Analysis updated 2026-05-18
Scan an AI-written JavaScript project for exposed API keys and injection vulnerabilities before shipping.
Run a compliance report to see which OWASP Top 10 controls your codebase covers.
Generate a software bill of materials to check dependencies for known security bugs.
Loop through scan, fix, and rescan to verify that security issues are actually resolved.
| | synvoya/codeinspectus | abidoo22/pixelorama-mcp | aditya-pandey/slate |
|---|---|---|---|
| Stars | 1 | 1 | 1 |
| Language | TypeScript | TypeScript | TypeScript |
| Setup difficulty | moderate | moderate | easy |
| Complexity | 3/5 | 3/5 | 2/5 |
| Audience | developer | vibe coder | general |
Figures from each repo's GitHub metadata at analysis time.
Requires registering with an AI coding agent's MCP config and running install-engines to download scanner binaries.
CodeInspectus is a security scanning tool you add to your AI coding assistant to catch real vulnerabilities in the code you write together. You install it once on your machine, register it with your AI agent (such as Claude Code, Cursor, or VS Code), and from that point your agent can call it to scan any folder for security problems.

The tool runs entirely on your computer. The only time it touches the internet is during the initial install, when it downloads three scanning programs: one that looks for code-level vulnerabilities like injection flaws (Opengrep), one that hunts for accidentally committed passwords and API keys (Gitleaks), and one that checks your project's dependencies for known security bugs (Trivy). After that download, every scan runs offline with zero network activity and no telemetry.

On top of those three tools, CodeInspectus adds its own checks aimed at mistakes that commonly appear in AI-written code. These include detecting secret keys embedded in client-side JavaScript bundles, catching Supabase database permission mistakes (a class of vulnerability tied to a 2025 security advisory), and flagging spots where user input could be injected into AI prompts. These AI-code checks currently focus on JavaScript and TypeScript; Python and Go code still get the secrets and dependency scanning, but not the AI-specific layer.

The tool gives your agent six actions to call: a full scan, a rescan to compare results after fixes, a compliance report, a detailed explanation of any single finding, a software bill of materials export, and a list of active detectors. All of these are strictly read-only. CodeInspectus reports problems and suggests fixes, but it never modifies your files. Your agent (or you) applies the changes.

One practical note from the developers: the compliance reports show how much of your code matches the control patterns in frameworks like NIST, SOC 2, and OWASP. They do not mean your software is certified or fully compliant. The distinction matters, and the tool states it plainly.
A local-first security scanner your AI coding agent can call to find vulnerabilities, exposed secrets, and dependency issues in your code, running entirely offline after a one-time install.
Mainly TypeScript. The stack also includes Node.js and Opengrep.
Setup difficulty is rated moderate, with roughly 30 minutes to a first successful run.
Mainly developer.
Verify against the repo before relying on details.