Open-source security scanner
Crates.io CI MIT License

Catch vulnerabilities in
AI-generated code

mycop scans Python, JavaScript, and TypeScript for security issues that AI coding assistants commonly introduce. 100 built-in rules, AI-powered auto-fix, zero config.

$ curl -fsSL https://raw.githubusercontent.com/AbdumajidRashidov/mycop/main/install.sh | sh
View on GitHub
mycop
$ mycop scan src/ Scanning 12 files... CRITICAL src/auth.py:24 PY-SEC-001 SQL injection via string formatting in query query = f"SELECT * FROM users WHERE id = {user_id}" HIGH src/utils.js:8 JS-SEC-002 Dangerous eval() call with user-controlled input const result = eval(req.body.expression) MEDIUM src/config.py:15 PY-SEC-003 Hardcoded secret detected in source code API_KEY = "sk-live-a1b2c3d4e5f6" Found 3 findings (1 critical, 1 high, 1 medium) $ mycop fix src/ --dry-run Fixed src/auth.py — parameterized query Fixed src/utils.js — replaced eval with safe parser Fixed src/config.py — moved secret to environment variable

Security scanning, built for modern dev workflows

Everything you need to keep AI-generated code safe, from detection to automated remediation.

100 Built-in Rules

Covers OWASP Top 10 and CWE Top 25 including SQL injection, XSS, command injection, cryptography flaws, auth issues, and more. All mapped to CWE identifiers.

AI-Powered Auto-Fix

Automatically rewrites vulnerable code using Claude, GPT-4, Ollama, or any supported provider. Review diffs before applying.

Inline Ignore

Suppress specific findings with # mycop-ignore:RULE-ID comments. Supports all rules or specific IDs.

Multiple Output Formats

Terminal output with colored context, JSON for scripting, and SARIF for IDE and CI integration like GitHub Code Scanning.

5 AI Providers

Auto-detects Claude CLI, Anthropic API, OpenAI, Ollama, or falls back to rule-based hints. No AI required for scanning.

Configurable Thresholds

Set minimum severity to report and separate fail threshold for CI gates via CLI flags or .scanrc.yml config.

Scan the languages you ship

Pattern matching and AST-level analysis for the most common AI-assisted languages.

Python
JavaScript
TS TypeScript

Get started in seconds

Choose your preferred installation method.

# macOS & Linux curl -fsSL https://raw.githubusercontent.com/AbdumajidRashidov/mycop/main/install.sh | sh # Verify installation mycop --version
brew install AbdumajidRashidov/tap/mycop
cargo install mycop
docker run --rm -v "$(pwd):/src" -w /src ghcr.io/abdumajidrashidov/mycop scan .

Fits into your existing workflow

Use mycop in CI, as a git hook, or directly in your editor.

GitHub Action

Add security scanning to your CI pipeline

- name: mycop Security Scan uses: AbdumajidRashidov/mycop/action@main with: paths: '.' fail-on: 'high' format: 'sarif'

Pre-commit Hook

Catch issues before they reach the repo

# .pre-commit-config.yaml repos: - repo: https://github.com/AbdumajidRashidov/mycop rev: main hooks: - id: mycop

MCP Server New

Agentic security scanning in Claude Code, Cursor, Windsurf

// Claude Code (~/.claude/settings.json) { "mcpServers": { "mycop": { "command": "mycop", "args": ["mcp"] } } } // 5 tools: scan, review, explain & more

VS Code Extension Coming Soon

Real-time security diagnostics in your editor

// Scan on save // Diagnostics in Problems panel // Commands: "mycop: Scan Current File" "mycop: Scan Workspace" // Configure in settings.json: "mycop.severity": "medium" "mycop.scanOnSave": true

