The only security tool built for AI-generated code. Catches hallucinated packages, slopsquatting attacks, and leaked secrets — inside VS Code, Claude Code, Cursor, and Windsurf.
$ claude mcp add codeguard -- npx -y @koilabs/codeguard-mcp
Works with VS Code, Cursor, Windsurf, Claude Code & any MCP client
The Problem
Your AI assistant writes great code — until it doesn't. These are the risks it will never warn you about.
AI models confidently suggest npm packages that were never published. You install, get a 404, and waste hours debugging. Worse — attackers know which packages AI hallucinates.
Attackers register the fake package names that AI commonly hallucinates, then fill them with malware. Your AI suggests it, you install it, your app is compromised.
AI doesn't think about security context. It embeds API keys, database URLs, and auth tokens directly in source files. Bots scrape public repos and exploit them within minutes.
AI misspells package names just often enough. lodahs instead of lodash. Attackers register these near-miss names and wait for installs.
What CodeGuard Catches
Every scan checks for hallucinated packages, supply chain attacks, leaked secrets, and code quality issues. Works inside your editor and your terminal.
Curated database of 30+ packages AI commonly hallucinates. Knows which LLM generates each one and suggests the real alternative.
Multi-signal analysis catches packages registered after AI started hallucinating them. Flags: low downloads + recently published + hallucination match.
Levenshtein distance analysis against 18 popular npm packages catches look-alike names designed to deliver malware.
28 patterns covering AWS, OpenAI, Stripe, Supabase, Firebase, Vercel, and 20+ more. Catches hardcoded credentials before they reach your repo.
Gamified 0-100 score across security, code quality, and dependencies. Know at a glance if your codebase is ready to ship.
Runs inside Claude Code, Cursor, and Windsurf via MCP. Your AI assistant scans code in real-time as it writes — zero extra steps.
Architecture scanning, performance analysis, TypeScript audit, and deep code review. Powered by your own LLM API keys (BYOK).
Pre-deploy confidence report with go/no-go decision. Quality gate for CI/CD pipelines with configurable thresholds.
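The Levenshtein look-alike check described above can be sketched as follows. This is an added example, not CodeGuard's own code: the POPULAR list, the distance thresholds, and the function names are assumptions made for illustration.

```javascript
// Added example: look-alike (typosquat) check for npm dependency names.
// POPULAR is a constructed sample list, not CodeGuard's actual reference set.
const POPULAR = ["lodash", "express", "react", "axios", "chalk", "moment", "request", "webpack"];

// Classic two-row dynamic-programming Levenshtein edit distance.
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const curr = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      curr[j] = Math.min(prev[j] + 1, curr[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = curr;
  }
  return prev[b.length];
}

// Returns the closest popular package if `name` is a near miss, else null.
function findLookalike(name, popular = POPULAR) {
  const candidate = name.trim().toLowerCase();
  if (popular.includes(candidate)) return null; // exact match: the real package
  // Short names collide easily, so allow fewer edits for them (assumed thresholds).
  const maxDistance = candidate.length <= 4 ? 1 : 2;
  let best = null;
  for (const known of popular) {
    const distance = levenshtein(candidate, known);
    if (distance <= maxDistance && (best === null || distance < best.distance)) {
      best = { suspect: candidate, resembles: known, distance };
    }
  }
  return best;
}

// Scan the dependency names of a package.json-style object.
function scanDependencies(pkg) {
  const names = Object.keys({ ...pkg.dependencies, ...pkg.devDependencies });
  return names.map((n) => findLookalike(n)).filter(Boolean);
}

// Constructed sample manifest: two near-miss names, two unrelated ones.
const sample = { dependencies: { lodahs: "^4.17.21", express: "^4.19.2", axois: "^1.6.0", "left-pad": "^1.3.0" } };
console.log(scanDependencies(sample));
```

A hit is a prompt to verify the name against the registry before installing, not proof of malice: legitimate packages can sit within one or two edits of a popular name.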
How It Works
One command for MCP. One click for VS Code. Works in under 30 seconds.
Use your AI assistant normally. CodeGuard monitors in the background, scanning as you work.
Hallucinated packages blocked. Secrets caught. Dependencies verified. Ship with confidence.
One number that tells you if your codebase is ready to ship.
Review before shipping
Free tools work fully with no monthly limits. Pro unlocks the full arsenal.
🚀 Launch Special: $7/mo or $49/yr for the first 200 subscribers
Full scanning tools. No limits.
No credit card required
Launch pricing for first 200 subscribers
Set CODEGUARD_LICENSE to activate
BYOK (Bring Your Own Key): Pro analysis tools use your own LLM API keys. That's how we keep free tools free and Pro at $9/mo.
Choose your workflow. CodeGuard works everywhere you write AI code.
For Claude Code, Cursor & Windsurf
$ claude mcp add codeguard -- npx -y @koilabs/codeguard-mcp
For VS Code, Cursor & Windsurf
Or via command line:
$ code --install-extension koilabsio.koilabs-codeguard
CI/CD Integration
# .github/workflows/codeguard.yml
- uses: koilabsio/codeguard-action@v1
Run CodeGuard on every pull request. Block PRs that fail security checks.
Yes. Free tier includes 4 fully functional tools (scan_file, scan_workspace, check_package, vibe_score) with no monthly limits. Basic HAD (10 entries) and secret detection (10 patterns) are bundled and work offline.
Full HAD database (30+ entries vs 10), full secret detection (28 patterns vs 10), slopsquatting detection, plus 6 advanced analysis tools: deep review, architecture scan, performance scan, TypeScript audit, ship report, and quality gate.
Bring Your Own Key. Pro analysis tools use your own LLM API keys (e.g., OpenAI, Anthropic). We never store or proxy your keys. This keeps our costs near zero, which is why Pro is only $9/mo.
A supply chain attack where malicious actors register npm package names that AI commonly hallucinates. When your AI suggests the package and you install it, you get malware instead. CodeGuard detects this using multi-signal analysis: low downloads + recently published + hallucination match.
VS Code, Cursor, and Windsurf (via extension). Claude Code, Cursor, and Windsurf (via MCP server). Any MCP-compatible AI assistant. GitHub Actions coming soon.