npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

ship-safe

v9.3.2

Published

AI-powered multi-agent security platform. 23 agents scan 80+ attack classes including AI integration supply chain (Vercel-class attacks), Hermes Agent deployments (ASI-01–ASI-10), tool registry poisoning, function-call injection, skill permission drift, a

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

asamassekouasamassekou

Keywords

securitysecretsscannersastdevsecopsred-teampenetration-testingvulnerability-scannersbomowaspsql-injectionxssssrfsupply-chainllm-securityprompt-injectionapi-securitydocker-securitykubernetescicd-securitymobile-securityjwtcorscli

Readme

Type ship-safe and you're in. 23 agents scan your codebase for secrets, injections, AI/LLM vulnerabilities, supply chain attacks, and 80+ other classes. The agent shows a diff for every proposed fix, asks before writing, and verifies the fix worked. Every change is logged and reversible.

npx ship-safe

Quick Start

# Interactive REPL — scan, fix, ask questions in one session
npx ship-safe

# Full audit: secrets + 23 agents + deps + remediation plan
npx ship-safe audit .

# Interactive fix agent: plan → diff → accept → verify
npx ship-safe agent .
npx ship-safe agent . --severity critical   # critical findings only
npx ship-safe agent . --branch --pr         # fix on a branch + open a PR

# Undo the last fix
npx ship-safe undo

# CI/CD mode
npx ship-safe ci . --threshold 80 --sarif results.sarif

No signup. No API key required for scanning. Works offline.

23 Security Agents

All agents run in parallel. Each skips irrelevant projects automatically.

| Agent | Category | What It Detects | |-------|----------|-----------------| | InjectionTester | Code Vulns | SQL/NoSQL injection, command injection, XSS, path traversal, XXE, ReDoS, prototype pollution | | AuthBypassAgent | Auth | JWT flaws (alg:none, weak secrets), CSRF, OAuth misconfig, BOLA/IDOR, TLS bypass | | SSRFProber | SSRF | User input in fetch/axios, cloud metadata endpoints, internal IPs | | SupplyChainAudit | Supply Chain | Typosquatting, wildcard versions, suspicious install scripts, dependency confusion | | ConfigAuditor | Config | Docker (root user, :latest), Terraform, Kubernetes, CORS, CSP, Firebase, Nginx | | SupabaseRLSAgent | Auth | service_role key in client code, tables without RLS, anon key inserts | | LLMRedTeam | AI/LLM | OWASP LLM Top 10: prompt injection, excessive agency, system prompt leakage | | MCPSecurityAgent | AI/LLM | MCP server misuse, tool poisoning, typosquatting, unvalidated inputs | | AgenticSecurityAgent | AI/LLM | OWASP Agentic AI Top 10: agent hijacking, privilege escalation | | RAGSecurityAgent | AI/LLM | Context injection, document poisoning, vector DB access control | | MemoryPoisoningAgent | AI/LLM | Instruction injection in agent memory files, hidden Unicode payloads (ASI-01, ASI-05) | | PIIComplianceAgent | Compliance | SSNs, credit cards, emails, phone numbers in source code | | VibeCodingAgent | Code Vulns | AI-generated code anti-patterns: no validation, empty catches, TODO-auth | | ExceptionHandlerAgent | Code Vulns | Empty catches, unhandled rejections, leaked stack traces (OWASP A10:2025) | | AgentConfigScanner | AI/LLM | Prompt injection in .cursorrules, CLAUDE.md, malicious Claude Code hooks | | MobileScanner | Mobile | OWASP Mobile Top 10 2024: insecure storage, WebView injection, debug mode | | GitHistoryScanner | Secrets | Leaked secrets in git commit history | | CICDScanner | CI/CD | Pipeline poisoning, unpinned actions, secret logging (OWASP CI/CD Top 10) | | APIFuzzer | API | Routes without auth, mass assignment, GraphQL introspection, debug endpoints | | ManagedAgentScanner | AI/LLM | Claude Managed Agent misconfigs: always_allow policies, unrestricted networking (ASI-03–ASI-07) | | HermesSecurityAgent | AI/LLM | Tool registry poisoning, function-call injection, skill permission drift (ASI-01–ASI-10) | | AgentAttestationAgent | Supply Chain | Unpinned agent versions, missing integrity hashes, unsigned manifests (ASI-10, SLSA L0) | | AgenticSupplyChainAgent | Supply Chain | Over-privileged AI CI actions, OAuth scope creep, unsigned AI webhook receivers (ASI-02, ASI-06) |

Post-processors: ScoringEngine · VerifierAgent (secrets liveness) · DeepAnalyzer (LLM taint analysis)

The REPL

$ ship-safe

  ███████╗██╗  ██╗██╗██████╗     ███████╗ █████╗ ███████╗███████╗
  ...

  v9.3.2  ·  DeepSeek  ·  ~/my-project

  /scan to find issues  ·  /agent to fix them  ·  /help for more

shipsafe ›

| Command | What it does | |---------|-------------| | /scan | Re-scan the project | | /agent | Run the interactive fix loop | | /findings | List findings from the last scan | | /show <n> | Full detail on finding n | | /plan <n> | Preview fix plan for finding n (no writes) | | /undo [--all] | Revert the last fix (or all fixes) | | /share | Publish scan report as a public URL (7 days) | | /diff | Show git working-tree diff | | /provider <name> | Switch LLM provider mid-session | | /quit | Exit (also Ctrl-D or Ctrl-C) |

Anything not starting with / is sent to the LLM as a free-form question, with your latest scan results as context.

CI/CD

# .github/workflows/security.yml
name: Security Audit
on: [push, pull_request]
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Security gate
        run: npx ship-safe ci . --threshold 75 --sarif results.sarif
      - uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: results.sarif

LLM Support

Works with any provider — auto-detected from environment variables. Use --provider <name> to override.

Anthropic · OpenAI · Google · DeepSeek · Groq · Together · Mistral · xAI · Perplexity · Ollama · LM Studio · any OpenAI-compatible endpoint

No API key required for scanning. AI is optional.

Suppress False Positives

password = get_password()  # ship-safe-ignore
# .ship-safeignore
tests/fixtures/
docs/

Add a Badge

[![Ship Safe](https://img.shields.io/badge/Ship_Safe-A+-22c55e)](https://shipsafecli.com)

Contributing

  1. Fork · add your pattern, agent, or config · open a PR
  2. See CONTRIBUTING.md

Sponsors

Ship Safe is MIT-licensed and free forever.

Star History

Star History Chart

Ship fast. Ship safe.shipsafecli.com