mycop
AI code security scanner with 100 built-in rules covering OWASP Top 10 and CWE Top 25
mycop
AI Code Security Scanner — detect and auto-fix vulnerabilities in AI-generated code.
mycop scans Python, JavaScript, TypeScript, Go, and Java codebases for security vulnerabilities using pattern matching, AST analysis, and optional AI-powered explanations and auto-fix. It ships with 200 built-in security rules covering OWASP Top 10 and CWE Top 25 categories.
Why mycop?
AI-generated code is fast, but it is not safe. Research from Veracode shows that 45% of AI-generated code contains security vulnerabilities. Copilot, ChatGPT, and other AI assistants produce functional code that often includes SQL injection, hardcoded secrets, command injection, and other critical flaws.
mycop was built specifically to solve this problem:
- First SAST tool designed for AI-generated code -- 200 rules targeting the exact vulnerability patterns that LLMs produce most often, covering OWASP Top 10 and CWE Top 25.
- AI-powered auto-fix, not just detection -- mycop does not just find vulnerabilities, it fixes them. The
mycop fixcommand rewrites insecure code using AI while preserving functionality. - Multi-language with a single tool -- scan Python, JavaScript, TypeScript, Go, and Java codebases without juggling Bandit, ESLint, and separate configs.
- Zero configuration -- all 200 security rules are compiled into the binary. No rule downloads, no config files, no internet connection required. Just
mycop scan .and go. - MCP server for agentic workflows -- plug mycop directly into Claude Code, Cursor, Windsurf, and other AI coding assistants via the Model Context Protocol.
- Free and open source -- MIT licensed, forever.
Installation
Install script (macOS / Linux)
curl -fsSL https://raw.githubusercontent.com/AbdumajidRashidov/mycop/main/install.sh | sh
Homebrew
brew install AbdumajidRashidov/tap/mycop
Cargo
cargo install mycop
Docker
docker run --rm -v "$(pwd):/src" -w /src ghcr.io/abdumajidrashidov/mycop scan .
Build from source
git clone https://github.com/AbdumajidRashidov/mycop.git
cd mycop
cargo install --path .
Quick Start
# Scan current directory
mycop scan .
# Auto-fix all vulnerabilities using AI
mycop fix .
# Deep AI security review of a single file
mycop review src/auth.py
# Initialize config for your project
mycop init
# List all security rules
mycop rules list
Commands
mycop scan
Scan files for security vulnerabilities.
mycop scan . # Scan current directory
mycop scan src/ lib/ # Scan specific directories
mycop scan --severity high # Only report high/critical
mycop scan --fail-on critical # Exit 1 only on critical findings
mycop scan --format json # JSON output
mycop scan --format sarif # SARIF output (for IDE integration)
mycop scan --explain # AI-powered explanations
mycop scan --diff # Only scan git-changed files
mycop scan --fix # Auto-fix (same as `mycop fix`)
Exit code 1 when findings meet the --fail-on threshold (default: high).
mycop fix
Auto-fix security vulnerabilities using AI. Groups all findings per file, sends the entire file to an AI provider, and writes back the fixed version.
mycop fix . # Fix all files
mycop fix src/auth.py # Fix specific file
mycop fix . --severity high # Only fix high/critical
mycop fix . --dry-run # Show diffs without writing
mycop fix . --ai-provider anthropic # Force specific AI provider
mycop fix . --diff # Only fix git-changed files
mycop review
Deep AI-powered security review of a single file. Goes beyond rule matching to find logic flaws, race conditions, and architectural issues.
mycop review src/server.ts
mycop review app.py --ai-provider openai
mycop init
Generate a .scanrc.yml configuration file. Automatically detects your project type (Python, JavaScript/TypeScript, Rust) and pre-populates language-specific ignore patterns.
mycop init
mycop rules list
List all available security rules.
mycop rules list # All rules
mycop rules list --language python # Python rules only
mycop rules list --severity high # High/critical rules only
mycop deps check
Check dependencies for issues (hallucinated packages).
mycop deps check .
