mycop

AI Code Security Scanner — detect and auto-fix vulnerabilities in AI-generated code.

mycop scans Python, JavaScript, TypeScript, Go, and Java codebases for security vulnerabilities using pattern matching, AST analysis, and optional AI-powered explanations and auto-fix. It ships with 200 built-in security rules covering OWASP Top 10 and CWE Top 25 categories.

Why mycop?

AI-generated code is fast, but it is not safe. Research from Veracode shows that 45% of AI-generated code contains security vulnerabilities. Copilot, ChatGPT, and other AI assistants produce functional code that often includes SQL injection, hardcoded secrets, command injection, and other critical flaws.

mycop was built specifically to solve this problem:

First SAST tool designed for AI-generated code -- 200 rules targeting the exact vulnerability patterns that LLMs produce most often, covering OWASP Top 10 and CWE Top 25.
AI-powered auto-fix, not just detection -- mycop does not just find vulnerabilities, it fixes them. The mycop fix command rewrites insecure code using AI while preserving functionality.
Multi-language with a single tool -- scan Python, JavaScript, TypeScript, Go, and Java codebases without juggling Bandit, ESLint, and separate configs.
Zero configuration -- all 200 security rules are compiled into the binary. No rule downloads, no config files, no internet connection required. Just mycop scan . and go.
MCP server for agentic workflows -- plug mycop directly into Claude Code, Cursor, Windsurf, and other AI coding assistants via the Model Context Protocol.
Free and open source -- MIT licensed, forever.

Installation

Install script (macOS / Linux)

curl -fsSL https://raw.githubusercontent.com/AbdumajidRashidov/mycop/main/install.sh | sh

Homebrew

brew install AbdumajidRashidov/tap/mycop

Cargo

cargo install mycop

Docker

docker run --rm -v "$(pwd):/src" -w /src ghcr.io/abdumajidrashidov/mycop scan .

Build from source

git clone https://github.com/AbdumajidRashidov/mycop.git
cd mycop
cargo install --path .

Quick Start

# Scan current directory
mycop scan .

# Auto-fix all vulnerabilities using AI
mycop fix .

# Deep AI security review of a single file
mycop review src/auth.py

# Initialize config for your project
mycop init

# List all security rules
mycop rules list

Commands

`mycop scan`

Scan files for security vulnerabilities.

mycop scan .                              # Scan current directory
mycop scan src/ lib/                      # Scan specific directories
mycop scan --severity high                # Only report high/critical
mycop scan --fail-on critical             # Exit 1 only on critical findings
mycop scan --format json                  # JSON output
mycop scan --format sarif                 # SARIF output (for IDE integration)
mycop scan --explain                      # AI-powered explanations
mycop scan --diff                         # Only scan git-changed files
mycop scan --fix                          # Auto-fix (same as `mycop fix`)

Exit code 1 when findings meet the --fail-on threshold (default: high).

`mycop fix`

Auto-fix security vulnerabilities using AI. Groups all findings per file, sends the entire file to an AI provider, and writes back the fixed version.

mycop fix .                               # Fix all files
mycop fix src/auth.py                     # Fix specific file
mycop fix . --severity high               # Only fix high/critical
mycop fix . --dry-run                     # Show diffs without writing
mycop fix . --ai-provider anthropic       # Force specific AI provider
mycop fix . --diff                        # Only fix git-changed files

`mycop review`

Deep AI-powered security review of a single file. Goes beyond rule matching to find logic flaws, race conditions, and architectural issues.

mycop review src/server.ts
mycop review app.py --ai-provider openai

`mycop init`

Generate a .scanrc.yml configuration file. Automatically detects your project type (Python, JavaScript/TypeScript, Rust) and pre-populates language-specific ignore patterns.

mycop init

`mycop rules list`

List all available security rules.

mycop rules list                          # All rules
mycop rules list --language python        # Python rules only
mycop rules list --severity high          # High/critical rules only

