asamassekou10/ship-safe-fix
claude-code-plugin/skills/ship-safe-fix/SKILL.md
Auto-fix security issues — remediate hardcoded secrets and common vulnerabilities (TLS bypass, debug mode, XSS, shell injection, Docker :latest). Use when the user wants to automatically fix security findings.
$ install --global
skillsauthnpx skillsauth add asamassekou10/ship-safe ship-safe-fixInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 24, 2026, 8:53 PM1.8s1 file scanned
SKILL.md
- name:
- ship-safe-fix
- description:
- Auto-fix security issues — remediate hardcoded secrets and common vulnerabilities (TLS bypass, debug mode, XSS, shell injection, Docker :latest). Use when the user wants to automatically fix security findings.
- argument-hint:
- [path] [--all] [--dry-run]
Ship Safe — Auto-Fix Security Issues
You are using Ship Safe's remediation engine to automatically fix security issues in this project.
Step 1: Preview the fixes
Always start with a dry run to show what will change:
npx ship-safe@latest remediate $ARGUMENTS --dry-run 2>&1
If $ARGUMENTS is empty, default to . --all (fix both secrets and agent findings):
npx ship-safe@latest remediate . --all --dry-run 2>&1
Flags:
- No
--allflag → only fixes hardcoded secrets (moves to env vars) - With
--all→ also fixes: TLS bypass (rejectUnauthorized: false), Docker:latesttags, debug mode enabled,dangerouslySetInnerHTMLwithout sanitization,shell: truein exec/spawn
Step 2: Present the preview
Show the user what will be changed:
- List each file that will be modified
- Show the before/after for each change
- Group by fix type (secrets, TLS, Docker, debug, XSS, shell)
- Note any files that will be created (
.env.example,.env)
Step 3: Apply fixes (with confirmation)
Ask the user if they want to proceed. If yes:
npx ship-safe@latest remediate . --all --yes 2>&1
If the user only wants to fix secrets (not agent findings):
npx ship-safe@latest remediate . --yes 2>&1
Step 4: Post-fix verification
After applying fixes:
-
Run a quick scan to verify secrets were removed:
npx ship-safe@latest scan . --json 2>/dev/null -
Report the results — how many issues were fixed vs. remaining
-
For remaining issues that couldn't be auto-fixed, offer to fix them manually by reading the code and applying targeted changes
Step 5: Follow-up actions
Suggest:
- Review
.env.example— make sure variable names make sense - Add
.envto.gitignoreif not already there - Rotate exposed secrets — run
npx ship-safe rotate .for step-by-step guides - Update baseline — run
/ship-safe-baseline .to update after fixes - Stage changes — offer to stage the modified files with git
Important Notes
- Ship Safe creates a backup before modifying files — the user can revert if something breaks
- The
--allflag is important for fixing agent-level findings beyond just secrets - Never display actual secret values, even in the dry run output
- If a fix might break functionality (e.g.,
shell: falsein exec), warn the user to test - For
dangerouslySetInnerHTMLfixes, note thatDOMPurifyneeds to be installed:npm install dompurify
Related Skills
asamassekou10/ship-safe
tools
VerifiedTrustedCommunity
Run a full security audit on this project — 16 agents scan for secrets, injections, auth bypass, SSRF, supply chain, Supabase RLS, MCP security, agentic AI, RAG poisoning, PII compliance, and more. Use when the user wants a security audit, vulnerability scan, or asks if their code is safe to ship.
420SKILL.mdUpdated Apr 16, 2026
asamassekou10/ship-safe-score
development
VerifiedTrustedCommunity
Get your project's security health score (0-100, A-F grade). Use when the user wants a quick security check or asks "is my code safe to ship?"
420SKILL.mdUpdated Apr 16, 2026
asamassekou10/ship-safe-scan
development
VerifiedTrustedCommunity
Quick scan for leaked secrets — API keys, passwords, tokens, database URLs. Use when the user wants to check for hardcoded secrets or exposed credentials.
420SKILL.mdUpdated Apr 16, 2026
asamassekou10/ship-safe-red-team
tools
VerifiedTrustedCommunity
Run a multi-agent red team scan — 16 specialized security agents scan for 80+ attack classes including injection, auth bypass, SSRF, supply chain, Supabase RLS, MCP security, agentic AI, RAG poisoning, PII compliance, and more. Use when the user wants a deep security analysis beyond just secrets.
420SKILL.mdUpdated Apr 16, 2026