# Ship Safe

> AI-powered application security CLI that runs 18 specialized agents in parallel to scan codebases for secrets, injection vulnerabilities, auth bypass, SSRF, supply chain attacks, and more.

Ship Safe is an AI-powered application security platform for developers that runs 18 specialized security agents in parallel against your codebase with a single command. It covers 80+ attack classes including secrets detection, injection vulnerabilities, auth bypass, SSRF, supply chain attacks, LLM/agentic AI security, MCP server misuse, RAG poisoning, PII compliance, and CI/CD pipeline poisoning. The tool provides OWASP 2025 scoring with EPSS exploit probability, compliance mapping to SOC 2, ISO 27001, and NIST AI RMF, and integrates directly into CI/CD pipelines with GitHub PR comments, threshold gating, and SARIF output.

- **18 Security Agents** — *Run in parallel covering injection, auth bypass, SSRF, supply chain, config auditing, Supabase RLS, LLM/MCP/agentic AI, RAG, PII, vibe coding, CI/CD, API fuzzing, and more.*
- **Full Audit Command** — *Run `npx ship-safe audit .` for a complete scan including secrets, agents, dependency CVEs, scoring, and an interactive HTML remediation report.*
- **OWASP 2025 Scoring** — *8-category weighted scoring system (0-100, A-F grades) aligned with OWASP Top 10 2025 risk rankings, with per-finding EPSS exploit probability.*
- **LLM-Powered Deep Analysis** — *Use the `--deep` flag with Anthropic, OpenAI, Google, Groq, Ollama, or any OpenAI-compatible provider to verify exploitability of critical findings.*
- **Secrets Verification** — *Probes provider APIs (GitHub, Stripe, OpenAI, etc.) with `--verify` to check whether leaked keys are still active.*
- **CI/CD Integration** — *Dedicated `npx ship-safe ci .` command with compact output, exit codes, threshold gating, SARIF export, and GitHub PR comment posting.*
- **MCP Server Scanning** — *`npx ship-safe scan-mcp` vets tool manifests for prompt injection and credential harvesting before connecting.*
- **Claude Code Hooks** — *Install real-time hooks via `npx ship-safe hooks install` to block secrets before they touch disk and inject advisory findings into Claude's context.*
- **Baseline Management** — *Accept current findings as a baseline and only report regressions on subsequent scans.*
- **Incremental Scanning** — *Caches file hashes and findings for ~40% faster repeated scans; only changed files are re-scanned.*
- **Policy-as-Code** — *Enforce team-wide security standards via `.ship-safe.policy.json` with minimum score, severity thresholds, and CVE age limits.*
- **Compliance Mapping** — *Maps findings to SOC 2 Type II, ISO 27001:2022, and NIST AI Risk Management Framework controls.*

## Features

- 18 parallel security agents
- 80+ attack class coverage
- Secret scanning with entropy scoring (50+ patterns)
- OWASP 2025 weighted scoring (0-100, A-F)
- EPSS exploit probability scoring
- LLM-powered deep taint analysis
- Secrets liveness verification via provider API probing
- Dependency CVE auditing (npm/pip/bundler)
- MCP server manifest scanning
- Agentic AI and LLM security (OWASP LLM Top 10)
- CI/CD pipeline poisoning detection
- Supabase RLS misconfiguration detection
- Docker/Terraform/Kubernetes config auditing
- PII compliance detection
- Compliance mapping (SOC 2, ISO 27001, NIST AI RMF)
- SARIF output for GitHub Code Scanning
- Interactive HTML report with severity filtering
- Baseline management for regression-only reporting
- Incremental scanning with file hash caching
- Policy-as-code enforcement
- Claude Code hooks for real-time secret blocking
- Claude Code plugin support
- GitHub Actions integration with PR comments
- Agent Bill of Materials (CycloneDX 1.5)
- Multi-LLM support (Anthropic, OpenAI, Google, Groq, Ollama, etc.)
- Vibe-check emoji security grade with shareable badge
- Industry benchmark comparison
- Git history secret scanning
- Diff scanning for pre-commit and PR workflows

## Integrations

GitHub Actions, GitHub PR Comments, Claude Code, Anthropic Claude, OpenAI, Google Gemini, Ollama, Groq, Together AI, Mistral, DeepSeek, xAI Grok, Perplexity, LM Studio, npm, Supabase, Stripe, Firebase, Terraform, Kubernetes, Docker, SARIF / GitHub Code Scanning

## Platforms

WEB, API, CLI

## Pricing

Open Source

## Version

v6.4.0

## Links

- Website: https://www.shipsafecli.com
- Documentation: https://shipsafecli.com/docs
- Repository: https://github.com/asamassekou10/ship-safe
- EveryDev.ai: https://www.everydev.ai/tools/ship-safe