This AI-powered application security platform provides developers with a comprehensive, automated solution to scan codebases for a wide array of vulnerabilities. Targeting developers and security teams, it aims to streamline the security auditing process, enabling faster and more secure software delivery through a single command interface.

How It Works

Ship Safe employs a multi-agent architecture, running 18 specialized agents in parallel to detect a broad spectrum of security vulnerabilities. These agents cover critical areas such as secrets detection, injection flaws, authentication bypass, SSRF, supply chain attacks, and emerging threats like LLM/agentic AI security and RAG poisoning. The platform integrates LLM-powered deep analysis to verify the exploitability of high-severity findings and features a unique secrets verification mechanism that probes provider APIs to confirm if leaked keys are still active. It also provides OWASP 2025 scoring with EPSS exploit probability and compliance mapping to industry standards.

Quick Start & Requirements

• Primary install/run command: npx ship-safe audit .
• Non-default prerequisites: Optional LLM providers (Anthropic, OpenAI, Google, Ollama) for deep analysis.
• Links: shipsafecli.com (official website). Direct links to documentation or blog are not explicitly provided in the README.

Highlighted Details

• Comprehensive coverage with 18 specialized agents addressing 80+ attack classes, including OWASP Top 10 (Web, Mobile, LLM, CI/CD, Agentic AI), PII compliance, and configuration misconfigurations.
• Advanced vulnerability verification through LLM-driven taint analysis for critical findings and active secrets verification by probing provider APIs (e.g., GitHub, Stripe, OpenAI).
• Integrated compliance mapping to SOC 2, ISO 27001, and NIST AI RMF, alongside OWASP 2025 scoring with EPSS exploit probability for risk prioritization.
• Robust CI/CD integration supporting GitHub PR comments, SARIF output, threshold gating, and baseline management for incremental scanning.
• Proactive supply chain hardening measures, including SHA-pinned GitHub Actions, OIDC trusted publishing, and disabled postinstall scripts in CI.

Maintenance & Community

No specific details regarding maintainers, sponsorships, or community channels (like Discord/Slack) were found in the provided README.

Licensing & Compatibility

The project is released under the MIT License, permitting broad use, sharing, and modification, including for commercial purposes.

Limitations & Caveats

The README does not explicitly detail alpha status or known bugs. However, the LLM-powered deep analysis feature is optional and may incur costs if not using local models or if API budgets are exceeded. The effectiveness of AI-driven analysis can vary, and some specialized agents target emerging or niche security concerns.