ship-safe 3.1.0 → 4.0.0

package/README.md

@@ -1,434 +1,323 @@
 <p align="center">
   <img src=".github/assets/logo%20ship%20safe.png" alt="Ship Safe Logo" width="180" />
 </p>
-<p align="center"><strong>Don't let vibe coding leak your API keys.</strong></p>
+<p align="center"><strong>AI-powered application security platform for developers.</strong></p>
 
 <p align="center">
   <a href="https://www.npmjs.com/package/ship-safe"><img src="https://badge.fury.io/js/ship-safe.svg" alt="npm version" /></a>
+  <a href="https://www.npmjs.com/package/ship-safe"><img src="https://img.shields.io/npm/dm/ship-safe.svg" alt="npm downloads" /></a>
+  <a href="https://github.com/asamassekou10/ship-safe/actions/workflows/ci.yml"><img src="https://github.com/asamassekou10/ship-safe/actions/workflows/ci.yml/badge.svg" alt="CI" /></a>
+  <a href="https://nodejs.org"><img src="https://img.shields.io/node/v/ship-safe" alt="Node.js version" /></a>
   <a href="https://opensource.org/licenses/MIT"><img src="https://img.shields.io/badge/License-MIT-yellow.svg" alt="License: MIT" /></a>
 </p>
 
 ---
 
-You're shipping fast. You're using AI to write code. You're one `git push` away from exposing your database credentials to the world.
+12 security agents. 50+ attack classes. One command.
 
-**Ship Safe** is a security toolkit for indie hackers and vibe coders who want to secure their MVP in 5 minutes, not 5 days.
+**Ship Safe v4.0** is an AI-powered security platform that runs 12 specialized agents against your codebase — scanning for secrets, injection vulnerabilities, auth bypass, SSRF, supply chain attacks, Docker/Terraform misconfigs, CI/CD pipeline poisoning, LLM security issues, and more. It produces a prioritized remediation plan so you know exactly what to fix first.
 
 ---
 
 ## Quick Start
 
 ```bash
-# Scan for leaked secrets (no install required!)
-npx ship-safe scan .
-
-# Auto-generate .env.example from found secrets
-npx ship-safe fix
+# Full security audit — secrets + 12 agents + deps + remediation plan
+npx ship-safe audit .
 
-# Block git push if secrets are found
-npx ship-safe guard
+# Red team scan only (12 agents, 50+ attack classes)
+npx ship-safe red-team .
 
-# Run the launch-day security checklist
-npx ship-safe checklist
+# Quick secret scan
+npx ship-safe scan .
 
-# Add security configs to your project
-npx ship-safe init
+# Security health score (0-100)
+npx ship-safe score .
 ```
 
-That's it. Five commands to secure your MVP.
-
 ![ship-safe terminal demo](.github/assets/ship%20safe%20terminal.jpg)
 
-### Let AI Do It For You
-
-Copy this prompt to your AI coding assistant:
-
-```
-Run "npx ship-safe scan ." on my project and fix any secrets you find.
-Then run "npx ship-safe init" to add security configs.
-Explain what you're doing as you go.
-```
-
-[More AI prompts for specific frameworks](./AI_SECURITY_PROMPT.md)
-
 ---
 
-## Why This Exists
-
-Vibe coding is powerful. You can build a SaaS in a weekend. But speed creates blind spots:
+## The `audit` Command
 
-- AI-generated code often hardcodes secrets
-- Default configs ship with debug mode enabled
-- "I'll fix it later" becomes "I got hacked"
+One command that runs everything and generates a full report:
 
-This repo is your co-pilot for security. Copy, paste, ship safely.
+```bash
+npx ship-safe audit .
+```
 
----
+```
+════════════════════════════════════════════════════════════
+  Ship Safe v4.0 — Full Security Audit
+════════════════════════════════════════════════════════════
 
-## CLI Commands
+  [Phase 1/4] Scanning for secrets...         ✔ 49 found
+  [Phase 2/4] Running 12 security agents...   ✔ 103 findings
+  [Phase 3/4] Auditing dependencies...        ✔ 44 CVEs
+  [Phase 4/4] Computing security score...     ✔ 25/100 F
 
-### `npx ship-safe scan [path]`
+  Remediation Plan
+  ════════════════════════════════════════════════════════
 
-Scans your codebase for leaked secrets: API keys, passwords, private keys, database URLs.
+  🔴 CRITICAL — fix immediately
+  ────────────────────────────────────────────────────────
+   1. [SECRETS] Rotate Stripe Live Secret Key
+      .env:67 → Move to environment variable or secrets manager
 
