MCPcopy Index your code
hub / github.com/ShipSecAI/studio

github.com/ShipSecAI/studio @v0.2.1

Chat with this repo
repository ↗ · DeepWiki ↗ · release v0.2.1 ↗ · + Follow
3,678 symbols 10,282 edges 687 files 214 documented · 6%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

ShipSec AI

Version License Discord

ShipSec Studio

Open-Source Security Workflow Orchestration Platform.

ShipSec is currently in active development. We are optimizing the platform for stable production use and high-performance security operations.

ShipSec Studio provides a visual DSL and runtime for building, executing, and monitoring automated security workflows. It decouples security logic from infrastructure management, providing a durable and isolated environment for running security tooling at scale.

ShipSec Studio Demo

Watch the platform in action on YouTube.


🏗️ Core Pillars

  • Durable, resumable workflows powered by Temporal.io for stateful execution across failures.
  • Isolated security runtimes using ephemeral containers with per-run volume management.
  • Unified telemetry streams delivering terminal output, events, and logs via a low-latency SSE pipeline.
  • Visual no-code builder that compiles complex security graphs into an executable DSL.

🚀 Deployment Options

1. Shipsec Self-Host with Docker (Recommended)

The easiest way to run ShipSec Studio on your own infrastructure:

One-Line Install

curl -fsSL https://raw.githubusercontent.com/ShipSecAI/studio/main/install.sh | bash

This installer will:

  • Check and install missing dependencies (docker, just, curl, jq, git)
  • Start Docker if not running
  • Clone the repository and start all services
  • Guide you through any required setup steps

Once complete, visit http://localhost to access ShipSec Studio.

2. ShipSec Cloud (Preview)

The fastest way to test ShipSec Studio without managing infrastructure.

  • Try it out: studio.shipsec.ai
  • Note: ShipSec Studio is under active development. The cloud environment is a technical preview for evaluation and sandbox testing.

3. Self-Host (Docker)

For teams requiring data residency and air-gapped security orchestrations. This setup runs the full stack (Frontend, Backend, Worker, and Infrastructure).

Prerequisites:

  • docker - For running the application and security components
  • just - Command runner for simplified workflows
  • curl and jq - For fetching release information
# Clone and start the latest stable release
git clone https://github.com/ShipSecAI/studio.git
cd studio
just prod start-latest

Access the studio at http://localhost.


🛠️ Capabilities

Integrated Tooling

Native support for industry-standard security tools including:

  • Discovery: Subfinder, DNSX, Naabu, HTTPx
  • Vulnerability: Nuclei, TruffleHog
  • Utility: JSON Transform, Logic Scripts, HTTP Requests

Advanced Orchestration

  • Human-in-the-Loop: Pause workflows for approvals, form inputs, or manual validation before continuing.
  • AI-Driven Analysis: Leverage LLM nodes and MCP providers for intelligent results interpretation.
  • Native Scheduling: Integrated CRON support for recurring security posture and compliance monitoring.
  • API First: Trigger and monitor any workflow execution via a comprehensive REST API.

MCP Integration

  • MCP Library: Centralized MCP server management with multi-server selection and automatic tool registration
  • Built-in MCP Servers: AWS CloudTrail, CloudWatch, and Filesystem support out-of-the-box
  • Seamless Tool Discovery: AI Agents automatically discover and use MCP tools via standardized contracts

🏛️ Architecture Overview

ShipSec Studio is designed for enterprise-grade durability and horizontal scalability.

  • Management Plane (Backend): NestJS service handling DSL compilation, secret management (AES-256-GCM), and identity.
  • Orchestration Plane (Temporal): Manages workflow state, concurrency, and persistent wait states.
  • Execution Plane (Worker): Stateless agents that pull tasks from Temporal and execute tool-bound activities in isolated runtimes.
  • Monitoring (SSE/Loki): Real-time telemetry pipeline for deterministic execution visibility.

Learn more about our design decisions and system components in the Architecture Deep-dive.


🤝 Community & Support

  • 💬 Discord — Real-time support and community discussion.
  • 🗣️ GitHub Discussions — Technical RFCs and feature requests.
  • 📚 Documentation — Full guides on component development and deployment.

🔀 Multi-Instance Development

Run multiple isolated dev instances on one machine for parallel feature work:

# Instance 0 (default)
just dev

# Instance 1 — offset ports (frontend :5273, backend :3311)
SHIPSEC_INSTANCE=1 just dev

Each instance gets its own frontend port, backend port, database, and Temporal namespace while sharing a single Docker infra stack. See Multi-Instance Development Guide for full details.


✍️ Contributing

We welcome contributions to the management plane, worker logic, or new security components. See CONTRIBUTING.md for architectural guidelines and setup instructions.


License

ShipSec Studio is licensed under the Apache License 2.0.

Engineered for security teams by the ShipSec AI team.

Extension points exported contracts — how you extend this code

ISecretsService (Interface)
(no doc) [10 implementers]
packages/component-sdk/src/interfaces.ts
WorkflowLogSink (Interface)
(no doc) [8 implementers]
worker/src/temporal/types.ts
AuthProviderStrategy (Interface)
(no doc) [5 implementers]
backend/src/auth/providers/auth-provider.interface.ts
GraphState (Interface)
* Graph state that is tracked for undo/redo
frontend/src/store/workflowHistoryStore.ts
ClientConfig (Interface)
(no doc)
packages/backend-client/src/api-client.ts
CategoryColorToken (Interface)
(no doc)
packages/shared/src/component-categories.ts
AwsCliResult (Interface)
(no doc)
e2e-tests/helpers/aws-eventbridge.ts
ApiKeyResponse (Interface)
(no doc)
e2e-tests/studio-mcp/studio-mcp-agent.test.ts

Core symbols most depended-on inside this repo

push
called by 487
worker/src/adapters/loki-log.adapter.ts
get
called by 380
packages/component-sdk/src/interfaces.ts
port
called by 350
packages/component-sdk/src/schema-builders.ts
error
called by 285
worker/src/utils/debug-logger.ts
cn
called by 272
frontend/src/lib/utils.ts
parse
called by 266
backend/src/workflows/workflows.service.ts
param
called by 219
packages/component-sdk/src/schema-builders.ts
from
called by 204
packages/component-sdk/src/errors.ts

Shape

Function 1,431
Method 1,165
Class 553
Interface 529

Languages

TypeScript100%

Modules by API surface

packages/backend-client/src/api-client.ts83 symbols
backend/src/workflows/workflows.service.ts66 symbols
packages/component-sdk/src/errors.ts47 symbols
backend/src/integrations/integrations.service.ts43 symbols
backend/src/workflows/workflows.controller.ts39 symbols
frontend/src/pages/McpLibraryPage.tsx38 symbols
frontend/src/components/timeline/AgentTracePanel.tsx33 symbols
backend/src/workflows/dto/workflow-graph.dto.ts32 symbols
backend/src/temporal/temporal.service.ts32 symbols
worker/src/temporal/types.ts30 symbols
frontend/src/types/bun-test.d.ts29 symbols
backend/src/mcp-servers/mcp-servers.service.ts27 symbols

Datastores touched

shipsecDatabase · 1 repos

For agents

$ claude mcp add studio \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact