asamassekou10 / ship-safe
AI-powered security scanner for developers — 17 agents, 80+ attack classes, one command
AI Architecture Analysis
This repository is indexed by RepoMind. By analyzing asamassekou10/ship-safe in our AI interface, you can instantly generate complete architecture diagrams, visualize control flows, and perform automated security audits across the entire codebase.
Our Agentic Context Augmented Generation (Agentic CAG) engine loads full source files into context on-demand, avoiding the fragmentation of traditional RAG systems. Ask questions about the architecture, dependencies, or specific features to see it in action.
Repository Overview (README excerpt)
AI-powered application security platform for developers. shipsafecli.com

---

17 security agents. 80+ attack classes. One command.

**Ship Safe v6.0** is an AI-powered security platform that runs 17 specialized agents in parallel against your codebase — scanning for secrets, injection vulnerabilities, auth bypass, SSRF, supply chain attacks, Supabase RLS misconfigs, Docker/Terraform/Kubernetes misconfigs, CI/CD pipeline poisoning, LLM/agentic AI security, MCP server misuse, RAG poisoning, PII compliance, vibe coding patterns, exception handling, and more. OWASP 2025 scoring with EPSS exploit probability. LLM-powered deep analysis verifies exploitability of critical findings. Secrets verification probes provider APIs to check if leaked keys are still active. CI integration with GitHub PR comments, threshold gating, and SARIF output.

---

Quick Start

---

The Command

One command that runs everything and generates a full report:

**What it runs:**

• **Secret scan** — 50+ patterns with entropy scoring (API keys, passwords, tokens)
• **17 security agents** — run in parallel with per-agent timeouts and framework-aware filtering (injection, auth, SSRF, supply chain, config, Supabase RLS, LLM, MCP, agentic AI, RAG, PII, vibe coding, exception handling, mobile, git history, CI/CD, API)
• **Dependency audit** — npm/pip/bundler CVE scanning with EPSS exploit probability scores
• **Secrets verification** — probes provider APIs (GitHub, Stripe, OpenAI, etc.) to check if leaked keys are still active
• **Deep analysis** — LLM-powered taint analysis verifies exploitability of critical/high findings (optional)
• **Score computation** — OWASP 2025 weighted scoring across 8 categories (0-100, A-F)
• **Context-aware confidence tuning** — downgrades findings in test files, docs, and comments
• **Remediation plan** — prioritized fix list grouped by severity
• **Interactive HTML report** — standalone dark-themed report with severity filtering, search, collapsible findings, and click-to-copy ignore annotations

**Flags:**

• — structured JSON output (clean for piping)
• — SARIF format for GitHub Code Scanning
• — CSV export for spreadsheets
• — Markdown report
• — custom HTML report path (default: )
• — show per-category score delta vs. last scan
• — per-agent timeout (default: 30s)
• — skip dependency audit
• — skip AI classification
• — force full rescan (ignore cached results)
• — only show findings not in the baseline
• — generate PDF report (requires Chrome/Chromium)
• — LLM-powered taint analysis for critical/high findings
• — use local Ollama model for deep analysis
• — LLM model to use for deep/AI analysis
• — max spend in cents for deep analysis (default: 50)
• — check if leaked secrets are still active (probes provider APIs)

---

17 Security Agents

| Agent | Category | What It Detects |
|-------|----------|-----------------|
| **InjectionTester** | Code Vulns | SQL/NoSQL injection, command injection, code injection (eval), XSS, path traversal, XXE, ReDoS, prototype pollution, Python f-string SQL injection, Python subprocess shell injection |
| **AuthBypassAgent** | Auth | JWT vulnerabilities (alg:none, weak secrets), cookie security, CSRF, OAuth misconfig, BOLA/IDOR, weak crypto, timing attacks, TLS bypass, Django , Flask hardcoded secret keys |
| **SSRFProber** | SSRF | User input in fetch/axios, cloud metadata endpoints, internal IPs, redirect following |
| **SupplyChainAudit** | Supply Chain | Typosquatting (Levenshtein distance), git/URL dependencies, wildcard versions, suspicious install scripts, dependency confusion, lockfile integrity |
| **ConfigAuditor** | Config | Dockerfile (running as root, :latest tags), Terraform (public S3/RDS, open SG, CloudFront HTTP, Lambda admin, S3 no versioning), Kubernetes (privileged containers, tags, missing NetworkPolicy), CORS, CSP, Firebase, Nginx |
| **SupabaseRLSAgent** | Auth | Supabase Row Level Security — key in client code, without RLS, anon key inserts, unprotected storage operations |
| **LLMRedTeam** | AI/LLM | OWASP LLM Top 10 — prompt injection, excessive agency, system prompt leakage, unbounded consumption, RAG poisoning |
| **MCPSecurityAgent** | AI/LLM | MCP server security — unvalidated tool inputs, missing auth, excessive permissions, tool poisoning, typosquatting detection, over-permissioned tools, shadow config discovery |
| **AgenticSecurityAgent** | AI/LLM | OWASP Agentic AI Top 10 — agent hijacking, privilege escalation, unsafe code execution, memory poisoning |
| **RAGSecurityAgent** | AI/LLM | RAG pipeline security — unvalidated embeddings, context injection, document poisoning, vector DB access control |
| **PIIComplianceAgent** | Compliance | PII detection — SSNs, credit cards, emails, phone numbers in source code, logs, and configs |
| **VibeCodingAgent** | Code Vulns | AI-generated code patterns — no input validation, empty catch blocks, hardcoded secrets, disabled security features, TODO-auth patterns |
| **ExceptionHandlerAgent** | Code Vulns | OWASP A10:2025 — empty catch blocks, unhandled promise rejections, missing React error boundaries, leaked stack traces, generic catch-all without rethrow |
| **MobileScanner** | Mobile | OWASP Mobile Top 10 2024 — insecure storage, WebView JS injection, HTTP endpoints, excessive permissions, debug mode |
| **GitHistoryScanner** | Secrets | Leaked secrets in git commit history (checks if still active in working tree) |
| **CICDScanner** | CI/CD | OWASP CI/CD Top 10 — pipeline poisoning, unpinned actions, secret logging, self-hosted runners, script injection |
| **APIFuzzer** | API | Routes without auth, missing input validation, mass assignment, unrestricted file upload, GraphQL introspection, debug endpoints, missing rate limiting, OpenAPI spec security issues |
| **ReconAgent** | Recon | Attack surface discovery — frameworks, languages, auth patterns, databases, cloud providers, IaC, CI/CD pipelines |

**Post-processors:** ScoringEngine (8-category weighted scoring), VerifierAgent (…