`mycop deps check`

Check dependencies for issues (hallucinated packages).

mycop deps check .
mycop deps check requirements.txt

`mycop mcp`

Start an MCP (Model Context Protocol) server over STDIO for agentic tool integration. This lets AI coding assistants call mycop's scanning, fixing, and review capabilities directly.

mycop mcp

Tools exposed:

Tool	Description
`scan`	Scan files/directories for vulnerabilities with severity filtering
`list_rules`	Browse/filter the 200 built-in security rules
`explain_finding`	Detailed explanation of a specific finding with CWE/OWASP info
`review`	Deep AI security review of a file
`check_deps`	Detect hallucinated packages in dependencies

Note: The CLI mycop fix command is still available for standalone use. In MCP mode, the agent reads scan findings (with fix_hint) and applies fixes directly — no redundant AI-to-AI call needed.

Resources: mycop://rules/catalog (full JSON catalog) and mycop://config/schema (config template).

Configure in Claude Code (~/.claude/settings.json):

{
  "mcpServers": {
    "mycop": {
      "command": "mycop",
      "args": ["mcp"]
    }
  }
}

Configure in Cursor (.cursor/mcp.json):

{
  "mcpServers": {
    "mycop": {
      "command": "mycop",
      "args": ["mcp"],
      "type": "stdio"
    }
  }
}

Configure in Windsurf (.windsurf/mcp.json):

{
  "mcpServers": {
    "mycop": {
      "command": "mycop",
      "args": ["mcp"]
    }
  }
}

Works with any MCP-compatible client including Codex CLI, Gemini CLI, and other agentic IDEs.

Inline Ignore

Suppress specific findings with inline comments:

eval(user_input)  # mycop-ignore

# mycop-ignore:PY-SEC-005
eval(user_input)

eval(user_input)  # mycop-ignore:PY-SEC-005,PY-SEC-001

Works with # (Python), // (JavaScript/TypeScript/Go/Java) comment styles. Place the comment on the same line or the line above.

AI Providers

mycop auto-detects available AI providers in this order:

Claude CLI — claude command installed
Anthropic API — ANTHROPIC_API_KEY environment variable
OpenAI API — OPENAI_API_KEY environment variable
Ollama — local Ollama server running on port 11434
Rule-based — offline fallback using fix hints from rules

Override with --ai-provider:

mycop scan . --explain --ai-provider anthropic
mycop fix . --ai-provider ollama

Configuration

Create a .scanrc.yml (or .mycop.yml) in your project root, or run mycop init to generate one:

# File patterns to ignore (glob syntax)
ignore:
  - "**/*_test.py"
  - "**/test_*.py"
  - "**/*.test.js"
  - "**/*.spec.ts"
  - "**/node_modules/**"
  - "**/venv/**"

# Minimum severity level: critical, high, medium, low
min_severity: medium

# Minimum severity to cause non-zero exit: critical, high, medium, low
fail_on: high

# AI provider override: claude-cli, anthropic, openai, ollama, none
# ai_provider: anthropic

CLI flags always take priority over config file values.

Security Rules

200 built-in rules (50 Python + 50 JavaScript + 50 Go + 50 Java) covering OWASP Top 10, CWE Top 25, and more:

