Package Exports
- ship-safe
- ship-safe/cli/index.js
This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (ship-safe) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.
Readme
Ship Safe
Don't let vibe coding leak your API keys.
You're shipping fast. You're using AI to write code. You're one git push away from exposing your database credentials to the world.
Ship Safe is a security toolkit for indie hackers and vibe coders who want to secure their MVP in 5 minutes, not 5 days.
Quick Start
# Scan for leaked secrets (no install required!)
npx ship-safe scan .
# Auto-generate .env.example from found secrets
npx ship-safe fix
# Block git push if secrets are found
npx ship-safe guard
# Run the launch-day security checklist
npx ship-safe checklist
# Add security configs to your project
npx ship-safe initThat's it. Five commands to secure your MVP.
Let AI Do It For You
Copy this prompt to your AI coding assistant:
Run "npx ship-safe scan ." on my project and fix any secrets you find.
Then run "npx ship-safe init" to add security configs.
Explain what you're doing as you go.More AI prompts for specific frameworks
Why This Exists
Vibe coding is powerful. You can build a SaaS in a weekend. But speed creates blind spots:
- AI-generated code often hardcodes secrets
- Default configs ship with debug mode enabled
- "I'll fix it later" becomes "I got hacked"
This repo is your co-pilot for security. Copy, paste, ship safely.
CLI Commands
npx ship-safe scan [path]
Scans your codebase for leaked secrets: API keys, passwords, private keys, database URLs.
# Scan current directory
npx ship-safe scan .
# Scan a specific folder
npx ship-safe scan ./src
# Get JSON output (for CI pipelines)
npx ship-safe scan . --json
# Verbose mode (show files being scanned)
npx ship-safe scan . -vExit codes: Returns 1 if secrets found (useful for CI), 0 if clean.
Flags:
--json— structured JSON output for CI pipelines--sarif— SARIF format for GitHub Code Scanning--include-tests— also scan test/spec/fixture files (excluded by default)-v— verbose mode
Suppress false positives:
const apiKey = 'example-key'; // ship-safe-ignoreOr exclude paths with .ship-safeignore (gitignore syntax).
Custom patterns — create .ship-safe.json in your project root:
{
"patterns": [
{
"name": "My Internal API Key",
"pattern": "MYAPP_[A-Z0-9]{32}",
"severity": "high",
"description": "Internal key for myapp services."
}
]
}Detects 50+ secret patterns:
- AI/ML: OpenAI, Anthropic, Google AI, Cohere, Replicate, Hugging Face
- Auth: Clerk, Auth0, Supabase Auth
- Cloud: AWS, Google Cloud, Azure
- Database: Supabase, PlanetScale, Neon, MongoDB, PostgreSQL, MySQL
- Payment: Stripe, PayPal
- Messaging: Twilio, SendGrid, Resend
- And more: GitHub tokens, private keys, JWTs, generic secrets
npx ship-safe checklist
Interactive 10-point security checklist for launch day.
# Interactive mode (prompts for each item)
npx ship-safe checklist
# Print checklist without prompts
npx ship-safe checklist --no-interactiveCovers: exposed .git folders, debug mode, RLS policies, hardcoded keys, HTTPS, security headers, rate limiting, and more.
npx ship-safe init
Initialize security configs in your project.
# Add all security configs
npx ship-safe init
# Only add .gitignore patterns
npx ship-safe init --gitignore
# Only add security headers config
npx ship-safe init --headers
# Force overwrite existing files
npx ship-safe init -fWhat it copies:
.gitignore- Patterns to prevent committing secretssecurity-headers.config.js- Drop-in Next.js security headers
npx ship-safe fix
Scan for secrets and auto-generate a .env.example file.
# Scan and generate .env.example
npx ship-safe fix
# Preview what would be generated without writing it
npx ship-safe fix --dry-runnpx ship-safe guard
Install a git hook that blocks pushes if secrets are found. Works with or without Husky.
# Install pre-push hook (runs scan before every git push)
npx ship-safe guard
# Install pre-commit hook instead
npx ship-safe guard --pre-commit
# Remove installed hooks
npx ship-safe guard removeSuppress false positives:
- Add
# ship-safe-ignoreas a comment on a line to skip it - Create
.ship-safeignore(gitignore syntax) to exclude paths
npx ship-safe mcp
Start ship-safe as an MCP server so AI editors can call it directly.
Setup (Claude Desktop) — add to claude_desktop_config.json:
{
"mcpServers": {
"ship-safe": {
"command": "npx",
"args": ["ship-safe", "mcp"]
}
}
}Works with Claude Desktop, Cursor, Windsurf, Zed, and any MCP-compatible editor.
Available tools:
scan_secrets— scan a directory for leaked secretsget_checklist— return the security checklist as structured dataanalyze_file— analyze a single file for issues
What's Inside
/checklists
Manual security audits you can do in 5 minutes.