100 rules covering OWASP Top 10 & CWE Top 25

50 Python + 50 JavaScript rules, each mapped to CWE identifiers for standards compliance.

Category Python JavaScript
SQL Injection (CWE-89) PY-SEC-001, 042 JS-SEC-011
Command Injection (CWE-78) PY-SEC-002, 045, 050 JS-SEC-016
Hardcoded Secrets (CWE-798) PY-SEC-003, 034, 043 JS-SEC-004, 034
Insecure Random (CWE-330) PY-SEC-004 JS-SEC-005
Eval/Exec Injection (CWE-95) PY-SEC-005 JS-SEC-002, 049
Path Traversal / Zip Slip (CWE-22) PY-SEC-006, 037 JS-SEC-006, 037
Insecure Deserialization (CWE-502) PY-SEC-007 JS-SEC-009
XSS (CWE-79) PY-SEC-009, 044 JS-SEC-001, 010, 041
SSRF (CWE-918) PY-SEC-011 JS-SEC-007
XXE (CWE-611) PY-SEC-012 JS-SEC-012
Template Injection (CWE-1336) PY-SEC-014 JS-SEC-013
Weak Crypto (CWE-327/328) PY-SEC-017–021 JS-SEC-017–022
Insecure TLS (CWE-295) PY-SEC-022 JS-SEC-021
JWT None Alg (CWE-345) PY-SEC-023 JS-SEC-023
Open Redirect (CWE-601) PY-SEC-027 JS-SEC-027
CORS Misconfiguration (CWE-942) PY-SEC-028 JS-SEC-028
Mass Assignment (CWE-915) PY-SEC-029 JS-SEC-030
Debug Mode (CWE-215) PY-SEC-031 JS-SEC-031
Timing Attack (CWE-208) PY-SEC-046 JS-SEC-046
ReDoS (CWE-1333) PY-SEC-047 JS-SEC-047
… and 20+ more categories. Run mycop rules list for the full list.

Frequently asked questions

What developers ask before adopting a security scanner.

Is AI-generated code safe? What security risks does Copilot and ChatGPT code have?
AI-generated code from tools like GitHub Copilot, ChatGPT, and Cursor frequently introduces security vulnerabilities — including SQL injection, hardcoded secrets, command injection, and insecure cryptography. Studies show up to 40% of AI-generated code contains security flaws. mycop is built specifically to catch these issues with 100 rules covering OWASP Top 10 and CWE Top 25 categories.
How do I scan Python or JavaScript code for security vulnerabilities for free?
mycop is a free, open-source security scanner that detects vulnerabilities in Python, JavaScript, and TypeScript. Install it with a single command (curl -fsSL https://raw.githubusercontent.com/AbdumajidRashidov/mycop/main/install.sh | sh), then run mycop scan . in your project directory. It finds SQL injection, XSS, hardcoded secrets, and 20+ more vulnerability categories with zero configuration required.
How does mycop compare to Semgrep, Bandit, and ESLint for security scanning?
Unlike Semgrep (which requires custom rules) or language-specific tools like Bandit (Python only) and ESLint (JavaScript only), mycop scans Python, JavaScript, and TypeScript with a single tool and ships with 100 pre-built security rules. It also uniquely offers AI-powered auto-fix — it can automatically rewrite vulnerable code using Claude, GPT-4, or Ollama, then verify the fix by re-scanning.
Can I automatically fix security vulnerabilities in my code with AI?
Yes. The mycop fix command uses AI to automatically rewrite vulnerable code. It groups all findings per file, sends them to your chosen AI provider (Claude, GPT-4, OpenAI, or Ollama), generates a diff for you to review, and re-scans to verify the fix. Use --dry-run to preview changes before applying. No AI key is needed for scanning — only for auto-fix.
How do I use mycop with Claude Code, Cursor, or Windsurf?
mycop includes a built-in MCP (Model Context Protocol) server that lets agentic coding tools call its scanning, fixing, and review capabilities directly. Run mycop mcp to start the server, then configure your tool to connect. For Claude Code, add {"mcpServers":{"mycop":{"command":"mycop","args":["mcp"]}}} to your settings. It works with Cursor, Windsurf, Codex CLI, Gemini CLI, and any MCP-compatible client.
How do I add security scanning to my CI/CD pipeline or GitHub Actions?
mycop integrates directly with GitHub Actions — add uses: AbdumajidRashidov/mycop/action@main to your workflow to block PRs with high-severity vulnerabilities. It outputs SARIF format for GitHub Code Scanning, works as a pre-commit hook to catch issues before they reach your repo, and supports --diff mode to scan only changed files.