For people who build with AI

You built your app with AI. Is it secure?

Your secret keys. Your users' private data. AI coding tools can leave them exposed without ever telling you, and you usually can't spot it by looking. CodeInspectus checks your code for you, on your own computer, with nothing uploaded.

How it works in 30 seconds

Four plain steps. No security degree required.

01

Your AI assistant runs it

You don't open a dashboard or learn a tool. The AI coding assistant you already use calls CodeInspectus for you.

02

It checks your code locally

It reads your project on your own machine and looks for exposed secrets, open data, and risky code. Nothing is sent anywhere.

03

It explains problems plainly

Each issue comes with what it is, where it is, and why it matters to you, in normal language.

04

It asks before fixing

Nothing in your code changes until you say yes. You stay in control of every edit.

What it checks for

The mistakes AI-built apps make most.

Four kinds of problem, in plain terms. Each one is something a non-expert can ship by accident, and an attacker can find on purpose.

Exposed secret keys

Keys that were never meant to be public

Passwords, API keys, and tokens that ended up sitting in your code, including ones accidentally bundled into the app your visitors download to their own browsers.

Why it matters: anyone who finds one can run up charges on your accounts or reach the data behind them.

Open databases

Can strangers read your users' private data?

When an AI tool sets up a database, it often leaves the doors open, so any visitor can read, or even change, other people's records.

Why it matters: this is the most common way AI-built apps expose private user data.

AI-specific traps

When your own AI can be tricked

If your app feeds outside text into an AI model, an attacker can hide instructions inside that text and push the model into misusing the access you gave it.

Why it matters: a newer risk older tools don't look for. We flag it as a possibility, never a certainty.

Outdated packages

Known holes in your building blocks

The open-source packages your app is built on can have publicly known weaknesses, often with a fix already available that you simply haven't picked up.

Why it matters: attackers scan for exactly these, because the weakness is already public knowledge.

Works on any language for exposed secrets and vulnerable dependencies. The deeper AI-code checks are built for JavaScript and TypeScript apps today, with more languages coming.

Your code stays yours

Everything stays on your computer.

Your code never leaves your machine. No account. No upload. No company sees your code, not even us. And you can check this yourself.

CodeInspectus runs as a small program on your own computer. Your AI assistant talks to it directly, the checks run locally, and nothing phones home. There is no sign-in and no telemetry, ever. The single time it uses the network is the one-off install, when it downloads the scanning engines and verifies them. After that you can unplug the internet and every scan still works.

How you use it

You don't run it. Your assistant does.

CodeInspectus plugs into the AI coding tools you already use: Claude Code, Cursor, Codex, Windsurf, and Cline. Here is the loop it follows, and the promises built into it.

What you get, and what you don't

What we honestly don't claim.

Trust comes from being precise about the edges. Here is what CodeInspectus is not, said plainly and up front.

Not a certificate

It is not an audit or a pass

CodeInspectus is not a security audit or a certification. It finds real problems. It does not declare your app safe, and a clean run is not a guarantee.

Catches a lot, not everything

No scanner finds every issue

A clean result means nothing obvious was found, not that nothing is wrong. Treat it as a strong first pass, not the last word.

Coverage, not compliance

Compliance mapping is code-level only

Framework mappings show which code-level controls your findings touch. They are drafted with AI and reviewed by one security practitioner, they are not independently audited, and they never mean you pass a framework.

A hint, not a verdict

Prompt-injection is a heuristic

The AI-specific check for prompt injection is a medium-confidence signal. It is reported as a possible weak point, never asserted as certain.

A gap we'll close

Trusting user_metadata for access

If your code decides access from Supabase user_metadata, like if (user.user_metadata.role === 'admin'), CodeInspectus does not yet flag it. A signed-in user can edit their own user_metadata through Supabase's auth API and hand themselves that role, so gate privileged logic on the server-only app_metadata.role instead. Detecting this is planned as our first community-contributed rule. It does already flag a service_role key value in client-reachable code as critical, and a service_role key behind a browser-exposed NEXT_PUBLIC_ prefix as high.

None of this is a disclaimer buried in a footer. It is the point. You should know exactly what a result means before you trust it.

For the technically curious

Now, exactly how it works.

