Catches what Copilot, Cursor, and Claude miss — hardcoded API keys, SQL injection, plain-text passwords, weak JWT, and hallucinated packages. Right inside your editor.
What it catches
| Issue | Severity |
| --- | --- |
| Hardcoded API keys (OpenAI, Stripe, AWS, GitHub…) | Critical |
| SQL injection via string concatenation / f-strings | Critical |
| Passwords saved without bcrypt / argon2 | Critical |
| Weak JWT (no expiry, hardcoded secret, algorithm: none) | Critical |
| Hallucinated npm / PyPI packages | High |
| eval() / exec() on user input | High |
| Missing rate limiting on auth endpoints | High |
| XSS, insecure cookies, path traversal | High / Medium |
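To make two of the Critical rows concrete, here is an added example (not CodeReap's own detection code) of how a minimal AST-based scanner can flag a hardcoded vendor key and an `execute()` call whose query is built with an f-string or `+` concatenation, while letting a parameterised query pass. The key prefixes and the sample code are assumptions constructed for the example.

```python
import ast
import re

# Constructed sample with a fake key (not from any real project): the first two
# functions should be flagged, the parameterised find_user_safe should not.
SAMPLE = '''
OPENAI_KEY = "sk-ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcd"
def find_user(conn, name):
    return conn.execute(f"SELECT * FROM users WHERE name = '{name}'")
def find_user_concat(conn, name):
    return conn.execute("SELECT * FROM users WHERE name = '" + name + "'")
def find_user_safe(conn, name):
    return conn.execute("SELECT * FROM users WHERE name = ?", (name,))
'''

# Assumed vendor key shapes; illustrative prefixes, not a full ruleset.
KEY_PATTERNS = {
    "OpenAI": re.compile(r"^sk-[A-Za-z0-9]{20,}$"),
    "AWS": re.compile(r"^AKIA[0-9A-Z]{16}$"),
    "GitHub": re.compile(r"^gh[pousr]_[A-Za-z0-9]{36,}$"),
}
SQL_VERB = re.compile(r"^\s*(SELECT|INSERT|UPDATE|DELETE)\b", re.I)

def _leading_text(node):
    # Leftmost literal text of an f-string or '+' chain, or None.
    if isinstance(node, ast.JoinedStr):
        node = node.values[0] if node.values else None
    while isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        node = node.left
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    return None

def scan(source):
    # Return sorted (line, severity, message) findings for two Critical patterns.
    findings = []
    for node in ast.walk(ast.parse(source)):
        # Hardcoded key: a string literal shaped like a vendor secret.
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            for vendor, pat in KEY_PATTERNS.items():
                if pat.match(node.value):
                    findings.append((node.lineno, "Critical", f"hardcoded {vendor} API key"))
        # SQL injection: .execute() whose query is built by an f-string or '+'
        # and starts with a SQL verb; a static string with '?' placeholders passes.
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute" and node.args):
            query, text = node.args[0], _leading_text(node.args[0])
            if isinstance(query, (ast.JoinedStr, ast.BinOp)) and text and SQL_VERB.match(text):
                how = "f-string" if isinstance(query, ast.JoinedStr) else "string concatenation"
                findings.append((node.lineno, "Critical", f"SQL injection via {how}"))
    return sorted(findings)
```

Running `scan(SAMPLE)` reports the key on line 2 and the two dynamic queries on lines 4 and 6; the `?`-parameterised query on line 8 produces no finding, which is the shape an automatic fix should rewrite toward.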
Quick start
Open any JS, TS, JSX, TSX, or Python file
Click CodeReap in the status bar (bottom-right)
Findings appear inline — red underlines in the editor and entries in the Problems panel
Click Apply fix above any finding to rewrite it automatically
Commands
Ctrl+Shift+P → type CodeReap:
Scan current file — scan the open editor
Scan workspace — scan every supported file in the project
Open last report in browser — share your scan as a public link
Clear all findings — remove all diagnostics
Privacy
Code is sent over HTTPS, scanned in memory, and discarded. No accounts. No telemetry. No storage.