CodeGuard
Ship AI-generated code with confidence.
CodeGuard protects solo founders and indie developers from the most common AI coding mistakes. It catches hallucinated npm packages, exposed API keys, and code quality issues before they become expensive production bugs.
Why CodeGuard?
AI coding assistants are powerful, but they can:
- Invent npm packages that don't exist (hallucinations)
- Suggest outdated or insecure patterns
- Leave hardcoded API keys in your code
- Generate code that looks right but fails silently
CodeGuard runs in the background, continuously checking for these issues and giving you a confidence score for your codebase.
Features
Package Hallucination Detection
AI models sometimes invent npm packages that don't exist. CodeGuard verifies every dependency against the npm registry in real time. A name that resolves on the registry is not proof that it is safe: attackers register commonly hallucinated names so that an assistant's suggestion installs their package instead of failing, which is why the existence check is paired with the typosquat check below and with the known-hallucinated-name and download-count checks listed under What Gets Detected.
- Checks `package.json` dependencies automatically
- Detects typosquat risks (e.g., `loadash` instead of `lodash`)
- Warns about wildcard versions (`"*"` or `"latest"`)
Secret Detection
Catches hardcoded credentials before they reach your repository:
- OpenAI API keys (`sk-proj-*`, `sk-*`)
- AWS access keys (`AKIA*`)
- GitHub tokens (`ghp_*`, `gho_*`)
- Stripe keys (live and test)
- Database connection strings
- JWT tokens
- Private keys (RSA, DSA, EC)
- Generic API key patterns
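To make the rule set concrete, here is an added TypeScript example (not CodeGuard's source code) that scans a constructed file for the credential formats listed above, applies the blocker/warning split described under What Gets Detected (Stripe test keys warn, everything else blocks), and redacts each match in its report so the scanner output cannot itself leak the secret. The regexes are approximations of each vendor's token format, the rule ids are made up for the example, and every sample value is fabricated.

```typescript
// Added example, not CodeGuard's source code: regex rules for the credential
// formats in the README, applied line by line to a constructed file.

type SecretSeverity = "blocker" | "warning";

interface SecretRule {
  id: string;
  pattern: RegExp; // must carry the g flag so every occurrence on a line is found
  severity: SecretSeverity;
}

interface SecretFinding {
  ruleId: string;
  severity: SecretSeverity;
  line: number;    // 1-based line number
  preview: string; // never the full value: the report must not leak what it found
}

// Approximations of each vendor's format (assumption, not CodeGuard's actual rules).
const SECRET_RULES: SecretRule[] = [
  { id: "openai-key", pattern: /\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}/g, severity: "blocker" },
  { id: "aws-access-key-id", pattern: /\bAKIA[0-9A-Z]{16}\b/g, severity: "blocker" },
  { id: "github-token", pattern: /\bgh[po]_[A-Za-z0-9]{36}\b/g, severity: "blocker" },
  { id: "stripe-live-key", pattern: /\bsk_live_[A-Za-z0-9]{24,}\b/g, severity: "blocker" },
  { id: "stripe-test-key", pattern: /\bsk_test_[A-Za-z0-9]{24,}\b/g, severity: "warning" },
  { id: "database-url-with-password", pattern: /\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis):\/\/[^\s:@\/"']+:[^\s@\/"']+@[^\s"']+/g, severity: "blocker" },
  { id: "jwt", pattern: /\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}/g, severity: "warning" },
  { id: "private-key", pattern: /-----BEGIN (?:RSA |DSA |EC |OPENSSH )?PRIVATE KEY-----/g, severity: "blocker" },
  // Generic "API_KEY = '<long token>'" assignments: noisy, so only a warning.
  { id: "generic-api-key", pattern: /\bapi[_-]?key\b\s*[:=]\s*["'][A-Za-z0-9_-]{16,}["']/gi, severity: "warning" },
];

// Keep a short prefix so a human can recognise which credential fired, nothing more.
function redact(value: string): string {
  return value.slice(0, 6) + "***";
}

function scanForSecrets(text: string): SecretFinding[] {
  const findings: SecretFinding[] = [];
  const lines = text.split(/\r?\n/);
  lines.forEach((line, idx) => {
    for (const rule of SECRET_RULES) {
      // Fresh copy per line so lastIndex always starts at 0.
      const re = new RegExp(rule.pattern.source, rule.pattern.flags);
      let m: RegExpExecArray | null;
      while ((m = re.exec(line)) !== null) {
        findings.push({ ruleId: rule.id, severity: rule.severity, line: idx + 1, preview: redact(m[0]) });
        if (m[0].length === 0) re.lastIndex++; // guard against zero-width matches looping forever
      }
    }
  });
  return findings;
}

function summarize(findings: SecretFinding[]): { blockers: number; warnings: number } {
  return {
    blockers: findings.filter((f) => f.severity === "blocker").length,
    warnings: findings.filter((f) => f.severity === "warning").length,
  };
}

// Constructed sample file. Every value is fabricated; the AWS id is the
// placeholder from AWS's own documentation.
const SAMPLE_FILE = [
  `const OPENAI_KEY = "sk-proj-${"A".repeat(40)}";`,
  `const AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE";`,
  `const GITHUB_TOKEN = "ghp_${"b".repeat(36)}";`,
  `const STRIPE_KEY = "sk_test_${"c".repeat(24)}";`,
  `const DATABASE_URL = "postgres://app:s3cret@db.internal:5432/app";`,
  `const FEATURE_FLAG = "not-a-secret";`,
  `const API_KEY = "${"d".repeat(32)}";`,
  `-----BEGIN RSA PRIVATE KEY-----`,
].join("\n");

const sampleFindings = scanForSecrets(SAMPLE_FILE);
for (const f of sampleFindings) {
  console.log(`[${f.severity}] line ${f.line}: ${f.ruleId} (${f.preview})`);
}
console.log(summarize(sampleFindings));
```

On the constructed file the scanner reports five blockers and two warnings (the Stripe test key and the generic `API_KEY` assignment), and every preview is cut to six characters.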
Vibe Coder Score
A simple 0-100 score that tells you if your code is ready to ship:

| Score | Status | What it means |
|---|---|---|
| 90-100 | SHIP IT | Code is clean, deploy with confidence |
| 70-89 | CAUTION | Review the warnings before shipping |
| 0-69 | FIX FIRST | Critical issues need attention |

The score combines:
- Security (40 points) - No exposed secrets
- Dependencies (30 points) - All packages verified
- Code Quality (30 points) - No obvious anti-patterns
Pre-commit Hooks
Block dangerous commits before they happen. Keep in mind that git hooks are a client-side check: they are not copied when the repository is cloned and anyone can skip them with `git commit --no-verify`, so treat the CI/CD scan as the backstop, not the hook.

```text
# Install via command palette
CodeGuard: Setup Pre-commit Hooks
```

Blocks commits containing:
- Exposed secrets (API keys, tokens)
- Hallucinated packages
- Unignored `.env` files
Quick Start
1. Install CodeGuard from the VS Code Marketplace
2. Open a project with a `package.json`
3. CodeGuard automatically scans on startup
4. Check your Vibe Coder Score in the status bar
5. Click the score to see the detailed breakdown
Commands

| Command | Description |
|---|---|
| `CodeGuard: Scan Workspace` | Run a full scan of all files |
| `CodeGuard: Check Package` | Verify if a specific package exists on npm |
| `CodeGuard: Setup Pre-commit Hooks` | Install git hooks to block risky commits |
| `CodeGuard: Show Vibe Coder Score` | Open the sidebar with the detailed score |

Configuration

```jsonc
{
  // Minimum score to show green status
  "codeguard.scoreThreshold": 70,

  // Auto-scan when files are saved
  "codeguard.scanOnSave": true,

  // Debounce delay for file scanning (ms)
  "codeguard.debounceMs": 1000,

  // Patterns to exclude from scanning
  "codeguard.excludePatterns": [
    "**/node_modules/**",
    "**/.git/**",
    "**/dist/**",
    "**/build/**"
  ],

  // Pre-commit hook settings
  "codeguard.hooks.blockOnSecrets": true,
  "codeguard.hooks.blockOnHallucinated": true,
  "codeguard.hooks.blockOnTyposquat": false,
  "codeguard.hooks.warnOnEnvFiles": true
}
```

What Gets Detected
Secrets (Blockers)
- OpenAI, Anthropic, and other AI API keys
- AWS credentials
- GitHub personal access tokens
- Stripe live keys (test keys are warnings)
- Database URLs with passwords
- Private keys in code

A secret that has already been committed should be treated as compromised and rotated, even if the line is removed afterwards: the old value stays in git history.

Package Issues (Blockers)
- Non-existent npm packages
- Known hallucinated package names
- Packages with zero downloads
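As an added illustration (not CodeGuard's own code), the following TypeScript runs the dependency checks from the Package Hallucination Detection feature and the Package Issues list above against a constructed, in-memory registry snapshot so that it works offline. The registry contents and download counts, the known-hallucination denylist, the popular-package list, the edit-distance threshold and the package names in the sample `package.json` are all assumptions made for the example; the real extension looks names up on the npm registry.

```typescript
// Added example, not CodeGuard's source code. Dependency checks against a
// constructed registry snapshot: missing names, known hallucinations, zero
// downloads, typosquats and wildcard versions.

type DependencyIssueKind = "missing" | "known-hallucinated" | "zero-downloads" | "typosquat" | "wildcard";

interface DependencyIssue {
  name: string;
  kind: DependencyIssueKind;
  severity: "blocker" | "warning";
  detail: string;
}

// Constructed stand-in for the registry: package name -> weekly downloads.
// It deliberately contains the typosquat "loadash": existing on npm is not safety.
const REGISTRY_SNAPSHOT = new Map<string, number>([
  ["lodash", 50000000], ["express", 30000000], ["react", 25000000],
  ["axios", 40000000], ["dotenv", 35000000], ["loadash", 120], ["ghost-pkg", 0],
]);

// Constructed denylist of names assistants are known to invent (assumption:
// CodeGuard keeps a list like this; the entry here is made up).
const KNOWN_HALLUCINATED = new Set<string>(["react-hooks-utilz"]);

// Popular packages whose names a typosquat would imitate (assumed list).
const POPULAR_PACKAGES = ["lodash", "express", "react", "axios", "dotenv"];

// Classic Levenshtein edit distance using a single rolling row.
function levenshtein(a: string, b: string): number {
  const row: number[] = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0]; // D[i-1][j-1]
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j]; // D[i-1][j]
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// "*" and "latest" float to whatever is newest; npm treats "" the same as "*".
function isWildcardVersion(spec: string): boolean {
  const s = spec.trim();
  return s === "*" || s === "latest" || s === "";
}

// The popular package this name looks like a misspelling of, if any
// (assumed threshold: one or two edits away, and not an exact match).
function typosquatTarget(candidate: string): string | undefined {
  return POPULAR_PACKAGES.find((p) => {
    if (p === candidate) return false;
    const d = levenshtein(candidate, p);
    return d > 0 && d <= 2;
  });
}

function checkDependencies(packageJson: string, registry: Map<string, number>): DependencyIssue[] {
  const pkg = JSON.parse(packageJson) as {
    dependencies?: Record<string, string>;
    devDependencies?: Record<string, string>;
  };
  const deps: Record<string, string> = { ...(pkg.dependencies ?? {}), ...(pkg.devDependencies ?? {}) };
  const issues: DependencyIssue[] = [];
  for (const [depName, spec] of Object.entries(deps)) {
    const downloads = registry.get(depName);
    if (KNOWN_HALLUCINATED.has(depName)) {
      issues.push({ name: depName, kind: "known-hallucinated", severity: "blocker", detail: "name is on the known-hallucination list" });
    } else if (downloads === undefined) {
      issues.push({ name: depName, kind: "missing", severity: "blocker", detail: "not found on the registry" });
    } else if (downloads === 0) {
      issues.push({ name: depName, kind: "zero-downloads", severity: "blocker", detail: "exists but nobody installs it" });
    }
    const target = typosquatTarget(depName);
    if (target !== undefined) {
      issues.push({ name: depName, kind: "typosquat", severity: "warning", detail: `looks like a misspelling of ${target}` });
    }
    if (isWildcardVersion(spec)) {
      issues.push({ name: depName, kind: "wildcard", severity: "warning", detail: `version "${spec}" floats to whatever is published next` });
    }
  }
  return issues;
}

// Constructed package.json; the unfamiliar names are made up for the example.
const SAMPLE_PACKAGE_JSON = `{
  "name": "demo",
  "dependencies": {
    "lodash": "^4.17.21",
    "loadash": "^1.0.0",
    "react-hooks-utilz": "*",
    "totally-made-up-sdk": "^2.0.0",
    "ghost-pkg": "^0.1.0",
    "axios": "latest"
  }
}`;

for (const issue of checkDependencies(SAMPLE_PACKAGE_JSON, REGISTRY_SNAPSHOT)) {
  console.log(`[${issue.severity}] ${issue.name}: ${issue.kind} (${issue.detail})`);
}
```

On the sample manifest this reports three blockers (the denylisted name, the name that does not resolve, and the zero-download package) and three warnings (the `loadash` typosquat and the two floating versions); `lodash` itself passes cleanly.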
Code Quality (Warnings)
- Files over 300 lines
- `console.log` statements (production code)
- Empty `catch` blocks
- TODO/FIXME comments
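The code-quality warnings just listed and the Vibe Coder Score from earlier on this page, implemented as an added TypeScript example (not CodeGuard's code). The page fixes the weights (40/30/30) and the status bands (90 and 70) but not how points come off inside a band, so the per-warning deductions, the all-or-nothing treatment of blockers, and the rule that test files may keep `console.log` are assumptions of this example; the sample source file is constructed.

```typescript
// Added example, not CodeGuard's source code: the four quality checks plus a
// score that uses the README's weights and bands with assumed deductions.

interface QualityWarning {
  check: string;
  line?: number;
  detail: string;
}

const MAX_FILE_LINES = 300;

// Assumption: test files are not "production code", so console.log is allowed there.
function isTestFile(filePath: string): boolean {
  return /(\.test\.|\.spec\.|__tests__\/)/.test(filePath);
}

function checkQuality(filePath: string, text: string): QualityWarning[] {
  const warnings: QualityWarning[] = [];
  const lines = text.split(/\r?\n/);
  if (lines.length > MAX_FILE_LINES) {
    warnings.push({ check: "file-length", detail: `${lines.length} lines (limit ${MAX_FILE_LINES})` });
  }
  lines.forEach((line, idx) => {
    if (!isTestFile(filePath) && /\bconsole\.log\s*\(/.test(line)) {
      warnings.push({ check: "console-log", line: idx + 1, detail: "console.log in production code" });
    }
    if (/\b(?:TODO|FIXME)\b/.test(line)) {
      warnings.push({ check: "todo-comment", line: idx + 1, detail: line.trim() });
    }
  });
  // A catch whose body is only whitespace swallows the error; \s spans newlines,
  // so this also catches "catch (e) {\n}" split across lines.
  const emptyCatch = /catch\s*(?:\([^)]*\))?\s*\{\s*\}/g;
  let m: RegExpExecArray | null;
  while ((m = emptyCatch.exec(text)) !== null) {
    const lineNo = text.slice(0, m.index).split("\n").length;
    warnings.push({ check: "empty-catch", line: lineNo, detail: "errors are silently swallowed" });
  }
  return warnings;
}

interface ScanSummary {
  secretBlockers: number;
  secretWarnings: number;
  packageBlockers: number;
  qualityWarnings: number;
}

type ShipStatus = "SHIP IT" | "CAUTION" | "FIX FIRST";

function vibeCoderScore(s: ScanSummary): { score: number; status: ShipStatus } {
  // Security, 40 points: any blocker zeroes the band; assumed 5 off per warning.
  const security = s.secretBlockers > 0 ? 0 : Math.max(0, 40 - 5 * s.secretWarnings);
  // Dependencies, 30 points: assumed all-or-nothing on package blockers.
  const dependencies = s.packageBlockers > 0 ? 0 : 30;
  // Code quality, 30 points: assumed 3 off per warning.
  const quality = Math.max(0, 30 - 3 * s.qualityWarnings);
  const score = security + dependencies + quality;
  // Bands from the README table: 90-100 SHIP IT, 70-89 CAUTION, 0-69 FIX FIRST.
  const status: ShipStatus = score >= 90 ? "SHIP IT" : score >= 70 ? "CAUTION" : "FIX FIRST";
  return { score, status };
}

// Constructed source file with one of each: a TODO, a console.log, an empty catch.
const SAMPLE_SOURCE = [
  "export async function syncUser(id: string) {",
  "  // TODO: add retry logic",
  "  try {",
  "    const res = await fetch(`/api/users/${id}`);",
  "    console.log(res.status);",
  "    return res.json();",
  "  } catch (err) {}",
  "}",
].join("\n");

const sampleWarnings = checkQuality("src/sync.ts", SAMPLE_SOURCE);
for (const w of sampleWarnings) {
  console.log(`[warning] ${w.check}${w.line ? ` (line ${w.line})` : ""}: ${w.detail}`);
}
console.log(vibeCoderScore({ secretBlockers: 0, secretWarnings: 0, packageBlockers: 0, qualityWarnings: sampleWarnings.length }));
```

With the three quality warnings and nothing else the sample scores 91 (SHIP IT); one secret warning pulls it to 86 (CAUTION), and a single blocking secret to 51 (FIX FIRST), which is the intended effect of the 40-point security band.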
CI/CD Integration
Add CodeGuard to your CI/CD pipeline with our GitHub Action:

```yaml
name: CodeGuard Scan
on: [push, pull_request]
jobs:
  codeguard:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: koilabsio/codeguard-action@v1
        with:
          fail-on-hallucinated: true
          fail-on-secrets: true
```

👉 Get the GitHub Action
Pro Features (Coming Soon)
CodeGuard Free includes everything above. We're building Pro features for teams and power users:

| Feature | Description |
|---|---|
| AI Code Review | LLM-powered analysis for deeper pattern detection beyond regex |
| Pattern Memory | Learn from your codebase's specific patterns and conventions |
| Ship Reports | Exportable PDF security reports for stakeholders and audits |
| CI/CD Integration | GitHub Actions, GitLab CI, and CircleCI support |
| Team Dashboard | Aggregate Vibe Coder Scores across your team's repos |
| Custom Rules | Define your own detection patterns and scoring weights |

Interested in Pro? Join the waitlist to get early access.
Privacy & Telemetry
CodeGuard collects anonymous usage data to help improve the extension. This includes:
- Extension activation and deactivation events
- Scan counts and aggregate issue counts (e.g., "5 secrets found")
- Feature usage (which commands are used)
What we never collect:
- Your code or file contents
- File paths or project names
- API keys, secrets, or any sensitive data
- Personal information
All telemetry uses an anonymous installation ID (random UUID). You can disable telemetry in settings:

```json
{
  "codeguard.telemetry.enabled": false
}
```

Package verification checks are made to the npm registry, so the names of your dependencies (but never your code) leave your machine for that lookup. All other scanning happens locally on your machine.
Development

```bash
# Clone the repository
git clone https://github.com/koilabsio/codeguard-vscode

# Install dependencies
npm install

# Compile TypeScript
npm run compile

# Run tests
npm test

# Launch extension development host
# Press F5 in VS Code
```

Contributing
Contributions are welcome! Please feel free to submit a Pull Request.
License
MIT
Built by Koi Labs for indie developers and solo founders.