DEV.co
Open-Source Security · asamassekou10

ship-safe

Ship Safe is a CLI security scanner designed for AI-driven development environments. It detects CI/CD misconfigurations, agent permission risks, MCP tool injection, hardcoded secrets, and supply-chain threats across 23 parallel security agents, with optional AI-powered fix recommendations.

Source: GitHub — github.com/asamassekou10/ship-safe
739
GitHub stars
82
Forks
JavaScript
Primary language
MIT
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositoryasamassekou10/ship-safe
Ownerasamassekou10
Primary languageJavaScript
LicenseMIT — OSI-approved
Stars739
Forks82
Open issues1
Latest releasev9.3.2 (2026-05-20)
Last updated2026-05-20
Sourcehttps://github.com/asamassekou10/ship-safe

What ship-safe is

JavaScript-based static analysis and SAST tool that runs 23 specialized agents (injection detection, auth bypass, SSRF, supply chain audits, AI/LLM risks, compliance scanning) in parallel, with optional LLM integration for remediation planning. Outputs SARIF format for CI/CD integration; works offline without API keys for scanning.

Quickstart

Get the ship-safe source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/asamassekou10/ship-safe.gitcd ship-safe# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Securing AI-enabled development pipelines

Detects agentic AI risks (prompt injection, privilege escalation, tool poisoning, memory poisoning) and MCP server misconfigurations—critical for teams using Claude agents, managed LLMs, or custom agentic workflows.

Developer-first CI/CD security gates

Interactive REPL with diff-before-fix, undo capability, and diff verification fits teams that want security scanning without blocking workflows. Integrates into GitHub Actions with severity thresholding and SARIF output.

Multi-layer supply-chain and secrets audit

Combines git history secrets scanning, dependency typosquatting detection, hardcoded PII, unpinned versions, and CI/CD pipeline poisoning in a single tool—suitable for regulated environments needing comprehensive artifact provenance.

Implementation considerations

  • Requires Node.js/npm environment. Installable via `npx ship-safe` (no global install necessary). Plan for scanning time on large codebases and performance tuning if agents are slow.
  • LLM integration is optional; AI-powered fixes require API keys for Anthropic, OpenAI, DeepSeek, Groq, etc. Ensure API costs and provider uptime are acceptable for your team.
  • CI/CD integration via GitHub Actions (or similar) requires environment setup for LLM providers and SARIF output configuration. Threshold tuning needed to avoid alert fatigue.
  • Agents are language-agnostic but JavaScript is primary; detection coverage may vary for Python, Go, Rust, etc. Test on sample codebase before full rollout.
  • Undo capability relies on git; ensure clean working tree and consider automation of fix-review-commit flow if running in headless CI.

When to avoid it — and what to weigh

  • Requiring commercial support or SLA — MIT license permits commercial use, but no documented support tier, SLA, or vendor backing is visible. Relies on community contribution and sponsor model.
  • Need for runtime monitoring or behavioral analysis — Ship Safe is static analysis only. Does not monitor running applications, enforce policies at runtime, or provide real-time threat detection.
  • Closed-source or vendored-only deployments — Open-source on GitHub; if your org requires proprietary security tools with code escrow or vendor indemnification, this is not suitable.
  • Expecting zero false positives — Tool includes suppression syntax (comments, .ship-safeignore file) but like all static analysis, may require tuning. No published false-positive rate or industry benchmark provided.

License & commercial use

MIT License (MIT). Permissive open-source license allowing commercial use, modification, and distribution with minimal restrictions (retain license and copyright notice).

MIT is a permissive OSI license that permits commercial use without additional licensing fees or vendor approval. No documented restrictions on commercial deployment or integration. However, no warranty or indemnification is provided; liability is disclaimed. Confirm your org's legal review of MIT terms before enterprise deployment.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationStrong
License clarityClear
Deployment complexityLow
DEV.co fitStrong
Assessment confidenceHigh
Security considerations

Ship Safe is a security scanning tool; its own security posture requires review. Key considerations: (1) API keys for LLM providers must be handled securely in CI/CD environments; (2) offline scanning mode avoids telemetry, but optional LLM features may send code snippets to third-party APIs—review privacy requirements; (3) tool runs static analysis on source code and git history—ensure it respects .gitignore and suppression syntax to avoid false positives; (4) SARIF output may expose sensitive findings; manage access to reports. No published security audit, penetration test results, or vulnerability disclosure policy provided.

Alternatives to consider

Snyk

Commercial SaaS platform with runtime and supply-chain scanning, priority support, and integrations. Better for enterprises requiring managed services and SLAs.

Semgrep

Open-source static analysis engine with rule library and policy engine. Lighter weight, language-agnostic, but no built-in agentic AI or LLM-specific checks.

Checkmarx / Aqua CSPM

Enterprise SAST/DAST platforms with AI-powered remediation and compliance reporting. Suitable for regulated industries needing vendor support and audit trails.

Software development agency

Build on ship-safe with DEV.co software developers

Try Ship Safe free: `npx ship-safe` in your terminal. No signup, no API key required for scanning. Get started in seconds.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

ship-safe FAQ

Do I need an API key to scan my code?
No. Scanning (static analysis) works fully offline and requires no API keys. LLM-powered fix suggestions are optional and require an API key for your chosen LLM provider (Anthropic, OpenAI, etc.).
What LLM providers are supported?
Anthropic, OpenAI, Google, DeepSeek, Groq, Together, Mistral, xAI, Perplexity, Ollama, LM Studio, and any OpenAI-compatible endpoint. Auto-detected from environment variables; use `--provider` to override.
Can I integrate Ship Safe into GitHub Actions?
Yes. Provided example uses `npx ship-safe ci . --threshold 75 --sarif results.sarif` with `github/codeql-action/upload-sarif` for automated security gates.
Does it support languages other than JavaScript?
Unknown. Primary language is JavaScript; agent coverage for Python, Go, Rust, etc. not explicitly documented. Recommend testing on sample codebase before production use.

Work with a software development agency

Adopting ship-safe is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source security software in production.

Secure Your AI-Driven Codebase

Try Ship Safe free: `npx ship-safe` in your terminal. No signup, no API key required for scanning. Get started in seconds.