CodeMind
OfficialScans Dockerfiles for security misconfigurations and vulnerabilities as part of Infrastructure-as-Code auditing.
Secures FastAPI endpoints by enforcing rate limiting, data isolation with Row Level Security, and strict Zod validation.
Audits GitHub Actions workflow files for security best practices and potential misconfigurations.
Provides automated security hardening for Next.js applications, detecting unsafe patterns such as dangerouslySetInnerHTML, exposed NEXT_PUBLIC secrets, and insecure localStorage.
Offers security auditing for React components, identifying dangerous patterns and enforcing secure default props.
Enforces TypeScript best practices to eliminate security gaps like 'undefined' vulnerabilities.
Enforces strict server-side Zod schema validation to prevent untrusted client data from reaching the database.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@CodeMindScan this code for vulnerabilities and secrets."
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
CodeMind — AI Security Guardian
Technical Overview
CodeMind transforms your AI coding assistant (Cursor, Windsurf, Claude Desktop) into a full security platform for the modern web. Specialized for Next.js, React, and TypeScript, it provides real-time oversight of AI-generated code across five security dimensions.
Core Capabilities
Module | Description |
Modular Skills | Plugin-based agentic personas (Security, UI, Docs) with specialized prompts. |
Safety Lock | Hard-coded protection against DROP, TRUNCATE, and unconditional DELETE. |
Intent Discovery | Automatic detection of the optimal skill/persona for any given task. |
SAST Engine | Detection of SQL injection, XSS, SSRF, and command injection patterns. |
Prompt Security | Specialized detection for prompt injection and leak vulnerabilities. |
Secrets Detection | Identification of hardcoded API keys and tokens with entropy analysis. |
IaC Scanning | Security auditing for Dockerfiles, GitHub Actions, and docker-compose. |
Related MCP server: DevSecOps MCP Server
Quick Start
1. Installation
Install the core engine from PyPI:
pip install codemind-mcp2. MCP Configuration
Add CodeMind to your claude_desktop_config.json (or equivalent MCP client config):
{
"mcpServers": {
"codemind": {
"command": "codemind",
"args": ["serve"],
"env": {
"CONTEXT7_API_KEY": "your_optional_key_here"
}
}
}
}Usage
Simply include the trigger phrase in your chat prompt:
"Generate a login endpoint for FastAPI. use codemind"
Instant SaaS Protection
When you use the use codemind trigger, the Guardian automatically enforces essential protections for modern SaaS applications:
Rate Limiting: Automatic protection against DDoS and brute-force attacks.
Data Isolation: Enforcement of Row Level Security (RLS) to ensure users only access their own data.
Zod Validation: Strict server-side schema validation to prevent untrusted client data from reaching your database.
Next.js & React Hardening: Automated detection of unsafe
dangerouslySetInnerHTML, exposedNEXT_PUBLIC_secrets, and insecurelocalStoragepatterns.CSRF Protection: Auditing for missing security headers and insecure client-side data mutations.
Secure Default Props: Enforcement of TypeScript best practices to eliminate "undefined" security gaps.
Prompt Security: Hardened system prompts and injection-resistant templates for AI feature implementations.
Available Tools
CodeMind exposes 15 MCP tools for seamless automated workflows:
guard_code: Static analysis for vulnerabilities (including Prompt Injection).detect_intent: 🧠 Automatically identifies the best Skill for a given task.activate_skill: Manually switch between agentic personas (Security, UI, Docs).run_workflow: 🚀 Execute complex multi-step actions (e.g.,/deploy,/audit-deep).list_skills: View all available modular personas and their capabilities.audit_prompt: Specialized analyzer for AI prompt security and leaks.scan_secrets: Entropy-based credential detection.scan_dependencies: Software Composition Analysis (SCA).scan_iac_file: Infrastructure-as-Code auditing.deep_security_scan: Consolidated multi-layer analysis.
Strategic Roadmap
The transition from a hackathon project to a foundational security primitive.
Phase 1: Foundation (Vibeathon Momentum)
Initial MCP Server: Secure bridge between IDE and AI.
Core SAST Engine: 50+ deep-scan rules for modern web.
Secrets & SCA: Entropy-based scanning and dependency auditing.
Prompt Security: Industry-leading injection & jailbreak detection.
Vibeathon Grand Finale: Winning the vibeathon (goal!!)
Phase 2: Intelligence & Personas (Ahead of Schedule)
Modular Skill System: Plugin-based architecture for Security, UI, and Docs experts.
Intent Discovery: Real-time semantic task classification.
AI Slop Detection: Eliminating redundant commentary from AI responses.
Safety Lock: Hard-coded constraints for destructive database operations.
Semantic Analysis: AST-based auditing for Python & JavaScript.
Phase 3: Total Autonomy (The Scale Phase)
Self-Healing Code: Autonomous fix-verify loops for complex vulnerabilities.
Project-Wide Reasoning: Cross-file dependency analysis and taint-tracking.
CI/CD Native: Seamless integration with GitHub Actions as a first-class security citizen.
Local LLM Fine-tuning: Custom models optimized for security-first code generation.
Phase 4: Global Transformation (YC & Beyond)
Universal Security Primitive: The default security layer for all AI-driven development.
Real-time Runtime Protection: Monitoring AI-agent actions in production environments.
Enterprise Autonomous Guardian: Team-wide security analytics with zero data leak.
The AI-Sec Standard: Leading the certification for secure AI-assistants.
Privacy Policy
CodeMind is built on the principle of Local-First Security.
Your source code never leaves your machine.
All pattern matching and analysis are performed locally.
SCA requests to OSV.dev contain only package names and versions.
No telemetry or tracking scripts are included.
License
Distributed under the MIT License. See LICENSE for more information.
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/codemind-ai/codemind'
If you have feedback or need assistance with the MCP directory API, please join our Discord server