- Launch Day Checklist - 10 things to check before you go live
/configs
Secure defaults for popular stacks. Drop-in ready.
| Stack | Files |
|---|---|
| Next.js | Security Headers - CSP, X-Frame-Options, HSTS |
| Supabase | RLS Templates | Security Checklist | Secure Client |
| Firebase | Firestore Rules | Storage Rules | Security Checklist |
/snippets
Copy-paste code blocks for common security patterns.
| Category | Files |
|---|---|
| Rate Limiting | Upstash Redis | Next.js Middleware |
| Authentication | JWT Security Checklist |
| API Security | CORS Config | Input Validation | API Checklist |
/ai-defense
Protect your AI features from abuse and cost explosions.
| File | Description |
|---|---|
| LLM Security Checklist | Based on OWASP LLM Top 10 - prompt injection, data protection, scope control |
| Prompt Injection Patterns | Regex patterns to detect 25+ injection attempts |
| Cost Protection Guide | Prevent $50k surprise bills - rate limits, budget caps, circuit breakers |
| System Prompt Armor | Template for hardened system prompts |
/scripts
Automated scanning tools. Run them in CI or locally.
- Secret Scanner - Python version of the secret scanner
AI/LLM Security
Building with AI? Don't let it bankrupt you or get hijacked.
Quick Setup
import { containsInjectionAttempt } from './ai-defense/prompt-injection-patterns';
async function handleChat(userInput: string) {
// 1. Check for injection attempts
const { detected } = containsInjectionAttempt(userInput);
if (detected) {
return "I can't process that request.";
}
// 2. Rate limit per user
const { success } = await ratelimit.limit(userId);
if (!success) {
return "Too many requests. Please slow down.";
}
// 3. Check budget before calling
await checkUserBudget(userId, estimatedCost);
// 4. Make the API call with token limits
const response = await openai.chat.completions.create({
model: 'gpt-4',
messages,
max_tokens: 500, // Hard cap
});
return response;
}Cost Protection Layers
- Token limits - Cap input/output per request
- Rate limits - Cap requests per user (10/min)
- Budget caps - Daily ($1) and monthly ($10) per user
- Circuit breaker - Disable AI when global budget hit
- Provider limits - Set hard limits in OpenAI/Anthropic dashboard
Database Security
Supabase RLS Templates
-- Users can only see their own data
CREATE POLICY "Users own their data" ON items
FOR ALL USING (auth.uid() = user_id);
-- Read-only public data
CREATE POLICY "Public read access" ON public_items
FOR SELECT USING (true);Firebase Security Rules
// Users can only access their own documents
match /users/{userId} {
allow read, write: if request.auth != null
&& request.auth.uid == userId;
}Full Firestore rules template →
API Security
CORS (Don't use * in production)
const ALLOWED_ORIGINS = [
'https://yourapp.com',
'https://www.yourapp.com',
];
// Only allow specific origins
if (origin && ALLOWED_ORIGINS.includes(origin)) {
headers['Access-Control-Allow-Origin'] = origin;
}CORS configs for Next.js, Express, Fastify, Hono →
Input Validation (Zod)
const createUserSchema = z.object({
email: z.string().email().max(255),
password: z.string().min(8).max(128),
});
const result = createUserSchema.safeParse(body);
if (!result.success) {
return Response.json({ error: result.error.issues }, { status: 400 });
}CI/CD Integration
Add to your GitHub Actions workflow:
# .github/workflows/security.yml
name: Security Scan
on: [push, pull_request]
jobs:
scan-secrets:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Scan for secrets
run: npx ship-safe scan . --jsonThe scan exits with code 1 if secrets are found, failing your build.
The 5-Minute Security Checklist
- ✅ Run
npx ship-safe scan .on your project - ✅ Run
npx ship-safe initto add security configs - ✅ Add security headers to your Next.js config
- ✅ Run
npx ship-safe checklistbefore launching - ✅ If using AI features, implement cost protection
- ✅ If using Supabase, check the RLS checklist
- ✅ If using Firebase, check the Firebase checklist
Philosophy
- Low friction - If it takes more than 5 minutes, people won't do it
- Educational - Every config has comments explaining why
- Modular - Take what you need, ignore the rest
- Copy-paste friendly - No complex setup, just grab and go
Contributing
Found a security pattern that saved your app? Share it!
- Fork the repo
- Add your checklist, config, or script
- Include educational comments explaining why it matters
- Open a PR
See CONTRIBUTING.md for guidelines.
Security Standards Reference
This toolkit is based on:
License
MIT - Use it, share it, secure your stuff.
Remember: Security isn't about being paranoid. It's about being prepared.
Ship fast. Ship safe.