ship-safe
GitHub在提交代码前运行ship-safe扫描,检查密钥、漏洞及风险模式。需启用环境变量后使用,解析结果按严重性分类:关键问题必须修复,警告供参考,确保发布安全。
Trigger Scenarios
Install
npx skills add kinncj/Heimdall --skill ship-safe -g -y
SKILL.md
Frontmatter
{
"name": "ship-safe",
"description": "Run ship-safe security and quality audit on the current project. Executes npx ship-safe audit . and reports findings by severity. Use before shipping any feature or PR."
}
SKILL: Ship-Safe Audit
What It Does
Runs ship-safe — a pre-ship security and quality scanner that checks for secrets, vulnerabilities, and risky patterns before code reaches production.
Usage
npx ship-safe audit .
Run from the project root. No install required (npx fetches it on demand).
Opt-In
Ship-safe is disabled by default. To enable it:
- CI/CD: set the repository variable
ENABLE_SHIP_SAFE=truein GitHub → Settings → Variables - Agents / local: set env var
ENABLE_SHIP_SAFE=truebefore invoking/ship-safe
When to Use
Only run if ENABLE_SHIP_SAFE=true is set. When enabled, appropriate moments are:
- Before opening a PR
- After adding new dependencies
- Before merging any feature branch to main
- After touching auth, secrets handling, or infra config
Output Interpretation
| Symbol / keyword | Severity | Action |
|---|---|---|
✓ PASS / ok / no issues |
Clean | Safe to ship |
⚠ WARN / MEDIUM / LOW |
Advisory | Review before shipping |
✗ FAIL / ERROR / CRITICAL / HIGH |
Blocker | Must fix before shipping |
Agent Instructions
- Run
npx ship-safe audit .from the repo root. - Parse stdout for CRITICAL/HIGH findings — these are blockers.
- For each blocker: report the file, line, and finding description.
- For MEDIUM/LOW: report as advisory, do not block.
- If all checks pass: confirm "ship-safe: clean" and proceed.
- If blockers found: halt the task, report findings to Orchestrator.
Example Integration (architect / pre-ship checklist)
/ship-safe
The skill runs the audit, colors findings by severity, and surfaces blockers before any merge action.
Version History
- f4ea31f Current 2026-07-05 10:44


