Hardcoded Secrets Detection — ShipSafe
ShipSafe ships 174 secret detection patterns covering AWS, Stripe, GitHub, Google Cloud, Azure, Slack, and 50+ other services. Each pattern uses service-specific key format validation combined with Shannon entropy filtering to achieve high accuracy — catching real secrets while ignoring placeholder values like 'your-api-key-here'.
What Are Hardcoded Secrets?
Hardcoded secrets are API keys, tokens, passwords, and credentials committed directly in source code. Once pushed to a repository, secrets are permanently in git history and can be found by attackers. GitHub reports that over 10 million secrets are leaked in public repositories every year.
Why It Matters
A leaked secret cannot be unleaked. Even if you delete the file in a new commit, the secret remains in git history forever (unless you force-push a rewritten history, which is disruptive and often incomplete). Automated bots scan every public GitHub push for credential patterns — AWS keys are exploited within minutes of exposure, typically to spin up cryptocurrency miners that can cost tens of thousands of dollars. Stripe keys can be used for fraudulent charges. Database passwords give direct access to user data. The only remediation is immediate key rotation.
What ShipSafe Detects
- ✓AWS access keys (AKIA prefix) and secret keys (40-char base64)
- ✓Stripe API keys — both live (sk_live_) and test (sk_test_) keys
- ✓GitHub personal access tokens (ghp_), fine-grained tokens (github_pat_), and OAuth tokens
- ✓Google Cloud service account keys (JSON private key format)
- ✓Azure storage keys, connection strings, and SAS tokens
- ✓Slack tokens (xoxb-, xoxp-, xoxs-) and webhook URLs
- ✓Twilio Account SID + Auth Token, SendGrid API keys, Firebase server keys, and Supabase service_role keys
- ✓Database connection strings with embedded passwords (postgresql://, mongodb+srv://, mysql://)
- ✓Private keys (RSA, DSA, EC, PGP) detected by BEGIN/END markers
- ✓Generic high-entropy strings assigned to variables named apiKey, secret, token, password, or credential
Example: Vulnerable Code
Hardcoded Stripe key and database password
// Vulnerable: hardcoded API key
const stripe = require("stripe")(
  "sk_live_4eC39HqLyjWDarjtT1zdp7dc"
);
// Vulnerable: hardcoded database password
const { Pool } = require("pg");
const db = new Pool({
  host: "db.example.com",
  user: "admin",
  password: "SuperSecret123!",
  database: "production",
});
ShipSafe Catches It
$ shipsafe scan
CRITICAL secrets/stripe-live-key src/payments.ts:2
Stripe live secret key detected. This key has full access to your Stripe account.
Fix: Move to environment variable — process.env.STRIPE_SECRET_KEY
HIGH secrets/database-password src/db.ts:5
Database password hardcoded in source code.
Fix: Move to environment variable — process.env.DATABASE_PASSWORD
What to Do Instead
Safe alternative: environment variables with startup validation
// SAFE: load secrets from environment variables
const { Pool } = require("pg");
const stripe = require("stripe")(process.env.STRIPE_SECRET_KEY);
const db = new Pool({
  connectionString: process.env.DATABASE_URL,
});
// .env (add to .gitignore — never commit this file)
// STRIPE_SECRET_KEY=sk_live_4eC39HqLyjWDarjtT1zdp7dc
// DATABASE_URL=postgresql://admin:SuperSecret123!@db.example.com/production
// .env.example (commit this — documents required vars without values)
// STRIPE_SECRET_KEY=
// DATABASE_URL=
// Validate env vars at startup so you catch missing config immediately
function requireEnv(name: string): string {
  const value = process.env[name];
  if (!value) throw new Error(`Missing required env var: ${name}`);
  return value;
}
const stripeKey = requireEnv("STRIPE_SECRET_KEY");
const databaseUrl = requireEnv("DATABASE_URL");
Frequently Asked Questions
What if I already committed a secret?
Rotate the key immediately — generate a new one from the service provider and revoke the old one. The old key is permanently in git history and should be considered compromised. Do not try to rewrite git history as your only remediation; attackers may have already cloned the repo.
Does ShipSafe catch test keys?
Yes. ShipSafe detects both live and test keys. Test keys (like sk_test_ for Stripe) are flagged at MEDIUM severity because they still expose test-mode data and can be used to validate that you are a real customer of the service, which aids targeted attacks.
How does ShipSafe avoid false positives on placeholder keys?
ShipSafe uses Shannon entropy filtering to distinguish high-entropy real keys from low-entropy placeholders like 'your-api-key-here' or 'REPLACE_ME'. It also maintains a denylist of common example values from official API documentation.
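The detection approach the page describes (service-specific prefix patterns from the "What ShipSafe Detects" list, Shannon entropy filtering, and the placeholder denylist from this answer), written out as an added TypeScript example; this is illustrative code, not ShipSafe's own rule set, and the rule names, entropy threshold, denylist entries and severities are assumptions.

```typescript
type Severity = "CRITICAL" | "HIGH" | "MEDIUM";
interface Finding { rule: string; severity: Severity; line: number; match: string }

// Shannon entropy in bits per character: random base62 keys score well above
// English-looking placeholders such as "REPLACE_ME".
function shannonEntropy(s: string): number {
  const counts: Record<string, number> = {};
  for (let i = 0; i < s.length; i++) counts[s[i]] = (counts[s[i]] || 0) + 1;
  let h = 0;
  for (const ch in counts) { const p = counts[ch] / s.length; h -= p * (Math.log(p) / Math.LN2); }
  return h;
}

const ENTROPY_THRESHOLD = 3.0; // assumed cut-off; tune against your own code base
// Assumed denylist (lowercase): sample values copied from vendor docs score high
// on entropy yet are not real credentials, so entropy alone would not reject them.
const PLACEHOLDERS = new Set(["your-api-key-here", "replace_me", "changeme", "akiaiosfodnn7example"]);

// Service-specific formats anchored on the provider prefix (assumed shapes); the
// generic rule instead keys on a sensitive variable name assigned a quoted literal.
const RULES: { rule: string; severity: Severity; re: RegExp }[] = [
  { rule: "secrets/aws-access-key-id", severity: "CRITICAL", re: /\bAKIA[0-9A-Z]{16}\b/g },
  { rule: "secrets/stripe-live-key", severity: "CRITICAL", re: /\bsk_live_[0-9A-Za-z]{24,}\b/g },
  { rule: "secrets/stripe-test-key", severity: "MEDIUM", re: /\bsk_test_[0-9A-Za-z]{24,}\b/g },
  { rule: "secrets/github-pat", severity: "CRITICAL", re: /\bghp_[0-9A-Za-z]{36}\b/g },
  { rule: "secrets/generic-high-entropy", severity: "HIGH",
    re: /\b(?:apiKey|secret|token|password|credential)\b\s*[:=]\s*["']([^"']{8,})["']/gi },
];

// Scan source text line by line; returns findings in file order.
function scanSource(src: string): Finding[] {
  const findings: Finding[] = [];
  const seen = new Set<string>(); // one finding per (line, value): first matching rule wins
  src.split("\n").forEach((text, i) => {
    for (const { rule, severity, re } of RULES) {
      re.lastIndex = 0; // the regexes carry the g flag and are shared across lines
      let m: RegExpExecArray | null;
      while ((m = re.exec(text)) !== null) {
        const value = m[1] !== undefined ? m[1] : m[0]; // generic rule captures the assigned value only
        const key = (i + 1) + ":" + value;
        if (seen.has(key) || PLACEHOLDERS.has(value.toLowerCase())) continue;
        if (shannonEntropy(value) < ENTROPY_THRESHOLD) continue; // too regular to be a real key
        seen.add(key);
        findings.push({ rule, severity, line: i + 1, match: value });
      }
    }
  });
  return findings;
}
```

Run against the vulnerable snippet above, it reports the sk_live_ key as CRITICAL and the Pool password as HIGH, while `apiKey = "your-api-key-here"` and the AWS documentation sample key id are suppressed by the denylist.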
Does the git hook block commits with secrets?
Yes. When you run 'shipsafe hooks install', a pre-commit hook is installed that scans staged files for secrets. If any CRITICAL or HIGH secret is found, the commit is blocked and the finding is displayed. The secret never enters git history.
Detect Hardcoded Secrets in Your Code
Install ShipSafe and scan your project in under 60 seconds.
npm install -g @shipsafe/cli