asamassekou10/ship-safe
Summary
ship-safe is a CLI security scanner that runs 13 regex-based static-analysis agents in parallel over a codebase, flagging secrets, injection vulnerabilities, auth misconfigurations, SSRF, supply-chain issues and more. It produces scored reports with remediation plans, can optionally classify findings through the Claude API, and exposes everything as a single 'npx ship-safe audit .' command with HTML, JSON and SARIF output. Detection is pattern matching only; there is no AST or data-flow analysis behind it.
Great for
people interested in developer security tooling, static analysis pipelines, or building pattern-based vulnerability scanners for modern JS/TS and multi-language codebases
Easy wins
- +Add new secret patterns to cli/utils/patterns.js — the file has a clear comment-delimited structure and maintenance notes explaining exactly how to add patterns with low false-positive rates
- +Add detection rules to an existing agent (e.g. injection-tester.js or auth-bypass-agent.js) — each agent has a consistent PATTERNS array pattern that's easy to extend
- +Improve the single test file (cli/__tests__/agents.test.js) — it only tests happy paths; edge cases like binary files, symlinks, very large files, and Windows path handling are missing
- +Add a new agent for an unrepresented category (e.g. GraphQL schema exposure, HTTP security headers, or Ruby/PHP-specific patterns) by following the base-agent.js contract
Red flags
- !Single-commit history with one contributor: the '4.3.0' version number and 'v4.3' branding on a repo with one commit is misleading; this looks like an initial public release presented as a mature, versioned product
- !The Supabase JWT pattern (prefix eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...) is just the base64url encoding of the header {"alg":"HS256","typ":"JWT"}, which is what most JWT libraries emit by default, so it matches any HS256 JWT rather than only Supabase service-role keys; expect high-volume false positives in any codebase with JWTs in fixtures, tests or docs. Telling a Supabase key apart from any other token requires looking at the payload claims, not the header
- !scanFile() is copy-pasted between cli/commands/agent.js and cli/commands/remediate.js with only minor differences, so a bug fix in one will not propagate to the other
- !The Claude API integration in agent.js sends code context unmasked for vulnerability findings ('Not masked — it's a code pattern, not a secret'). The snippet around an injection or SSRF finding routinely contains hardcoded credentials, internal hostnames and proprietary logic, so "not a secret" is not a safe assumption for the context as a whole, and this can leak sensitive material to a third-party API
- !0 open issues and 0 good_first_issues labels despite the project being new — either issues are disabled or the maintainer hasn't set up contribution infrastructure beyond the template files
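The cheapest way to fix the Supabase false positive, and a template for the kind of low-false-positive pattern the 'Easy wins' list asks for, is to let the regex match any JWT-shaped token and then decode the claims before deciding what it is. The block below is an added example, not code from ship-safe or its patterns.js; it assumes that Supabase-issued keys are JWTs whose payload carries iss="supabase" and role="anon" or "service_role" (Supabase's documented key format), and the tokens in SAMPLE are constructed fixtures with junk signatures, not real keys.

```javascript
// Added example, not ship-safe's own code. Assumption: Supabase keys are JWTs whose
// payload carries iss="supabase" and role="anon" | "service_role" (Supabase's documented format).
const enc = obj => Buffer.from(JSON.stringify(obj)).toString('base64url');
const dec = s => Buffer.from(s, 'base64url').toString('utf8');

// The prefix ship-safe keys on is nothing more than this header, base64url-encoded.
function hs256HeaderPrefix() {
  return enc({ alg: 'HS256', typ: 'JWT' }); // "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"
}

// Match any three-part JWT-shaped token; classification happens afterwards, not in the regex.
const JWT_RE = /(?<![A-Za-z0-9_-])eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+(?![A-Za-z0-9_-])/g;

function decodeJwt(token) {
  const [h, p] = token.split('.');
  try {
    const header = JSON.parse(dec(h));
    const payload = JSON.parse(dec(p));
    if (!header || typeof header !== 'object' || !payload || typeof payload !== 'object') return null;
    return { header, payload };
  } catch {
    return null; // not base64url-encoded JSON: not a JWT at all
  }
}

// Severity comes from the claims: a service_role key bypasses Row Level Security, an anon key
// is public by design, and an unrelated JWT is at most a low-priority "token in source" note.
function classifyJwt(token) {
  const d = decodeJwt(token);
  if (!d) return { kind: 'not-a-jwt' };
  const { header, payload } = d;
  if (payload.iss === 'supabase' && payload.role === 'service_role') {
    return { kind: 'supabase-service-role', severity: 'critical', ref: payload.ref };
  }
  if (payload.iss === 'supabase' && payload.role === 'anon') {
    return { kind: 'supabase-anon', severity: 'info', ref: payload.ref };
  }
  return { kind: 'generic-jwt', severity: 'low', alg: header.alg };
}

function scanText(text) {
  return Array.from(text.matchAll(JWT_RE), m => ({ index: m.index, ...classifyJwt(m[0]) }));
}

// Constructed fixtures: real JWT structure, junk signature, not real keys.
function fakeJwt(payload) {
  return `${hs256HeaderPrefix()}.${enc(payload)}.${'x'.repeat(43)}`;
}
const SAMPLE = [
  `const SUPABASE_SERVICE_KEY = "${fakeJwt({ iss: 'supabase', ref: 'abcdefghijklmnopqrst', role: 'service_role', iat: 1700000000, exp: 2000000000 })}";`,
  `const SUPABASE_ANON_KEY = "${fakeJwt({ iss: 'supabase', ref: 'abcdefghijklmnopqrst', role: 'anon', iat: 1700000000, exp: 2000000000 })}";`,
  `// fixture with the claims from the jwt.io sample token: ${fakeJwt({ sub: '1234567890', name: 'John Doe', iat: 1516239022 })}`,
].join('\n');
```

Running scanText(SAMPLE) yields one critical, one informational and one low-severity hit instead of three identical "Supabase service role key" findings; the same shape (broad regex, then a verifier function) is how a new pattern can be added without inflating the false-positive rate.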
Code quality
The code is readable and consistently structured — every agent follows the same analyze({rootPath, files, recon, options}) interface, error handling in audit.js uses try/catch with spinner failure states, and the remediate.js command has thoughtful safety guarantees (atomic writes, path traversal checks, .gitignore-before-.env ordering). However, the entire project is a single commit from one contributor with commit_frequency_30d of 1, which makes it hard to assess revision history quality. The scanFile() function is duplicated nearly identically in both agent.js and remediate.js — a clear refactor opportunity. The ReDoS safety test (2000ms per agent per file) is a good sign of awareness, but the adversarial inputs tested are fairly mild.
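The adversarial inputs a ReDoS test should feed each agent's PATTERNS are the ones that make a regex fail late: long single-character runs followed by a non-matching byte, unterminated quotes, one enormous minified line, deep nesting, NUL-filled content. The harness below is an added example, not ship-safe's agents.test.js; the input sizes, the 2000 ms budget and the SAFE_PATTERNS / EVIL_PATTERN regexes are illustrative assumptions, not the project's own patterns.

```javascript
// Added example, not ship-safe's test code. Sizes and the 2000 ms budget are illustrative.

// Inputs that defeat naive patterns. n must be a multiple of 20.
function adversarialInputs(n = 20000) {
  return {
    longRun:      'a'.repeat(n) + '!',                 // long run, then a byte that fails the match
    unterminated: '"' + 'x'.repeat(n),                 // opening quote that is never closed
    nestedParens: '('.repeat(n / 2) + ')'.repeat(n / 2),
    spaceRun:     ' '.repeat(n) + 'x',                 // the classic /\s*$/ quadratic case
    minified:     Array.from({ length: n / 20 }, (_, i) => `var a${i}=b${i};`).join(''), // one huge line
    keyValues:    'key=value;'.repeat(n / 10),
    binaryish:    Buffer.alloc(n, 0).toString('latin1') + 'AKIA', // NULs, then a tempting prefix
  };
}

// Time one regex against one input. A fresh RegExp is built so lastIndex/global state from the
// caller cannot leak in; the 'g' and 'y' flags are dropped for the same reason.
function timeRegex(re, input, budgetMs = 2000) {
  const r = new RegExp(re.source, re.flags.replace(/[gy]/g, ''));
  const t0 = performance.now();
  r.test(input);
  const ms = performance.now() - t0;
  return { ms, exceeded: ms > budgetMs };
}

// Run every pattern in a PATTERNS-style object over every input; return only the budget breaches.
function auditPatterns(patterns, { n = 20000, budgetMs = 2000 } = {}) {
  const inputs = adversarialInputs(n);
  const failures = [];
  for (const [name, re] of Object.entries(patterns)) {
    for (const [inputName, text] of Object.entries(inputs)) {
      const { ms, exceeded } = timeRegex(re, text, budgetMs);
      if (exceeded) failures.push({ pattern: name, input: inputName, ms: Math.round(ms) });
    }
  }
  return failures;
}

// Illustrative patterns only (assumed shapes, not ship-safe's PATTERNS arrays).
const SAFE_PATTERNS = {
  awsAccessKeyId:  /\bAKIA[0-9A-Z]{16}\b/,
  privateKeyBlock: /-----BEGIN [A-Z ]*PRIVATE KEY-----/,
  dangerousEval:   /\beval\s*\(/,
};

// Textbook catastrophic pattern: a nested quantifier that backtracks exponentially on longRun.
// Only ever feed it a tiny n; at the default 20000 it would never return.
const EVIL_PATTERN = { wordsThenEnd: /^(\w+\s?)*$/ };
```

One caveat the 2000 ms figure hides: a JavaScript regex runs synchronously and cannot be interrupted, so an in-process timer only reports a breach after the fact. For a real CI gate, run auditPatterns in a worker thread and terminate the worker on timeout; otherwise a single catastrophic pattern hangs the whole test run rather than failing it.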
What makes it unique
This occupies the same space as Semgrep, Gitleaks, and Trivy but packages them into a single zero-config npx command targeting indie developers who won't configure a full SAST pipeline. The differentiator is the all-in-one UX (one command, scored output, HTML report, baseline support) rather than detection breadth: regex-based agents will not match a dedicated tool like Semgrep on true-positive rate. The LLM classification layer for reducing false positives is genuinely useful, but it is optional, requires an Anthropic API key, and (as noted under Red flags) sends unmasked code context off-machine.
Scores
Barrier to entry
low
The codebase is flat, well-organized, and each agent is a self-contained file in cli/agents/ with a consistent analyze() interface; a contributor can add a new detection rule or agent without touching anything else, and the test structure in agents.test.js shows exactly what's expected.