© 2026 – Pkg Stats / Ryan Hefner

shipguard-codex-skill

v0.1.1

Published

Codex skill and CI scanner for practical launch-readiness security audits.

Downloads

325

Readme

ShipGuard


ShipGuard is a Codex skill plus a dependency-free CI scanner for practical security launch reviews. It is built for codebases, SaaS apps, APIs, mobile backends, GitHub Actions workflows, and MVPs that need a clear go/no-go security pass before release.

Published package:

What It Does

ShipGuard helps Codex run a security review with a concrete workflow instead of a generic checklist. It focuses on:

  • exposed secrets and unsafe env files;
  • auth, authorization, and tenant/data isolation mistakes;
  • injection, unsafe uploads, SSRF, XSS, and dangerous code execution;
  • payment, webhook, and entitlement trust boundaries;
  • GitHub Actions, npm, and dependency supply-chain risk;
  • deployment config, logs, privacy leaks, CORS, CSRF, and security headers.

The bundled scanner is deterministic and dependency-free. It is a first-pass gate for common issues; Codex still performs the manual review and fix plan.

Install In Codex

Install the published npm package:

npx --yes shipguard-codex-skill@0.1.1 install

Or install from the pinned GitHub release tag:

npx --yes github:Elgabor/shipguard-codex-skill#v0.1.1 install

For local development from this checkout:

node bin/shipguard.js install

The installer copies the skill to:

  • the detected Codex skill root, usually ~/.codex/skills or ~/.agents/skills

Open a new Codex chat if skill autocomplete does not refresh immediately.

Use the skill in Codex:

Use $shipguard-codex-skill to audit this repo before launch.

To force a specific target:

npx --yes shipguard-codex-skill@0.1.1 install --target codex-home
npx --yes shipguard-codex-skill@0.1.1 install --target agents-home
npx --yes shipguard-codex-skill@0.1.1 install --target-root /custom/skills

The installer replaces only a managed <target-root>/shipguard-codex-skill directory. If that directory already exists and was not created by ShipGuard, rerun with --force only after checking its contents.

Verify It Works

From any repository you want to scan:

npx --yes shipguard-codex-skill@0.1.1 --help
npx --yes shipguard-codex-skill@0.1.1 scan --path . --format json
npx --yes shipguard-codex-skill@0.1.1 ci --path . --fail-on high

Expected clean output for a repo with no built-in findings:

{
  "findings": []
}

or:

ShipGuard: no findings from built-in checks.

If you test npx from inside this package's own checkout, npm may prefer local package resolution. For a clean smoke test, run the commands from another directory or a temporary folder.

Use With Codex

Use $shipguard-codex-skill to audit this repo before launch.
Check secrets, auth, authorization, tenant isolation, input validation, uploads,
webhooks, payments, CORS, headers, logging, dependencies, GitHub Actions, and
deployment config. Give me confirmed findings and the fastest safe fix plan.

For fixes:

Use $shipguard-codex-skill and implement the Critical and High fixes only.
Verify with the smallest meaningful tests.

ShipGuard asks Codex to return a structured result:

Security decision: Pass / Pass after fixes / Do not launch yet
Risk level: Low / Medium / High / Critical

Confirmed findings
- Evidence
- Impact
- Fix
- Verify

Needs verification
Fastest safe fix plan
Verification

Run The Scanner

npx --yes shipguard-codex-skill@0.1.1 scan --path .
npx --yes shipguard-codex-skill@0.1.1 scan --path . --format json
npx --yes shipguard-codex-skill@0.1.1 scan --path . --format sarif > shipguard.sarif
npx --yes shipguard-codex-skill@0.1.1 ci --path . --fail-on high

The built-in scanner is a first pass. It finds common exposed secret patterns, client-exposed env names, dangerous code sinks, risky GitHub Actions patterns, and obvious config hazards. It does not replace manual review of authorization, tenant isolation, webhook trust, payment entitlements, or runtime behavior.
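The `--format sarif` option above is what lets a CI system upload findings to GitHub code scanning. The following is an added example, not ShipGuard's own code, of the minimal SARIF 2.1.0 structure such an export needs; the finding objects, rule ids and the severity-to-SARIF-level mapping are this example's own assumptions, not the package's actual output format.

```javascript
// Added example (not ShipGuard's own code): turn a findings array into a
// minimal SARIF 2.1.0 log, the format `scan --format sarif` targets so that
// GitHub code scanning and other SARIF viewers can ingest it. The findings
// below are constructed sample input and the severity-to-level mapping is this
// example's own choice, not ShipGuard's.

// SARIF only knows error / warning / note, so two severities collapse to error.
const SARIF_LEVEL = { critical: "error", high: "error", medium: "warning", low: "note" };

function toSarif(findings, tool = { name: "ShipGuard", version: "0.1.1" }) {
  // One reportingDescriptor per distinct rule id so viewers can group results.
  const rules = [];
  const ruleIndex = new Map();
  for (const f of findings) {
    if (!ruleIndex.has(f.ruleId)) {
      ruleIndex.set(f.ruleId, rules.length);
      rules.push({ id: f.ruleId, shortDescription: { text: f.message } });
    }
  }
  // The message is the rule text, never the matched value, so the SARIF file
  // uploaded to a code-scanning service does not itself leak a secret.
  const results = findings.map((f) => ({
    ruleId: f.ruleId,
    ruleIndex: ruleIndex.get(f.ruleId),
    level: SARIF_LEVEL[f.severity] || "warning",
    message: { text: f.message },
    locations: [{
      physicalLocation: {
        artifactLocation: { uri: f.path, uriBaseId: "%SRCROOT%" },
        region: { startLine: f.line },
      },
    }],
  }));
  return {
    $schema: "https://json.schemastore.org/sarif-2.1.0.json",
    version: "2.1.0",
    runs: [{ tool: { driver: { name: tool.name, version: tool.version, rules } }, results }],
  };
}

// Constructed sample findings in the shape this example assumes for a finding
// (rule id, severity, repo-relative path, 1-based line, rule message).
const SAMPLE_FINDINGS = [
  { ruleId: "env-client-exposed-secret", severity: "high", path: ".env", line: 2,
    message: "Secret-like variable uses a client-exposed prefix" },
  { ruleId: "env-client-exposed-secret", severity: "high", path: ".env.production", line: 5,
    message: "Secret-like variable uses a client-exposed prefix" },
  { ruleId: "actions-unpinned-ref", severity: "medium", path: ".github/workflows/ci.yml", line: 4,
    message: "Action reference is not pinned to a commit SHA" },
];

console.log(JSON.stringify(toSarif(SAMPLE_FINDINGS), null, 2));
```

Two details matter when a scanner's SARIF is consumed by a code-scanning service: every `ruleId` should appear once in `tool.driver.rules` so results group correctly, and the `message` must carry the rule description rather than the matched line, otherwise the exported report becomes a second copy of the secret.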

GitHub Actions

Create .github/workflows/shipguard.yml:

name: ShipGuard

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read

jobs:
  security-gate:
    runs-on: ubuntu-24.04
    steps:
      # actions/checkout v5
      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd
        with:
          persist-credentials: false
      # actions/setup-node v5
      - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444
        with:
          node-version: "22"
      - name: Run ShipGuard
        run: npx --yes shipguard-codex-skill@0.1.1 ci --fail-on high

For AI-assisted pull request review with the official Codex GitHub Action, use the optional pattern in skills/shipguard-codex-skill/references/codex-action-ci.md. That requires an OPENAI_API_KEY GitHub secret and tighter workflow permissions.

Thresholds:

  • --fail-on critical: only fail on launch-blocking leaks or takeover paths.
  • --fail-on high: recommended default for pull requests.
  • --fail-on medium: stricter mature-project gate.
  • --fail-on none: report only.
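To make concrete what "deterministic and dependency-free first pass" plus a `--fail-on` threshold mean in practice, here is an added example that is not ShipGuard's own code: a small line-level scanner over an in-memory repository covering the finding classes the "Run The Scanner" section lists (exposed secret patterns, client-exposed env names, dangerous code sinks, unpinned GitHub Actions references), followed by a gate that applies the four threshold values above. The rule ids, regexes, severities and the sample repository are constructed for illustration; ShipGuard's real rules and output are not reproduced here.

```javascript
// Added example (not ShipGuard's own code): a deterministic, dependency-free
// scan in the spirit of the built-in scanner, plus a --fail-on style gate.
// Rule ids, severities, regexes and the sample repository are constructed
// for illustration and do not reproduce ShipGuard's actual rules or output.

const SEVERITY_RANK = { none: 0, low: 1, medium: 2, high: 3, critical: 4 };

// Each rule names the files it applies to and a line-level matcher.
const RULES = [
  {
    id: "secret-aws-access-key-id",
    severity: "critical",
    appliesTo: () => true,
    pattern: /\bAKIA[0-9A-Z]{16}\b/,
    message: "Possible AWS access key ID committed to the repository",
  },
  {
    id: "secret-private-key-block",
    severity: "critical",
    appliesTo: () => true,
    pattern: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/,
    message: "Private key material committed to the repository",
  },
  {
    id: "env-client-exposed-secret",
    severity: "high",
    appliesTo: (path) => /(^|\/)\.env(\.|$)/.test(path),
    // Build-time prefixes that bundlers inline into browser JavaScript,
    // combined with a secret-looking variable name.
    pattern: /^(?:NEXT_PUBLIC_|VITE_|REACT_APP_)\w*(?:SECRET|PRIVATE|TOKEN|PASSWORD)\w*=/i,
    message: "Secret-like variable uses a client-exposed prefix and will ship to the browser",
  },
  {
    id: "sink-dynamic-code-execution",
    severity: "high",
    appliesTo: (path) => /\.(?:[cm]?js|tsx?)$/.test(path),
    pattern: /\b(?:eval|new Function)\s*\(/,
    message: "Dynamic code execution sink",
  },
  {
    id: "actions-unpinned-ref",
    severity: "medium",
    appliesTo: (path) => /^\.github\/workflows\/.*\.ya?ml$/.test(path),
    // A `uses:` reference not pinned to a full 40-hex commit SHA; tags can move.
    pattern: /^\s*-?\s*uses:\s*[\w.-]+\/[\w./-]+@(?![0-9a-f]{40}\b)\S+/,
    message: "Action reference is not pinned to a commit SHA",
  },
];

// Scan an in-memory map of { path: content }. Findings record the rule and
// location only, never the matched text, so the report cannot leak a secret.
function scanFiles(files) {
  const findings = [];
  for (const [path, content] of Object.entries(files)) {
    const lines = content.split("\n");
    for (const rule of RULES) {
      if (!rule.appliesTo(path)) continue;
      lines.forEach((line, i) => {
        if (rule.pattern.test(line)) {
          findings.push({ ruleId: rule.id, severity: rule.severity, path, line: i + 1, message: rule.message });
        }
      });
    }
  }
  return findings;
}

// Gate with the README's --fail-on semantics: fail when any finding is at or
// above the threshold; "none" reports without failing.
function gate(findings, failOn) {
  if (!Object.prototype.hasOwnProperty.call(SEVERITY_RANK, failOn)) {
    throw new Error(`unknown --fail-on value: ${failOn}`);
  }
  const blocking = failOn === "none"
    ? []
    : findings.filter((f) => SEVERITY_RANK[f.severity] >= SEVERITY_RANK[failOn]);
  return { exitCode: blocking.length > 0 ? 1 : 0, blocking };
}

// Constructed sample repository: one finding of each kind the README lists,
// plus a clean file. The pinned SHA below is a made-up placeholder.
const SAMPLE_REPO = {
  ".env": "DATABASE_URL=postgres://localhost/app\nNEXT_PUBLIC_STRIPE_SECRET_KEY=placeholder\n",
  "src/render.js": "export function render(src, ctx) {\n  return new Function('ctx', src)(ctx);\n}\n",
  ".github/workflows/ci.yml":
    "jobs:\n  build:\n    steps:\n      - uses: actions/checkout@v4\n" +
    "      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567\n",
  "README.md": "Nothing sensitive here.\n",
};

const report = scanFiles(SAMPLE_REPO);
console.log(JSON.stringify({ findings: report }, null, 2)); // same outer shape as `scan --format json`
console.log("exit code with --fail-on high:", gate(report, "high").exitCode); // 1
```

Running the sample repository through this scanner yields three findings (one high from `.env`, one high from `src/render.js`, one medium from the workflow), so `--fail-on high` and `--fail-on medium` fail the gate while `--fail-on critical` and `--fail-on none` let it pass, which is the behaviour the threshold list above describes. The unpinned-action rule is the same concern the workflow example addresses by pinning `actions/checkout` and `actions/setup-node` to commit SHAs.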

Development

npm test
npm run validate
npm run ci
npm run pack:check
node bin/shipguard.js ci --fail-on high