Is my source code sent to ShipSafe servers?

Never. ShipSafe runs entirely on your machine. Scans, analysis, and auto-fixes all happen locally. Your source code never leaves your computer. No account required. Works offline.

How do I install ShipSafe?

Run: npm install -g @shipsafe/cli. Then run 'shipsafe scan' in any project directory. That's it — zero configuration required.

What does ShipSafe detect?

ShipSafe has 1,200+ detection rules covering SQL injection (127 rules), XSS (143 rules), prompt injection (7 rules), command injection (89 rules), SSRF (67 rules), hardcoded secrets (174 patterns), insecure authentication (98 rules), malicious MCP servers (30 patterns), path traversal, insecure deserialization, and more.

How is ShipSafe different from Snyk or SonarQube?

ShipSafe runs entirely locally (Snyk requires cloud), has AI-specific security rules like prompt injection and malicious MCP server detection (unique to ShipSafe), strips image metadata, and includes an MCP server for AI coding assistants. It's built for solo developers and small teams who use AI coding assistants.

Can I use ShipSafe with Claude, Cursor, or other AI tools?

Yes. ShipSafe includes an MCP server with 8 tools that plug directly into Claude, Cursor, Windsurf, and any other MCP-compatible assistant. Your AI can check security while it writes code.

What is prompt injection and does ShipSafe detect it?

Prompt injection is when untrusted user input is passed directly into LLM prompts, allowing attackers to manipulate AI behavior. ShipSafe has 7 dedicated rules that detect unsanitized user input in LLM prompts, system prompt leakage, indirect prompt injection via retrieved content, and prompt template manipulation.

What are malicious MCP servers and how does ShipSafe detect them?

Malicious MCP servers are rogue AI tool servers that can steal credentials, exfiltrate code, or inject malicious prompts. ShipSafe's scan-environment command checks your MCP configurations, CLAUDE.md files, git hooks, and npm scripts for 30 threat patterns including credential theft, data exfiltration, and prompt injection.

Yes. The free tier includes full security scanning with 1,200+ rules, git pre-commit hooks, baseline/delta mode, and support for 1 project. Pro ($19/mo) adds knowledge graph analysis, auto-fix, monitoring, and MCP server. Team ($49/mo) adds GitHub App integration and source maps.

How does ShipSafe reduce false positives?

ShipSafe uses Tree-sitter AST analysis to understand code context — it knows whether a variable comes from user input and whether it's been sanitized before reaching a dangerous sink. This context-aware detection dramatically reduces false positives compared to regex-only scanners.

Is it safe to use claude --dangerously-skip-permissions with ShipSafe?

ShipSafe's git pre-commit hooks provide a safety net when using --dangerously-skip-permissions. Even if Claude Code writes insecure code in autonomous mode, ShipSafe blocks the commit if it contains hardcoded secrets or critical vulnerabilities. Install hooks with: shipsafe hooks install.

SQL Injection Detection — ShipSafe

ShipSafe ships 127 SQL injection rules that understand Prisma, Drizzle, Knex, and raw pg/mysql2 drivers. It parses your code into an AST with Tree-sitter so it can tell the difference between a safe tagged-template query and a dangerous string-concatenated one — a distinction regex scanners consistently get wrong.

127 detection rulesLocal-only scanning

What is SQL Injection?

SQL injection occurs when untrusted user input is concatenated directly into SQL queries, allowing attackers to read, modify, or delete database data. It remains one of the most common and dangerous web vulnerabilities — consistently in the OWASP Top 10.

Why It Matters

A single SQL injection vulnerability can give an attacker full read access to your database — user emails, hashed passwords, payment records, everything. In the worst case, they can escalate to write access and modify or delete data, or use stacked queries and database-specific features (like xp_cmdshell on SQL Server or COPY TO PROGRAM on PostgreSQL) to execute operating system commands on the database server itself.

What ShipSafe Detects

✓Raw SQL queries with string concatenation or template literals containing user input
✓ORM bypass patterns where raw queries are used alongside an ORM (e.g., Prisma $queryRawUnsafe with concatenation)
✓Parameterized query misuse (e.g., wrapping interpolated values in quotes inside Prisma tagged templates, which disables parameterization)
✓Dynamic table and column names derived from user input — ORDER BY and table name injection
✓Stored procedure calls with unsanitized parameters
✓Second-order SQL injection where data stored from one request is later used unsafely in a query
✓NoSQL injection patterns in MongoDB queries ($where, $gt, $regex with user-controlled objects)

Example: Vulnerable Code

Vulnerable Express.js route with SQL injection

// Vulnerable: user input directly in SQL query
app.get("/users", async (req, res) => {
  const { search } = req.query;
  const result = await db.query(
    `SELECT * FROM users WHERE name = '${search}'`
  );
  res.json(result.rows);
});

// An attacker sends: search=' OR '1'='1' --
// The query becomes: SELECT * FROM users WHERE name = '' OR '1'='1' --'
// This returns ALL users in the database.

ShipSafe Catches It

$ shipsafe scan

  CRITICAL  sql-injection/template-literal-in-query
  src/routes/users.ts:4
  User input from req.query is interpolated directly into SQL query.
  Fix: Use parameterized queries — db.query("SELECT * FROM users WHERE name = $1", [search])

What to Do Instead

Safe alternatives: parameterized queries with pg, Prisma, and Drizzle

// SAFE: parameterized query with pg driver
app.get("/users", async (req, res) => {
  const { search } = req.query;
  const result = await db.query(
    "SELECT * FROM users WHERE name = $1",
    [search]
  );
  res.json(result.rows);
});

// SAFE: Prisma tagged template (auto-parameterizes)
const users = await prisma.$queryRaw`
  SELECT * FROM users WHERE name = ${search}
`;
// Prisma converts this to: SELECT * FROM users WHERE name = $1

// SAFE: Drizzle query builder
const users = await db
  .select()
  .from(usersTable)
  .where(eq(usersTable.name, search));

Frequently Asked Questions

Does ShipSafe detect SQL injection in Prisma?

Yes. ShipSafe detects unsafe Prisma patterns like $queryRawUnsafe with string concatenation while correctly ignoring safe parameterized Prisma queries. Prisma-specific exceptions were added in v1.0.4.

Can ShipSafe find SQL injection in template literals?

Yes. ShipSafe has specific rules for detecting user input interpolated into SQL template literals, including cases where quotes around interpolation disable parameterization in Prisma and Drizzle.

How many SQL injection rules does ShipSafe have?

ShipSafe has 127 SQL injection detection rules covering raw SQL, ORM bypass, template literals, dynamic table names, stored procedures, second-order injection, and NoSQL injection.

Does ShipSafe detect NoSQL injection in MongoDB?

Yes. ShipSafe detects NoSQL injection patterns in MongoDB queries where user-controlled objects are passed directly to query operators like $where, $gt, and $regex.

Detect SQL Injection in Your Code

Install ShipSafe and scan your project in under 60 seconds.

npm install -g @shipsafe/cli

Get Started Free How It Works

Related Security Categories

XSS Detection →Command Injection Detection →SSRF Detection →Insecure Authentication Detection →