mycop deps check requirements.txt
mycop mcp
Start an MCP (Model Context Protocol) server over STDIO for agentic tool integration. This lets AI coding assistants call mycop's scanning, fixing, and review capabilities directly.
mycop mcp
Tools exposed:
| Tool | Description |
|---|---|
scan | Scan files/directories for vulnerabilities with severity filtering |
list_rules | Browse/filter the 200 built-in security rules |
explain_finding | Detailed explanation of a specific finding with CWE/OWASP info |
review | Deep AI security review of a file |
check_deps | Detect hallucinated packages in dependencies |
Note: The CLI
mycop fixcommand is still available for standalone use. In MCP mode, the agent reads scan findings (withfix_hint) and applies fixes directly — no redundant AI-to-AI call needed.
Resources: mycop://rules/catalog (full JSON catalog) and mycop://config/schema (config template).
Configure in Claude Code (~/.claude/settings.json):
{
"mcpServers": {
"mycop": {
"command": "mycop",
"args": ["mcp"]
}
}
}
Configure in Cursor (.cursor/mcp.json):
{
"mcpServers": {
"mycop": {
"command": "mycop",
"args": ["mcp"],
"type": "stdio"
}
}
}
Configure in Windsurf (.windsurf/mcp.json):
{
"mcpServers": {
"mycop": {
"command": "mycop",
"args": ["mcp"]
}
}
}
Works with any MCP-compatible client including Codex CLI, Gemini CLI, and other agentic IDEs.
Inline Ignore
Suppress specific findings with inline comments:
eval(user_input) # mycop-ignore
# mycop-ignore:PY-SEC-005
eval(user_input)
eval(user_input) # mycop-ignore:PY-SEC-005,PY-SEC-001
Works with # (Python), // (JavaScript/TypeScript/Go/Java) comment styles. Place the comment on the same line or the line above.
AI Providers
mycop auto-detects available AI providers in this order:
- Claude CLI —
claudecommand installed - Anthropic API —
ANTHROPIC_API_KEYenvironment variable - OpenAI API —
OPENAI_API_KEYenvironment variable - Ollama — local Ollama server running on port 11434
- Rule-based — offline fallback using fix hints from rules
Override with --ai-provider:
mycop scan . --explain --ai-provider anthropic
mycop fix . --ai-provider ollama
Configuration
Create a .scanrc.yml (or .mycop.yml) in your project root, or run mycop init to generate one:
# File patterns to ignore (glob syntax)
ignore:
- "**/*_test.py"
- "**/test_*.py"
- "**/*.test.js"
- "**/*.spec.ts"
- "**/node_modules/**"
- "**/venv/**"
# Minimum severity level: critical, high, medium, low
min_severity: medium
# Minimum severity to cause non-zero exit: critical, high, medium, low
fail_on: high
# AI provider override: claude-cli, anthropic, openai, ollama, none
# ai_provider: anthropic
CLI flags always take priority over config file values.
