ship-safe 6.1.0 → 6.1.1

package/README.md CHANGED
@@ -17,7 +17,11 @@
17
17
 
18
18
  18 security agents. 80+ attack classes. One command.
19
19
 
20
- **Ship Safe v6.1** is an AI-powered security platform that runs 18 specialized agents in parallel against your codebase scanning for secrets, injection vulnerabilities, auth bypass, SSRF, supply chain attacks, Supabase RLS misconfigs, Docker/Terraform/Kubernetes misconfigs, CI/CD pipeline poisoning, LLM/agentic AI security, MCP server misuse, RAG poisoning, PII compliance, vibe coding patterns, exception handling, AI agent config security, and more. OWASP 2025 scoring with EPSS exploit probability. LLM-powered deep analysis verifies exploitability of critical findings. Secrets verification probes provider APIs to check if leaked keys are still active. Compliance mapping to SOC 2, ISO 27001, and NIST AI RMF. Built-in threat intelligence feed with offline-first IOC matching. CI integration with GitHub PR comments, threshold gating, and SARIF output.
20
+ **Ship Safe v6.1.1** is an AI-powered security platform that runs 18 specialized agents in parallel against your codebase, scanning for secrets, injection vulnerabilities, auth bypass, SSRF, supply chain attacks, Supabase RLS misconfigs, Docker/Terraform/Kubernetes misconfigs, CI/CD pipeline poisoning, LLM/agentic AI security, MCP server misuse, RAG poisoning, PII compliance, vibe coding patterns, exception handling, AI agent config security, and more. OWASP 2025 scoring with EPSS exploit probability. LLM-powered deep analysis verifies exploitability of critical findings. Secrets verification probes provider APIs to check if leaked keys are still active. Compliance mapping to SOC 2, ISO 27001, and NIST AI RMF. Built-in threat intelligence feed with offline-first IOC matching. CI integration with GitHub PR comments, threshold gating, and SARIF output.
21
+
22
+ **v6.1.1 highlights:** Supply chain hardening against the [March 2026 Trivy/CanisterWorm attack chain](https://shipsafecli.com/blog/supply-chain-attacks-2026-how-we-hardened-ship-safe). All GitHub Actions SHA-pinned, `postinstall` scripts disabled in CI, OIDC trusted publishing with provenance, CODEOWNERS on critical paths.
23
+
24
+ [Documentation](https://shipsafecli.com/docs) | [Blog](https://shipsafecli.com/blog) | [Pricing](https://shipsafecli.com/pricing)
21
25
 
22
26
  ---
23
27
 
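Review bot: The "v6.1.1 highlights" paragraph at new line 22 repeats four of the defenses that the "Supply Chain Hardening" table added further down this README lists in full, so the two lists can drift apart. Keep one sentence with the blog link here and let the table be the single list. The intro at new line 20 now hard-codes the patch version ("Ship Safe v6.1.1") and will need editing on every patch release; "v6.1" or no version avoids that. The attack chain is dated "March 2026" here and only "2026" in the later section; use one form in both places.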
@@ -557,6 +561,49 @@ Manual security audits: launch-day checklist, framework-specific guides.
557
561
 
558
562
  ---
559
563
 
564
+ ## Add a Security Badge to Your README
565
+
566
+ Show the world your project is secure. After running `npx ship-safe audit .` or `npx ship-safe vibe-check . --badge`, add one of these to your README:
567
+
568
+ ```markdown
569
+ <!-- Replace GRADE and COLOR with your results -->
570
+ [![Ship Safe](https://img.shields.io/badge/Ship_Safe-A+-22c55e)](https://shipsafecli.com)
571
+ ```
572
+
573
+ | Grade | Badge |
574
+ |-------|-------|
575
+ | A+ | `[![Ship Safe](https://img.shields.io/badge/Ship_Safe-A+-22c55e)](https://shipsafecli.com)` |
576
+ | A | `[![Ship Safe](https://img.shields.io/badge/Ship_Safe-A-22c55e)](https://shipsafecli.com)` |
577
+ | B | `[![Ship Safe](https://img.shields.io/badge/Ship_Safe-B-06b6d4)](https://shipsafecli.com)` |
578
+ | C | `[![Ship Safe](https://img.shields.io/badge/Ship_Safe-C-eab308)](https://shipsafecli.com)` |
579
+ | D | `[![Ship Safe](https://img.shields.io/badge/Ship_Safe-D-ef4444)](https://shipsafecli.com)` |
580
+ | F | `[![Ship Safe](https://img.shields.io/badge/Ship_Safe-F-dc2626)](https://shipsafecli.com)` |
581
+
582
+ ---
583
+
584
+ ## Supply Chain Hardening
585
+
586
+ Ship Safe practices what it preaches. Our own supply chain is hardened against the [2026 Trivy/CanisterWorm attack chain](https://shipsafecli.com/blog/supply-chain-attacks-2026-how-we-hardened-ship-safe):
587
+
588
+ | Defense | What It Blocks |
589
+ |---------|---------------|
590
+ | All GitHub Actions pinned to full commit SHAs | Tag repointing (Trivy-style) |
591
+ | `permissions: contents: read` in CI | Excessive token scope |
592
+ | `npm ci --ignore-scripts` in all pipelines | CanisterWorm postinstall propagation |
593
+ | OIDC trusted publishing with provenance | Stolen npm token publishing |
594
+ | CODEOWNERS on `action.yml`, `.github/`, `package.json` | Unauthorized changes to critical paths |
595
+ | Strict `files` allowlist in package.json | Accidental inclusion of secrets/configs |
596
+ | Self-scanning with ship-safe in CI | Malicious code injection |
597
+ | 5 direct dependencies | Minimal transitive attack surface |
598
+
599
+ Verify provenance on any Ship Safe release:
600
+
601
+ ```bash
602
+ npm audit signatures
603
+ ```
604
+
605
+ ---
606
+
560
607
  ## Contributing
561
608
 
562
609
  1. Fork the repo
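Review bot: The badge snippet at new lines 569-570 tells the reader to "Replace GRADE and COLOR with your results", but the URL below it contains the literal values `A+` and `22c55e` rather than placeholders. Either write the URL as `Ship_Safe-GRADE-COLOR` or change the comment to point at the table. The badge is also a static shields.io image that is not tied to any scan output, so "Show the world your project is secure" at new line 566 overstates what it shows; say that the grade is self-reported, or link the badge to the project's published report instead of shipsafecli.com. In the "Supply Chain Hardening" section, `npm audit signatures` at new line 602 checks the packages installed in the current project, so the text should say to run it in a project where ship-safe is installed; readers who only use `npx ship-safe` will not get a result for this package from that command as written.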