-```bash
-# Scan current directory
-npx ship-safe scan .
+   2. [INJECTION] Unsafe pickle.loads()
+      backend/ai_processor.py:64 → Use JSON for untrusted data
 
-# Scan a specific folder
-npx ship-safe scan ./src
+  🟠 HIGH — fix before deploy
+  ────────────────────────────────────────────────────────
+   3. [XSS] dangerouslySetInnerHTML without sanitization
+      frontend/src/utils/blogContentRenderer.jsx:50 → Add DOMPurify
 
-# Get JSON output (for CI pipelines)
-npx ship-safe scan . --json
+  ... 149 more items in the full report
 
-# Verbose mode (show files being scanned)
-npx ship-safe scan . -v
+  📊 Full report: ship-safe-report.html
 ```
 
-**Exit codes:** Returns `1` if secrets found (useful for CI), `0` if clean.
+**What it runs:**
+1. **Secret scan** — 50+ patterns with entropy scoring (API keys, passwords, tokens)
+2. **12 security agents** — injection, auth, SSRF, supply chain, config, LLM, mobile, git history, CI/CD, API
+3. **Dependency audit** — npm/pip/bundler CVE scanning
+4. **Score computation** — 8-category weighted scoring (0-100, A-F)
+5. **Remediation plan** — prioritized fix list grouped by severity
+6. **HTML report** — standalone dark-themed report with table of contents
 
 **Flags:**
-- `--json` — structured JSON output for CI pipelines
+- `--json` — structured JSON output (clean for piping)
 - `--sarif` — SARIF format for GitHub Code Scanning
-- `--include-tests` — also scan test/spec/fixture files (excluded by default)
-- `-v` — verbose mode
-
-**Suppress false positives:**
-```bash
-const apiKey = 'example-key'; // ship-safe-ignore
-```
-Or exclude paths with `.ship-safeignore` (gitignore syntax).
+- `--html [file]` — custom HTML report path (default: `ship-safe-report.html`)
+- `--no-deps` — skip dependency audit
+- `--no-ai` — skip AI classification
 
-**Custom patterns** — create `.ship-safe.json` in your project root:
-```json
-{
-  "patterns": [
-    {
-      "name": "My Internal API Key",
-      "pattern": "MYAPP_[A-Z0-9]{32}",
-      "severity": "high",
-      "description": "Internal key for myapp services."
-    }
-  ]
-}
-```
+---
 
-**Detects 50+ secret patterns:**
-- **AI/ML:** OpenAI, Anthropic, Google AI, Cohere, Replicate, Hugging Face
-- **Auth:** Clerk, Auth0, Supabase Auth
-- **Cloud:** AWS, Google Cloud, Azure
-- **Database:** Supabase, PlanetScale, Neon, MongoDB, PostgreSQL, MySQL
-- **Payment:** Stripe, PayPal
-- **Messaging:** Twilio, SendGrid, Resend
-- **And more:** GitHub tokens, private keys, JWTs, generic secrets
+## 12 Security Agents
+
+| Agent | Category | What It Detects |
+|-------|----------|-----------------|
+| **InjectionTester** | Code Vulns | SQL/NoSQL injection, command injection, code injection (eval), XSS, path traversal, XXE, ReDoS, prototype pollution |
+| **AuthBypassAgent** | Auth | JWT vulnerabilities (alg:none, weak secrets), cookie security, CSRF, OAuth misconfig, BOLA/IDOR, weak crypto, timing attacks, TLS bypass |
+| **SSRFProber** | SSRF | User input in fetch/axios, cloud metadata endpoints, internal IPs, redirect following |
+| **SupplyChainAudit** | Supply Chain | Typosquatting (Levenshtein distance), git/URL dependencies, wildcard versions, suspicious install scripts |
+| **ConfigAuditor** | Config | Dockerfile (running as root, :latest tags), Terraform (public S3, open SG), Kubernetes (privileged containers), CORS, CSP, Firebase, Nginx |
+| **LLMRedTeam** | AI/LLM | OWASP LLM Top 10 — prompt injection, excessive agency, system prompt leakage, unbounded consumption, RAG poisoning |
+| **MobileScanner** | Mobile | OWASP Mobile Top 10 2024 — insecure storage, WebView JS injection, HTTP endpoints, excessive permissions, debug mode |
+| **GitHistoryScanner** | Secrets | Leaked secrets in git commit history (checks if still active in working tree) |
+| **CICDScanner** | CI/CD | OWASP CI/CD Top 10 — pipeline poisoning, unpinned actions, secret logging, self-hosted runners, script injection |
+| **APIFuzzer** | API | Routes without auth, missing input validation, mass assignment, unrestricted file upload, GraphQL introspection, debug endpoints |
+| **ReconAgent** | Recon | Attack surface discovery — frameworks, languages, auth patterns, databases, cloud providers, IaC, CI/CD pipelines |
+| **ScoringEngine** | Scoring | 8-category weighted scoring with trend tracking |
 
 ---
 
-### `npx ship-safe checklist`
+## All Commands
 
-Interactive 10-point security checklist for launch day.
+### Core Audit Commands
 
