Ship Safe
10 Security Engines

The security audit your AI‑generated code actually needs

Ship Safe scans your GitHub repos for the vulnerabilities AI assistants introduce, grades your codebase A through F, opens Claude-powered fix PRs, and produces SOC 2 evidence — in under five minutes.

shipsafe scan — jerkean2139/pocket-coach
$ shipsafe scan jerkean2139/pocket-coach
cloning repository...
running 10 engines in parallel
 
semgrep             3 findings   4.2s
ai-patterns         1 finding    1.8s
gitleaks            clean        0.9s
osv-scanner         2 findings   2.1s
trivy               clean        3.4s
hallucinated-pkg    clean        1.2s
prompt-injection    clean        0.4s
bundle-secrets      1 finding    1.6s
vuln-libraries      1 finding    0.8s
cve-enrichment      clean        0.3s

grade: B   risk: 24   8 findings   5 auto-fixable
The Problem

AI assistants introduce vulnerabilities that traditional scanners miss

Traditional SAST tools were built for human-written code. AI assistants introduce an entirely new class of vulnerabilities that off-the-shelf scanners overlook.

Hallucinated packages

AI invents npm and PyPI packages that don't exist. Attackers register them, and your build pulls in malicious code.

Dangerous training patterns

AI copies dangerous patterns from its training set — eval(), dangerouslySetInnerHTML, hardcoded JWTs.

Broken access control

AI doesn't understand your authorization model. It writes open redirects, IDOR vulnerabilities, and missing RBAC checks.

Placeholder secrets ship

AI generates realistic-looking API keys as examples. Developers forget to replace them before pushing to production.

Engines

10 engines, one report

Ship Safe runs every engine in parallel, deduplicates findings by fingerprint so the same bug reported by two engines counts once, and grades your repo A through F. No more stitching dashboards together.

Engine
Semgrep
AI Pattern Rules
Secret Detection
Dependency CVEs
Container & IaC
Hallucinated Packages
Prompt Injection
JS Bundle Secrets
Vulnerable Libraries
CVE Enrichment
Features

More than a scanner

A letter grade for every repo

Each scan produces a weighted risk score that maps to a letter grade A through F. Severity counts give you instant triage: how many criticals, highs, mediums, and lows — plus how many are auto-fixable.
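To make "deduplicates by fingerprint" and the weighted score-to-grade step concrete, here is a small Python model of that pipeline. It is an added example, not Ship Safe's code: the severity weights, the grade bands, the fingerprint recipe and the ten sample findings are all assumptions constructed for the illustration, which is why its risk number comes out at 26 rather than the 24 shown in the sample scan.

```python
"""Fingerprint-based deduplication and A-F grading of multi-engine scan output."""
import hashlib
from collections import Counter
from dataclasses import dataclass, field, replace

# Assumed weights and grade bands: the page does not publish Ship Safe's own.
SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 3, "low": 1}
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}
GRADE_BANDS = ((10, "A"), (30, "B"), (50, "C"), (70, "D"))  # score below ceiling -> grade


@dataclass
class Finding:
    engine: str
    path: str
    line: int
    category: str      # bug class shared across engines, e.g. a CWE id
    severity: str
    snippet: str
    fixable: bool = False
    engines: list = field(default_factory=list)  # filled in by deduplicate()


def fingerprint(f: Finding) -> str:
    """Engine-agnostic identity of a finding.

    Path, bug class and the flagged code (all whitespace removed) go in; the engine
    name and the line number stay out, so two engines reporting the same code, or the
    same code after lines above it shift, collapse into one finding.
    """
    normalized = "".join(f.snippet.split())
    material = f"{f.path}\n{f.category}\n{normalized}".encode()
    return hashlib.sha256(material).hexdigest()[:16]


def deduplicate(findings: list[Finding]) -> list[Finding]:
    """Merge findings with the same fingerprint, keeping the worst severity."""
    merged: dict[str, Finding] = {}
    for f in findings:
        fp = fingerprint(f)
        kept = merged.get(fp)
        if kept is None:
            merged[fp] = replace(f, engines=[f.engine])   # copy, input stays untouched
            continue
        kept.engines.append(f.engine)
        if SEVERITY_RANK[f.severity] > SEVERITY_RANK[kept.severity]:
            kept.severity = f.severity
        kept.fixable = kept.fixable or f.fixable   # one engine having a fix is enough
    return list(merged.values())


def risk_score(findings: list[Finding]) -> int:
    """Weighted sum of severities, capped at 100."""
    return min(100, sum(SEVERITY_WEIGHT[f.severity] for f in findings))


def letter_grade(score: int) -> str:
    for ceiling, grade in GRADE_BANDS:
        if score < ceiling:
            return grade
    return "F"


def grade_report(raw_findings: list[Finding]) -> dict:
    """Deduplicate, count by severity, score and grade: one report for all engines."""
    unique = deduplicate(raw_findings)
    counts = Counter(f.severity for f in unique)
    score = risk_score(unique)
    return {
        "grade": letter_grade(score),
        "risk": score,
        "total": len(unique),
        "fixable": sum(1 for f in unique if f.fixable),
        "duplicates_removed": len(raw_findings) - len(unique),
        **{sev: counts[sev] for sev in SEVERITY_WEIGHT},
    }


# Constructed engine output (not real scan data): ten raw findings, two of which are the
# same bug reported again by a second engine with different whitespace and severity.
SAMPLE_FINDINGS = [
    Finding("semgrep", "src/handlers/search.ts", 42, "CWE-89", "high",
            "db.raw(`SELECT * FROM users WHERE name = '${query}'`)", fixable=True),
    Finding("ai-patterns", "src/handlers/search.ts", 42, "CWE-89", "medium",
            "db.raw( `SELECT * FROM users WHERE name = '${query}'` )", fixable=True),
    Finding("semgrep", "src/render/Profile.tsx", 17, "CWE-79", "high",
            "dangerouslySetInnerHTML={{ __html: bio }}", fixable=True),
    Finding("ai-patterns", "src/render/Profile.tsx", 17, "CWE-79", "medium",
            "dangerouslySetInnerHTML={{__html: bio}}", fixable=True),
    Finding("semgrep", "src/utils/calc.ts", 5, "CWE-95", "medium", "eval(userExpr)"),
    Finding("ai-patterns", "src/config/auth.ts", 3, "CWE-798", "medium",
            "const JWT_SECRET = 'replace-me-example'", fixable=True),
    Finding("bundle-secrets", "dist/app.js", 1, "CWE-798", "medium",
            "apiKey: 'EXAMPLE_PLACEHOLDER_KEY'", fixable=True),
    Finding("osv-scanner", "package-lock.json", 0, "vulnerable-dependency", "low",
            "example-lib-a@1.0.0"),
    Finding("osv-scanner", "package-lock.json", 0, "vulnerable-dependency", "low",
            "example-lib-b@2.3.0", fixable=True),
    Finding("vuln-libraries", "dist/vendor.js", 0, "vulnerable-dependency", "low",
            "example-lib-a@1.0.0"),
]

if __name__ == "__main__":
    print(grade_report(SAMPLE_FINDINGS))
```

The fingerprint deliberately leaves out the line number and the engine name: a report that keys on either would double-count the same SQL injection when semgrep and the AI pattern rules both hit it, and would reopen every finding after an unrelated edit shifts the file. The same library version found in the lockfile and in a built bundle is kept as two findings, since they are fixed in different places.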

Grade B · risk 24/100 · 8 total · 5 fixable
Critical 0 · High 2 · Medium 3 · Low 3
fix: sanitize user input in search handler
shipsafe/fix-xss-42
src/handlers/search.ts
- const query = req.query.q;
- db.raw(`SELECT * WHERE name = '${query}'`);
+ const query = sanitizeInput(req.query.q);
+ db.query('SELECT * WHERE name = $1', [query]);
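Review bot: the replacement query still has no FROM clause (`SELECT * WHERE name = $1`), so it would fail at runtime on the database just as the original would; name the table in both the old and new lines of this preview. The injection itself is closed by the `$1` placeholder in `db.query`, which keeps the value out of the SQL text; `sanitizeInput` is neither imported nor defined in the shown lines and should not be presented as the fix, so either drop it or describe it as defense in depth. The branch name `shipsafe/fix-xss-42` also says XSS while the change addresses SQL injection; align the branch name with the finding.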

Claude-powered fix PRs

For every fixable finding, Ship Safe generates a patched file with Claude and opens a pull request. Review the diff, merge, and move on. Up to 100 fix PRs per scan on Team plans.

SOC 2 evidence, not just findings

Each scan produces a PDF mapped to Trust Service Criteria. Hand it to your auditor when enterprise prospects ask about compliance. Findings are tagged with the exact TSC codes they satisfy.

soc2-evidence.pdf
SOC 2 Type II — Security Scan Evidence
CC6.1 Logical Access · Passing
CC6.6 System Boundaries · Remediated
CC8.1 Change Management · Open
3 controls evaluated · 2 passing · 1 open

Your first scan is free

No credit card. No setup. Connect a repo, get a grade in five minutes.