Question 1

What is ShipSafe?

Accepted Answer

ShipSafe is a security scanner built specifically for AI-generated code. It scans your actual GitHub repository — not just a URL — using 30+ security checks to find vulnerabilities that AI coding tools like Cursor, Lovable, Bolt, v0, and Replit commonly introduce. Paste a GitHub URL and get a plain-English security report in under 2 minutes.

Question 2

How does ShipSafe work?

Accepted Answer

ShipSafe clones your GitHub repository and performs deep static analysis including authentication flow analysis, authorization boundary checking, secret detection, and OWASP Top 10 vulnerability scanning. Unlike URL-based scanners that only check surface-level issues, ShipSafe reads your actual codebase to find logic-level bugs like inverted auth conditions and missing ownership checks.

Question 3

Is ShipSafe free?

Accepted Answer

Yes. ShipSafe offers a free plan with 3 scans per month, no credit card required. Paid plans start at $12/month for CLI access with unlimited scans and CI/CD integration via GitHub Actions.

Question 4

What vulnerabilities does ShipSafe detect?

Accepted Answer

ShipSafe detects IDOR (Insecure Direct Object References), inverted authentication logic, frontend-only role checks, hardcoded API keys and secrets, SQL injection, cross-site scripting (XSS), CSRF vulnerabilities, missing rate limiting, and more across the OWASP Top 10 categories. In our scan of 100 AI-built apps, 67% had at least one critical vulnerability.

Question 5

Is Cursor safe?

Accepted Answer

Cursor the editor is SOC 2 Type II certified. However, three CVEs were published against it in 2025, and the code it generates contains vulnerabilities roughly 45% of the time according to Stanford research. ShipSafe is built to catch the security issues that Cursor's AI introduces into your codebase.

Question 6

How is ShipSafe different from other security scanners?

Accepted Answer

ShipSafe scans your actual GitHub repository source code, not just a deployed URL. It uses AI to understand authentication flows and authorization logic — catching bugs like inverted auth conditions that regex-based scanners miss. It's specifically tuned for patterns that AI coding tools like Cursor, Lovable, and Bolt commonly generate.

Security research

Cursor Security Risks: CVEs, Prompt Injection, and Code Vulnerabilities (2026)

Is Cursor Safe? We Scanned 100 Apps — 67% Had Critical Vulnerabilities

5 Security Vulnerabilities Every Lovable App Has (And How to Fix Them)

Bolt.new Security Guide: How to Ship Without Getting Hacked

AI-Generated Code Security: The Risks Nobody Talks About

The Vibe Coding Security Checklist (2026): Ship Fast, Stay Safe

v0 by Vercel: 4 Security Gaps in Every Generated App (And the Fixes)

Replit Agent Security Guide: What It Misses and How to Fix It

Your Supabase App Has No Row Level Security: A Vibe Coder's Fix Guide