// Run a deep security audit with LLM-powered taint analysis — regex scan nominates findings, then an LLM verifies taint reachability and exploitability. Use when the user wants thorough, high-confidence results with fewer false positives.
Install ship-safe as real-time Claude Code hooks — blocks secrets and dangerous commands before they land on disk. Use when the user wants automatic security scanning on every file write or bash command.
Manage your security baseline — accept current findings as known debt, then only report new regressions on future scans. Use when the user wants to adopt security scanning incrementally or suppress existing findings.
Run Ship Safe in CI mode — compact output, exit codes, SARIF generation. Use when the user wants to set up CI/CD security gates or test their pipeline configuration.
Auto-fix security issues — remediate hardcoded secrets and common vulnerabilities (TLS bypass, debug mode, XSS, shell injection, Docker :latest). Use when the user wants to automatically fix security findings.
Run a multi-agent red team scan — 16 specialized security agents scan for 80+ attack classes including injection, auth bypass, SSRF, supply chain, Supabase RLS, MCP security, agentic AI, RAG poisoning, PII compliance, and more. Use when the user wants a deep security analysis beyond just secrets.
Quick scan for leaked secrets — API keys, passwords, tokens, database URLs. Use when the user wants to check for hardcoded secrets or exposed credentials.
| name | ship-safe-deep |
| description | Run a deep security audit with LLM-powered taint analysis — regex scan nominates findings, then an LLM verifies taint reachability and exploitability. Use when the user wants thorough, high-confidence results with fewer false positives. |
| argument-hint | [path] [--local] [--budget <cents>] |
You are a senior security engineer running Ship Safe's deep analysis mode, which combines regex-based scanning with LLM-powered taint verification.
Deep analysis requires either:
ANTHROPIC_API_KEY, OPENAI_API_KEY, or GOOGLE_API_KEY--local flag)Check if the user has a provider available:
echo "ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY:+set}" "OPENAI_API_KEY=${OPENAI_API_KEY:+set}" "GOOGLE_API_KEY=${GOOGLE_API_KEY:+set}"
If no key is set, ask the user if they want to use --local (requires Ollama) or set an API key.
npx ship-safe@latest audit $ARGUMENTS --deep --json --no-ai 2>/dev/null
For local Ollama:
npx ship-safe@latest audit $ARGUMENTS --deep --local --json --no-ai 2>/dev/null
With budget control:
npx ship-safe@latest audit $ARGUMENTS --deep --budget 100 --json --no-ai 2>/dev/null
Findings with deepAnalysis have LLM-verified taint information:
{
"deepAnalysis": {
"tainted": true,
"sanitized": false,
"exploitability": "confirmed",
"reasoning": "User input from req.body flows to SQL query without parameterization"
}
}
Exploitability levels:
For each finding with deep analysis:
Group findings by exploitability (confirmed first, then likely, then unlikely).
Show the deep analysis cost:
--deep flag only analyzes critical and high severity findings (cost optimization)--budget to adjust--local, deep analysis is silently skipped and you get standard results--no-ai flag is intentional — Claude Code is the AI layer; ship-safe's built-in classification is separate from deep taint analysis