Is my source code sent to ShipSafe servers?

Never. ShipSafe runs entirely on your machine. Scans, analysis, and auto-fixes all happen locally. Your source code never leaves your computer. No account required. Works offline.

How do I install ShipSafe?

Run: npm install -g @shipsafe/cli. Then run 'shipsafe scan' in any project directory. That's it — zero configuration required.

What does ShipSafe detect?

ShipSafe has 1,200+ detection rules covering SQL injection (127 rules), XSS (143 rules), prompt injection (7 rules), command injection (89 rules), SSRF (67 rules), hardcoded secrets (174 patterns), insecure authentication (98 rules), malicious MCP servers (30 patterns), path traversal, insecure deserialization, and more.

How is ShipSafe different from Snyk or SonarQube?

ShipSafe runs entirely locally (Snyk requires cloud), has AI-specific security rules like prompt injection and malicious MCP server detection (unique to ShipSafe), strips image metadata, and includes an MCP server for AI coding assistants. It's built for solo developers and small teams who use AI coding assistants.

Can I use ShipSafe with Claude, Cursor, or other AI tools?

Yes. ShipSafe includes an MCP server with 8 tools that plug directly into Claude, Cursor, Windsurf, and any other MCP-compatible assistant. Your AI can check security while it writes code.

What is prompt injection and does ShipSafe detect it?

Prompt injection is when untrusted user input is passed directly into LLM prompts, allowing attackers to manipulate AI behavior. ShipSafe has 7 dedicated rules that detect unsanitized user input in LLM prompts, system prompt leakage, indirect prompt injection via retrieved content, and prompt template manipulation.

What are malicious MCP servers and how does ShipSafe detect them?

Malicious MCP servers are rogue AI tool servers that can steal credentials, exfiltrate code, or inject malicious prompts. ShipSafe's scan-environment command checks your MCP configurations, CLAUDE.md files, git hooks, and npm scripts for 30 threat patterns including credential theft, data exfiltration, and prompt injection.

Yes. The free tier includes full security scanning with 1,200+ rules, git pre-commit hooks, baseline/delta mode, and support for 1 project. Pro ($19/mo) adds knowledge graph analysis, auto-fix, monitoring, and MCP server. Team ($49/mo) adds GitHub App integration and source maps.

How does ShipSafe reduce false positives?

ShipSafe uses Tree-sitter AST analysis to understand code context — it knows whether a variable comes from user input and whether it's been sanitized before reaching a dangerous sink. This context-aware detection dramatically reduces false positives compared to regex-only scanners.

Is it safe to use claude --dangerously-skip-permissions with ShipSafe?

ShipSafe's git pre-commit hooks provide a safety net when using --dangerously-skip-permissions. Even if Claude Code writes insecure code in autonomous mode, ShipSafe blocks the commit if it contains hardcoded secrets or critical vulnerabilities. Install hooks with: shipsafe hooks install.

Insecure Authentication Detection — ShipSafe

ShipSafe ships 98 authentication rules that go beyond checking for missing middleware. It detects weak password hashing algorithms (MD5, SHA1, unsalted SHA256), JWT misconfigurations (algorithm confusion, missing expiration, 'none' algorithm acceptance), insecure cookie flags, CSRF gaps on state-changing routes, and password storage in localStorage or sessionStorage.

98 detection rulesLocal-only scanning

What is Insecure Authentication?

Insecure authentication encompasses vulnerabilities in how applications verify user identity and manage sessions. Weak authentication allows attackers to compromise passwords, keys, or session tokens, or exploit implementation flaws to assume other users' identities.

Why It Matters

Authentication is the front door of your application. When it fails, every other security control fails too — access control, audit logging, data isolation, all of it depends on knowing who the user is. Weak password hashing means a database breach becomes a mass password compromise. JWT misconfiguration can let attackers forge tokens and impersonate any user, including administrators. Missing auth on API routes is the most common vulnerability in AI-generated code, because AI assistants focus on the business logic and forget the security layer.

