mycop

AI Code Security Scanner — detect and auto-fix vulnerabilities in AI-generated code.

mycop scans Python, JavaScript, TypeScript, Go, and Java codebases for security vulnerabilities using pattern matching, AST analysis, and optional AI-powered explanations and auto-fix. It ships with 200 built-in security rules covering OWASP Top 10 and CWE Top 25 categories.

Why mycop?

AI-generated code is fast, but it is not safe. Research from Veracode shows that 45% of AI-generated code contains security vulnerabilities. Copilot, ChatGPT, and other AI assistants produce functional code that often includes SQL injection, hardcoded secrets, command injection, and other critical flaws.

mycop was built specifically to solve this problem:

• First SAST tool designed for AI-generated code -- 200 rules targeting the exact vulnerability patterns that LLMs produce most often, covering OWASP Top 10 and CWE Top 25.

• AI-powered auto-fix, not just detection -- mycop does not just find vulnerabilities, it fixes them. The mycop fix command rewrites insecure code using AI while preserving functionality.

• Multi-language with a single tool -- scan Python, JavaScript, TypeScript, Go, and Java codebases without juggling Bandit, ESLint, and separate configs.

• Zero configuration -- all 200 security rules are compiled into the binary. No rule downloads, no config files, no internet connection required. Just mycop scan . and go.

• MCP server for agentic workflows -- plug mycop directly into Claude Code, Cursor, Windsurf, and other AI coding assistants via the Model Context Protocol.

• Free and open source -- MIT licensed, forever.

Installation

Install script (macOS / Linux)

curl -fsSL https://raw.githubusercontent.com/AbdumajidRashidov/mycop/main/install.sh | sh

Homebrew

brew install AbdumajidRashidov/tap/mycop

Cargo

cargo install mycop

Docker

docker run --rm -v "$(pwd):/src" -w /src ghcr.io/abdumajidrashidov/mycop scan .

Build from source

git clone https://github.com/AbdumajidRashidov/mycop.git
cd mycop
cargo install --path .

Quick Start

# Scan current directory
mycop scan .

# Auto-fix all vulnerabilities using AI
mycop fix .

# Deep AI security review of a single file
mycop review src/auth.py

# Initialize config for your project
mycop init

# List all security rules
mycop rules list

Commands

mycop scan

Scan files for security vulnerabilities.

mycop scan .                              # Scan current directory
mycop scan src/ lib/                      # Scan specific directories
mycop scan --severity high                # Only report high/critical
mycop scan --fail-on critical             # Exit 1 only on critical findings
mycop scan --format json                  # JSON output
mycop scan --format sarif                 # SARIF output (for IDE integration)
mycop scan --explain                      # AI-powered explanations
mycop scan --diff                         # Only scan git-changed files
mycop scan --fix                          # Auto-fix (same as `mycop fix`)

Exit code 1 when findings meet the --fail-on threshold (default: high).

mycop fix

Auto-fix security vulnerabilities using AI. Groups all findings per file, sends the entire file to an AI provider, and writes back the fixed version.

mycop fix .                               # Fix all files
mycop fix src/auth.py                     # Fix specific file
mycop fix . --severity high               # Only fix high/critical
mycop fix . --dry-run                     # Show diffs without writing
mycop fix . --ai-provider anthropic       # Force specific AI provider
mycop fix . --diff                        # Only fix git-changed files

mycop review

Deep AI-powered security review of a single file. Goes beyond rule matching to find logic flaws, race conditions, and architectural issues.

mycop review src/server.ts
mycop review app.py --ai-provider openai

mycop init

Generate a .scanrc.yml configuration file. Automatically detects your project type (Python, JavaScript/TypeScript, Rust) and pre-populates language-specific ignore patterns.

mycop init

mycop rules list

List all available security rules.

mycop rules list                          # All rules
mycop rules list --language python        # Python rules only
mycop rules list --severity high          # High/critical rules only

mycop deps check

Check dependencies for issues (hallucinated packages).

mycop deps check .
mycop deps check requirements.txt

mycop mcp

Start an MCP (Model Context Protocol) server over STDIO for agentic tool integration. This lets AI coding assistants call mycop's scanning, fixing, and review capabilities directly.

mycop mcp

Tools exposed:

Note: The CLI mycop fix command is still available for standalone use. In MCP mode, the agent reads scan findings (with fix_hint) and applies fixes directly — no redundant AI-to-AI call needed.

Resources: mycop://rules/catalog (full JSON catalog) and mycop://config/schema (config template).

