
CodeMore docs

The static analyzer your AI agent reads. CodeMore detects production-blocking bugs in vibe-coded apps and hands a fix-ready report straight to Cursor, Claude Code, Codex, or Copilot.

Quick start

install · 30 seconds
npx codemore@latest scan .

Full per-surface install — including MCP server configs, the VS Code extension, the GitHub Action, and the hosted Web Scanner — lives at /docs/install.

What ships in v0.2.1

  • 58 native rules across TypeScript, JavaScript, SQL, and Python — grouped into 7 packs (core-security, core-quality, vibe-auth, vibe-frontend, vibe-secrets, vibe-supabase, vibe-llm). Browse them at /docs/rules.
  • 8 opt-in external-tool adapters — Ruff, golangci-lint, clippy, Biome, bandit, gitleaks, npm-audit, pip-audit. See /docs/external-tools.
  • Schema-stable report at codemore-report.json v1.0.0. AI agents consume the same shape regardless of surface. See /docs/schema.
  • Agentic fix loop: apply_fix + validate_fix MCP tools. The agent generates a patch, the validator re-runs the rule and the file-scoped tests, and the loop retries up to 3 times.
  • Byte-identical reports across CLI, MCP, VS Code, and the GitHub Action — same fingerprint sha256:….

Why this exists

Existing scanners (SonarQube, DeepSource, Snyk) target human reviewers via dashboards. CodeMore targets the LLM that wrote the code in the first place — and emits the report in a shape the LLM can act on without translation.

The 2026-06-12 audit

We scanned 10 real codebases and triaged the BLOCKER findings by hand. Aggregate ~85% true-positive rate. The audit caught real OpenAI keys hidden behind .gitignore, ten Supabase RLS holes in a single Lovable export, and real shell and SQL injection in production deployments. Read the full numbers at /docs/limitations (it also lists what we deliberately don't catch).

Get involved

Every rule contribution requires a TP fixture, an FP fixture, a docs page, and a registry entry. The PR bot enforces all four before a human even looks. See /docs/contributing.
