ship-safe
Ship Safe is a CLI security scanner designed for AI-driven development environments. It detects CI/CD misconfigurations, agent permission risks, MCP tool injection, hardcoded secrets, and supply-chain threats across 23 parallel security agents, with optional AI-powered fix recommendations.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | asamassekou10/ship-safe |
| Owner | asamassekou10 |
| Primary language | JavaScript |
| License | MIT — OSI-approved |
| Stars | 739 |
| Forks | 82 |
| Open issues | 1 |
| Latest release | v9.3.2 (2026-05-20) |
| Last updated | 2026-05-20 |
| Source | https://github.com/asamassekou10/ship-safe |
What ship-safe is
JavaScript-based static analysis and SAST tool that runs 23 specialized agents (injection detection, auth bypass, SSRF, supply chain audits, AI/LLM risks, compliance scanning) in parallel, with optional LLM integration for remediation planning. Outputs SARIF format for CI/CD integration; works offline without API keys for scanning.
Get the ship-safe source
Clone the repository and explore it locally.
git clone https://github.com/asamassekou10/ship-safe.gitcd ship-safe# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Requires Node.js/npm environment. Installable via `npx ship-safe` (no global install necessary). Plan for scanning time on large codebases and performance tuning if agents are slow.
- LLM integration is optional; AI-powered fixes require API keys for Anthropic, OpenAI, DeepSeek, Groq, etc. Ensure API costs and provider uptime are acceptable for your team.
- CI/CD integration via GitHub Actions (or similar) requires environment setup for LLM providers and SARIF output configuration. Threshold tuning needed to avoid alert fatigue.
- Agents are language-agnostic but JavaScript is primary; detection coverage may vary for Python, Go, Rust, etc. Test on sample codebase before full rollout.
- Undo capability relies on git; ensure clean working tree and consider automation of fix-review-commit flow if running in headless CI.
When to avoid it — and what to weigh
- Requiring commercial support or SLA — MIT license permits commercial use, but no documented support tier, SLA, or vendor backing is visible. Relies on community contribution and sponsor model.
- Need for runtime monitoring or behavioral analysis — Ship Safe is static analysis only. Does not monitor running applications, enforce policies at runtime, or provide real-time threat detection.
- Closed-source or vendored-only deployments — Open-source on GitHub; if your org requires proprietary security tools with code escrow or vendor indemnification, this is not suitable.
- Expecting zero false positives — Tool includes suppression syntax (comments, .ship-safeignore file) but like all static analysis, may require tuning. No published false-positive rate or industry benchmark provided.
License & commercial use
MIT License (MIT). Permissive open-source license allowing commercial use, modification, and distribution with minimal restrictions (retain license and copyright notice).
MIT is a permissive OSI license that permits commercial use without additional licensing fees or vendor approval. No documented restrictions on commercial deployment or integration. However, no warranty or indemnification is provided; liability is disclaimed. Confirm your org's legal review of MIT terms before enterprise deployment.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Strong |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Strong |
| Assessment confidence | High |
Ship Safe is a security scanning tool; its own security posture requires review. Key considerations: (1) API keys for LLM providers must be handled securely in CI/CD environments; (2) offline scanning mode avoids telemetry, but optional LLM features may send code snippets to third-party APIs—review privacy requirements; (3) tool runs static analysis on source code and git history—ensure it respects .gitignore and suppression syntax to avoid false positives; (4) SARIF output may expose sensitive findings; manage access to reports. No published security audit, penetration test results, or vulnerability disclosure policy provided.
Alternatives to consider
Snyk
Commercial SaaS platform with runtime and supply-chain scanning, priority support, and integrations. Better for enterprises requiring managed services and SLAs.
Semgrep
Open-source static analysis engine with rule library and policy engine. Lighter weight, language-agnostic, but no built-in agentic AI or LLM-specific checks.
Checkmarx / Aqua CSPM
Enterprise SAST/DAST platforms with AI-powered remediation and compliance reporting. Suitable for regulated industries needing vendor support and audit trails.
Build on ship-safe with DEV.co software developers
Try Ship Safe free: `npx ship-safe` in your terminal. No signup, no API key required for scanning. Get started in seconds.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
ship-safe FAQ
Do I need an API key to scan my code?
What LLM providers are supported?
Can I integrate Ship Safe into GitHub Actions?
Does it support languages other than JavaScript?
Work with a software development agency
Adopting ship-safe is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source security software in production.
Secure Your AI-Driven Codebase
Try Ship Safe free: `npx ship-safe` in your terminal. No signup, no API key required for scanning. Get started in seconds.