CodeMoreThe static analyzer your AI agent reads.AI agents ship code fast — and ship bugs fast. CodeMore scans the code, then hands the agent that wrote it a machine-readable report with the exact fix and the criteria to verify it. The agent closes its own findings. Website · Docs · Rule Catalog · Report Schema · Changelog
59 native rules · 8 external adapters · CLI · MCP server · VS Code extension · GitHub Action — one report, byte-identical on every surface. Table of contents
Why CodeMoreAI-assisted coding ships vulnerabilities at a measured, growing rate:
Existing scanners (SonarQube, DeepSource, Snyk) target human reviewers sitting at dashboards. But this code wasn't written by a human — and the LLM that wrote it is fully capable of fixing its own bug, if the report is shaped for a machine reader. That's the wedge. CodeMore is not another SAST dashboard. It's the report contract between a scanner and a coding agent: every finding carries a
Quick startCLI
Emits
MCP server — Cursor, Claude Code, Codex, Claude Desktop
Manual config snippet
Six tools exposed: VS Code extension
Inline diagnostics; code-action quick-fix invokes the agentic loop (plan → generate → validate → retry, max 3 attempts). Marketplace listing coming — until then, install from the packaged GitHub Action
PR-comment bot; only fails the build on findings new since the committed Web Scanner (hosted)Sign in at codemore.tech, paste a public GitHub URL or upload a ZIP — same report, same fingerprint, zero install. What it catches59 native rules across 6 packs, every rule mapped to a cited real-world incident class — not a hypothetical:
8 external adapters (off by default, opt in via The walker catches what Per-rule documentation: The report is the productEvery surface emits the same schema-stable
One brain, four skins. The schema is the API; surfaces are interchangeable. Full report example —
|
| Project | Findings | BLOCKERs | TP rate | Notes |
|---|---|---|---|---|
| EchoVault | 122 | 10 | 100% | Real Supabase RLS holes |
| ProofSnap | 134 | 4 | 100% | |
| AImentor | 224 | 5 | 100% | Real OpenAI keys hidden by .gitignore |
| Hackathonnn | 129 | 3 | 100% | |
| shopsec | 113 | 5 | 100% | |
| Senti | 155 | 8 | 100% | |
| open-design | 8,615 | 101 | ~80% | |
| Gen ai | 63 | 4 | 75% | Real Firebase admin SDK creds |
| codemore self | 282 | 6 | 17% | Intentional landing-demo data |
| Aggregate (excl. self) | 9,755 | 140 | ~85% |
Quality gates, enforced in CI
- 100% TP / 100% FP on the 116-fixture corpus regression suite — every rule ships with at least one true-positive and one false-positive fixture under
corpus/rules/<rule-id>/{tp,fp}/ - Lifecycle gating: rules are
experimental→beta→stable, promotion requires fixture pairs plus real-world FP-rate evidence via opt-in telemetry; rules below the precision bar are gated behind--enable-experimentalor ship with reduced confidence so agents weight them lower
| Lifecycle | Default | Promotion bar |
|---|---|---|
experimental |
off by default | one fixture pair |
beta |
on by default | ≥ 3 fixture pairs + 14-day FP rate < 15% |
stable |
ships in default pack | 30-day FP rate < 5% + reference apps clean |
deprecated |
warns, removed next major | — |
What CodeMore does not catch
Out of scope by design — static analysis can't judge these, and an agent can't auto-fix them from a source diff. The rule is "agent-actionable or it's not a rule":
Weak password policies · audit-log completeness · business-logic flaws · race conditions · open S3/GCS buckets · DAST findings · MFA presence.
Full list with reasoning: docs/limitations.md. For these, pair CodeMore with OWASP ZAP, Burp Suite, checkov, or your IdP's compliance dashboard.
Telemetry — opt-in only
Off by default. Enable per-scan with --telemetry. Collected: tool version, hashed project fingerprint, surface, rule-fire events. Never collected: file paths, contents, snippets, evidence text — the endpoint enforces a Zod strict() schema and rejects any payload containing those keys with HTTP 400. 64 KB payload cap, per-fingerprint rate limiting, RLS denies all reads.
Architecture
codemore/
├── shared/ ← one brain, shared across all surfaces
│ ├── packs/ ← 58 rule modules across 6 packs
│ ├── rules/ ← registry, lifecycle gating, suppression, AST helpers (TS + Python)
│ └── report/ ← codemore-report.json v1.0.0 schema + types + writer
├── daemon/
│ ├── cli/ ← CLI entry · walker · ignore resolver · baseline diff
│ ├── mcp/ ← MCP server (6 tools)
│ ├── external/ ← 8 opt-in adapters, fail-loud parsers
│ ├── services/ ← agentic fixer · validator harness · scan orchestrator
│ └── llm/ ← OpenAI · Anthropic · Gemini · local provider plug-ins
├── src/ ← VS Code extension (forks daemon, renders diagnostics)
├── web/ ← Next.js: landing · dashboard · docs · /api/telemetry
├── corpus/rules/<id>/{tp,fp}/ ← 116 TP/FP fixture pairs, 1:1 with the rule catalog
├── docs/ ← schema · limitations · security-gate · 58 per-rule pages
└── templates/ ← copy-paste GitHub Action workflows
One brain (shared/), four skins (CLI, MCP, extension, Action), one report schema — kept honest by the parity test, not by a slogan.
Development
git clone https://github.com/abhinavteja123/codemore
cd codemore
CODEMORE_SKIP_BINARY_DOWNLOAD=1 npm ci # skip binary downloads in dev
npx tsc -p tsconfig.publish.json # type-check the publishable surface
npm run test:unit # unit tests (mocha + ts-node)
npx mocha --require ts-node/register test/parity.test.ts # surface-parity proof
node cli.js scan corpus/rules/vibe-no-rate-limit/tp --json --enable-experimental
cd web && npm ci && npm run dev # landing + dashboard + docs → localhost:3000
VS Code extension: F5 in VS Code, or npm run watch + code --extensionDevelopmentPath=.
Contributing
Two paths:
- New rules — read
CONTRIBUTING-RULES.md. The PR bot gates every submission: rule module + TP fixture (must fire) + FP fixture (must not fire) + docs page + pack registration. The bot is the first reviewer; humans review after it passes. - Everything else (CLI, MCP, extension, daemon, web, docs) — read
CONTRIBUTING.md.
Before opening a PR:
npx tsc -p tsconfig.publish.json # type-check
node scripts/validate-rule-pr.js # rule-PR bot equivalent (must report "passed")
node scripts/measure-accuracy.js # corpus regression (must stay 100% TP / 100% FP)
npm run test:unit # full unit suite
Found a false positive? Open a rule-FP report — FP reports directly feed the beta→stable promotion pipeline.
Security findings: do not open a public issue — use GitHub's private vulnerability reporting flow (SECURITY.md).
Roadmap
- VS Code Marketplace + MCP registry listings
- Demo video: open a real vibe-coded app, scan, hand the report to Claude Code, watch every BLOCKER close
- 50-app benchmark study with published dataset
- Telemetry-driven rule auto-demotion (nightly workflow)
- JetBrains plugin · cross-language taint tracking (research)
Details: docs/roadmap.md.
License
MIT — see LICENSE. CodeMore is open source from line one and stays that way. The wedge is the report contract, not gatekeeping.