mycop scans Python, JavaScript, and TypeScript for security issues that AI coding assistants commonly introduce. 100 built-in rules, AI-powered auto-fix, zero config.
curl -fsSL https://raw.githubusercontent.com/AbdumajidRashidov/mycop/main/install.sh | sh
Everything you need to keep AI-generated code safe, from detection to automated remediation.
Covers OWASP Top 10 and CWE Top 25 including SQL injection, XSS, command injection, cryptography flaws, auth issues, and more. All mapped to CWE identifiers.
Automatically rewrites vulnerable code using Claude, GPT-4, Ollama, or any supported provider. Review diffs before applying.
Suppress specific findings with # mycop-ignore:RULE-ID
comments. Supports all rules or specific IDs.
Terminal output with colored context, JSON for scripting, and SARIF for IDE and CI integration like GitHub Code Scanning.
Auto-detects Claude CLI, Anthropic API, OpenAI, Ollama, or falls back to rule-based hints. No AI required for scanning.
Set minimum severity to report and separate fail threshold for CI gates via CLI flags or .scanrc.yml config.
Pattern matching and AST-level analysis for the most common AI-assisted languages.
Choose your preferred installation method.
# macOS & Linux
curl -fsSL https://raw.githubusercontent.com/AbdumajidRashidov/mycop/main/install.sh | sh
# Verify installation
mycop --versionbrew install AbdumajidRashidov/tap/mycopcargo install mycopdocker run --rm -v "$(pwd):/src" -w /src mycop scan .
Use mycop in CI, as a git hook, or directly in your editor.
Add security scanning to your CI pipeline
Catch issues before they reach the repo
Real-time security diagnostics in your editor
50 Python + 50 JavaScript rules, each mapped to CWE identifiers for standards compliance.
| Category | Python | JavaScript |
|---|---|---|
| SQL Injection (CWE-89) | PY-SEC-001, 042 | JS-SEC-011 |
| Command Injection (CWE-78) | PY-SEC-002, 045, 050 | JS-SEC-016 |
| Hardcoded Secrets (CWE-798) | PY-SEC-003, 034, 043 | JS-SEC-004, 034 |
| Insecure Random (CWE-330) | PY-SEC-004 | JS-SEC-005 |
| Eval/Exec Injection (CWE-95) | PY-SEC-005 | JS-SEC-002, 049 |
| Path Traversal / Zip Slip (CWE-22) | PY-SEC-006, 037 | JS-SEC-006, 037 |
| Insecure Deserialization (CWE-502) | PY-SEC-007 | JS-SEC-009 |
| XSS (CWE-79) | PY-SEC-009, 044 | JS-SEC-001, 010, 041 |
| SSRF (CWE-918) | PY-SEC-011 | JS-SEC-007 |
| XXE (CWE-611) | PY-SEC-012 | JS-SEC-012 |
| Template Injection (CWE-1336) | PY-SEC-014 | JS-SEC-013 |
| Weak Crypto (CWE-327/328) | PY-SEC-017–021 | JS-SEC-017–022 |
| Insecure TLS (CWE-295) | PY-SEC-022 | JS-SEC-021 |
| JWT None Alg (CWE-345) | PY-SEC-023 | JS-SEC-023 |
| Open Redirect (CWE-601) | PY-SEC-027 | JS-SEC-027 |
| CORS Misconfiguration (CWE-942) | PY-SEC-028 | JS-SEC-028 |
| Mass Assignment (CWE-915) | PY-SEC-029 | JS-SEC-030 |
| Debug Mode (CWE-215) | PY-SEC-031 | JS-SEC-031 |
| Timing Attack (CWE-208) | PY-SEC-046 | JS-SEC-046 |
| ReDoS (CWE-1333) | PY-SEC-047 | JS-SEC-047 |
… and 20+ more categories. Run mycop rules list for the full list.
|
||