 ```bash
-# Interactive mode (prompts for each item)
-npx ship-safe checklist
+# Full audit with remediation plan + HTML report
+npx ship-safe audit .
 
-# Print checklist without prompts
-npx ship-safe checklist --no-interactive
-```
+# Red team: 12 agents, 50+ attack classes
+npx ship-safe red-team .
+npx ship-safe red-team . --agents injection,auth    # Run specific agents
+npx ship-safe red-team . --html report.html         # HTML report
+npx ship-safe red-team . --json                     # JSON output
 
-Covers: exposed .git folders, debug mode, RLS policies, hardcoded keys, HTTPS, security headers, rate limiting, and more.
+# Secret scanner (pattern matching + entropy)
+npx ship-safe scan .
+npx ship-safe scan . --json          # JSON for CI
+npx ship-safe scan . --sarif         # SARIF for GitHub
 
----
+# Security health score (0-100, A-F)
+npx ship-safe score .
 
-### `npx ship-safe init`
+# Dependency CVE audit
+npx ship-safe deps .
+npx ship-safe deps . --fix           # Auto-fix vulnerabilities
+```
 
-Initialize security configs in your project.
+### AI-Powered Commands
 
 ```bash
-# Add all security configs
-npx ship-safe init
-
-# Only add .gitignore patterns
-npx ship-safe init --gitignore
+# AI audit: scan + classify with Claude + auto-fix secrets
+npx ship-safe agent .
 
-# Only add security headers config
-npx ship-safe init --headers
+# Auto-fix hardcoded secrets: rewrite code + write .env
+npx ship-safe remediate .
 
-# Force overwrite existing files
-npx ship-safe init -f
+# Revoke exposed keys — opens provider dashboards
+npx ship-safe rotate .
 ```
 
