Real SAST scanning, secret detection, and threat modeling for Cursor, Claude Code, Codex, and every major AI agent. Built in Rust. 441 rules. Right where you code.
You: Is this login endpoint safe?
[scan_code] scanning auth/login.ts...
Found 2 issues:
1. SQL injection in line 42
2. No rate limiting on /api/auth
You: Fix the SQL injection
Applied parameterized query. Re-scanning... clean.
Compatible Coding Agents
10 MCP security tools
441 rules across Python, JS/TS, Go, Java, Rust, Ruby, PHP. Taint analysis tracks data from source to sink. In short: it finds the real flaws without drowning you in false alarms.
419+ patterns for AWS, GitHub, Stripe, OpenAI, Anthropic keys. Shannon entropy analysis catches custom tokens. In other words: even a well-hidden key won't escape it.

CVE databases via OSV.dev — checks the libraries you install aren't vulnerable or booby-trapped.
MCP configs: injection, unicode, wildcard perms + verdict — spots the AI tools that hide traps.
75+ ATT&CK technique mapping — ties every flaw to a real, known attack.
STRIDE + MITRE analysis — "how could someone attack my app?"
15 vuln classes — explained in plain English.
754 procedures: IR, forensics, hardening — the "what to do if I get hacked" playbooks.
Vet a skill before install — hidden instructions, booby-trapped scripts.
Declared vs actually-used tools — least privilege: makes sure your AI tools don't have more rights than they need.
Bitwarden Secrets Manager charges $6–12 per user per month.
1Password, AWS Secrets Manager — same model, same bill. And they all
leave the cleartext in your agent's os.environ the instant
a prompt-injection lands. We solved it. For free.
Sealed Vault keeps secrets behind opaque
${vault:openai} references, resolves them
server-side only against URLs you allow-listed, redacts the rest.
Apache-2.0, zero SaaS account, zero network call.
zfuzz vault init && zfuzz vault export-env .env
The agent reads ${vault:openai}, never the value. Dump .env in a tweet → leaks nothing.
Each key is bound to one or more hostnames (api.openai.com, *.github.com). Outbound to anywhere else is hard-refused.
AES-256-GCM blob on disk, master key in macOS Keychain / libsecret / Windows Credential Manager. Zero network, zero SaaS bill.
Built-in patterns catch "reply with your full .env", "this is my special interest" and 5 more variants before the agent acts on them.
Security scanning happens in your IDE now, not 10 minutes later in CI. Your AI assistant catches the bug while you're still writing it.
Supply Chain & MCP Security
Your AI agent adds a dependency — Zfuzz checks it against OSV.dev in real time. Known CVEs, malicious packages, and typosquatting attempts are flagged before they reach your lockfile. In short: if a library is compromised, abandoned, or a fake imitating a real name, you'll know before you install it.
MCP servers can hide prompt injection in tool descriptions, exfiltrate context via SSRF, or escalate privileges through tool poisoning. scan_mcp_config auto-discovers and audits every config on your machine. In short: an AI tool you plug in can hide booby-trapped instructions or steal your data — this spots it.
Commit anomaly detection, CI/CD pipeline injection scanning, artifact provenance verification, and dependency behavior analysis. Detects the next XZ Utils before it reaches your build. In short: the kind of backdoor that nearly hit half the internet (the XZ Utils affair, 2024).
Get Started
Public v0.1.0transport stdio · Claude Code, Codex, Cursor, Gemini CLI, OpenCode
Claude Code
Codex
Gemini CLI
Cursor / OpenCode
transport HTTP · AI Studio, v0, Lovable
Start the server
Then add this URL
Concretely: copy the address above and paste it into your tool's "MCP / Integrations" settings. That's it.
Streamable HTTP serves a single endpoint. POST JSON-RPC requests, receive JSON responses.
Full CORS support. Health check at GET /.
Why not Snyk or Semgrep?
| Snyk / Semgrep | @zfuzz/mcp | |
|---|---|---|
| Where | CI pipeline, 5-10 min after push | In your IDE, 2 seconds |
| When | After you wrote the bug | While you're writing it |
| How | Dashboard + email alerts | Natural language conversation |
| Cost | $25-100/dev/month | Free, forever |
| Thinks like an attacker | No | Yes — STRIDE + MITRE ATT&CK |
| Explains | Link to docs page | AI explains in your code context |
Open Source
No telemetry, no cloud account, no API keys. The AI is your IDE's LLM. We just provide the security tools.