ShipSafe
Catch production risks before you ship.
AI writes code fast. ShipSafe checks if it's safe to ship.
Works in VS Code, Cursor, and Windsurf — no account, no setup, no cloud required.
What it does
ShipSafe scans your JavaScript, TypeScript, and Python files for production risks the moment you open or save them. Every finding includes a concrete fix, a CWE reference, and an OWASP category so you know exactly what you're dealing with.
Production Readiness Score
Every file gets a score from 0–100 across four categories:
| Category | Weight |
|---|---|
| Security | 40% |
| Reliability | 25% |
| Maintainability | 20% |
| Config Safety | 15% |
The score lives in your status bar and updates on every save.
What it catches
Security
- Hardcoded passwords, API keys, and tokens → CWE-259, CWE-798
- Unsafe `eval()` → CWE-95
- Shell injection via string concatenation → CWE-78
- Secrets exposed in client-side code (`NEXT_PUBLIC_`, `VITE_`, `REACT_APP_`) → CWE-312
- Cryptographically weak `Math.random()` → CWE-338
- Route handlers with no auth check → CWE-306
Database
- SQL queries built with string concatenation → CWE-89
- Raw queries that may include user input → CWE-89
Reliability
- Empty `catch` blocks that swallow errors → CWE-390
- Unhandled promise rejections → CWE-755
- `async` functions with no try/catch → CWE-755
- Null dereference on request data → CWE-476
- Request body used without validation → CWE-20
Config Safety
- `process.env` values used without validation → CWE-15
- Hardcoded `localhost` / staging URLs → CWE-547
- Security-sensitive env vars with hardcoded fallbacks → CWE-547
Maintainability
- `console.log` in production code → CWE-532
- `TODO` / `FIXME` comments → CWE-546
- `debug: true` flags → CWE-11
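To show how a rule-based scanner of the kind described above turns source lines into findings and a weighted score, here is an added example that is not ShipSafe's own implementation: a handful of regex rules tagged with the category and CWE from the catalogue, run over a constructed sample file, with the file score combined using the 40/25/20/15 weights from the table. The rule regexes, the 20-point penalty per finding and the weighted-sum formula are all assumptions of this example, not ShipSafe's actual rules or scoring.

```javascript
// Added example, not ShipSafe's rules or scoring: a minimal rule-based scanner.
// Each rule is a regex tagged with category and CWE; findings carry a 1-based
// line number (the Problems panel jumps to that line); the score is a weighted
// sum of per-category scores (weights from the table, penalty is assumed).
const RULES = [
  { id: "hardcoded-secret", category: "Security", cwe: "CWE-798",
    re: /\b(?:password|api[_-]?key|secret|token)\s*[:=]\s*['"][^'"]{8,}['"]/i,
    fix: "Read the value from an environment variable or a secrets manager." },
  { id: "eval", category: "Security", cwe: "CWE-95",
    re: /\beval\s*\(/, fix: "Replace eval() with JSON.parse() or an explicit parser." },
  { id: "shell-concat", category: "Security", cwe: "CWE-78",
    re: /\bexec(?:Sync)?\s*\(\s*(?:[`"'][^`"']*[`"']\s*\+|`[^`]*\$\{)/,
    fix: "Use execFile()/spawn() with an argument array; never build a shell string." },
  { id: "math-random", category: "Security", cwe: "CWE-338",
    re: /\bMath\.random\s*\(/, fix: "Use crypto.randomBytes() or crypto.randomInt()." },
  { id: "sql-concat", category: "Security", cwe: "CWE-89",
    re: /\b(?:SELECT|INSERT|UPDATE|DELETE)\b[^;]*['"`]\s*\+\s*\w/i,
    fix: "Use a parameterized query." },
  { id: "empty-catch", category: "Reliability", cwe: "CWE-390",
    re: /\bcatch\s*(?:\([^)]*\))?\s*\{\s*\}/, fix: "Log or rethrow the error." },
  { id: "env-fallback", category: "Config Safety", cwe: "CWE-547",
    re: /process\.env\.\w*(?:SECRET|KEY|TOKEN|PASSWORD)\w*\s*(?:\|\||\?\?)\s*['"]/i,
    fix: "Fail at startup when the variable is missing instead of defaulting." },
  { id: "console-log", category: "Maintainability", cwe: "CWE-532",
    re: /\bconsole\.log\s*\(/, fix: "Use a leveled logger; strip debug output from production." },
  { id: "todo", category: "Maintainability", cwe: "CWE-546",
    re: /\b(?:TODO|FIXME)\b/, fix: "Resolve or track the note before shipping." },
];

// Category weights from the README table; the per-finding penalty is assumed.
const WEIGHTS = { Security: 0.40, Reliability: 0.25, Maintainability: 0.20, "Config Safety": 0.15 };
const PENALTY = 20;

// Run every rule over every line; one finding per rule per line.
function scan(source) {
  const findings = [];
  source.split("\n").forEach((text, i) => {
    for (const r of RULES) {
      if (r.re.test(text)) {
        findings.push({ line: i + 1, rule: r.id, category: r.category, cwe: r.cwe, fix: r.fix });
      }
    }
  });
  return findings;
}

// Each category starts at 100 and loses PENALTY per finding (floor 0);
// the file score is the weighted sum, rounded to an integer 0-100.
function score(findings) {
  const perCategory = {};
  for (const c of Object.keys(WEIGHTS)) perCategory[c] = 100;
  for (const f of findings) perCategory[f.category] = Math.max(0, perCategory[f.category] - PENALTY);
  const total = Object.keys(WEIGHTS).reduce((acc, c) => acc + WEIGHTS[c] * perCategory[c], 0);
  return { total: Math.round(total), perCategory };
}

// Constructed sample file for the demo (not real code from any project).
const SAMPLE = [
  'const apiKey = "sk_live_0123456789abcdef";',
  'const secret = process.env.JWT_SECRET || "dev-secret";',
  'const id = Math.random().toString(36);',
  'db.query("SELECT * FROM users WHERE id = " + req.params.id);',
  'try { JSON.parse(body); } catch (e) {}',
  'console.log("user:", req.user); // TODO remove',
].join("\n");

// Findings formatted as the Problems panel would list them, plus the score line.
function report(source) {
  const findings = scan(source);
  const lines = findings.map((f) => `L${f.line} ${f.cwe} ${f.rule}: ${f.fix}`);
  lines.push(`score ${score(findings).total}/100`);
  return lines;
}

console.log(report(SAMPLE).join("\n"));
```

On the sample above the scanner reports seven findings (three Security, one Reliability, one Config Safety, two Maintainability) and a score of 60/100. The rules are deliberately simple and show the limits of regex scanning: the SQL rule fires on any string concatenation after a `SELECT` keyword whether or not the right-hand side is user input, and none of the rules can tell that a route handler lacks an auth check, which is the kind of gap the optional AI review below is meant to cover.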
Features
- Inline diagnostics in the Problems panel with CWE links to MITRE
- Score panel with per-category bar charts and a clickable findings list — click any finding to jump to that line
- Status bar badge (`🛡 72/100`) that updates on every save
- AI Deep Review — optional, uses your own Anthropic API key (BYOK), powered by Claude
- Works offline — all rule-based scanning requires no internet connection
- Zero account required — install and go
Commands
| Command | Description |
|---|---|
| `ShipSafe: Scan Current File` | Scan the active file and show results |
| `ShipSafe: Scan Workspace` | Scan all JS/TS/Python files in the workspace |
| `ShipSafe: Show Production Readiness Score` | Open the score panel for the active file |
| `ShipSafe: AI Deep Review (BYOK)` | Send the file to Claude for deep analysis |
| `ShipSafe: Explain Issue` | Pick an issue from a quick list to see full details |
All commands are also available by right-clicking in the editor.
AI Deep Review (optional)
The AI review sends your file to Claude (Anthropic) for deeper analysis — catching logical flaws, missing auth patterns, and risky assumptions that regex can't find.
How to enable:
- Run `ShipSafe: AI Deep Review (BYOK)` from the Command Palette
- Enter your Anthropic API key when prompted (stored in VS Code settings)
- Get a second-opinion score and structured findings
Your API key is stored locally in VS Code settings and is never sent anywhere except Anthropic's API. VS Code settings are plain-text JSON, so keep the key in your user settings rather than workspace settings; a key in `.vscode/settings.json` is easy to commit to the repository by accident.
Get a key at console.anthropic.com.
Settings
| Setting | Default | Description |
|---|---|---|
| `vibeScanner.anthropicApiKey` | `""` | Anthropic API key for AI Deep Review |
| `vibeScanner.autoScanOnSave` | `true` | Scan automatically on file save |
| `vibeScanner.autoScanOnOpen` | `true` | Scan automatically when a file is opened |
Supported languages
JavaScript, TypeScript, JSX, TSX, Python
Privacy
- All rule-based scanning runs entirely locally — no data leaves your machine
- AI Deep Review sends only the current file to Anthropic's API — never the full workspace
- You are always asked before AI review is triggered
- No telemetry, no analytics, no accounts
License
MIT