-**What it copies:**
-- `.gitignore` - Patterns to prevent committing secrets
-- `security-headers.config.js` - Drop-in Next.js security headers
-
----
-
-### `npx ship-safe fix`
-
-Scan for secrets and auto-generate a `.env.example` file.
+### Infrastructure Commands
 
 ```bash
-# Scan and generate .env.example
-npx ship-safe fix
-
-# Preview what would be generated without writing it
-npx ship-safe fix --dry-run
-```
-
----
+# Continuous monitoring (watch files for changes)
+npx ship-safe watch .
 
-### `npx ship-safe guard`
+# Generate CycloneDX SBOM
+npx ship-safe sbom .
 
-Install a git hook that blocks pushes if secrets are found. Works with or without Husky.
+# Policy-as-code (enforce minimum score, fail on severity)
+npx ship-safe policy init
 
-```bash
-# Install pre-push hook (runs scan before every git push)
+# Block git push if secrets found
 npx ship-safe guard
 
-# Install pre-commit hook instead
-npx ship-safe guard --pre-commit
+# Initialize security configs (.gitignore, headers)
+npx ship-safe init
 
-# Remove installed hooks
-npx ship-safe guard remove
-```
+# Launch-day security checklist
+npx ship-safe checklist
 
-**Suppress false positives:**
-- Add `# ship-safe-ignore` as a comment on a line to skip it
-- Create `.ship-safeignore` (gitignore syntax) to exclude paths
+# MCP server for AI editors (Claude Desktop, Cursor, etc.)
+npx ship-safe mcp
+```
 
 ---
 
-### `npx ship-safe mcp`
-
-Start ship-safe as an MCP server so AI editors can call it directly.
+## Multi-LLM Support
 
-**Setup (Claude Desktop)** — add to `claude_desktop_config.json`:
-```json
-{
-  "mcpServers": {
-    "ship-safe": {
-      "command": "npx",
-      "args": ["ship-safe", "mcp"]
-    }
-  }
-}
-```
+Ship Safe supports multiple AI providers for classification:
 
-Works with Claude Desktop, Cursor, Windsurf, Zed, and any MCP-compatible editor.
+| Provider | Env Variable | Model |
+|----------|-------------|-------|
+| **Anthropic** | `ANTHROPIC_API_KEY` | claude-haiku-4-5 |
+| **OpenAI** | `OPENAI_API_KEY` | gpt-4o-mini |
+| **Google** | `GOOGLE_AI_API_KEY` | gemini-2.0-flash |
+| **Ollama** | `OLLAMA_HOST` | Local models |
 
-**Available tools:**
-- `scan_secrets` — scan a directory for leaked secrets
-- `get_checklist` — return the security checklist as structured data
-- `analyze_file` — analyze a single file for issues
+Auto-detected from environment variables. No API key required for scanning — AI is optional.
 
 ---
 
-## What's Inside
-
-### [`/checklists`](./checklists)
-**Manual security audits you can do in 5 minutes.**
-- [Launch Day Checklist](./checklists/launch-day.md) - 10 things to check before you go live
-
-### [`/configs`](./configs)
-**Secure defaults for popular stacks. Drop-in ready.**
-
-| Stack | Files |
-|-------|-------|
-| **Next.js** | [Security Headers](./configs/nextjs-security-headers.js) - CSP, X-Frame-Options, HSTS |
-| **Supabase** | [RLS Templates](./configs/supabase/rls-templates.sql) \| [Security Checklist](./configs/supabase/security-checklist.md) \| [Secure Client](./configs/supabase/secure-client.ts) |
-| **Firebase** | [Firestore Rules](./configs/firebase/firestore-rules.txt) \| [Storage Rules](./configs/firebase/storage-rules.txt) \| [Security Checklist](./configs/firebase/security-checklist.md) |
+## Scoring System
 
-### [`/snippets`](./snippets)
-**Copy-paste code blocks for common security patterns.**
+Starts at 100. Each finding deducts points by severity and category.
 
-| Category | Files |
-|----------|-------|
-| **Rate Limiting** | [Upstash Redis](./snippets/rate-limiting/upstash-ratelimit.ts) \| [Next.js Middleware](./snippets/rate-limiting/nextjs-middleware.ts) |
-| **Authentication** | [JWT Security Checklist](./snippets/auth/jwt-checklist.md) |
-| **API Security** | [CORS Config](./snippets/api-security/cors-config.ts) \| [Input Validation](./snippets/api-security/input-validation.ts) \| [API Checklist](./snippets/api-security/api-security-checklist.md) |
+**8 Categories** (with weight caps):
 
-### [`/ai-defense`](./ai-defense)
-**Protect your AI features from abuse and cost explosions.**
+| Category | Weight | Critical | High | Medium | Cap |
+|----------|--------|----------|------|--------|-----|
+| Secrets | 15% | -25 | -15 | -5 | -15 |
+| Code Vulnerabilities | 15% | -20 | -10 | -3 | -15 |
+| Dependencies | 15% | -20 | -10 | -5 | -15 |
+| Auth & Access Control | 15% | -20 | -10 | -3 | -15 |
+| Configuration | 10% | -15 | -8 | -3 | -10 |
+| Supply Chain | 10% | -15 | -8 | -3 | -10 |
+| API Security | 10% | -15 | -8 | -3 | -10 |
+| AI/LLM Security | 10% | -15 | -8 | -3 | -10 |
 
-| File | Description |
-|------|-------------|
-| [LLM Security Checklist](./ai-defense/llm-security-checklist.md) | Based on OWASP LLM Top 10 - prompt injection, data protection, scope control |
-| [Prompt Injection Patterns](./ai-defense/prompt-injection-patterns.js) | Regex patterns to detect 25+ injection attempts |
-| [Cost Protection Guide](./ai-defense/cost-protection.md) | Prevent $50k surprise bills - rate limits, budget caps, circuit breakers |
-| [System Prompt Armor](./ai-defense/system-prompt-armor.md) | Template for hardened system prompts |
+**Grades:** A (90-100), B (75-89), C (60-74), D (40-59), F (0-39)
 
-### [`/scripts`](./scripts)
-**Automated scanning tools. Run them in CI or locally.**
-- [Secret Scanner](./scripts/scan_secrets.py) - Python version of the secret scanner
+**Exit codes:** `0` for A/B (>= 75), `1` for C/D/F — use in CI to fail builds.
 
 ---
 
-## AI/LLM Security
-
-Building with AI? Don't let it bankrupt you or get hijacked.
-
-### Quick Setup
-
-```typescript
-import { containsInjectionAttempt } from './ai-defense/prompt-injection-patterns';
-
-async function handleChat(userInput: string) {
-  // 1. Check for injection attempts
-  const { detected } = containsInjectionAttempt(userInput);
-  if (detected) {
-    return "I can't process that request.";
-  }
+## Policy-as-Code
 
-  // 2. Rate limit per user
-  const { success } = await ratelimit.limit(userId);
-  if (!success) {
-    return "Too many requests. Please slow down.";
-  }
+Create `.ship-safe.policy.json` to enforce team-wide security standards:
 
-  // 3. Check budget before calling
-  await checkUserBudget(userId, estimatedCost);
-
-  // 4. Make the API call with token limits
-  const response = await openai.chat.completions.create({
-    model: 'gpt-4',
-    messages,
-    max_tokens: 500, // Hard cap
-  });
+```bash
+npx ship-safe policy init
+```
 
-  return response;
+```json
+{
+  "minimumScore": 70,
+  "failOn": "critical",
+  "requiredScans": ["secrets", "injection", "deps", "auth"],
+  "ignoreRules": [],
+  "customSeverityOverrides": {},
+  "maxAge": { "criticalCVE": "7d", "highCVE": "30d", "mediumCVE": "90d" }
 }
 ```
 
