Open-source security scanner

Catch vulnerabilities in
AI-generated code

mycop scans Python, JavaScript, and TypeScript for security issues that AI coding assistants commonly introduce. 100 built-in rules, AI-powered auto-fix, zero config.

$ curl -fsSL https://raw.githubusercontent.com/AbdumajidRashidov/mycop/main/install.sh | sh
View on GitHub
mycop
$ mycop scan src/ Scanning 12 files... CRITICAL src/auth.py:24 PY-SEC-001 SQL injection via string formatting in query query = f"SELECT * FROM users WHERE id = {user_id}" HIGH src/utils.js:8 JS-SEC-002 Dangerous eval() call with user-controlled input const result = eval(req.body.expression) MEDIUM src/config.py:15 PY-SEC-003 Hardcoded secret detected in source code API_KEY = "sk-live-a1b2c3d4e5f6" Found 3 findings (1 critical, 1 high, 1 medium) $ mycop fix src/ --dry-run Fixed src/auth.py — parameterized query Fixed src/utils.js — replaced eval with safe parser Fixed src/config.py — moved secret to environment variable

Security scanning, built for modern dev workflows

Everything you need to keep AI-generated code safe, from detection to automated remediation.

100 Built-in Rules

Covers OWASP Top 10 and CWE Top 25 including SQL injection, XSS, command injection, cryptography flaws, auth issues, and more. All mapped to CWE identifiers.

AI-Powered Auto-Fix

Automatically rewrites vulnerable code using Claude, GPT-4, Ollama, or any supported provider. Review diffs before applying.

Inline Ignore

Suppress specific findings with # mycop-ignore:RULE-ID comments. Supports all rules or specific IDs.

Multiple Output Formats

Terminal output with colored context, JSON for scripting, and SARIF for IDE and CI integration like GitHub Code Scanning.

5 AI Providers

Auto-detects Claude CLI, Anthropic API, OpenAI, Ollama, or falls back to rule-based hints. No AI required for scanning.

Configurable Thresholds

Set minimum severity to report and separate fail threshold for CI gates via CLI flags or .scanrc.yml config.

Scan the languages you ship

Pattern matching and AST-level analysis for the most common AI-assisted languages.

Python
JavaScript
TS TypeScript

Get started in seconds

Choose your preferred installation method.

# macOS & Linux curl -fsSL https://raw.githubusercontent.com/AbdumajidRashidov/mycop/main/install.sh | sh # Verify installation mycop --version
brew install AbdumajidRashidov/tap/mycop
cargo install mycop
docker run --rm -v "$(pwd):/src" -w /src mycop scan .

Fits into your existing workflow

Use mycop in CI, as a git hook, or directly in your editor.

GitHub Action

Add security scanning to your CI pipeline

- name: mycop Security Scan uses: AbdumajidRashidov/mycop/action@main with: paths: '.' fail-on: 'high' format: 'sarif'

Pre-commit Hook

Catch issues before they reach the repo

# .pre-commit-config.yaml repos: - repo: https://github.com/AbdumajidRashidov/mycop rev: main hooks: - id: mycop

VS Code Extension Coming Soon

Real-time security diagnostics in your editor

// Scan on save // Diagnostics in Problems panel // Commands: "mycop: Scan Current File" "mycop: Scan Workspace" // Configure in settings.json: "mycop.severity": "medium" "mycop.scanOnSave": true

100 rules covering OWASP Top 10 & CWE Top 25

50 Python + 50 JavaScript rules, each mapped to CWE identifiers for standards compliance.

Category Python JavaScript
SQL Injection (CWE-89) PY-SEC-001, 042 JS-SEC-011
Command Injection (CWE-78) PY-SEC-002, 045, 050 JS-SEC-016
Hardcoded Secrets (CWE-798) PY-SEC-003, 034, 043 JS-SEC-004, 034
Insecure Random (CWE-330) PY-SEC-004 JS-SEC-005
Eval/Exec Injection (CWE-95) PY-SEC-005 JS-SEC-002, 049
Path Traversal / Zip Slip (CWE-22) PY-SEC-006, 037 JS-SEC-006, 037
Insecure Deserialization (CWE-502) PY-SEC-007 JS-SEC-009
XSS (CWE-79) PY-SEC-009, 044 JS-SEC-001, 010, 041
SSRF (CWE-918) PY-SEC-011 JS-SEC-007
XXE (CWE-611) PY-SEC-012 JS-SEC-012
Template Injection (CWE-1336) PY-SEC-014 JS-SEC-013
Weak Crypto (CWE-327/328) PY-SEC-017–021 JS-SEC-017–022
Insecure TLS (CWE-295) PY-SEC-022 JS-SEC-021
JWT None Alg (CWE-345) PY-SEC-023 JS-SEC-023
Open Redirect (CWE-601) PY-SEC-027 JS-SEC-027
CORS Misconfiguration (CWE-942) PY-SEC-028 JS-SEC-028
Mass Assignment (CWE-915) PY-SEC-029 JS-SEC-030
Debug Mode (CWE-215) PY-SEC-031 JS-SEC-031
Timing Attack (CWE-208) PY-SEC-046 JS-SEC-046
ReDoS (CWE-1333) PY-SEC-047 JS-SEC-047
… and 20+ more categories. Run mycop rules list for the full list.