CodeMore catches the bugs that ship in vibe-coded apps — SQL injection, leaked secrets, broken Supabase RLS, LLM-output-to-eval — and emits a JSON report your coding agent can act on. Same brain across CLI · MCP · VS Code · GitHub Action.
Across 10 real codebases we caught 7 production secrets sitting behind .gitignore, 10 Supabase RLS holes in a single Lovable export, and real shell + SQL injection in deployed apps. ~85% true-positive rate.
Detectors cover SQL string concatenation, shell and command injection, and eval of untrusted input. Each detector runs two passes: a candidate pass that flags the sink in the AST, then a confirmation pass that checks whether user input can actually reach it.
CLI, MCP server, VS Code extension — all three call the same registry, emit the same codemore-report.json v1.0.0, and produce the same fingerprint. Agents never have to learn a second shape.
sha256:7f95f2c62e0d3ecea6f23a4d8c1b2e7f0a9d6c3b5e8f1a4d7c0b3e6f9a2d5c8b1 matches across all 3 surfaces (CLI, MCP server, VS Code extension)

    const q = `SELECT * FROM users WHERE id = '${id}'`;
    db.query(q);

Two-pass detector: AST candidate pass (db.query sink fed by string concatenation) → confirmation pass (user input reachable). Confidence 0.92.
The agent that wrote your last feature also wrote a SQL-concat, a permissive Supabase RLS policy, and an OpenAI key in .env.local that .gitignore made invisible to your SAST. The bugs aren't subtle. They are the same ones Veracode flagged on 45% of AI-generated code, and the same ones Symbiotic counted on 98% of 1,072 scanned vibe-coded sites.
The agent that wrote the code can also fix the code — if it can read the report. CodeMore is the structured-feedback bus between the scanner and the coding agent: one schema, one fingerprint, the same bytes from the CLI, the MCP server, the VS Code extension, and the GitHub Action.
We surfaced real OpenAI keys hidden behind .gitignore, ten Supabase RLS holes in a single Lovable export, real shell + SQL injection in production-deployed apps. Read what we deliberately don't catch — context-dependent classes (weak password policy, audit-log completeness, business logic) live elsewhere.