-### Cost Protection Layers
-
-1. **Token limits** - Cap input/output per request
-2. **Rate limits** - Cap requests per user (10/min)
-3. **Budget caps** - Daily ($1) and monthly ($10) per user
-4. **Circuit breaker** - Disable AI when global budget hit
-5. **Provider limits** - Set hard limits in OpenAI/Anthropic dashboard
-
-[Full cost protection guide →](./ai-defense/cost-protection.md)
-
 ---
 
-## Database Security
+## CI/CD Integration
 
-### Supabase RLS Templates
+```yaml
+# .github/workflows/security.yml
+name: Security Audit
 
-```sql
--- Users can only see their own data
-CREATE POLICY "Users own their data" ON items
-  FOR ALL USING (auth.uid() = user_id);
+on: [push, pull_request]
 
--- Read-only public data
-CREATE POLICY "Public read access" ON public_items
-  FOR SELECT USING (true);
-```
+jobs:
+  security:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
 
-[6 more RLS patterns →](./configs/supabase/rls-templates.sql)
+      - name: Full security audit
+        run: npx ship-safe audit . --no-ai --json
 
-### Firebase Security Rules
+      - name: Upload SARIF to GitHub Security tab
+        run: npx ship-safe audit . --no-ai --sarif > results.sarif
 
-```javascript
-// Users can only access their own documents
-match /users/{userId} {
-  allow read, write: if request.auth != null
-    && request.auth.uid == userId;
-}
+      - uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
 ```
 
-[Full Firestore rules template →](./configs/firebase/firestore-rules.txt)
-
 ---
 
-## API Security
-
-### CORS (Don't use `*` in production)
-
-```typescript
-const ALLOWED_ORIGINS = [
-  'https://yourapp.com',
-  'https://www.yourapp.com',
-];
+## Suppress False Positives
 
-// Only allow specific origins
-if (origin && ALLOWED_ORIGINS.includes(origin)) {
-  headers['Access-Control-Allow-Origin'] = origin;
-}
+**Inline:** Add `# ship-safe-ignore` comment on a line:
+```python
+password = get_password()  # ship-safe-ignore
 ```
 
-[CORS configs for Next.js, Express, Fastify, Hono →](./snippets/api-security/cors-config.ts)
-
-### Input Validation (Zod)
+**File-level:** Create `.ship-safeignore` (gitignore syntax):
+```gitignore
+# Exclude test fixtures
+tests/fixtures/
+*.test.js
 
