Open-source security scanner

Catch vulnerabilities in
AI-generated code

mycop scans Python, JavaScript, TypeScript, Go, and Java for security issues that AI coding assistants commonly introduce. 200 built-in rules, AI-powered auto-fix, zero config.

$ curl -fsSL https://raw.githubusercontent.com/AbdumajidRashidov/mycop/main/install.sh | sh
$ mycop scan src/
Scanning 12 files...

CRITICAL  src/auth.py:24    PY-SEC-001  SQL injection via string formatting in query
          query = f"SELECT * FROM users WHERE id = {user_id}"
HIGH      src/utils.js:8    JS-SEC-002  Dangerous eval() call with user-controlled input
          const result = eval(req.body.expression)
MEDIUM    src/config.py:15  PY-SEC-003  Hardcoded secret detected in source code
          API_KEY = "sk-live-a1b2c3d4e5f6"

Found 3 findings (1 critical, 1 high, 1 medium)

$ mycop fix src/ --dry-run
Fixed src/auth.py — parameterized query
Fixed src/utils.js — replaced eval with safe parser
Fixed src/config.py — moved secret to environment variable
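The three findings in that transcript, reproduced as runnable Python with the remediation the fixer describes placed beside each. This is an added illustration written for this page, not mycop's output or the project's code: the in-memory SQLite table, the Python stand-in for the JavaScript eval() finding, and all function names are constructed for the example.

```python
import ast
import operator
import os
import sqlite3

# Constructed fixture: an in-memory SQLite table so the example runs offline.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")])
    return conn

# Finding 1 (the PY-SEC-001 pattern): user input spliced into SQL text.
# The input "1 OR 1=1" turns a one-row lookup into a full table dump.
def get_user_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    query = f"SELECT * FROM users WHERE id = {user_id}"
    return conn.execute(query).fetchall()

# Fixed: a bound parameter. The driver passes user_id as a value, never as SQL,
# so "1 OR 1=1" is just a string that matches no id.
def get_user_fixed(conn: sqlite3.Connection, user_id) -> list:
    return conn.execute("SELECT * FROM users WHERE id = ?", (user_id,)).fetchall()

# Finding 2 (the JS-SEC-002 pattern, shown in Python): eval() on request data is
# arbitrary code execution, e.g. "__import__('os').system('id')".
def calc_vulnerable(expression: str):
    return eval(expression)

# Fixed: a "safe parser" in the sense the fixer's message uses the term. Parse the
# expression, walk the AST, and allow only numeric literals and a fixed set of
# arithmetic operators. Names, calls, attributes and ** are rejected (** is left
# out so "9**9**9" cannot pin the CPU).
_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
            ast.Mult: operator.mul, ast.Div: operator.truediv, ast.Mod: operator.mod}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}

def calc_fixed(expression: str):
    def ev(node: ast.AST):
        if isinstance(node, ast.Constant) and type(node.value) in (int, float):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](ev(node.left), ev(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
            return _UNARY_OPS[type(node.op)](ev(node.operand))
        raise ValueError(f"disallowed syntax: {type(node).__name__}")
    return ev(ast.parse(expression, mode="eval").body)

def is_rejected(expression: str) -> bool:
    """True when calc_fixed refuses the expression instead of evaluating it."""
    try:
        calc_fixed(expression)
    except (ValueError, SyntaxError):
        return True
    return False

# Finding 3 (the PY-SEC-003 pattern): a live key in source ends up in git history,
# build logs and every clone. Fixed: read it from the environment and fail loudly
# when it is missing rather than silently falling back to a default.
def load_api_key() -> str:
    key = os.environ.get("API_KEY")
    if not key:
        raise RuntimeError("API_KEY is not set; export it or inject it from a secrets manager")
    return key

if __name__ == "__main__":
    db = make_db()
    print(get_user_vulnerable(db, "1 OR 1=1"))           # all three rows
    print(get_user_fixed(db, "1 OR 1=1"))                # []
    print(calc_fixed("2 * (3 + 4)"))                     # 14
    print(is_rejected("__import__('os').system('id')"))  # True
```

Re-running the scanner after a fix is the part of the workflow that matters: the parameterized query and the AST evaluator no longer contain the patterns the rules match, while the environment lookup removes the literal the secret rule keyed on.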

Security scanning, built for modern dev workflows

Everything you need to keep AI-generated code safe, from detection to automated remediation.

200 Built-in Rules

Covers OWASP Top 10 and CWE Top 25 including SQL injection, XSS, command injection, cryptography flaws, auth issues, and more. All mapped to CWE identifiers.

AI-Powered Auto-Fix

Automatically rewrites vulnerable code using Claude, GPT-4, Ollama, or any supported provider. Review diffs before applying.

Inline Ignore

Suppress specific findings with # mycop-ignore:RULE-ID comments. Supports all rules or specific IDs.

Multiple Output Formats

Terminal output with colored context, JSON for scripting, and SARIF for IDE and CI integration like GitHub Code Scanning.

5 AI Providers

Auto-detects Claude CLI, Anthropic API, OpenAI, Ollama, or falls back to rule-based hints. No AI required for scanning.

Configurable Thresholds

Set minimum severity to report and separate fail threshold for CI gates via CLI flags or .scanrc.yml config.

Scan the languages you ship

Pattern matching and AST-level analysis for the most common AI-assisted languages.
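What AST-level analysis adds over pattern matching, as an added example written for this page rather than mycop's own rule engine: a minimal detector for the PY-SEC-001 pattern that follows how the first argument of cursor.execute() was built. A regex on the call line catches the f-string, but only the assignment tracking catches a query assembled into a variable and passed later. The sample source and the name-resolution heuristic are constructed for the example; a production engine would use real dataflow and would resolve a constant such as table below instead of flagging it.

```python
from __future__ import annotations

import ast
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: five execute() calls, three of them dynamic.
SAMPLE_SOURCE = '''
import sqlite3

def get_user(conn, user_id):
    cur = conn.cursor()
    cur.execute(f"SELECT * FROM users WHERE id = {user_id}")
    cur.execute("SELECT * FROM users WHERE id = ?", (user_id,))
    sql = "SELECT * FROM users WHERE name = '%s'" % user_id
    cur.execute(sql)
    cur.execute("SELECT count(*) FROM users")
    table = "users"
    cur.execute("SELECT * FROM " + table)
'''

# DB-API sink methods whose first argument is SQL text.
SINK_METHODS = {"execute", "executemany", "executescript"}

@dataclass
class Finding:
    line: int
    reason: str

def dynamic_reason(node: Optional[ast.AST], assigned: dict, depth: int = 0) -> Optional[str]:
    """Return why this expression yields runtime-built SQL text, or None if it is constant."""
    if node is None or depth > 8:          # unknown name, or a pathological assignment chain
        return None
    if isinstance(node, ast.JoinedStr):    # f"...{x}..."
        if any(isinstance(v, ast.FormattedValue) for v in node.values):
            return "f-string interpolation"
    elif isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        # "..." + x  or  "..." % x ; two literals joined is still constant
        if not (isinstance(node.left, ast.Constant) and isinstance(node.right, ast.Constant)):
            return "string concatenation or % formatting"
    elif isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) and node.func.attr == "format":
        return "str.format() call"
    elif isinstance(node, ast.Name):       # follow the last value bound to the name
        inner = dynamic_reason(assigned.get(node.id), assigned, depth + 1)
        if inner:
            return f"variable '{node.id}' built by {inner}"
    return None

class SqlSinkVisitor(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: list[Finding] = []
        self.assigned: dict[str, ast.AST] = {}   # name -> most recent assigned expression

    def visit_Assign(self, node: ast.Assign) -> None:
        for target in node.targets:
            if isinstance(target, ast.Name):
                self.assigned[target.id] = node.value
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        if isinstance(func, ast.Attribute) and func.attr in SINK_METHODS and node.args:
            reason = dynamic_reason(node.args[0], self.assigned)
            if reason:
                self.findings.append(Finding(node.lineno, reason))
        self.generic_visit(node)

def scan_source(source: str) -> list[Finding]:
    """Parse Python source and report execute() calls fed with dynamically built SQL."""
    visitor = SqlSinkVisitor()
    visitor.visit(ast.parse(source))
    return visitor.findings

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.reason}")
```

The two clean calls (a bound parameter on line 7 and a literal on line 10) produce nothing, which is the property a rule needs to keep its false-positive rate low enough for a CI gate.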

Python
JavaScript
TypeScript
Go
Java

Get started in seconds

Choose your preferred installation method.

# macOS & Linux
curl -fsSL https://raw.githubusercontent.com/AbdumajidRashidov/mycop/main/install.sh | sh

# Verify installation
mycop --version

Piping the installer straight into sh runs unreviewed code with your user's privileges. If that matters in your environment, download install.sh, read it, then run it, or use one of the package-manager options below.
brew install AbdumajidRashidov/tap/mycop
cargo install mycop
docker run --rm -v "$(pwd):/src" -w /src ghcr.io/abdumajidrashidov/mycop scan .

Fits into your existing workflow

Use mycop in CI, as a git hook, or directly in your editor.

GitHub Action

Add security scanning to your CI pipeline

- name: mycop Security Scan
  uses: AbdumajidRashidov/mycop/action@main
  with:
    paths: '.'
    fail-on: 'high'
    format: 'sarif'

@main tracks the action's default branch, so the code your pipeline runs can change underneath you. For a reproducible, tamper-resistant pipeline, pin uses: to a release tag or a full commit SHA.

Pre-commit Hook

Catch issues before they reach the repo

# .pre-commit-config.yaml
repos:
  - repo: https://github.com/AbdumajidRashidov/mycop
    rev: main
    hooks:
      - id: mycop

As with the GitHub Action, rev: main is a moving target; pin rev to a tag or commit so every developer runs the same hook.

MCP Server (New)

Agentic security scanning in Claude Code, Cursor, Windsurf

// Claude Code (~/.claude/settings.json)
{
  "mcpServers": {
    "mycop": {
      "command": "mycop",
      "args": ["mcp"]
    }
  }
}
// 5 tools: scan, review, explain & more

VS Code Extension (Coming Soon)

Real-time security diagnostics in your editor

// Scan on save
// Diagnostics in Problems panel
// Commands: "mycop: Scan Current File", "mycop: Scan Workspace"
// Configure in settings.json:
"mycop.severity": "medium"
"mycop.scanOnSave": true

200 rules covering OWASP Top 10 & CWE Top 25

50 Python + 50 JavaScript + 50 Go + 50 Java rules, each mapped to CWE identifiers for standards compliance.

Category                           | Python               | JavaScript
SQL Injection (CWE-89)             | PY-SEC-001, 042      | JS-SEC-011
Command Injection (CWE-78)         | PY-SEC-002, 045, 050 | JS-SEC-016
Hardcoded Secrets (CWE-798)        | PY-SEC-003, 034, 043 | JS-SEC-004, 034
Insecure Random (CWE-330)          | PY-SEC-004           | JS-SEC-005
Eval/Exec Injection (CWE-95)       | PY-SEC-005           | JS-SEC-002, 049
Path Traversal / Zip Slip (CWE-22) | PY-SEC-006, 037      | JS-SEC-006, 037
Insecure Deserialization (CWE-502) | PY-SEC-007           | JS-SEC-009
XSS (CWE-79)                       | PY-SEC-009, 044      | JS-SEC-001, 010, 041
SSRF (CWE-918)                     | PY-SEC-011           | JS-SEC-007
XXE (CWE-611)                      | PY-SEC-012           | JS-SEC-012
Template Injection (CWE-1336)      | PY-SEC-014           | JS-SEC-013
Weak Crypto (CWE-327/328)          | PY-SEC-017–021       | JS-SEC-017–022
Insecure TLS (CWE-295)             | PY-SEC-022           | JS-SEC-021
JWT None Alg (CWE-345)             | PY-SEC-023           | JS-SEC-023
Open Redirect (CWE-601)            | PY-SEC-027           | JS-SEC-027
CORS Misconfiguration (CWE-942)    | PY-SEC-028           | JS-SEC-028
Mass Assignment (CWE-915)          | PY-SEC-029           | JS-SEC-030
Debug Mode (CWE-215)               | PY-SEC-031           | JS-SEC-031
Timing Attack (CWE-208)            | PY-SEC-046           | JS-SEC-046
ReDoS (CWE-1333)                   | PY-SEC-047           | JS-SEC-047
… and 20+ more categories. Run mycop rules list for the full list.

Latest from the blog

Deep dives into AI code security, vulnerability patterns, and how to defend against them.

Tags: Go, Java, v0.4.0

mycop v0.4.0: Go and Java Support — 200 Security Rules

100 new security rules for Go and Java, bringing the total to 200 across five languages. Full OWASP Top 10 coverage, comprehensive test fixtures, zero config.

Tags: Security, Copilot, CWE

Top 10 Security Vulnerabilities GitHub Copilot Keeps Writing

The 10 most common vulnerabilities Copilot introduces — SQL injection, XSS, hardcoded secrets, and more. Vulnerable code, CWE references, detection with mycop, and secure alternatives.

Tags: Guide, OWASP, CI/CD

The Complete Guide to Securing AI-Generated Code in 2026

Statistics, OWASP Top 10 mapping, automated scanning setup, GitHub Actions integration, AI auto-fix workflows, and a comprehensive best practices checklist.

Tags: Comparison, SAST Tools

mycop vs Semgrep vs Snyk: Which Security Scanner for AI Code?

Detailed comparison of three security scanners for AI-generated code. Built-in rules, auto-fix, MCP integration, pricing, and honest recommendations for when to use each.

Tags: MCP, Agentic, Integration

mycop Now Speaks MCP: Security Scanning Inside Your AI Coding Assistant

mycop ships with a built-in MCP server. Claude Code, Cursor, Windsurf, and other agentic tools can now scan and review code for vulnerabilities without leaving the conversation.

Tags: Security, Python, JavaScript, AI

The Security Bugs AI Coding Assistants Keep Writing

I analyzed the patterns of security vulnerabilities that AI coding assistants repeatedly introduce — SQL injection, eval(), hardcoded secrets, and more. Real code examples and how to catch them.

Simple, transparent pricing

Start free, upgrade when your team needs more.

Community

Free forever
Everything you need for individual security scanning.
  • Full CLI scanner
  • 200 built-in security rules
  • All scan modes (full, diff, file)
  • Terminal, JSON, and SARIF output
  • MCP server for agentic tools
  • GitHub Actions integration
  • Pre-commit hook
Get Started Free

Team

$39 /dev/month
For teams that need visibility and control.
  • Everything in Pro
  • Cloud dashboard
  • Team policies
  • Centralized config
  • Usage analytics
  • Slack alerts
Join Waitlist

Enterprise

Custom
For organizations with compliance and scale needs.
  • Everything in Team
  • SSO / SAML
  • Audit logs
  • Custom rules
  • SLA
  • Dedicated support
  • SOC 2 reports
Contact Sales

Get early access to mycop Pro

We're building Pro and Team tiers with AI auto-fix, cloud dashboard, and team management. Join the waitlist to be first in line.

No spam. We'll only email you about mycop Pro launch.

Frequently asked questions

What developers ask before adopting a security scanner.

Is AI-generated code safe? What security risks does Copilot and ChatGPT code have?
AI-generated code from tools like GitHub Copilot, ChatGPT, and Cursor frequently introduces security vulnerabilities, including SQL injection, hardcoded secrets, command injection, and insecure cryptography. Published studies have measured vulnerability rates as high as roughly 40% (Pearce et al.'s 2022 evaluation of GitHub Copilot found about 40% of the generated programs vulnerable in the scenarios tested). mycop is built specifically to catch these issues with 200 rules covering OWASP Top 10 and CWE Top 25 categories.
How do I scan Python or JavaScript code for security vulnerabilities for free?
mycop is a free, open-source security scanner that detects vulnerabilities in Python, JavaScript, TypeScript, Go, and Java. Install it with a single command (curl -fsSL https://raw.githubusercontent.com/AbdumajidRashidov/mycop/main/install.sh | sh), then run mycop scan . in your project directory. It finds SQL injection, XSS, hardcoded secrets, and 20+ more vulnerability categories with zero configuration required.
How does mycop compare to Semgrep, Bandit, and ESLint for security scanning?
Semgrep ships rules through its registry but expects you to assemble and maintain rulesets, and Bandit (Python only) and ESLint (JavaScript only) each cover a single language. mycop scans Python, JavaScript, TypeScript, Go, and Java with one tool and ships with 200 pre-built security rules. It also offers AI-powered auto-fix: it can rewrite vulnerable code using Claude, GPT-4, or Ollama, then verify the fix by re-scanning.
Can I automatically fix security vulnerabilities in my code with AI?
Yes. The mycop fix command uses AI to automatically rewrite vulnerable code. It groups all findings per file, sends them to your chosen AI provider (Claude, OpenAI GPT-4, or Ollama), generates a diff for you to review, and re-scans to verify the fix. Use --dry-run to preview changes before applying, and treat the diff like any other contribution: read it before merging. No AI key is needed for scanning; a provider is required only for auto-fix.
How do I use mycop with Claude Code, Cursor, or Windsurf?
mycop includes a built-in MCP (Model Context Protocol) server that lets agentic coding tools call its scanning, fixing, and review capabilities directly. Run mycop mcp to start the server, then configure your tool to connect. For Claude Code, add {"mcpServers":{"mycop":{"command":"mycop","args":["mcp"]}}} to your settings. It works with Cursor, Windsurf, Codex CLI, Gemini CLI, and any MCP-compatible client.
How do I add security scanning to my CI/CD pipeline or GitHub Actions?
mycop integrates directly with GitHub Actions — add uses: AbdumajidRashidov/mycop/action@main to your workflow to block PRs with high-severity vulnerabilities. It outputs SARIF format for GitHub Code Scanning, works as a pre-commit hook to catch issues before they reach your repo, and supports --diff mode to scan only changed files.