What ShipSafe Detects

✓Missing authentication middleware on sensitive routes (DELETE, PUT, PATCH, and admin endpoints)
✓Weak password hashing: MD5, SHA1, SHA256 without salt, and single-round hashing without a work factor
✓JWT misconfigurations: algorithm confusion (accepting 'none'), missing exp claim, HS256 with a weak secret, RS256 key confusion
✓Session fixation vulnerabilities where session ID is not regenerated after login
✓Missing CSRF protection on state-changing endpoints (POST, PUT, DELETE without CSRF token validation)
✓Insecure cookie settings: missing httpOnly (allows JS access), missing secure (sent over HTTP), missing sameSite (cross-site request risk)
✓Broken access control where users can access other users' resources by changing an ID parameter (IDOR)
✓Password or tokens stored in localStorage or sessionStorage (accessible to any XSS payload)

Example: Vulnerable Code

Missing authentication and weak password hashing

// Vulnerable: no auth middleware on admin route
app.delete("/api/users/:id", async (req, res) => {
  await db.query("DELETE FROM users WHERE id = $1", [req.params.id]);
  res.json({ deleted: true });
});
// Anyone on the internet can delete any user!

// Vulnerable: weak password hashing
const crypto = require("crypto");
const hash = crypto.createHash("md5").update(password).digest("hex");
// MD5 produces identical hashes for identical passwords (no salt)
// and can be brute-forced at billions of attempts per second on a GPU.

ShipSafe Catches It

$ shipsafe scan

  HIGH  auth/missing-auth-middleware
  src/routes/admin.ts:1
  DELETE endpoint /api/users/:id has no authentication middleware.
  Fix: Add authentication middleware — app.delete("/api/users/:id", requireAuth, async (req, res) => { ... })

  HIGH  auth/weak-password-hash
  src/auth.ts:3
  MD5 used for password hashing. MD5 is cryptographically broken.
  Fix: Use bcrypt or argon2 — await bcrypt.hash(password, 12)

What to Do Instead

Safe alternatives: auth middleware, bcrypt hashing, and secure cookie settings

// SAFE: auth middleware + authorization check
import { requireAuth, requireRole } from "./middleware/auth";

app.delete("/api/users/:id", requireAuth, requireRole("admin"),
  async (req, res) => {
    await db.query("DELETE FROM users WHERE id = $1", [req.params.id]);
    res.json({ deleted: true });
  }
);

// SAFE: bcrypt password hashing with work factor
import bcrypt from "bcrypt";

// Hash with cost factor 12 (~250ms per hash — fast enough for login,
// slow enough to make brute force infeasible)
const hash = await bcrypt.hash(password, 12);

// Verify
const isValid = await bcrypt.compare(inputPassword, storedHash);

// SAFE: secure cookie settings
app.use(session({
  cookie: {
    httpOnly: true,   // JS cannot read the cookie (blocks XSS theft)
    secure: true,     // only sent over HTTPS
    sameSite: "lax",  // blocks cross-site request forgery
    maxAge: 24 * 60 * 60 * 1000, // 24 hours
  },
}));

Frequently Asked Questions

Why is MD5 bad for password hashing?

MD5 is cryptographically broken and can be computed at over 10 billion hashes per second on a modern GPU. It also produces no salt by default, meaning identical passwords produce identical hashes. Use bcrypt (cost factor 12+) or argon2id instead — these are designed to be intentionally slow and include built-in salting.

What is JWT algorithm confusion?

JWT algorithm confusion occurs when a server that expects RS256 (asymmetric) tokens is tricked into accepting HS256 (symmetric) tokens signed with the RS256 public key. Since the public key is public, the attacker can forge any token. ShipSafe detects JWT verify calls that do not explicitly restrict the accepted algorithms.

Does ShipSafe detect missing auth on Next.js API routes?

Yes. ShipSafe detects Next.js API routes (both Pages Router and App Router) that perform database operations or sensitive actions without checking authentication. It understands Next.js middleware patterns and server-side session validation.

What is IDOR and does ShipSafe detect it?

IDOR (Insecure Direct Object Reference) is when a user can access another user's data by changing an ID in the URL or request body. ShipSafe detects patterns where a user-supplied ID from req.params or req.body is used directly in a database query without verifying that the authenticated user owns that resource.

Detect Insecure Authentication in Your Code

Install ShipSafe and scan your project in under 60 seconds.

npm install -g @shipsafe/cli

Get Started Free How It Works

Related Security Categories

Hardcoded Secrets Detection →XSS Detection →SQL Injection Detection →SSRF Detection →