Security Rules
200 built-in rules (50 Python + 50 JavaScript + 50 Go + 50 Java) covering OWASP Top 10, CWE Top 25, and more:
| Category | Python | JavaScript |
|---|---|---|
| SQL Injection (CWE-89) | PY-SEC-001, PY-SEC-042 | JS-SEC-011 |
| Command Injection (CWE-78) | PY-SEC-002, PY-SEC-045, PY-SEC-050 | JS-SEC-016 |
| Hardcoded Secrets (CWE-798) | PY-SEC-003, PY-SEC-034, PY-SEC-043 | JS-SEC-004, JS-SEC-034 |
| Insecure Random (CWE-330) | PY-SEC-004 | JS-SEC-005 |
| Eval/Exec Injection (CWE-95) | PY-SEC-005 | JS-SEC-002, JS-SEC-049 |
| Path Traversal (CWE-22) | PY-SEC-006, PY-SEC-037 | JS-SEC-006, JS-SEC-037 |
| Insecure Deserialization (CWE-502) | PY-SEC-007 | JS-SEC-009 |
| Missing Auth (CWE-862) | PY-SEC-008 | — |
| XSS (CWE-79) | PY-SEC-009, PY-SEC-044 | JS-SEC-001, JS-SEC-010, JS-SEC-041 |
| Log Injection (CWE-117) | PY-SEC-010 | — |
| SSRF (CWE-918) | PY-SEC-011 | JS-SEC-007 |
| XXE (CWE-611) | PY-SEC-012 | JS-SEC-012 |
| LDAP Injection (CWE-90) | PY-SEC-013 | JS-SEC-015 |
| Template Injection (CWE-1336) | PY-SEC-014 | JS-SEC-013 |
| Header Injection (CWE-113) | PY-SEC-015 | JS-SEC-014 |
| XPath Injection (CWE-643) | PY-SEC-016 | — |
| Weak Hash MD5/SHA1 (CWE-328) | PY-SEC-017, PY-SEC-018 | JS-SEC-017, JS-SEC-018 |
| Weak Cipher (CWE-327) | PY-SEC-019, PY-SEC-020 | JS-SEC-019, JS-SEC-020, JS-SEC-022 |
| Hardcoded IV (CWE-329) | PY-SEC-021 | — |
| Insecure TLS (CWE-295) | PY-SEC-022 | JS-SEC-021 |
| JWT None Algorithm (CWE-345) | PY-SEC-023 | JS-SEC-023 |
| Weak Password Hash (CWE-916) | PY-SEC-024 | — |
| Session Fixation (CWE-384) | PY-SEC-025 | JS-SEC-024, JS-SEC-025 |
| Missing Security Headers (CWE-319) | PY-SEC-026 | JS-SEC-026 |
| Open Redirect (CWE-601) | PY-SEC-027 | JS-SEC-027 |
| CORS Misconfiguration (CWE-942) | PY-SEC-028 | JS-SEC-028 |
| Mass Assignment (CWE-915) | PY-SEC-029 | JS-SEC-030 |
| IDOR (CWE-639) | PY-SEC-030 | JS-SEC-029 |
| Debug Mode (CWE-215) | PY-SEC-031 | JS-SEC-031 |
| Error Info Leak (CWE-209) | PY-SEC-032 | JS-SEC-032 |
| Sensitive Data Logging (CWE-532) | PY-SEC-033 | JS-SEC-033 |
| Arbitrary File Upload (CWE-434) | PY-SEC-035 | JS-SEC-035 |
| Insecure Temp Files (CWE-377) | PY-SEC-036 | — |
| Zip Slip (CWE-22) | PY-SEC-037 | JS-SEC-037 |
| Unencrypted Transport (CWE-319) | PY-SEC-038 | JS-SEC-038 |
| Prototype Pollution (CWE-1321) | — | JS-SEC-003 |
| NoSQL Injection (CWE-943) | — | JS-SEC-008 |
| Timing Attack (CWE-208) | PY-SEC-046 | JS-SEC-046 |
| ReDoS (CWE-1333) | PY-SEC-047 | JS-SEC-047 |
| TOCTOU (CWE-367) | PY-SEC-048 | JS-SEC-048 |
| Bare/Empty Catch (CWE-390) | PY-SEC-040 | JS-SEC-040 |
Run mycop rules list to see all 200 rules with their severity levels.
Comparison
How does mycop compare to other security tools?
| Feature | mycop | Semgrep | Snyk Code | Bandit | ESLint Security |
|---|---|---|---|---|---|
| AI code focus | Yes | No | No | No | No |
| Built-in rules (no download) | 200 | Requires registry | Cloud-based | ~100 (Python only) | ~30 (JS only) |
| AI auto-fix | Yes | No | Paid | No | No |
| Multi-language | Py, JS, TS, Go, Java | 30+ | 10+ | Python only | JS/TS only |
| MCP server | Yes | No | No | No | No |
| Zero config | Yes | Needs rules config | Needs project setup | Minimal | Needs .eslintrc |
| SARIF output | Yes | Yes | Yes | Yes | Via plugin |
| Price | Free (MIT) | Free tier / Paid | Paid | Free | Free |
mycop is purpose-built for the AI coding era. Other tools are general-purpose scanners that were designed before AI code generation became mainstream.
