CodeMore docs
The static analyzer your AI agent reads. CodeMore detects production-blocking bugs in vibe-coded apps and hands a fix-ready report straight to Cursor, Claude Code, Codex, or Copilot.
Quick start
npx codemore@latest scan .

Full per-surface install — including MCP server configs, the VS Code extension, the GitHub Action, and the hosted Web Scanner — lives at /docs/install.
What ships in v0.2.1
- 58 native rules across TypeScript, JavaScript, SQL, and Python — grouped into 7 packs (core-security, core-quality, vibe-auth, vibe-frontend, vibe-secrets, vibe-supabase, vibe-llm). Browse them at /docs/rules.
- 8 opt-in external-tool adapters — Ruff, golangci-lint, clippy, Biome, bandit, gitleaks, npm-audit, pip-audit. See /docs/external-tools.
- Schema-stable report at codemore-report.json v1.0.0. AI agents consume the same shape regardless of surface. See /docs/schema.
- Agentic fix loop — apply_fix + validate_fix MCP tools. The agent generates a patch, the validator re-runs the rule and the file-scoped tests, and the loop retries up to 3 times.
- Byte-identical reports across CLI, MCP, VS Code, and the GitHub Action — same fingerprint sha256:….
Why this exists
Existing scanners (SonarQube, DeepSource, Snyk) target human reviewers via dashboards. CodeMore targets the LLM that wrote the code in the first place — and emits the report in a shape the LLM can act on without translation.
The 2026-06-12 audit
We scanned 10 real codebases and triaged the BLOCKER findings by hand. Aggregate ~85% true-positive rate. The audit caught real OpenAI keys hidden behind .gitignore, ten Supabase RLS holes in a single Lovable export, real shell + SQL injection in production deployments. Read the full numbers at /docs/limitations (it also lists what we deliberately don't catch).
Get involved
Every rule contribution requires a TP fixture, an FP fixture, a docs page, and a registry entry. The PR bot enforces all four before a human even looks. See /docs/contributing.