DeepSweep - AI Code Security Gateway

DeepSweep | 6 installs | (0) | Free
Proactive security for AI-generated code. Validates Cursor, Claude Code, Copilot, Windsurf, and MCP servers before you ship. Security grades (A+ to F), plain English explanations, and one-click fixes. No security expertise required.
Installation
Launch VS Code Quick Open (Ctrl+P), paste the following command, and press enter.

DeepSweep - AI Code Security Scanner

Security scanner for AI-generated code. Know if your Cursor, Claude Code, Copilot, or Windsurf project is safe to ship.

You don't need to understand the code to secure it.

DeepSweep validates code created by AI assistants and gives you instant security grades (A+ to F) with plain English explanations. No security expertise required.

700+ developers protected | Works with Cursor, Copilot, Claude, Windsurf | First MCP security tool

Why DeepSweep?

| Problem | DeepSweep Solution |
| --- | --- |
| 45% of AI-generated code has OWASP vulnerabilities | Automatic detection with plain English fixes |
| MCP servers have documented CVEs (CVSS 9.6) | First-class MCP security validation |
| Traditional scanners show technical jargon | Human-readable explanations for non-security experts |
| Snyk/SonarLint show issue counts, not risk level | Grade-first display (A+ to F) shows overall security posture |

Features

Security Grades (A+ to F)

See your code's security posture at a glance. No more scrolling through hundreds of warnings.

Plain English Explanations

Instead of "CWE-798: Hardcoded Credentials", you see "API key visible in your code. Anyone who sees your code can access your database."

One-Click Fix Prompts

Copy AI-ready fix prompts directly to Cursor, Claude, or Copilot. The AI assistant that wrote the code can fix it.

MCP Server Security

First extension to validate Model Context Protocol configurations. Detects authentication issues, tool shadowing risks, and prompt injection vulnerabilities.

Activity Bar Panel

Dedicated security report panel in the VS Code sidebar. View findings, passed checks, and export reports.

Works Everywhere

  • VS Code
  • Cursor
  • Windsurf
  • VSCodium
  • Any VS Code fork (via OpenVSX)

Supported AI Assistants

| Assistant | Config Files Validated |
| --- | --- |
| Cursor | .cursorrules, .cursor/ |
| GitHub Copilot | copilot-instructions.md |
| Claude Code | claude.json, claude_desktop_config.json |
| Windsurf | .windsurfrules |
| MCP Servers | mcp.json, MCP configurations |

Quick Start

  1. Install this extension from VS Code Marketplace or OpenVSX
  2. Open any project built with AI assistants
  3. Click the shield icon in the activity bar or run "DeepSweep: Validate Workspace"
  4. See your security grade and fix any issues

First time? The extension prompts you to install the CLI (30 seconds, one command).

Security Checks

DeepSweep validates 15+ security patterns including:

  • Hardcoded Secrets - API keys, passwords, tokens in code
  • SQL Injection - User input going directly to database
  • XSS Vulnerabilities - User input rendering in browsers
  • Prompt Injection - AI prompts that can be manipulated
  • MCP Authentication - Missing auth on MCP servers
  • MCP Tool Shadowing - Tools that can be impersonated
  • Path Traversal - File paths that can be manipulated
  • Debug Mode - Production configs with debug enabled
  • Insecure Dependencies - Packages with known CVEs

Commands

| Command | Description |
| --- | --- |
| DeepSweep: Validate Workspace | Check entire project security |
| DeepSweep: Show Security Report | Open the security report panel |
| DeepSweep: Show Security Score | View score and streak |
| DeepSweep: Copy README Badge | Add security badge to your README |
| DeepSweep: Share Security Score | Share your achievement |

Settings

| Setting | Default | Description |
| --- | --- | --- |
| deepsweep.enable | true | Enable/disable DeepSweep |
| deepsweep.validateOnSave | true | Auto-check on file save |
| deepsweep.validateOnOpen | true | Auto-check when project opens |
| deepsweep.minimumSeverity | low | Filter severity level |

Add Security Badge to Your README

Show your project's security status:

[![DeepSweep Security](https://api.deepsweep.ai/v1/badge/grade/YOUR_REPO)](https://deepsweep.ai)

FAQ

Does DeepSweep work with Cursor?

Yes. DeepSweep is published to both VS Code Marketplace and OpenVSX, so it works with Cursor, Windsurf, and other VS Code forks.

What's the difference between DeepSweep and Snyk/SonarLint?

DeepSweep is purpose-built for AI-generated code and "vibe coders" who don't have security expertise. It shows grades instead of issue counts, uses plain English instead of CWE numbers, and includes MCP security validation that other tools don't have.

Is DeepSweep free?

Yes, DeepSweep has a free tier with 3 checks per month. Paid plans start at $9/month for unlimited checks.

What is MCP security?

MCP (Model Context Protocol) is how AI assistants connect to external tools. It's a top security concern for 2026 with documented CVEs. DeepSweep is the first tool to validate MCP configurations.

Does DeepSweep send my code to the cloud?

DeepSweep analyzes your code locally using the CLI. Only metadata (file names, line numbers, pattern IDs) is sent for generating reports. Your actual source code never leaves your machine.

Keyboard Shortcuts

| Shortcut | Action |
| --- | --- |
| Ctrl+Shift+S (Windows/Linux) | Validate workspace |
| Cmd+Shift+S (Mac) | Validate workspace |

Links

  • DeepSweep Website
  • Documentation
  • DeepSweep CLI (PyPI)
  • GitHub Action
  • Report Issues

Telemetry

DeepSweep collects anonymous usage telemetry to improve the product. No personally identifiable information or source code is collected. You can disable telemetry in settings (deepsweep.telemetry.enabled).


Know before you ship. Built by DeepSweep.ai for developers who use AI to write code.