Output Formats
- Terminal — colored output with code context (default)
- JSON — structured JSON for tool integration
- SARIF — Static Analysis Results Interchange Format for IDE/CI integration
Integrations
MCP Server (Agentic Tools)
mycop includes a built-in MCP server that exposes all capabilities to agentic coding tools. Run mycop mcp and configure your tool — see the mycop mcp section above for setup instructions.
Supported clients: Claude Code, Cursor, Windsurf, Codex CLI, Gemini CLI, and any MCP-compatible IDE or agent.
Available on:
- Glama — Managed MCP registry
- Smithery — MCP server hosting and discovery
- PulseMCP — MCP server directory
- MCP Servers — Curated community list
GitHub Action
Add mycop to your CI pipeline with the official GitHub Action:
- name: mycop Security Scan
uses: AbdumajidRashidov/mycop/action@main
with:
paths: '.'
fail-on: 'high'
format: 'sarif'
| Input | Default | Description |
|---|---|---|
paths | . | Files or directories to scan |
severity | Minimum severity to report | |
fail-on | high | Minimum severity to fail the check |
format | terminal | Output format (terminal, json, sarif) |
version | latest | mycop version to install |
diff-only | false | Only scan files changed in the PR |
Upload SARIF results to GitHub Code Scanning:
- name: mycop Security Scan
uses: AbdumajidRashidov/mycop/action@main
with:
format: 'sarif'
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: mycop-results.sarif
Pre-commit Hook
Add mycop as a pre-commit hook:
# .pre-commit-config.yaml
repos:
- repo: https://github.com/AbdumajidRashidov/mycop
rev: main
hooks:
- id: mycop
VS Code Extension (Coming Soon)
The vscode-extension/ directory contains a VS Code extension that provides:
- Real-time scanning on file save
- Diagnostics in the Problems panel
- "Scan Current File" and "Scan Workspace" commands
- Configurable severity threshold
See vscode-extension/README.md for setup instructions.
Docker
# Scan current directory
docker run --rm -v "$(pwd):/src" -w /src ghcr.io/abdumajidrashidov/mycop scan .
# Scan with specific options
docker run --rm -v "$(pwd):/src" -w /src ghcr.io/abdumajidrashidov/mycop scan . --format json --severity high
Contributing
Contributions are welcome! Whether it is a bug report, a new security rule, a feature request, or a pull request, we appreciate your help in making mycop better.
To get started:
- Fork the repository and create your branch from
main. - Make your changes and ensure all checks pass:
cargo fmt --all -- --check cargo clippy --all-targets -- -D warnings cargo test --verbose - Open a pull request with a clear description of your changes.
Browse open issues to find something to work on, or open a new one to suggest an improvement.
If you find mycop useful, consider sponsoring the project to support ongoing development.
Star History
License
MIT
Related Servers
Image
Fetch and process images from URLs, local file paths, and numpy arrays, returning them as base64-encoded strings.
Relay-gateway
Relay is a desktop application for managing Model Context Protocol (MCP) servers. It provides a user-friendly interface to configure, enable/disable, and export MCP servers for use with Claude Desktop and other AI applications.
Overseerr
Interact with the Overseerr API to manage movie and TV show requests.
DealX
MCP Server for DealX platform
Quiz MCP
MCP server for interactive quizzes
Scenario Word
A server for the scenario-word MCP, built with the mcp-framework.
OpenEnded Philosophy MCP Server with NARS Integration
A philosophical reasoning system combining OpenEnded Philosophy with the Non-Axiomatic Reasoning System (NARS) for advanced analysis and synthesis.
OPET Fuel Prices
Provides access to current fuel prices from OPET, a Turkish petroleum distribution company.
Robust Long‑Term Memory
A persistent, human‑like memory system for AI companions
DART-MCP
Analyze and visualize financial data of listed companies using the DART API.