Ship code,
not vulnerabilities.
16 security agents scan for secrets, injection, auth bypass, SSRF, supply chain attacks, agentic AI, MCP, RAG, PII, and more — with LLM-powered deep analysis and confidence tuning that cuts false positives by 70%.
From vulnerable to secure,
automatically.
npx ship-safe remediate . --all rewrites your code, writes the .env file, updates .gitignore, and fixes common vulnerabilities — all in one shot.
// config.js import OpenAI from 'openai'; const openai = new OpenAI({ apiKey: "sk-proj-xK9mN2pL8qR3f5..." ← exposed });
// config.js import OpenAI from 'openai'; const openai = new OpenAI({ apiKey: process.env.OPENAI_API_KEY ← ✓ safe });
OPENAI_API_KEY=sk-proj-xK9mN2pL8qR3f5...Everything that can get you hacked.
16 agents. 5 OWASP standards. One tool.
Secrets & Injection
50+ secret patterns plus injection testing — SQL, NoSQL, XSS, command injection, path traversal, XXE, ReDoS, prototype pollution.
- API keys, database URLs, private keys, JWTs
- SQL injection, XSS,
eval(),pickle.loads - Entropy scoring to catch random-looking secrets
- Smart
.gitignore— always scans.envfiles
Auth, SSRF & Supply Chain
Dedicated agents for auth bypass, SSRF, and supply chain attacks — the hardest vulns to catch manually.
- JWT alg:none, weak secrets, CSRF, OAuth misconfig
- SSRF via fetch/axios, cloud metadata endpoints
- Typosquatting detection (Levenshtein distance)
- Suspicious install scripts, wildcard versions
Config, CI/CD & AI/LLM
Scans Docker, Terraform, Kubernetes, CI/CD pipelines, LLM integrations, MCP servers, agentic AI, and RAG pipelines.
- Dockerfile root user,
:latesttags, open ports - Pipeline poisoning, unpinned actions, secret logging
- OWASP LLM Top 10 + Agentic AI Top 10 — MCP, RAG, PII
- LLM-powered deep analysis for exploitability verification
A specialist for every attack surface.
Each agent is purpose-built to find what general scanners miss.
SQL/NoSQL injection, XSS, command injection, eval, path traversal, XXE, ReDoS, prototype pollution
JWT alg:none, weak secrets, CSRF, OAuth misconfig, BOLA/IDOR, timing attacks
User input in fetch/axios, cloud metadata endpoints, internal IPs, redirect following
Typosquatting, dependency confusion, git/URL deps, wildcard versions, suspicious install scripts
Dockerfile, Terraform (RDS, CloudFront, Lambda, S3), Kubernetes, CORS, CSP, Firebase, Nginx misconfigs
Row Level Security — service_role key in client code, CREATE TABLE without RLS, anon inserts, unprotected storage
OWASP LLM Top 10 — prompt injection, excessive agency, system prompt leakage, RAG poisoning
MCP server security — unvalidated tool inputs, missing auth, excessive permissions, tool poisoning
OWASP Agentic AI Top 10 — agent hijacking, privilege escalation, unsafe code execution, memory poisoning
RAG pipeline security — unvalidated embeddings, context injection, document poisoning, vector DB access control
PII detection — SSNs, credit cards, emails, phone numbers in source code, logs, and configs
Insecure storage, WebView injection, HTTP endpoints, debug mode, permissions
Leaked secrets in git history — checks if still active in working tree
Pipeline poisoning, unpinned actions, secret logging, self-hosted runners
Routes without auth, missing validation, mass assignment, GraphQL introspection, rate limiting, OpenAPI spec issues
Attack surface mapping — frameworks, auth patterns, databases, cloud providers
How audit works
One command. Four phases. Prioritized fix list.
Scan for secrets
Scans every file for 50+ secret patterns with entropy scoring. Respects .gitignore for build output but always scans .env, .pem, and other security-sensitive files.
Run 16 security agents
Deploys specialized agents for injection, auth bypass, SSRF, supply chain, config, Supabase RLS, LLM security, mobile, git history, CI/CD, API fuzzing, and recon. Context-aware confidence tuning reduces false positives.
Audit dependencies
Runs your package manager's own audit tool — npm, yarn, pnpm, pip, or bundler. Finds known CVEs in your dependency tree and flags vulnerable versions.
Score & remediation plan
Computes a 0–100 security score across 8 weighted categories. Generates a prioritized remediation plan — CRITICAL first, then HIGH, then MEDIUM — so you know exactly what to fix first.
HTML report
Outputs a standalone dark-themed HTML report with every finding, file location, severity, CWE/OWASP mapping, and suggested fix. Share it with your team or attach it to a PR.
All commands
Everything you need. Nothing you don't.
Full security audit — secrets + 16 agents + deps + score + deep analysis + remediation plan + HTML report.
Run 16 security agents (80+ attack classes) against your codebase. Targeted deep scan.
Quick secret scan — 50+ patterns with entropy scoring. No API key needed.
0–100 security health score with A–F grade. 8 weighted categories.
Audit npm, yarn, pnpm, pip, or bundler dependencies for known CVEs.
AI-powered audit — scan + classify with Claude + auto-fix secrets.
Continuous monitoring — watches files for changes and re-scans automatically.
CI/CD pipeline mode — compact output, threshold gating, exit codes. Optimized for automation.
Accept current findings as baseline — only report regressions on future scans.
Auto-fix secrets and common vulnerabilities — TLS bypass, debug mode, XSS, Docker :latest.
Install a git hook that blocks git push if secrets are found.
Drop it into your pipeline.
Use ship-safe ci for threshold-based gating, compact output, and SARIF. Zero config.
name: Security Audit
on: [push, pull_request]
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Security gate
run: npx ship-safe ci . --threshold 75 --sarif results.sarif
- uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: results.sarifUse --sarif with scan to upload findings directly to GitHub's Security tab via github/codeql-action/upload-sarif.