Ship Safe

Don't let vibe coding leak your API keys.

You're shipping fast. You're using AI to write code. You're one git push away from exposing your database credentials to the world.

Ship Safe is a security toolkit for indie hackers and vibe coders who want to secure their MVP in 5 minutes, not 5 days.

![npm version](https://www.npmjs.com/package/ship-safe)
![License: MIT](https://opensource.org/licenses/MIT)

---

Quick Start

``bash

`Scan your project for leaked secrets (no install required!)`


npx ship-safe scan .
Run the launch-day security checklist

npx ship-safe checklist
Add security configs to your project

npx ship-safe init


That's it. Three commands to secure your MVP.
$3
Copy this prompt to your AI coding assistant:

`Run "npx ship-safe scan ." on my project and fix any secrets you find. Then run "npx ship-safe init" to add security configs. Explain what you're doing as you go.`

More AI prompts for specific frameworks

---

`Why This Exists`

Vibe coding is powerful. You can build a SaaS in a weekend. But speed creates blind spots:

- AI-generated code often hardcodes secrets - Default configs ship with debug mode enabled - "I'll fix it later" becomes "I got hacked"

This repo is your co-pilot for security. Copy, paste, ship safely.

---

`CLI Commands`

`$3`

Scans your codebase for leaked secrets: API keys, passwords, private keys, database URLs.

`bash

`Scan current directory`


npx ship-safe scan .
Scan a specific folder

npx ship-safe scan ./src
Get JSON output (for CI pipelines)

npx ship-safe scan . --json
Verbose mode (show files being scanned)

npx ship-safe scan . -v

Exit codes: Returns 1 if secrets found (useful for CI), 0 if clean.

Detects 50+ secret patterns: - AI/ML: OpenAI, Anthropic, Google AI, Cohere, Replicate, Hugging Face - Auth: Clerk, Auth0, Supabase Auth - Cloud: AWS, Google Cloud, Azure - Database: Supabase, PlanetScale, Neon, MongoDB, PostgreSQL, MySQL - Payment: Stripe, PayPal - Messaging: Twilio, SendGrid, Resend - And more: GitHub tokens, private keys, JWTs, generic secrets

---

`$3`

Interactive 10-point security checklist for launch day.

`bash

`Interactive mode (prompts for each item)`


npx ship-safe checklist
Print checklist without prompts

npx ship-safe checklist --no-interactive


Covers: exposed .git folders, debug mode, RLS policies, hardcoded keys, HTTPS, security headers, rate limiting, and more.
---
$3
Initialize security configs in your project.

`bash

`Add all security configs`


npx ship-safe init
Only add .gitignore patterns

npx ship-safe init --gitignore
Only add security headers config

npx ship-safe init --headers
Force overwrite existing files

npx ship-safe init -f

What it copies: -.gitignore- Patterns to prevent committing secrets -security-headers.config.js - Drop-in Next.js security headers

---

`What's Inside`

`$3`


Manual security audits you can do in 5 minutes.
- Launch Day Checklist - 10 things to check before you go live
$3

Secure defaults for popular stacks. Drop-in ready.
| Stack | Files |
|-------|-------|
| Next.js | Security Headers - CSP, X-Frame-Options, HSTS |
| Supabase | RLS Templates \| Security Checklist \| Secure Client |
| Firebase | Firestore Rules \| Storage Rules \| Security Checklist |
$3

Copy-paste code blocks for common security patterns.
| Category | Files |
|----------|-------|
| Rate Limiting | Upstash Redis \| Next.js Middleware |
| Authentication | JWT Security Checklist |
| API Security | CORS Config \| Input Validation \| API Checklist |
$3

Protect your AI features from abuse and cost explosions.
| File | Description |
|------|-------------|
| LLM Security Checklist | Based on OWASP LLM Top 10 - prompt injection, data protection, scope control |
| Prompt Injection Patterns | Regex patterns to detect 25+ injection attempts |
| Cost Protection Guide | Prevent $50k surprise bills - rate limits, budget caps, circuit breakers |
| System Prompt Armor | Template for hardened system prompts |
$3

Automated scanning tools. Run them in CI or locally.
- Secret Scanner - Python version of the secret scanner
---
AI/LLM Security
Building with AI? Don't let it bankrupt you or get hijacked.
$3

`typescript import { containsInjectionAttempt } from './ai-defense/prompt-injection-patterns';

async function handleChat(userInput: string) { // 1. Check for injection attempts const { detected } = containsInjectionAttempt(userInput); if (detected) { return "I can't process that request."; }

// 2. Rate limit per user const { success } = await ratelimit.limit(userId); if (!success) { return "Too many requests. Please slow down."; }

// 3. Check budget before calling await checkUserBudget(userId, estimatedCost);