Category	Python	JavaScript
SQL Injection (CWE-89)	PY-SEC-001, PY-SEC-042	JS-SEC-011
Command Injection (CWE-78)	PY-SEC-002, PY-SEC-045, PY-SEC-050	JS-SEC-016
Hardcoded Secrets (CWE-798)	PY-SEC-003, PY-SEC-034, PY-SEC-043	JS-SEC-004, JS-SEC-034
Insecure Random (CWE-330)	PY-SEC-004	JS-SEC-005
Eval/Exec Injection (CWE-95)	PY-SEC-005	JS-SEC-002, JS-SEC-049
Path Traversal (CWE-22)	PY-SEC-006, PY-SEC-037	JS-SEC-006, JS-SEC-037
Insecure Deserialization (CWE-502)	PY-SEC-007	JS-SEC-009
Missing Auth (CWE-862)	PY-SEC-008	—
XSS (CWE-79)	PY-SEC-009, PY-SEC-044	JS-SEC-001, JS-SEC-010, JS-SEC-041
Log Injection (CWE-117)	PY-SEC-010	—
SSRF (CWE-918)	PY-SEC-011	JS-SEC-007
XXE (CWE-611)	PY-SEC-012	JS-SEC-012
LDAP Injection (CWE-90)	PY-SEC-013	JS-SEC-015
Template Injection (CWE-1336)	PY-SEC-014	JS-SEC-013
Header Injection (CWE-113)	PY-SEC-015	JS-SEC-014
XPath Injection (CWE-643)	PY-SEC-016	—
Weak Hash MD5/SHA1 (CWE-328)	PY-SEC-017, PY-SEC-018	JS-SEC-017, JS-SEC-018
Weak Cipher (CWE-327)	PY-SEC-019, PY-SEC-020	JS-SEC-019, JS-SEC-020, JS-SEC-022
Hardcoded IV (CWE-329)	PY-SEC-021	—
Insecure TLS (CWE-295)	PY-SEC-022	JS-SEC-021
JWT None Algorithm (CWE-345)	PY-SEC-023	JS-SEC-023
Weak Password Hash (CWE-916)	PY-SEC-024	—
Session Fixation (CWE-384)	PY-SEC-025	JS-SEC-024, JS-SEC-025
Missing Security Headers (CWE-319)	PY-SEC-026	JS-SEC-026
Open Redirect (CWE-601)	PY-SEC-027	JS-SEC-027
CORS Misconfiguration (CWE-942)	PY-SEC-028	JS-SEC-028
Mass Assignment (CWE-915)	PY-SEC-029	JS-SEC-030
IDOR (CWE-639)	PY-SEC-030	JS-SEC-029
Debug Mode (CWE-215)	PY-SEC-031	JS-SEC-031
Error Info Leak (CWE-209)	PY-SEC-032	JS-SEC-032
Sensitive Data Logging (CWE-532)	PY-SEC-033	JS-SEC-033
Arbitrary File Upload (CWE-434)	PY-SEC-035	JS-SEC-035
Insecure Temp Files (CWE-377)	PY-SEC-036	—
Zip Slip (CWE-22)	PY-SEC-037	JS-SEC-037
Unencrypted Transport (CWE-319)	PY-SEC-038	JS-SEC-038
Prototype Pollution (CWE-1321)	—	JS-SEC-003
NoSQL Injection (CWE-943)	—	JS-SEC-008
Timing Attack (CWE-208)	PY-SEC-046	JS-SEC-046
ReDoS (CWE-1333)	PY-SEC-047	JS-SEC-047
TOCTOU (CWE-367)	PY-SEC-048	JS-SEC-048
Bare/Empty Catch (CWE-390)	PY-SEC-040	JS-SEC-040

Run mycop rules list to see all 200 rules with their severity levels.

Comparison

How does mycop compare to other security tools?

Feature	mycop	Semgrep	Snyk Code	Bandit	ESLint Security
AI code focus	Yes	No	No	No	No
Built-in rules (no download)	200	Requires registry	Cloud-based	~100 (Python only)	~30 (JS only)
AI auto-fix	Yes	No	Paid	No	No
Multi-language	Py, JS, TS, Go, Java	30+	10+	Python only	JS/TS only
MCP server	Yes	No	No	No	No
Zero config	Yes	Needs rules config	Needs project setup	Minimal	Needs .eslintrc
SARIF output	Yes	Yes	Yes	Yes	Via plugin
Price	Free (MIT)	Free tier / Paid	Paid	Free	Free

mycop is purpose-built for the AI coding era. Other tools are general-purpose scanners that were designed before AI code generation became mainstream.

