ship-safe-ci
// Run Ship Safe in CI mode — compact output, exit codes, SARIF generation. Use when the user wants to set up CI/CD security gates or test their pipeline configuration.
| name | ship-safe-ci |
| description | Run Ship Safe in CI mode — compact output, exit codes, SARIF generation. Use when the user wants to set up CI/CD security gates or test their pipeline configuration. |
| argument-hint | [path] [--threshold <score>] [--fail-on <severity>] [--sarif <file>] |
You are helping the user set up Ship Safe as a security gate in their CI/CD pipeline.
```bash
npx ship-safe@latest ci $ARGUMENTS 2>/dev/null
```
Default: pass/fail based on score >= 75.
- `--threshold 60` — custom passing score
- `--fail-on critical` — only fail on critical findings
- `--fail-on high` — fail on critical or high
- `--sarif results.sarif` — SARIF output for GitHub Code Scanning
- `--baseline` — only check new findings
- `--json` — JSON output for custom integrations
- `--no-deps` — skip dependency audit

The command outputs a compact one-line summary:

```
[ship-safe] Score: 82/100 (B) | Findings: 12 (0C 3H 9M) | CVEs: 2 | 4.2s
[ship-safe] PASS
```

Or on failure:

```
[ship-safe] Score: 58/100 (C) | Findings: 25 (3C 8H 14M) | CVEs: 5 | 6.1s
[ship-safe] FAIL: Score 58 < threshold 75
```
Exit code 0 = pass, exit code 1 = fail.
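The summary line and the gating rules above are all a custom integration needs; as an added example (not ship-safe's own code), this parses the one-line summary and reproduces the documented pass/fail decision. It assumes the line format shown above is stable and that `--fail-on` replaces the score threshold rather than combining with it; the sample lines are constructed copies of the documented output.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample lines, shaped like the documented CI summary output.
SAMPLE_PASS = "[ship-safe] Score: 82/100 (B) | Findings: 12 (0C 3H 9M) | CVEs: 2 | 4.2s"
SAMPLE_FAIL = "[ship-safe] Score: 58/100 (C) | Findings: 25 (3C 8H 14M) | CVEs: 5 | 6.1s"

# Assumed format: score/100, letter grade, total findings with C/H/M counts, CVE count, seconds.
SUMMARY_RE = re.compile(
    r"^\[ship-safe\] Score: (?P<score>\d+)/100 \((?P<grade>[A-F])\) \| "
    r"Findings: (?P<total>\d+) \((?P<crit>\d+)C (?P<high>\d+)H (?P<med>\d+)M\) \| "
    r"CVEs: (?P<cves>\d+) \| (?P<secs>[\d.]+)s$"
)


@dataclass(frozen=True)
class Summary:
    score: int
    grade: str
    findings: int
    critical: int
    high: int
    medium: int
    cves: int
    seconds: float


def parse_summary(line: str) -> Summary:
    """Parse one summary line; raise ValueError if the shape is not what we expect."""
    m = SUMMARY_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a ship-safe summary line: {line!r}")
    g = m.groupdict()
    return Summary(int(g["score"]), g["grade"], int(g["total"]), int(g["crit"]),
                   int(g["high"]), int(g["med"]), int(g["cves"]), float(g["secs"]))


def gate(s: Summary, threshold: int = 75, fail_on: Optional[str] = None) -> Tuple[int, str]:
    """Return (exit_code, message): 0 = pass, 1 = fail, mirroring the documented rules.
    Default: fail when score < threshold. --fail-on critical: fail only on critical
    findings. --fail-on high: fail on critical or high (assumption: threshold is ignored)."""
    if fail_on == "critical":
        failed, reason = s.critical > 0, f"{s.critical} critical finding(s)"
    elif fail_on == "high":
        failed, reason = (s.critical + s.high) > 0, f"{s.critical}C {s.high}H finding(s)"
    elif fail_on is None:
        failed, reason = s.score < threshold, f"Score {s.score} < threshold {threshold}"
    else:
        raise ValueError(f"unsupported --fail-on value: {fail_on!r}")
    return (1, f"FAIL: {reason}") if failed else (0, "PASS")
```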
Based on the user's CI platform, offer to create or update their workflow file:
GitHub Actions (job steps):

```yaml
- name: Security Scan
  run: npx ship-safe@latest ci . --threshold 75 --sarif results.sarif
- name: Upload SARIF
  if: always()
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: results.sarif
```
GitLab CI:

```yaml
security-scan:
  script:
    - npx ship-safe@latest ci . --threshold 75 --json > security-report.json
  artifacts:
    reports:
      sast: security-report.json
```
Any other CI (plain shell step):

```bash
npx ship-safe@latest ci . --threshold 75 || exit 1
```
If there are many findings:

- `npx ship-safe baseline .` — accept the current findings as the baseline
- `--baseline` in CI to only catch new vulnerabilities
- `--fail-on critical` for a gradual rollout — start strict only for critical issues