1,200+ rules, git pre-commit hooks, baseline/delta mode, and support for 1 project. Pro ($19/mo) adds knowledge graph analysis, auto-fix, monitoring, and MCP server. Team ($49/mo) adds GitHub App integration and source maps.

How does ShipSafe reduce false positives?

ShipSafe uses Tree-sitter AST analysis to understand code context — it knows whether a variable comes from user input and whether it's been sanitized before reaching a dangerous sink. This context-aware detection dramatically reduces false positives compared to regex-only scanners.

Is it safe to use claude --dangerously-skip-permissions with ShipSafe?

ShipSafe's git pre-commit hooks provide a safety net when using --dangerously-skip-permissions. Even if Claude Code writes insecure code in autonomous mode, ShipSafe blocks the commit if it contains hardcoded secrets or critical vulnerabilities. Install hooks with: shipsafe hooks install.

Hardcoded Secrets Detection — ShipSafe

How ShipSafe detects hardcoded API keys, tokens, and passwords in your code.

174 detection rulesLocal-only scanning

What is Hardcoded Secrets?

Hardcoded secrets are API keys, tokens, passwords, and credentials committed directly in source code. Once pushed to a repository, secrets are permanently in git history and can be found by attackers. GitHub reports that over 10 million secrets are leaked in public repositories every year.

What ShipSafe Detects

✓AWS access keys and secret keys
✓Stripe API keys (live and test)
✓GitHub personal access tokens and OAuth tokens
✓Google Cloud service account keys
✓Azure storage keys and connection strings
✓Slack tokens and webhook URLs
✓Twilio, SendGrid, Firebase, and Supabase keys
✓Database connection strings with embedded passwords
✓Private keys (RSA, DSA, EC, PGP)
✓Generic high-entropy strings that match credential patterns

Example: Vulnerable Code

Hardcoded Stripe key and database password

// Vulnerable: hardcoded API key
const stripe = require("stripe")(
  "sk_live_4eC39HqLyjWDarjtT1zdp7dc"
);

// Vulnerable: hardcoded database password
const db = new Pool({
  host: "db.example.com",
  user: "admin",
  password: "SuperSecret123!",
  database: "production",
});

ShipSafe Catches It

$ shipsafe scan

  CRITICAL  secrets/stripe-live-key
  src/payments.ts:2
  Stripe live secret key detected. This key has full access to your Stripe account.
  Fix: Move to environment variable — process.env.STRIPE_SECRET_KEY

  HIGH  secrets/database-password
  src/db.ts:5
  Database password hardcoded in source code.
  Fix: Move to environment variable — process.env.DATABASE_PASSWORD

Detect Hardcoded Secrets in Your Code

Install ShipSafe and scan your project in under 60 seconds.

npm install -g @shipsafe/cli

Get Started Free How It Works

Related Security Categories

Insecure Authentication Detection →Malicious MCP Server Detection →SQL Injection Detection →Command Injection Detection →