Everything below is for engineers and security folks who want to verify the machine, not just trust it. This console is an illustration of one local scan of code at rest. It is an example, not real output from your code, and not live network monitoring.

codeinspectus_scan offline example scan · illustrative
Code surfacerepo at rest
Severityengines_run 4
critical 0
high 0
medium 0
low 0
info 0
Posture score0–100

63 / 100, severity-weighted, illustrative. not a "% compliant" number

Finding feed0 rows
CI-0001CRITgitleakssrc/lib/payments.ts:42CWE-798
CI-0002HIGHcodeinspectus-aisrc/db/policy.sql:7CWE-863
CI-0003HIGHopengrepsrc/api/query.ts:118CWE-89
CI-0004MEDItrivypackage-lock.jsonCVE-2025-29927
CI-0005MEDIcodeinspectus-aisrc/agent/tools.ts:54CWE-1426
CI-0006MEDIopengrepsrc/utils/render.ts:33CWE-79
CI-0007LOWtrivyinfra/main.tf:21CWE-16
target ./app duration_ms 8420 engines opengrep@1.23.0 gitleaks@8.30.1 trivy@0.71.2 codeinspectus-ai
Dataflow

The architecture, read top to bottom.

For the technically curious, here is exactly what happens on each call. Four analyzers run locally, their output is normalized and deduplicated into one CWE-keyed shape, mapped to framework controls, and returned. Every box is a local step. No step opens a socket.

Agent invokes

An AI coding agent calls a tool over MCP, JSON-RPC across stdio. No HTTP, no daemon.

in codeinspectus_scan(path)

Engines run local

Core spawns Opengrep, Gitleaks and Trivy as subprocesses, plus its own AI-code checks.

out SARIF 2.1.0 ×4

Normalize

A parser folds every SARIF stream into one compact, CWE-keyed schema with severities.

cwe findings

Dedup

Overlapping hits collapse, including the Trivy by Gitleaks secret overlap, so a finding is reported once.

unique set

Map controls

Each finding is tagged CWE to framework control, as honest code-level coverage.

framework tags

Return

The agent receives compact JSON plus a human summary, then drives the fix.

out findings + summary

The commodity floor

Three trusted scanners, set as columns.

Each is a SHA-pinned binary, hash-verified before it executes, and never forked. Each one runs as a local subprocess, emits SARIF, and the normalizer folds it into the shared schema. Best-in-class scanners are the floor you should expect, not the differentiator.

Opengrep

Static analysis · SAST

Pattern-based source analysis tuned to the OWASP Top 10. Injection, broken access paths, unsafe deserialization, the structural mistakes a model repeats because the training data did.

local subprocess → SARIF → normalizer

  • Injection & XSS CWE-79 / 89
  • Path traversal CWE-22
  • Unsafe eval sinks CWE-94

Gitleaks

Secrets detection

Finds the keys, tokens, and credentials the model helpfully pasted inline. Every secret value is redacted in the output you and your agent see. The finding stays, the secret does not travel.

local subprocess → SARIF → normalizer

  • Hard-coded keys CWE-798
  • Live API tokens redacted
  • Private material flagged

Trivy

Dependencies · IaC · SBOM

Dependency CVEs and software composition, infrastructure misconfiguration, license posture, and a software bill of materials. Always run with the offline flags, so the scan stays on your machine.

local subprocess → SARIF → normalizer

  • Dependency CVEs SCA
  • IaC misconfig config
  • SBOM & license inventory

Pinned versions: Opengrep 1.23.0 · Gitleaks 8.30.1 · Trivy 0.71.2. CodeInspectus orchestrates, it never forks: it bundles the official binaries, verifies each SHA before it runs, and a mismatch is refused, not tolerated.

Language support

Honest about what runs where.

Secrets and dependency scanning work on any codebase. Static analysis covers three languages. The AI-code checks are JavaScript and TypeScript today. We would rather name the exact scope than claim "every language" and be wrong.

Any language

Secrets

Gitleaks + CodeInspectus secret checks

Hard-coded credentials and leaked keys. Detection is value and pattern based, not language-parsed, so it runs the same on any codebase in any language.

Many ecosystems

Dependencies, IaC, SBOM, license

Trivy

Vulnerable dependencies (SCA and CVEs), infrastructure misconfiguration, software bill of materials, and license posture, across many package ecosystems and IaC formats: npm, pip, Go modules, Maven and Gradle, Cargo, Composer, NuGet, Bundler, Dart pub, Docker, Terraform, Kubernetes, and more. See Trivy's docs →

JavaScript · TypeScript · Python

Static analysis (SAST)

Opengrep + the security-baseline ruleset

Injection, XSS, SSRF, weak crypto, and insecure deserialization. CodeInspectus ships its own MIT security-baseline ruleset (14 JavaScript/TypeScript rules and 5 Python rules) and runs Opengrep with no network registry packs, so coverage is exactly these three languages, deliberately narrower than Opengrep's full engine. This is not broad multi-language SAST.

