// Manage your security baseline — accept current findings as known debt, then only report new regressions on future scans. Use when the user wants to adopt security scanning incrementally or suppress existing findings.
Install ship-safe as real-time Claude Code hooks — blocks secrets and dangerous commands before they land on disk. Use when the user wants automatic security scanning on every file write or bash command.
Run Ship Safe in CI mode — compact output, exit codes, SARIF generation. Use when the user wants to set up CI/CD security gates or test their pipeline configuration.
Run a deep security audit with LLM-powered taint analysis — regex scan nominates findings, then an LLM verifies taint reachability and exploitability. Use when the user wants thorough, high-confidence results with fewer false positives.
Auto-fix security issues — remediate hardcoded secrets and common vulnerabilities (TLS bypass, debug mode, XSS, shell injection, Docker :latest). Use when the user wants to automatically fix security findings.
Run a multi-agent red team scan — 16 specialized security agents scan for 80+ attack classes including injection, auth bypass, SSRF, supply chain, Supabase RLS, MCP security, agentic AI, RAG poisoning, PII compliance, and more. Use when the user wants a deep security analysis beyond just secrets.
Quick scan for leaked secrets — API keys, passwords, tokens, database URLs. Use when the user wants to check for hardcoded secrets or exposed credentials.
| name | ship-safe-baseline |
| description | Manage your security baseline — accept current findings as known debt, then only report new regressions on future scans. Use when the user wants to adopt security scanning incrementally or suppress existing findings. |
| argument-hint | [path] [--diff] [--clear] |
You are helping the user manage their security baseline. A baseline lets teams "accept" current findings as known technical debt and only see new regressions on future scans.
--diff → Show what changed since the baseline was created--clear → Remove the baselinenpx ship-safe@latest baseline $ARGUMENTS 2>&1
If $ARGUMENTS is empty, default to .:
npx ship-safe@latest baseline . 2>&1
For diff mode:
npx ship-safe@latest baseline . --diff 2>&1
For clearing:
npx ship-safe@latest baseline --clear 2>&1
.ship-safe/baseline.json was creatednpx ship-safe audit . --baseline (or /ship-safe --baseline) to only see new findings.ship-safe/baseline.json to version control so the whole team shares the same baselineConfirm the baseline was removed. Future scans will show all findings again.
After creating a baseline, suggest this workflow:
npx ship-safe audit . --baseline --json to fail builds only on new findings/ship-safe-baseline --diff to track progress on reducing technical debt/ship-safe-baseline . to update the baselinerule:path:snippet), not line numbers — so the baseline survives code reformatting and line shifts