SHIP-SAFE(1)

NAME

ship-safe - AI-powered security scanner for developers — 12 agents, 50+ attack classes, one command


DESCRIPTION

AI-powered security scanner for developers — 12 agents, 50+ attack classes, one command

README

AI-powered application security platform for developers.


12 security agents. 50+ attack classes. One command.

Ship Safe v4.2 is an AI-powered security platform that runs 12 specialized agents in parallel against your codebase — scanning for secrets, injection vulnerabilities, auth bypass, SSRF, supply chain attacks, Docker/Terraform misconfigs, CI/CD pipeline poisoning, LLM security issues, and more. It produces a confidence-weighted score and a prioritized remediation plan so you know exactly what to fix first.


Quick Start

# Full security audit — secrets + 12 agents + deps + remediation plan
npx ship-safe audit .

# Red team scan only (12 agents, 50+ attack classes)
npx ship-safe red-team .

# Quick secret scan
npx ship-safe scan .

# Security health score (0-100)
npx ship-safe score .

# Environment diagnostics
npx ship-safe doctor


The audit Command

One command that runs everything and generates a full report:

npx ship-safe audit .

════════════════════════════════════════════════════════════
  Ship Safe v4.2 — Full Security Audit
════════════════════════════════════════════════════════════

  [Phase 1/4] Scanning for secrets...         ✔ 49 found
  [Phase 2/4] Running 12 security agents...   ✔ 103 findings
  [Phase 3/4] Auditing dependencies...        ✔ 44 CVEs
  [Phase 4/4] Computing security score...     ✔ 25/100 F

  Remediation Plan
  ════════════════════════════════════════════════════════

  🔴 CRITICAL — fix immediately
  ────────────────────────────────────────────────────────
   1. [SECRETS] Rotate Stripe Live Secret Key
      .env:67 → Move to environment variable or secrets manager

   2. [INJECTION] Unsafe pickle.loads()
      backend/ai_processor.py:64 → Use JSON for untrusted data

  🟠 HIGH — fix before deploy
  ────────────────────────────────────────────────────────
   3. [XSS] dangerouslySetInnerHTML without sanitization
      frontend/src/utils/blogContentRenderer.jsx:50 → Add DOMPurify

  ... 149 more items in the full report

  📊 Full report: ship-safe-report.html

What it runs:

  1. Secret scan — 50+ patterns with entropy scoring (API keys, passwords, tokens)
  2. 12 security agents — run in parallel with per-agent timeouts (injection, auth, SSRF, supply chain, config, LLM, mobile, git history, CI/CD, API)
  3. Dependency audit — npm/pip/bundler CVE scanning
  4. Score computation — confidence-weighted scoring across 8 categories (0-100, A-F)
  5. Remediation plan — prioritized fix list grouped by severity
  6. HTML report — standalone dark-themed report with table of contents

Flags:

  • --json — structured JSON output (clean for piping)
  • --sarif — SARIF format for GitHub Code Scanning
  • --csv — CSV export for spreadsheets
  • --md — Markdown report
  • --html [file] — custom HTML report path (default: ship-safe-report.html)
  • --compare — show per-category score delta vs. last scan
  • --timeout <ms> — per-agent timeout (default: 30s)
  • --no-deps — skip dependency audit
  • --no-ai — skip AI classification
  • --no-cache — force full rescan (ignore cached results)

12 Security Agents

| Agent | Category | What It Detects |
|---|---|---|
| InjectionTester | Code Vulns | SQL/NoSQL injection, command injection, code injection (eval), XSS, path traversal, XXE, ReDoS, prototype pollution, Python f-string SQL injection, Python subprocess shell injection |
| AuthBypassAgent | Auth | JWT vulnerabilities (alg:none, weak secrets), cookie security, CSRF, OAuth misconfig, BOLA/IDOR, weak crypto, timing attacks, TLS bypass, Django DEBUG = True, Flask hardcoded secret keys |
| SSRFProber | SSRF | User input in fetch/axios, cloud metadata endpoints, internal IPs, redirect following |
| SupplyChainAudit | Supply Chain | Typosquatting (Levenshtein distance), git/URL dependencies, wildcard versions, suspicious install scripts |
| ConfigAuditor | Config | Dockerfile (running as root, :latest tags), Terraform (public S3, open SG), Kubernetes (privileged containers), CORS, CSP, Firebase, Nginx, Go fmt.Sprintf SQL injection, Go unescaped templates, Rust unsafe blocks, Rust .unwrap() in production |
| LLMRedTeam | AI/LLM | OWASP LLM Top 10 — prompt injection, excessive agency, system prompt leakage, unbounded consumption, RAG poisoning |
| MobileScanner | Mobile | OWASP Mobile Top 10 2024 — insecure storage, WebView JS injection, HTTP endpoints, excessive permissions, debug mode |
| GitHistoryScanner | Secrets | Leaked secrets in git commit history (checks if still active in working tree) |
| CICDScanner | CI/CD | OWASP CI/CD Top 10 — pipeline poisoning, unpinned actions, secret logging, self-hosted runners, script injection |
| APIFuzzer | API | Routes without auth, missing input validation, mass assignment, unrestricted file upload, GraphQL introspection, debug endpoints |
| ReconAgent | Recon | Attack surface discovery — frameworks, languages, auth patterns, databases, cloud providers, IaC, CI/CD pipelines |
| ScoringEngine | Scoring | 8-category weighted scoring with trend tracking |

All Commands

Core Audit Commands

# Full audit with remediation plan + HTML report
npx ship-safe audit .

# Red team: 12 agents, 50+ attack classes
npx ship-safe red-team .
npx ship-safe red-team . --agents injection,auth   # Run specific agents
npx ship-safe red-team . --html report.html        # HTML report
npx ship-safe red-team . --json                    # JSON output

# Secret scanner (pattern matching + entropy)
npx ship-safe scan .
npx ship-safe scan . --json    # JSON for CI
npx ship-safe scan . --sarif   # SARIF for GitHub

# Security health score (0-100, A-F)
npx ship-safe score .

# Dependency CVE audit
npx ship-safe deps .
npx ship-safe deps . --fix     # Auto-fix vulnerabilities

AI-Powered Commands

# AI audit: scan + classify with Claude + auto-fix secrets
npx ship-safe agent .

# Auto-fix hardcoded secrets: rewrite code + write .env
npx ship-safe remediate .

# Revoke exposed keys — opens provider dashboards
npx ship-safe rotate .

Diagnostics

# Environment check — Node.js, git, npm, API keys, cache, version
npx ship-safe doctor

Infrastructure Commands

# Continuous monitoring (watch files for changes)
npx ship-safe watch .

# Generate CycloneDX SBOM
npx ship-safe sbom .

# Policy-as-code (enforce minimum score, fail on severity)
npx ship-safe policy init

# Block git push if secrets found
npx ship-safe guard

# Initialize security configs (.gitignore, headers)
npx ship-safe init

# Launch-day security checklist
npx ship-safe checklist

# MCP server for AI editors (Claude Desktop, Cursor, etc.)
npx ship-safe mcp


Claude Code Plugin

Use Ship Safe directly inside Claude Code — no CLI needed:

claude plugin add github:asamassekou10/ship-safe

| Command | Description |
|---|---|
| /ship-safe | Full security audit — 12 agents, remediation plan, auto-fix |
| /ship-safe-scan | Quick scan for leaked secrets |
| /ship-safe-score | Security health score (0-100) |

Claude interprets the results, explains findings in plain language, and can fix issues directly in your codebase.


Incremental Scanning

Ship Safe caches file hashes and findings in .ship-safe/context.json. On subsequent runs, only changed files are re-scanned — unchanged files reuse cached results.

✔ [Phase 1/4] Secrets: 41 found (0 changed, 313 cached)

  • ~40% faster on repeated scans
  • Auto-invalidation — cache expires after 24 hours or when ship-safe updates
  • --no-cache — force a full rescan anytime

The cache is stored in .ship-safe/ which is automatically excluded from scans.

LLM Response Caching

When using AI classification (--no-ai to disable), results are cached in .ship-safe/llm-cache.json with a 7-day TTL. Repeated scans reuse cached classifications — reducing API costs significantly.


Smart .gitignore Handling

Ship Safe respects your .gitignore for build output, caches, and vendor directories — but always scans security-sensitive files even if gitignored:

| Skipped (gitignore respected) | Always scanned (gitignore overridden) |
|---|---|
| node_modules/, dist/, build/ | .env, .env.local, .env.production |
| *.log, *.pkl, vendor dirs | *.pem, *.key, *.p12 |
| Cache directories, IDE files | credentials.json, *.secret |

Why? Files like .env are gitignored because they contain secrets — which is exactly what a security scanner should catch.


Multi-LLM Support

Ship Safe supports multiple AI providers for classification:

| Provider | Env Variable | Model |
|---|---|---|
| Anthropic | ANTHROPIC_API_KEY | claude-haiku-4-5 |
| OpenAI | OPENAI_API_KEY | gpt-4o-mini |
| Google | GOOGLE_AI_API_KEY | gemini-2.0-flash |
| Ollama | OLLAMA_HOST | Local models |

Auto-detected from environment variables. No API key required for scanning — AI is optional.


Scoring System

Starts at 100. Each finding deducts points by severity and category, weighted by confidence level (high: 100%, medium: 60%, low: 30%) to reduce noise from heuristic patterns.

8 Categories (with weight caps):

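| Category | Weight | Critical | High | Medium | Cap |
|---|---|---|---|---|---|
| Secrets | 15% | -25 | -15 | -5 | -15 |
| Code Vulnerabilities | 15% | -20 | -10 | -3 | -15 |
| Dependencies | 15% | -20 | -10 | -5 | -15 |
| Auth & Access Control | 15% | -20 | -10 | -3 | -15 |
| Configuration | 10% | -15 | -8 | -3 | -10 |
| Supply Chain | 10% | -15 | -8 | -3 | -10 |
| API Security | 10% | -15 | -8 | -3 | -10 |
| AI/LLM Security | 10% | -15 | -8 | -3 | -10 |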

Grades: A (90-100), B (75-89), C (60-74), D (40-59), F (0-39)

Exit codes: 0 for A/B (>= 75), 1 for C/D/F — use in CI to fail builds.
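
The scoring rules in this section, worked through as an added example (not ship-safe's own code). The deduction table, confidence weights, grade bands and exit-code rule come from the text above; the finding object shape, the short category keys, applying each cap to a category's summed deductions, rounding to the nearest integer and rejecting severities that have no column are assumptions.

```javascript
// Added illustration of the README's scoring rules; not ship-safe's own code.
// Deductions and caps copied from the table above (as positive points).
const CATEGORIES = {
  secrets:     { critical: 25, high: 15, medium: 5, cap: 15 },
  code:        { critical: 20, high: 10, medium: 3, cap: 15 },
  deps:        { critical: 20, high: 10, medium: 5, cap: 15 },
  auth:        { critical: 20, high: 10, medium: 3, cap: 15 },
  config:      { critical: 15, high: 8, medium: 3, cap: 10 },
  supplyChain: { critical: 15, high: 8, medium: 3, cap: 10 },
  api:         { critical: 15, high: 8, medium: 3, cap: 10 },
  llm:         { critical: 15, high: 8, medium: 3, cap: 10 },
};
const CONFIDENCE = { high: 1.0, medium: 0.6, low: 0.3 };
const SEVERITIES = ['critical', 'high', 'medium'];

// findings: [{ category, severity, confidence }] (hypothetical shape).
function computeScore(findings) {
  const deducted = {};
  for (const { category, severity, confidence } of findings) {
    if (!Object.hasOwn(CATEGORIES, category) || !SEVERITIES.includes(severity) ||
        !Object.hasOwn(CONFIDENCE, confidence)) {
      throw new Error(`unscorable finding: ${category}/${severity}/${confidence}`);
    }
    const points = CATEGORIES[category][severity] * CONFIDENCE[confidence];
    deducted[category] = (deducted[category] || 0) + points;
  }
  // Assumption: the cap bounds each category's summed deduction, so one noisy
  // category cannot take more than its share of the 100 points.
  let total = 0;
  for (const category of Object.keys(deducted)) {
    deducted[category] = Math.min(deducted[category], CATEGORIES[category].cap);
    total += deducted[category];
  }
  const score = Math.max(0, Math.round(100 - total)); // rounding is an assumption
  const grade = score >= 90 ? 'A' : score >= 75 ? 'B' : score >= 60 ? 'C'
    : score >= 40 ? 'D' : 'F';
  return { score, grade, exitCode: score >= 75 ? 0 : 1, deducted };
}

// Constructed sample findings, not output from a real scan.
const SAMPLE = [
  { category: 'secrets', severity: 'critical', confidence: 'high' },  // 25, capped to 15
  { category: 'code', severity: 'high', confidence: 'medium' },       // 10 * 0.6
  { category: 'code', severity: 'medium', confidence: 'low' },        // 3 * 0.3
  { category: 'deps', severity: 'high', confidence: 'high' },         // 10
];
console.log(computeScore(SAMPLE));
```

Under this reading of the caps, a single high-confidence critical secret already exhausts the Secrets cap and leaves the score at 85 (grade B, exit code 0), so a CI gate that relies only on the exit code would still pass with a live key in the tree. The `failOn` setting shown under Policy-as-Code is the severity-based gate for that case.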


Policy-as-Code

Create .ship-safe.policy.json to enforce team-wide security standards:

npx ship-safe policy init

{
  "minimumScore": 70,
  "failOn": "critical",
  "requiredScans": ["secrets", "injection", "deps", "auth"],
  "ignoreRules": [],
  "customSeverityOverrides": {},
  "maxAge": { "criticalCVE": "7d", "highCVE": "30d", "mediumCVE": "90d" }
}

CI/CD Integration

# .github/workflows/security.yml
name: Security Audit

on: [push, pull_request]

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Full security audit
        run: npx ship-safe audit . --no-ai --json

      - name: Score delta vs. last scan
        run: npx ship-safe audit . --no-ai --compare

      - name: Upload SARIF to GitHub Security tab
        run: npx ship-safe audit . --no-ai --sarif > results.sarif

      # upload-sarif needs the job token to have security-events: write
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif

Export formats: --json, --sarif, --csv, --md, --html


Suppress False Positives

Inline: Add # ship-safe-ignore comment on a line:

password = get_password()  # ship-safe-ignore

File-level: Create .ship-safeignore (gitignore syntax):

# Exclude test fixtures
tests/fixtures/
*.test.js

# Exclude documentation with code examples
docs/


OWASP Coverage

| Standard | Coverage |
|---|---|
| OWASP Top 10 Web 2025 | A01-A10: Broken Access Control, Cryptographic Failures, Injection, Insecure Design, Security Misconfiguration, Vulnerable Components, Auth Failures, Data Integrity, Logging Failures, SSRF |
| OWASP Top 10 Mobile 2024 | M1-M10: Improper Credential Usage, Inadequate Supply Chain, Insecure Auth, Insufficient Validation, Insecure Communication, Inadequate Privacy, Binary Protections, Security Misconfiguration, Insecure Data Storage, Insufficient Cryptography |
| OWASP LLM Top 10 2025 | LLM01-LLM10: Prompt Injection, Sensitive Info Disclosure, Supply Chain, Data Poisoning, Improper Output Handling, Excessive Agency, System Prompt Leakage, Vector/Embedding Weaknesses, Misinformation, Unbounded Consumption |
| OWASP CI/CD Top 10 | CICD-SEC-1 to 10: Insufficient Flow Control, Identity Management, Dependency Chain Abuse, Poisoned Pipeline Execution, Insufficient PBAC, Credential Hygiene, Insecure System Config, Ungoverned Usage, Improper Artifact Integrity, Insufficient Logging |

What's Inside

/configs

Drop-in security configs for Next.js, Supabase, and Firebase.

/snippets

Copy-paste security patterns: rate limiting, JWT, CORS, input validation.

/ai-defense

LLM security: prompt injection detection, cost protection, system prompt hardening.

/checklists

Manual security audits: launch-day checklist, framework-specific guides.


Contributing

  1. Fork the repo
  2. Add your security pattern, agent, or config
  3. Include comments explaining why it matters
  4. Open a PR

See CONTRIBUTING.md for guidelines.



License

MIT - Use it, share it, secure your stuff.



Ship fast. Ship safe.

SEE ALSO

clihub    3/7/2026    SHIP-SAFE(1)