JavaScript · TypeScript

AI-code checks (the moat)

client-secret bundling, Supabase RLS, prompt-injection sinks

The AI-code and vibe-coding failure modes the engines miss. JavaScript and TypeScript only, including .jsx / .tsx / .mjs / .cjs. The client-secret checks also read frontend files .vue / .svelte / .astro / .html, and the Supabase RLS check reads .sql plus .ts / .js Edge Functions. More languages are planned.

So on a Python, Go, or Rust repo you still get full secrets, dependency, IaC, and SBOM coverage, plus Python static analysis. The AI-code-specific checks simply do not fire there yet.

The differentiator

The checks generic scanners miss.

Borrowed engines are the commodity floor. The moat is CodeInspectus's own checks for the failure classes that AI-generated code introduces, plus a curated detection database that grows weekly.

client-side exposure

Secrets in the bundle

Keys and tokens shipped to the browser in client code or build output, where a vault-only mental model says they cannot be.

CVE-2025-48757

Supabase RLS, inverted auth

The row-level-security failures and inverted authorization that AI scaffolding ships by default. Detected from the code, not a network probe.

heuristic · medium confidence

Prompt-injection sinks

Where untrusted text can reach an LLM call. Reported as a potential sink, a heuristic signal at medium confidence, never asserted as certain.

Behind these checks sits a curated detection database that grows every week through human-reviewed intake. The bundled engines are the floor anyone can stand on. This database is the part you cannot copy by downloading the same binaries.

Agent-native

Scan, fix, rescan.

CodeInspectus never writes to your code. It returns findings with remediation, the agent applies the fix, then a rescan confirms the finding is gone.

codeinspectus_scan

Scan

Run all four analyzers over the path. Get CWE-keyed findings, each with severity, remediation and framework tags.

agent applies

Fix

The agent reads the remediation and edits your code. CodeInspectus touches nothing. Use explain_finding for the why.

codeinspectus_rescan

Rescan

Re-run on the changed files. The closed findings drop out, anything new surfaces, the loop continues until clean.

Integrity layer

Every binary is pinned and verified.

opengrep sha256: 9457…65c5f verified
gitleaks sha256: ba52…0e84f verified
trivy sha256: 7d8b…9127d verified
unpinned no hash on record refused
supply chain

Why hash-verify before exec.

Trivy was supply-chain-compromised twice in early 2026. A bundled scanner is itself an attack surface, so CodeInspectus treats every engine binary as untrusted until proven.

Each binary is SHA-pinned in a locked manifest and hash-verified before it runs. A binary that is unpinned or whose hash does not match is refused. It does not execute.

Coverage, not certification

Compliance as code-level control coverage.

Each finding's CWE maps to controls across frameworks. The numbers below count how many of each framework's code-visible controls CodeInspectus's detectors can reach. It is a coverage view, never a verdict.

OWASP Top 10 · 2021 detectors map to 8 of 8 code-visible controls
OWASP LLM Top 10 · 2025 detectors map to 2 of 4 code-visible controls
NIST CSF 2.0 detectors map to 5 of 5 code-visible controls
ISO/IEC 27001:2022 detectors map to 6 of 7 code-visible controls
SOC 2 detectors map to 3 of 5 code-visible controls
CIS v8.1 detectors map to 6 of 7 code-visible controls
Essential Eight 1 of 1 code-visible control

Essential Eight is shown as a footnote, not a coverage panel: only Patch Applications is meaningfully code-evidenced (1 of 8 mitigations). This is not an Essential Eight assessment.

Built in the open

Review our work. Help us get it right.

CodeInspectus is a solo, free, open-source project by one security practitioner under the Synvoya name. There is no company behind it, which is exactly why outside eyes matter.

If you write code or work in security, your scrutiny is the contribution. The detection rules and the compliance mappings are both open to review, and false-positive reports are as welcome as new rules.

The compliance mappings especially. They are AI-drafted and reviewed by the maintainer, but not yet independently verified. Of the 96 framework-control mappings, zero have been confirmed by an outside contributor. Moving one to community-verified takes a quote from the control's primary source and your basis. We report the count honestly rather than hide it.

workflow: fork → branch → pull request → maintainer review → merge

0 / 96

framework-control mappings community-verified so far. The headline integrity number, reported in the open.

Deep detail

For those who want to verify everything.

The full set, collapsed by default. Open what you need: the enforced security properties, every detection rule, the exact engine versions, and how this is built.