Configure in Claude Code (~/.claude/settings.json):

{
  "mcpServers": {
    "mycop": {
      "command": "mycop",
      "args": ["mcp"]
    }
  }
}

Configure in Cursor (.cursor/mcp.json):

{
  "mcpServers": {
    "mycop": {
      "command": "mycop",
      "args": ["mcp"],
      "type": "stdio"
    }
  }
}

Configure in Windsurf (.windsurf/mcp.json):

{
  "mcpServers": {
    "mycop": {
      "command": "mycop",
      "args": ["mcp"]
    }
  }
}

Works with any MCP-compatible client including Codex CLI, Gemini CLI, and other agentic IDEs.

Inline Ignore

Suppress specific findings with inline comments:

eval(user_input)  # mycop-ignore

# mycop-ignore:PY-SEC-005
eval(user_input)

eval(user_input)  # mycop-ignore:PY-SEC-005,PY-SEC-001

Works with # (Python), // (JavaScript/TypeScript/Go/Java) comment styles. Place the comment on the same line or the line above.

AI Providers

mycop auto-detects available AI providers in this order:

1. Claude CLI — claude command installed

2. Anthropic API — ANTHROPIC_API_KEY environment variable

3. OpenAI API — OPENAI_API_KEY environment variable

4. Ollama — local Ollama server running on port 11434

5. Rule-based — offline fallback using fix hints from rules

Override with --ai-provider:

mycop scan . --explain --ai-provider anthropic
mycop fix . --ai-provider ollama

Configuration

Create a .scanrc.yml (or .mycop.yml) in your project root, or run mycop init to generate one:

# File patterns to ignore (glob syntax)
ignore:
  - "**/*_test.py"
  - "**/test_*.py"
  - "**/*.test.js"
  - "**/*.spec.ts"
  - "**/node_modules/**"
  - "**/venv/**"

# Minimum severity level: critical, high, medium, low
min_severity: medium

# Minimum severity to cause non-zero exit: critical, high, medium, low
fail_on: high

# AI provider override: claude-cli, anthropic, openai, ollama, none
# ai_provider: anthropic

CLI flags always take priority over config file values.

Security Rules

200 built-in rules (50 Python + 50 JavaScript + 50 Go + 50 Java) covering OWASP Top 10, CWE Top 25, and more:

Run mycop rules list to see all 200 rules with their severity levels.

Comparison

How does mycop compare to other security tools?

mycop is purpose-built for the AI coding era. Other tools are general-purpose scanners that were designed before AI code generation became mainstream.

Output Formats

• Terminal — colored output with code context (default)

• JSON — structured JSON for tool integration

• SARIF — Static Analysis Results Interchange Format for IDE/CI integration

Integrations

MCP Server (Agentic Tools)

mycop includes a built-in MCP server that exposes all capabilities to agentic coding tools. Run mycop mcp and configure your tool — see the mycop mcp section above for setup instructions.

Supported clients: Claude Code, Cursor, Windsurf, Codex CLI, Gemini CLI, and any MCP-compatible IDE or agent.

Available on:

• Glama — Managed MCP registry

• Smithery — MCP server hosting and discovery

• PulseMCP — MCP server directory

• MCP Servers — Curated community list

GitHub Action

Add mycop to your CI pipeline with the official GitHub Action:

- name: mycop Security Scan
  uses: AbdumajidRashidov/mycop/action@main
  with:
    paths: '.'
    fail-on: 'high'
    format: 'sarif'

Upload SARIF results to GitHub Code Scanning:

- name: mycop Security Scan
  uses: AbdumajidRashidov/mycop/action@main
  with:
    format: 'sarif'

- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: mycop-results.sarif

Pre-commit Hook

Add mycop as a pre-commit hook:

# .pre-commit-config.yaml
repos:
  - repo: https://github.com/AbdumajidRashidov/mycop
    rev: main
    hooks:
      - id: mycop

VS Code Extension (Coming Soon)

The vscode-extension/ directory contains a VS Code extension that provides:

• Real-time scanning on file save

• Diagnostics in the Problems panel

• "Scan Current File" and "Scan Workspace" commands

• Configurable severity threshold

See vscode-extension/README.md for setup instructions.

Docker

# Scan current directory
docker run --rm -v "$(pwd):/src" -w /src ghcr.io/abdumajidrashidov/mycop scan .

# Scan with specific options
docker run --rm -v "$(pwd):/src" -w /src ghcr.io/abdumajidrashidov/mycop scan . --format json --severity high

Contributing

Contributions are welcome! Whether it is a bug report, a new security rule, a feature request, or a pull request, we appreciate your help in making mycop better.

To get started:

1. Fork the repository and create your branch from main.

2. Make your changes and ensure all checks pass:

   cargo fmt --all -- --check
   cargo clippy --all-targets -- -D warnings
   cargo test --verbose

3. Open a pull request with a clear description of your changes.

Browse open issues to find something to work on, or open a new one to suggest an improvement.

If you find mycop useful, consider sponsoring the project to support ongoing development.

Star History

License

MIT