// 4. Make the API call with token limits const response = await openai.chat.completions.create({ model: 'gpt-4', messages, max_tokens: 500, // Hard cap });

return response; }`

`$3`

1. Token limits - Cap input/output per request 2. Rate limits - Cap requests per user (10/min) 3. Budget caps - Daily ($1) and monthly ($10) per user 4. Circuit breaker - Disable AI when global budget hit 5. Provider limits - Set hard limits in OpenAI/Anthropic dashboard

Full cost protection guide →

---

`Database Security`

`$3`

`sql -- Users can only see their own data CREATE POLICY "Users own their data" ON items FOR ALL USING (auth.uid() = user_id);

-- Read-only public data CREATE POLICY "Public read access" ON public_items FOR SELECT USING (true);`

6 more RLS patterns →

`$3`

`javascript // Users can only access their own documents match /users/{userId} { allow read, write: if request.auth != null && request.auth.uid == userId; }`

Full Firestore rules template →

---

`API Security`

`$3`

`typescript const ALLOWED_ORIGINS = [ 'https://yourapp.com', 'https://www.yourapp.com', ];

// Only allow specific origins if (origin && ALLOWED_ORIGINS.includes(origin)) { headers['Access-Control-Allow-Origin'] = origin; }`

CORS configs for Next.js, Express, Fastify, Hono →

`$3`

`typescript const createUserSchema = z.object({ email: z.string().email().max(255), password: z.string().min(8).max(128), });

const result = createUserSchema.safeParse(body); if (!result.success) { return Response.json({ error: result.error.issues }, { status: 400 }); }`

Full validation patterns →

---

`CI/CD Integration`

Add to your GitHub Actions workflow:

`yaml

`.github/workflows/security.yml`


name: Security Scan
on: [push, pull_request]

jobs: scan-secrets: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Scan for secrets run: npx ship-safe scan . --json`

The scan exits with code 1 if secrets are found, failing your build.

---

`The 5-Minute Security Checklist`

1. ✅ Run npx ship-safe scan .on your project 2. ✅ Runnpx ship-safe initto add security configs 3. ✅ Add security headers to your Next.js config 4. ✅ Runnpx ship-safe checklist` before launching
5. ✅ If using AI features, implement cost protection
6. ✅ If using Supabase, check the RLS checklist
7. ✅ If using Firebase, check the Firebase checklist

---

Philosophy

- Low friction - If it takes more than 5 minutes, people won't do it
- Educational - Every config has comments explaining why
- Modular - Take what you need, ignore the rest
- Copy-paste friendly - No complex setup, just grab and go

---

Contributing

Found a security pattern that saved your app? Share it!

1. Fork the repo
2. Add your checklist, config, or script
3. Include educational comments explaining why it matters
4. Open a PR

See CONTRIBUTING.md for guidelines.

---

Security Standards Reference

This toolkit is based on:
- OWASP Top 10 Web 2025
- OWASP Top 10 Mobile 2024
- OWASP LLM Top 10 2025
- OWASP API Security Top 10 2023

---

License

MIT - Use it, share it, secure your stuff.

---

Remember: Security isn't about being paranoid. It's about being prepared.

Ship fast. Ship safe.

Ship Safe

Don't let vibe coding leak your API keys.

You're shipping fast. You're using AI to write code. You're one git push away from exposing your database credentials to the world.

Ship Safe is a security toolkit for indie hackers and vibe coders who want to secure their MVP in 5 minutes, not 5 days.

![npm version](https://www.npmjs.com/package/ship-safe)
![License: MIT](https://opensource.org/licenses/MIT)

---

Quick Start

``bash

`Scan your project for leaked secrets (no install required!)`


npx ship-safe scan .
Run the launch-day security checklist

npx ship-safe checklist
Add security configs to your project

npx ship-safe init


That's it. Three commands to secure your MVP.
$3
Copy this prompt to your AI coding assistant:

`Run "npx ship-safe scan ." on my project and fix any secrets you find. Then run "npx ship-safe init" to add security configs. Explain what you're doing as you go.`

More AI prompts for specific frameworks

---

`Why This Exists`

Vibe coding is powerful. You can build a SaaS in a weekend. But speed creates blind spots:

- AI-generated code often hardcodes secrets - Default configs ship with debug mode enabled - "I'll fix it later" becomes "I got hacked"

This repo is your co-pilot for security. Copy, paste, ship safely.

---

`CLI Commands`

`$3`

Scans your codebase for leaked secrets: API keys, passwords, private keys, database URLs.

`bash

`Scan current directory`


npx ship-safe scan .
Scan a specific folder

npx ship-safe scan ./src
Get JSON output (for CI pipelines)

npx ship-safe scan . --json
Verbose mode (show files being scanned)

npx ship-safe scan . -v

Exit codes: Returns 1 if secrets found (useful for CI), 0 if clean.

---

`$3`

Interactive 10-point security checklist for launch day.