Security properties CodeInspectus enforces guardrails

These are the guarantees enforced in the code and the lockfile, drawn from the engine manifest, the source guardrail comments, the README's honest-claims, and the verify checklist. Each is a property the tool holds itself to, not a marketing line.

never writes code

Reads and reports, never edits

CodeInspectus never writes to or deletes your files. Your agent applies fixes; the SBOM is the only output, written to a managed directory.

README · no tool writes your code
redaction

Secret values are redacted

Output carries the type, location, and a redacted preview only. A raw secret value is never written back into any result.

eval E03 · verify.md
verify-before-exec

SHA-pinned, checked before exec

Every engine binary's SHA256 is verified against the lockfile before it runs. An unpinned or mismatched binary is refused.

engines.lock.json · src/engines/resolve.ts
fail-closed

Signature verification fails closed

Publisher signatures are mandatory: cosign for Opengrep and Trivy, signed checksums for Gitleaks, sigstore for Trivy. No valid signature, no execution.

engines.lock.json sigstore_identities
zero egress

No network at scan time, no telemetry

Trivy runs with offline flags and the scan path opens no socket. There is no account, no sign-in, and no telemetry of any kind, ever.

README · src/engines/trivy.ts
coverage-only

Compliance is code-level coverage

Output never says "% compliant" or "you pass". It always shows the code-visible denominator and the standing disclaimer.

verify.md guardrail spot-checks
dedup

Cross-engine secret dedup

Overlapping hits collapse, including the Trivy and Gitleaks secret overlap, so a single finding is reported once.

README dataflow
no forks

Engines orchestrated, never forked

CodeInspectus bundles the official engine binaries and calls them as local subprocesses. It does not fork or patch them.

README
pure transport

stdout is pure JSON-RPC

The stdio MCP transport keeps stdout pure JSON-RPC; all human text goes to stderr. No stray console output leaks into the protocol.

src/logger.ts · src/index.ts
ai-scope

AI checks stay in scope

The custom AI checks target the AI-code and framework failure modes the generic engines miss. Generic SAST is left to the engines, not duplicated.

detection-db/manifest.json
Full detection rule catalogue 33 custom rules

CodeInspectus's own curated detections: 11 AI-code checks, 19 Opengrep security-baseline rules, and 3 Gitleaks secret rules. The generic engine corpora run alongside these and are not listed here. Plain-English label, then the rule id and CWE for the technical reader.

AI-code checks · engine codeinspectus-ai · 11

What it catchesRule idCWE
Hard-coded secret in client-reachable codeci-ai-client-hardcoded-secretCWE-798 / 312
Secret compiled into the shipped bundleci-ai-secret-in-bundleCWE-798 / 312
Secret exposed via a client-visible env prefixci-ai-public-env-secretCWE-798 / 312
Supabase service_role key in client codeci-ai-supabase-service-role-clientCWE-798 / 285
LLM SDK set to allow browser useci-ai-llm-key-browser-exposedCWE-798 / 312
RLS policy USING (true), table fully openci-ai-rls-using-trueCWE-863 / 285
Public table created without Row Level Securityci-ai-rls-missingCWE-862 / 285
RLS policy tests role instead of user identityci-ai-rls-inverted-authCWE-863
Supabase Edge Function with no auth checkci-ai-edge-fn-no-authCWE-862
Permissive RLS on storage objectsci-ai-storage-rls-publicCWE-863 / 285
Potential prompt-injection sink (heuristic)ci-ai-prompt-injection-sinkCWE-1426

Opengrep security-baseline · engine opengrep · 19

What it catchesRule idCWE
SQL injection via string-built query (JS/TS)ci-baseline-sql-injection-string-buildCWE-89
SQL injection via string-built query (Python)ci-baseline-sql-injection-pythonCWE-89
Command injection via shell string (JS/TS)ci-baseline-command-injectionCWE-77
Command injection via shell=True (Python)ci-baseline-command-injection-pythonCWE-77
Dynamic code evaluation of non-literal (JS/TS)ci-baseline-dangerous-evalCWE-94
Dynamic eval/exec of non-literal (Python)ci-baseline-eval-pythonCWE-94
NoSQL injection from request dataci-baseline-nosql-injectionCWE-943
Path traversal from request inputci-baseline-path-traversalCWE-22
DOM XSS via innerHTML/outerHTML sinkci-baseline-dom-xss-innerhtmlCWE-79
SSRF: outbound request URL from inputci-baseline-ssrf-request-from-inputCWE-918
Weak hash algorithm (MD5/SHA1)ci-baseline-weak-hashCWE-327
Weak or broken cipher (DES/RC4/3DES)ci-baseline-weak-cipherCWE-327
Weak hash algorithm (Python)ci-baseline-weak-hash-pythonCWE-327
Math.random() for a security valueci-baseline-insecure-random-securityCWE-338
JWT verification accepts alg "none"ci-baseline-jwt-alg-noneCWE-347
CORS wildcard origin with credentialsci-baseline-cors-wildcard-credentialsCWE-942
Session cookie without httpOnly/secureci-baseline-insecure-cookieCWE-1004
Insecure deserialization (node unserialize)ci-baseline-insecure-deserialization-nodeCWE-502
Insecure deserialization (untrusted loader)ci-baseline-insecure-deserialization-pythonCWE-502

