ShipSafe
Configuration

Customize what ShipSafe scans, which rules it runs, and how to suppress false positives.

.shipsafe.yml

Drop a .shipsafe.yml file in your project root to configure scan behavior. Generate one with:

npx @ship-safe/cli init

Full Example

.shipsafe.yml
# .shipsafe.yml — drop this in your project root

# Rules to include (default: all)
# Available categories: secrets, injection, xss, auth, authz,
# crypto, config, pii, baas, llm, headers, deps
rules:
  include:
    - secrets
    - injection
    - xss
    - auth
    - authz
    - crypto
    - config
    - pii
    - baas
    - llm
    - headers
    - deps
  # exclude:
  #   - deps    # skip dependency checks

# Glob patterns to exclude from scanning
exclude:
  - "node_modules"
  - ".git"
  - "dist"
  - "build"
  - "*.min.js"
  - "*.test.*"
  - "*.spec.*"

# Minimum severity to report: critical, high, medium, low
severity: low

Config Options

rules.include

List of rule categories to enable. If omitted, all categories are enabled.

Categories: secrets, injection, xss, auth, authz, crypto, config, pii, baas, llm, headers, deps

rules.exclude

List of rule categories to skip. Useful when you want most rules but need to disable a specific category.

exclude

Glob patterns for files and directories to skip. These are added on top of the default exclusions.

Default exclusions: node_modules, .git, .next, dist, build, coverage, *.min.js, *.map, lock files, test files

severity

Minimum severity to include in results. Options: critical, high, medium, low (default). Findings below this level are hidden.

.shipsafeignore

Suppress specific rules when they're false positives. Suppressed findings won't block CI and are marked as "suppressed" in the dashboard.

.shipsafeignore
# .shipsafeignore — suppress specific rules
# Format: rule-id # optional reason

# These findings won't block CI or show in reports
secrets/generic-api-key  # Test fixture, not a real key
xss/dangerously-set-html # Sanitized by DOMPurify
injection/eval-usage     # Required for plugin system

Managing rules via CLI

# Suppress a rule
npx @ship-safe/cli ignore secrets/generic-api-key -r "Test API key"

# Re-enable a rule
npx @ship-safe/cli unignore secrets/generic-api-key

Ignore File Format

Syntax | Meaning
secrets/aws-access-key | Suppress this rule ID
rule-id # reason | Suppress with a documented reason
# comment | Comment line (ignored)
(empty line) | Ignored
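To make the ignore-file rules and the severity threshold concrete, here is an added example (not ShipSafe's own code) that parses the .shipsafeignore format described above and applies it, together with a minimum severity, to a constructed list of findings. The finding objects, the rule IDs other than the two taken from the page, and the "open"/"suppressed" status fields are assumptions made for the example.

```javascript
// Added example, not ShipSafe's implementation: parse .shipsafeignore
// and apply it plus the .shipsafe.yml severity threshold to findings.

const SEVERITY_RANK = { low: 0, medium: 1, high: 2, critical: 3 };

// Parse .shipsafeignore text into a Map of rule-id -> reason (or null).
// Accepted lines: "rule-id", "rule-id # reason", "# comment", blank.
function parseIgnoreFile(text) {
  const suppressed = new Map();
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === '' || line.startsWith('#')) continue; // blank or comment
    const hashIdx = line.indexOf('#');
    const ruleId = (hashIdx === -1 ? line : line.slice(0, hashIdx)).trim();
    const reason = hashIdx === -1 ? null : line.slice(hashIdx + 1).trim() || null;
    if (ruleId) suppressed.set(ruleId, reason);
  }
  return suppressed;
}

// Findings below minSeverity are hidden; suppressed ones are kept but
// marked "suppressed", mirroring what the dashboard shows.
function applyConfig(findings, { minSeverity = 'low', suppressed = new Map() }) {
  const threshold = SEVERITY_RANK[minSeverity];
  if (threshold === undefined) throw new Error(`unknown severity: ${minSeverity}`);
  return findings
    .filter(f => SEVERITY_RANK[f.severity] >= threshold)
    .map(f => suppressed.has(f.ruleId)
      ? { ...f, status: 'suppressed', reason: suppressed.get(f.ruleId) }
      : { ...f, status: 'open' });
}

// Only findings that are still open should block CI.
function shouldBlockCI(results) {
  return results.some(r => r.status === 'open');
}

// Constructed sample input; rule IDs other than the first two are made up.
const IGNORE_TEXT = `# .shipsafeignore
secrets/generic-api-key  # Test fixture, not a real key

injection/eval-usage
`;
const FINDINGS = [
  { ruleId: 'secrets/generic-api-key', severity: 'critical' },
  { ruleId: 'injection/eval-usage', severity: 'high' },
  { ruleId: 'headers/missing-csp', severity: 'medium' },
  { ruleId: 'config/debug-enabled', severity: 'low' },
];

const results = applyConfig(FINDINGS, { minSeverity: 'medium', suppressed: parseIgnoreFile(IGNORE_TEXT) });
console.log(results, 'block CI:', shouldBlockCI(results));
```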

Supported File Types

ShipSafe scans these file types automatically. Files over 1MB are skipped.

JavaScript: .js, .jsx, .mjs, .cjs
TypeScript: .ts, .tsx
Python: .py
Ruby: .rb
Go: .go
Java: .java
PHP: .php
Rust: .rs
C#: .cs
Swift: .swift
Kotlin: .kt
Config: .env, .yml, .json

Tips

Commit your .shipsafeignore to version control so the whole team shares the same suppressions.

Always add a reason when suppressing a rule. Future-you will thank past-you.

ShipSafe respects .gitignore patterns automatically. You don't need to duplicate them in .shipsafe.yml.