Output Formats

Terminal — colored output with code context (default)
JSON — structured JSON for tool integration
SARIF — Static Analysis Results Interchange Format for IDE/CI integration

Integrations

MCP Server (Agentic Tools)

mycop includes a built-in MCP server that exposes all capabilities to agentic coding tools. Run mycop mcp and configure your tool — see the mycop mcp section above for setup instructions.

Supported clients: Claude Code, Cursor, Windsurf, Codex CLI, Gemini CLI, and any MCP-compatible IDE or agent.

Available on:

Glama — Managed MCP registry
Smithery — MCP server hosting and discovery
PulseMCP — MCP server directory
MCP Servers — Curated community list

GitHub Action

Add mycop to your CI pipeline with the official GitHub Action:

- name: mycop Security Scan
  uses: AbdumajidRashidov/mycop/action@main
  with:
    paths: '.'
    fail-on: 'high'
    format: 'sarif'

Input	Default	Description
`paths`	`.`	Files or directories to scan
`severity`		Minimum severity to report
`fail-on`	`high`	Minimum severity to fail the check
`format`	`terminal`	Output format (`terminal`, `json`, `sarif`)
`version`	`latest`	mycop version to install
`diff-only`	`false`	Only scan files changed in the PR

Upload SARIF results to GitHub Code Scanning:

- name: mycop Security Scan
  uses: AbdumajidRashidov/mycop/action@main
  with:
    format: 'sarif'

- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: mycop-results.sarif

Pre-commit Hook

Add mycop as a pre-commit hook:

# .pre-commit-config.yaml
repos:
  - repo: https://github.com/AbdumajidRashidov/mycop
    rev: main
    hooks:
      - id: mycop

VS Code Extension (Coming Soon)

The vscode-extension/ directory contains a VS Code extension that provides:

Real-time scanning on file save
Diagnostics in the Problems panel
"Scan Current File" and "Scan Workspace" commands
Configurable severity threshold

See vscode-extension/README.md for setup instructions.

Docker

# Scan current directory
docker run --rm -v "$(pwd):/src" -w /src ghcr.io/abdumajidrashidov/mycop scan .

# Scan with specific options
docker run --rm -v "$(pwd):/src" -w /src ghcr.io/abdumajidrashidov/mycop scan . --format json --severity high

Contributing

Contributions are welcome! Whether it is a bug report, a new security rule, a feature request, or a pull request, we appreciate your help in making mycop better.

To get started:

Fork the repository and create your branch from main.

Make your changes and ensure all checks pass:

cargo fmt --all -- --check
cargo clippy --all-targets -- -D warnings
cargo test --verbose

Open a pull request with a clear description of your changes.

Browse open issues to find something to work on, or open a new one to suggest an improvement.

If you find mycop useful, consider sponsoring the project to support ongoing development.

Star History

License

MIT

mycop

mycop

Why mycop?

Installation

Install script (macOS / Linux)

Homebrew

Cargo

Docker

Build from source

Quick Start

Commands

mycop scan

mycop fix

mycop review

mycop init

mycop rules list

mycop deps check

mycop mcp

Inline Ignore

AI Providers

Configuration

Security Rules

Comparison

Output Formats

Integrations

MCP Server (Agentic Tools)

GitHub Action

Pre-commit Hook

VS Code Extension (Coming Soon)

Docker

Contributing

Star History

License

Related Servers

AFL (Australian Football League)

PolicyLayer MCP

VMS Integration

MCP Epic Free Games

Sitecore MCP server

SmartThings MCP

httpay x402 MCP Server

Global Entry Alerts

Bazi Calculation

Fonparam MCP

`mycop scan`

`mycop fix`

`mycop review`

`mycop init`

`mycop rules list`

`mycop deps check`

`mycop mcp`