# CLI Reference
```
shipsafe [GLOBAL OPTIONS] <COMMAND>
```
## Global options
| Option | Default | Description |
|---|---|---|
| `-c, --config <PATH>` | `.shipsafe.yml` | Configuration file path |
| `--lang <LANG>` | `en` | Output language: `en`, `ja` |
| `-v, --verbose` | off | Debug-level logging |

## Commands
### `shipsafe scan`
Run the security gate.

| Option | Default | Description |
|---|---|---|
| `-p, --path <PATH>` | `.` | Directory to scan |
| `-s, --scanners <LIST>` | `sast,sca,secrets` | Comma-separated scanners |
| `-f, --format <FMT>` | `table` | `table`, `json`, `sarif` |
| `-o, --output <PATH>` | stdout | Write the report to a file |
| `--fail-on <SEV>` | `critical` | Exit 1 when findings at/above this severity exist: `critical`, `high`, `medium`, `low` |
| `--exclude-tests` | off | Drop findings in common test directories / test files |
| `--json-output <PATH>` | — | Additionally write JSON results (for CI integrations) |
| `--ai-triage` | off | AI triage via the Claude API (requires `ANTHROPIC_API_KEY`) |

Exit codes:

- `0` — no findings at or above the `--fail-on` threshold
- `1` — threshold exceeded (offending findings are listed on stderr)

SCA findings additionally honor `scanners.sca.fail-on-severity` from the
config; the stricter of the two thresholds wins.

With `--ai-triage` (or `ai.triage: true` in the config), findings the AI
classifies as false positives are excluded from the threshold check. They
remain in every report, annotated with the verdict, confidence, and reason.
Triage failures (missing key, network, API errors) print a warning and the
gate behaves exactly as if triage had not run.
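
The gate rules above, modelled as an added example (this is not ShipSafe's own code). The `Finding` field names and the `triage_ok` flag are hypothetical, and "stricter" is assumed to mean the threshold that trips at the lower severity.

```python
# Added illustration: models the documented gate rules; not ShipSafe source.
# Finding fields (scanner, severity, ai_verdict) are hypothetical names.
from dataclasses import dataclass
from typing import Optional

RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

@dataclass
class Finding:
    scanner: str                      # "sast", "sca" or "secrets"
    severity: str                     # a key of RANK
    ai_verdict: Optional[str] = None  # "false_positive" when triage said so

def effective_threshold(scanner, fail_on, sca_fail_on=None):
    """SCA uses the stricter (lower-severity) of --fail-on and the config value."""
    if scanner == "sca" and sca_fail_on is not None:
        return min(fail_on, sca_fail_on, key=RANK.__getitem__)
    return fail_on

def gate(findings, fail_on="critical", sca_fail_on=None, triage_ok=False):
    """Return (exit_code, offending findings) for one scan."""
    offending = []
    for f in findings:
        # Verdicts count only when triage actually completed; on a triage
        # failure the gate is evaluated as if triage had never run.
        if triage_ok and f.ai_verdict == "false_positive":
            continue
        limit = effective_threshold(f.scanner, fail_on, sca_fail_on)
        if RANK[f.severity] >= RANK[limit]:
            offending.append(f)
    return (1 if offending else 0), offending

# Constructed sample findings
SAMPLE = [
    Finding("sast", "high", ai_verdict="false_positive"),
    Finding("sca", "medium"),
    Finding("secrets", "low"),
]

if __name__ == "__main__":
    for kwargs in (
        {"fail_on": "high"},                                             # triage off or failed
        {"fail_on": "high", "triage_ok": True},                          # FP excluded
        {"fail_on": "high", "sca_fail_on": "medium", "triage_ok": True}, # SCA stricter
    ):
        code, hits = gate(SAMPLE, **kwargs)
        print(kwargs, "-> exit", code, [(h.scanner, h.severity) for h in hits])
```
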
### `shipsafe init`
Write a default `.shipsafe.yml` to the current directory.
### `shipsafe validate`
Validate `.shipsafe.yml` (or `--config <path>`): unknown keys (with
suggestions), enum values, regex/glob compilation, and `rules-paths`
existence. Exits 1 when problems are found.
### `shipsafe doctor`
Show which external scanners are installed:
```
ShipSafe Doctor
✔ Found semgrep SAST scanner
✔ Found trivy SCA / Container / IaC scanner
✘ Not found gitleaks Secret scanner
```
### `shipsafe version`
Print the version.
## Examples
```bash
# Gate a CI build on high-or-worse findings, writing SARIF for upload
shipsafe scan --fail-on high --format sarif --output results.sarif
# JSON results for both humans and machines
shipsafe scan --format table --json-output results.json
# Scan another directory in Japanese
shipsafe --lang ja scan -p ../my-app
# Only secrets, including git history (set scan-history: true in config)
shipsafe scan -s secrets
```