`bash

`Interactive mode (prompts for each item)`


npx ship-safe checklist
Print checklist without prompts

npx ship-safe checklist --no-interactive


Covers: exposed .git folders, debug mode, RLS policies, hardcoded keys, HTTPS, security headers, rate limiting, and more.
---
$3
Initialize security configs in your project.

`bash

`Add all security configs`


npx ship-safe init
Only add .gitignore patterns

npx ship-safe init --gitignore
Only add security headers config

npx ship-safe init --headers
Force overwrite existing files

npx ship-safe init -f

What it copies: -.gitignore- Patterns to prevent committing secrets -security-headers.config.js - Drop-in Next.js security headers

---

`What's Inside`

`$3`


Manual security audits you can do in 5 minutes.
- Launch Day Checklist - 10 things to check before you go live
$3

Secure defaults for popular stacks. Drop-in ready.
| Stack | Files |
|-------|-------|
| Next.js | Security Headers - CSP, X-Frame-Options, HSTS |
| Supabase | RLS Templates \| Security Checklist \| Secure Client |
| Firebase | Firestore Rules \| Storage Rules \| Security Checklist |
$3

Copy-paste code blocks for common security patterns.
| Category | Files |
|----------|-------|
| Rate Limiting | Upstash Redis \| Next.js Middleware |
| Authentication | JWT Security Checklist |
| API Security | CORS Config \| Input Validation \| API Checklist |
$3

Protect your AI features from abuse and cost explosions.
| File | Description |
|------|-------------|
| LLM Security Checklist | Based on OWASP LLM Top 10 - prompt injection, data protection, scope control |
| Prompt Injection Patterns | Regex patterns to detect 25+ injection attempts |
| Cost Protection Guide | Prevent $50k surprise bills - rate limits, budget caps, circuit breakers |
| System Prompt Armor | Template for hardened system prompts |
$3

Automated scanning tools. Run them in CI or locally.
- Secret Scanner - Python version of the secret scanner
---
AI/LLM Security
Building with AI? Don't let it bankrupt you or get hijacked.
$3

`typescript import { containsInjectionAttempt } from './ai-defense/prompt-injection-patterns';

async function handleChat(userInput: string) { // 1. Check for injection attempts const { detected } = containsInjectionAttempt(userInput); if (detected) { return "I can't process that request."; }

// 2. Rate limit per user const { success } = await ratelimit.limit(userId); if (!success) { return "Too many requests. Please slow down."; }

// 3. Check budget before calling await checkUserBudget(userId, estimatedCost);

// 4. Make the API call with token limits const response = await openai.chat.completions.create({ model: 'gpt-4', messages, max_tokens: 500, // Hard cap });

return response; }`

`$3`

Full cost protection guide →

---

`Database Security`

`$3`

`sql -- Users can only see their own data CREATE POLICY "Users own their data" ON items FOR ALL USING (auth.uid() = user_id);

-- Read-only public data CREATE POLICY "Public read access" ON public_items FOR SELECT USING (true);`

6 more RLS patterns →

`$3`

`javascript // Users can only access their own documents match /users/{userId} { allow read, write: if request.auth != null && request.auth.uid == userId; }`

Full Firestore rules template →

---

`API Security`

`$3`

`typescript const ALLOWED_ORIGINS = [ 'https://yourapp.com', 'https://www.yourapp.com', ];

// Only allow specific origins if (origin && ALLOWED_ORIGINS.includes(origin)) { headers['Access-Control-Allow-Origin'] = origin; }`

CORS configs for Next.js, Express, Fastify, Hono →

`$3`

`typescript const createUserSchema = z.object({ email: z.string().email().max(255), password: z.string().min(8).max(128), });

const result = createUserSchema.safeParse(body); if (!result.success) { return Response.json({ error: result.error.issues }, { status: 400 }); }`

Full validation patterns →

---

`CI/CD Integration`

Add to your GitHub Actions workflow:

`yaml

`.github/workflows/security.yml`


name: Security Scan
on: [push, pull_request]

jobs: scan-secrets: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Scan for secrets run: npx ship-safe scan . --json`

The scan exits with code 1 if secrets are found, failing your build.

---

`The 5-Minute Security Checklist`

---

Philosophy

---

Contributing

Found a security pattern that saved your app? Share it!

1. Fork the repo
2. Add your checklist, config, or script
3. Include educational comments explaining why it matters
4. Open a PR

See CONTRIBUTING.md for guidelines.

---

Security Standards Reference

This toolkit is based on:
- OWASP Top 10 Web 2025
- OWASP Top 10 Mobile 2024
- OWASP LLM Top 10 2025
- OWASP API Security Top 10 2023

---

License

MIT - Use it, share it, secure your stuff.

---

Remember: Security isn't about being paranoid. It's about being prepared.

Ship fast. Ship safe.