ship-safe-score
// Get your project's security health score (0-100, A-F grade). Use when the user wants a quick security check or asks "is my code safe to ship?"
Install ship-safe as real-time Claude Code hooks — blocks secrets and dangerous commands before they land on disk. Use when the user wants automatic security scanning on every file write or bash command.
Manage your security baseline — accept current findings as known debt, then only report new regressions on future scans. Use when the user wants to adopt security scanning incrementally or suppress existing findings.
Run Ship Safe in CI mode — compact output, exit codes, SARIF generation. Use when the user wants to set up CI/CD security gates or test their pipeline configuration.
Run a deep security audit with LLM-powered taint analysis — regex scan nominates findings, then an LLM verifies taint reachability and exploitability. Use when the user wants thorough, high-confidence results with fewer false positives.
Auto-fix security issues — remediate hardcoded secrets and common vulnerabilities (TLS bypass, debug mode, XSS, shell injection, Docker :latest). Use when the user wants to automatically fix security findings.
Run a multi-agent red team scan — 16 specialized security agents scan for 80+ attack classes including injection, auth bypass, SSRF, supply chain, Supabase RLS, MCP security, agentic AI, RAG poisoning, PII compliance, and more. Use when the user wants a deep security analysis beyond just secrets.
| name | ship-safe-score |
| description | Get your project's security health score (0-100, A-F grade). Use when the user wants a quick security check or asks "is my code safe to ship?" |
| argument-hint | [path] [--no-deps] |
You are checking this project's security health score.
```bash
npx ship-safe@latest score $ARGUMENTS 2>&1
```

If `$ARGUMENTS` is empty, default to `.`:

```bash
npx ship-safe@latest score . 2>&1
```
If the user mentions skipping dependencies, add --no-deps.
The command prints styled terminal text, not JSON. Strip any ANSI escape codes, then pattern-match the plain text for the score, grade, and category breakdown. If no score line is present (for example because npx failed to install or run the tool), report that error rather than a guessed score.
Extract and present the score, grade, and category breakdown.
Based on the score:
- A or B (75+): Congratulate the user. Suggest running `npx ship-safe guard` to install a pre-push git hook that maintains the score. Mention they can run `/ship-safe` for a detailed breakdown anytime.
- C (60-74): Recommend running `/ship-safe` for a full audit to see exactly what needs fixing. Mention the most likely problem areas based on the category breakdown.
- D or F (below 60): Strongly recommend running `/ship-safe` immediately. Offer to start the full audit right now. Emphasize that critical findings should be fixed before any deployment.

For any score, mention `/ship-safe-baseline` to track progress over time and `/ship-safe-fix` for automated remediation.
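The parsing step described above, as an added Node.js example that is not ship-safe's own code: it strips ANSI escape sequences from the styled output, pulls out the score, grade and per-category lines, returns `null` instead of a guessed score when no report is present (for example when npx printed an install error), and maps the score onto the A/B, C and D/F bands used in these instructions. The sample output and the `Score: N/100 (G)` and indented `Name: points/max` layout are constructed assumptions, since ship-safe's real labels may differ; adjust the regexes against a live run.

```javascript
// Added example, not ship-safe's own code. Parses the styled terminal output of
// `npx ship-safe@latest score` into structured fields and maps the score onto
// this skill's grade bands. The sample text and the "Score: N/100 (G)" and
// "  <category>: n/max" layout are CONSTRUCTED assumptions; check them against
// a live run and adjust the regexes.

// Remove ANSI CSI sequences (colours, bold, cursor moves): ESC '[' followed by
// parameter bytes (0x30-0x3F), intermediate bytes (0x20-0x2F), final byte (0x40-0x7E).
function stripAnsi(text) {
  // eslint-disable-next-line no-control-regex
  return text.replace(/\x1b\[[0-?]*[ -/]*[@-~]/g, '');
}

// Score bands as stated in the skill instructions.
function bandFor(score) {
  if (!Number.isInteger(score) || score < 0 || score > 100) {
    throw new RangeError(`score out of range: ${score}`);
  }
  if (score >= 75) return 'A/B';
  if (score >= 60) return 'C';
  return 'D/F';
}

// Parse plain text into { score, grade, band, categories }. Returns null when
// no score line is present, so a caller never reports a guessed number when
// npx emitted an install or network error instead of a report.
function parseScoreOutput(raw) {
  const text = stripAnsi(raw);
  const head = text.match(/Score:\s*(\d{1,3})\s*\/\s*100\s*\(([A-F])\)/i);
  if (!head) return null;
  const score = Number(head[1]);
  const grade = head[2].toUpperCase();
  const categories = {};
  // Indented "Name: points/max" lines (assumed layout).
  for (const m of text.matchAll(/^[ \t]{2,}([A-Za-z][\w &-]*?):\s*(\d+)\s*\/\s*(\d+)[ \t]*$/gm)) {
    categories[m[1].trim()] = { points: Number(m[2]), max: Number(m[3]) };
  }
  return { score, grade, band: bandFor(score), categories };
}

// Constructed sample with bold/coloured spans, as a styled CLI would emit.
const SAMPLE_OUTPUT = [
  '\x1b[1mShip Safe security health\x1b[0m',
  'Score: \x1b[32m82\x1b[0m/100 (\x1b[32mB\x1b[0m)',
  '',
  '  Secrets: 30/30',
  '  Dependencies: 22/30',
  '  Config: 30/40',
].join('\n');

// Constructed failure case: coloured npm error text, no report at all.
const SAMPLE_ERROR = '\x1b[31mnpm ERR!\x1b[0m network timeout\n';

console.log(JSON.stringify(parseScoreOutput(SAMPLE_OUTPUT), null, 2));
console.log(parseScoreOutput(SAMPLE_ERROR)); // null
```

Stripping the escape codes first matters because colour codes can sit between the digits and the `/100`, as in the constructed sample, which defeats a regex run on the raw bytes; returning `null` on a missing score line is what lets the agent distinguish "tool failed to run" from "score is 0".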