ship-safe
GitHub执行ship-safe安全与质量审计,检查密钥、漏洞及风险模式。需在启用环境变量后使用,适用于PR前或合并前。根据严重性分类结果:高危阻断,中低危提示,确保代码发布安全。
触发场景
安装
npx skills add kinncj/Heimdall --skill ship-safe -g -y
SKILL.md
Frontmatter
{
"name": "ship-safe",
"description": "Run ship-safe security and quality audit on the current project. Executes npx ship-safe audit . and reports findings by severity. Use before shipping any feature or PR."
}
SKILL: Ship-Safe Audit
What It Does
Runs ship-safe — a pre-ship security and quality scanner that checks for secrets, vulnerabilities, and risky patterns before code reaches production.
Usage
npx ship-safe audit .
Run from the project root. No install required (npx fetches it on demand).
Opt-In
Ship-safe is disabled by default. To enable it:
- CI/CD: set the repository variable
ENABLE_SHIP_SAFE=truein GitHub → Settings → Variables - Agents / local: set env var
ENABLE_SHIP_SAFE=truebefore invoking/ship-safe
When to Use
Only run if ENABLE_SHIP_SAFE=true is set. When enabled, appropriate moments are:
- Before opening a PR
- After adding new dependencies
- Before merging any feature branch to main
- After touching auth, secrets handling, or infra config
Output Interpretation
| Symbol / keyword | Severity | Action |
|---|---|---|
✓ PASS / ok / no issues |
Clean | Safe to ship |
⚠ WARN / MEDIUM / LOW |
Advisory | Review before shipping |
✗ FAIL / ERROR / CRITICAL / HIGH |
Blocker | Must fix before shipping |
Agent Instructions
- Run
npx ship-safe audit .from the repo root. - Parse stdout for CRITICAL/HIGH findings — these are blockers.
- For each blocker: report the file, line, and finding description.
- For MEDIUM/LOW: report as advisory, do not block.
- If all checks pass: confirm "ship-safe: clean" and proceed.
- If blockers found: halt the task, report findings to Orchestrator.
Example Integration (architect / pre-ship checklist)
/ship-safe
The skill runs the audit, colors findings by severity, and surfaces blockers before any merge action.
版本历史
- f4ea31f 当前 2026-07-05 10:41