Gitleaks secrets · engine gitleaks · 3

What it catchesRule idCWE
Stripe live-mode secret keycodeinspectus-stripe-live-secretCWE-798
Supabase service_role JWTcodeinspectus-supabase-service-roleCWE-798
Anthropic API keycodeinspectus-anthropic-keyCWE-798
Engine versions & verification SHA-pinned

The exact pinned versions and how each is verified before execution. SHA256 values shown are the darwin-arm64 pins; the full per-platform set lives in engines.lock.json.

EngineVersionVerified bySHA256 (darwin-arm64)
Opengrep1.23.0cosign945739e5…0265c5f
Gitleaks8.30.1signed checksumsba52fb1b…bc0e84f
Trivy0.71.2cosign + sigstore7d8bf184…d619127d

Re-verify any time with npx codeinspectus verify-engines. A null pin, or a hash that does not match, means the binary will not run on that platform.

How this tool is built auditable

The repository is generated from an auditable, allow-list seed and built end-to-end with a clean type-check, a build step, and a regression eval suite over fixtures. The full story, including what is and is not published, is written down.

Install in three steps

Hand your agent a security reviewer.

CodeInspectus runs as a local MCP server. Register it once, then Claude Code, Cursor, Codex, Windsurf, and Cline can all call it. The first scan runs fully on your machine.

01

Install the engines

One time, and disclosed. This fetches and SHA256-verifies the three engine binaries and the initial Trivy database. It is the only step that touches the network; every scan after it runs offline.

$ npx -y codeinspectus install-engines
02

Add it to your agent

Drop this into your agent's MCP config. It is the standard mcpServers block, so the same three lines work across MCP-capable agents.

{
  "mcpServers": {
    "codeinspectus": { "command": "npx", "args": ["-y", "codeinspectus"] }
  }
}
03

Ask for the first scan

No restart, no dashboard. Your agent now has six tools that never touch your code; they read and report. Ask it to scan: CodeInspectus surfaces findings in plain language, your agent proposes fixes, you approve each one, and a rescan confirms. Your agent writes only what you okay.

Then just say: "scan this project for security issues"

Register it with your agent

The block above is the standard. Here is where it goes, per agent.

one command

Claude Code

claude mcp add --scope user codeinspectus -- npx -y codeinspectus

mcpServers json

Cursor

Add the block to ~/.cursor/mcp.json, or .cursor/mcp.json for one project.

mcpServers json

Windsurf

Add the block to ~/.codeium/windsurf/mcp_config.json.

mcpServers json

Cline

Open the MCP Servers panel, choose Configure, and add the block to cline_mcp_settings.json.

toml config

Codex

Add a [mcp_servers.codeinspectus] table to ~/.codex/config.toml with the same command and args.

no account no upload zero egress at scan

Architecture and console, described

An AI coding agent calls CodeInspectus over MCP using JSON-RPC across stdio. The CodeInspectus core runs three bundled engines as local subprocesses, Opengrep for static analysis, Gitleaks for secrets and Trivy for dependency CVEs, infrastructure misconfiguration, secrets, license checks and SBOM, plus its own AI-code-specific checks. Each engine emits SARIF 2.1.0. A normalizer parses the SARIF into one compact CWE-keyed schema, deduplicates overlapping findings including the Trivy and Gitleaks secret overlap, and a compliance mapper tags each finding from CWE to framework controls. The core returns compact JSON and a human summary to the agent. Every step runs locally on your machine. There is no network egress at scan time.

The console is an illustration of a single local scan of code at rest. It reads seven findings: one critical, two high, three medium and one low. The severity-weighted posture score is 63 out of 100, which is a distinct console reading and not a compliance percentage. The console does not perform live network monitoring.