-```typescript
-const createUserSchema = z.object({
-  email: z.string().email().max(255),
-  password: z.string().min(8).max(128),
-});
-
-const result = createUserSchema.safeParse(body);
-if (!result.success) {
-  return Response.json({ error: result.error.issues }, { status: 400 });
-}
+# Exclude documentation with code examples
+docs/
 ```
 
-[Full validation patterns →](./snippets/api-security/input-validation.ts)
-
 ---
 
-## CI/CD Integration
-
-Add to your GitHub Actions workflow:
-
-```yaml
-# .github/workflows/security.yml
-name: Security Scan
-
-on: [push, pull_request]
-
-jobs:
-  scan-secrets:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - name: Scan for secrets
-        run: npx ship-safe scan . --json
-```
+## OWASP Coverage
 
-The scan exits with code `1` if secrets are found, failing your build.
+| Standard | Coverage |
+|----------|----------|
+| **OWASP Top 10 Web 2025** | A01-A10: Broken Access Control, Cryptographic Failures, Injection, Insecure Design, Security Misconfiguration, Vulnerable Components, Auth Failures, Data Integrity, Logging Failures, SSRF |
+| **OWASP Top 10 Mobile 2024** | M1-M10: Improper Credential Usage, Inadequate Supply Chain, Insecure Auth, Insufficient Validation, Insecure Communication, Inadequate Privacy, Binary Protections, Security Misconfiguration, Insecure Data Storage, Insufficient Cryptography |
+| **OWASP LLM Top 10 2025** | LLM01-LLM10: Prompt Injection, Sensitive Info Disclosure, Supply Chain, Data Poisoning, Improper Output Handling, Excessive Agency, System Prompt Leakage, Vector/Embedding Weaknesses, Misinformation, Unbounded Consumption |
+| **OWASP CI/CD Top 10** | CICD-SEC-1 to 10: Insufficient Flow Control, Identity Management, Dependency Chain Abuse, Poisoned Pipeline Execution, Insufficient PBAC, Credential Hygiene, Insecure System Config, Ungoverned Usage, Improper Artifact Integrity, Insufficient Logging |
 
 ---
 
-## The 5-Minute Security Checklist
+## What's Inside
 
-1. ✅ Run `npx ship-safe scan .` on your project
-2. ✅ Run `npx ship-safe init` to add security configs
-3. ✅ Add security headers to your Next.js config
-4. ✅ Run `npx ship-safe checklist` before launching
-5. ✅ If using AI features, implement [cost protection](./ai-defense/cost-protection.md)
-6. ✅ If using Supabase, check the [RLS checklist](./configs/supabase/security-checklist.md)
-7. ✅ If using Firebase, check the [Firebase checklist](./configs/firebase/security-checklist.md)
+### [`/configs`](./configs)
+Drop-in security configs for Next.js, Supabase, and Firebase.
 
----
+### [`/snippets`](./snippets)
+Copy-paste security patterns: rate limiting, JWT, CORS, input validation.
 
-## Philosophy
+### [`/ai-defense`](./ai-defense)
+LLM security: prompt injection detection, cost protection, system prompt hardening.
 
-- **Low friction** - If it takes more than 5 minutes, people won't do it
-- **Educational** - Every config has comments explaining *why*
-- **Modular** - Take what you need, ignore the rest
-- **Copy-paste friendly** - No complex setup, just grab and go
+### [`/checklists`](./checklists)
+Manual security audits: launch-day checklist, framework-specific guides.
 
 ---
 
 ## Contributing
 
-Found a security pattern that saved your app? Share it!
-
 1. Fork the repo
-2. Add your checklist, config, or script
-3. Include educational comments explaining *why* it matters
+2. Add your security pattern, agent, or config
+3. Include comments explaining *why* it matters
 4. Open a PR
 
 See [CONTRIBUTING.md](./CONTRIBUTING.md) for guidelines.
@@ -437,11 +326,11 @@ See [CONTRIBUTING.md](./CONTRIBUTING.md) for guidelines.
 
 ## Security Standards Reference
 
-This toolkit is based on:
 - [OWASP Top 10 Web 2025](https://owasp.org/Top10/)
 - [OWASP Top 10 Mobile 2024](https://owasp.org/www-project-mobile-top-10/)
 - [OWASP LLM Top 10 2025](https://genai.owasp.org/llm-top-10/)
 - [OWASP API Security Top 10 2023](https://owasp.org/API-Security/)
+- [OWASP CI/CD Top 10](https://owasp.org/www-project-top-10-ci-cd-security-risks/)
 
 ---
 
@@ -451,6 +340,10 @@ MIT - Use it, share it, secure your stuff.
 
 ---
 
-**Remember: Security isn't about being paranoid. It's about being prepared.**
+## Star History
+
+[![Star History Chart](https://api.star-history.com/svg?repos=asamassekou10/ship-safe&type=Date)](https://star-history.com/#asamassekou10/ship-safe&Date)
+
+---
 
-Ship fast. Ship safe.
+**Ship fast. Ship safe.**