Open Source Apache-2.0

The security engineer
your AI agent never had.

Real SAST scanning, secret detection, and threat modeling for Cursor, Claude Code, Codex, and every major AI agent. Built in Rust. 441 rules. Right where you code.

$ claude mcp add zfuzz -- npx -y @zfuzz/mcp COPY COPIED!
claude code

You: Is this login endpoint safe?

[scan_code] scanning auth/login.ts...

Found 2 issues:

1. SQL injection in line 42

2. No rate limiting on /api/auth

You: Fix the SQL injection

Applied parameterized query. Re-scanning... clean.

Compatible Coding Agents

Works with every agent.

441
Vulnerabilities covered (SAST)
419
Keys & secrets caught
75+
Attack techniques (MITRE)
754
Security playbooks
8
Compatible agents
$0
Cost

Your AI agent ships fast.
It also ships vulnerabilities.

10 MCP security tools

Real scanners, not generic knowledge.

Finds the flaws a hacker would exploit

scan_code · SAST

441 rules across Python, JS/TS, Go, Java, Rust, Ruby, PHP. Taint analysis tracks data from source to sink. In short: it finds the real flaws without drowning you in false alarms.

Just ask: "scan this file for vulnerabilities"

Spots passwords & keys left in your code

scan_secrets · Secrets

419+ patterns for AWS, GitHub, Stripe, OpenAI, Anthropic keys. Shannon entropy analysis catches custom tokens. In other words: even a well-hidden key won't escape it.

Just ask: "check for leaked API keys in this repo"
Zee

scan_dependencies

CVE databases via OSV.dev — checks the libraries you install aren't vulnerable or booby-trapped.

scan_mcp_config

MCP configs: injection, unicode, wildcard perms + verdict — spots the AI tools that hide traps.

check_mitre

75+ ATT&CK technique mapping — ties every flaw to a real, known attack.

threat_model

STRIDE + MITRE analysis — "how could someone attack my app?"

explain_finding

15 vuln classes — explained in plain English.

search_security_procedures

754 procedures: IR, forensics, hardening — the "what to do if I get hacked" playbooks.

scan_skill

Vet a skill before install — hidden instructions, booby-trapped scripts.

reconcile_permissions

Declared vs actually-used tools — least privilege: makes sure your AI tools don't have more rights than they need.

$0 · OPEN SOURCE · SEALED VAULT

Sealed. Sure.
Free.

Bitwarden Secrets Manager charges $6–12 per user per month. 1Password, AWS Secrets Manager — same model, same bill. And they all leave the cleartext in your agent's os.environ the instant a prompt-injection lands. We solved it. For free. Sealed Vault keeps secrets behind opaque ${vault:openai} references, resolves them server-side only against URLs you allow-listed, redacts the rest. Apache-2.0, zero SaaS account, zero network call.

$ zfuzz vault init && zfuzz vault export-env .env

Opaque references

The agent reads ${vault:openai}, never the value. Dump .env in a tweet → leaks nothing.

URL allow-listing

Each key is bound to one or more hostnames (api.openai.com, *.github.com). Outbound to anywhere else is hard-refused.

OS keychain master key

AES-256-GCM blob on disk, master key in macOS Keychain / libsecret / Windows Credential Manager. Zero network, zero SaaS bill.

Exfil-prompt detection

Built-in patterns catch "reply with your full .env", "this is my special interest" and 5 more variants before the agent acts on them.

Stop shipping vulnerabilities
to production.

Security scanning happens in your IDE now, not 10 minutes later in CI. Your AI assistant catches the bug while you're still writing it.

Supply Chain & MCP Security

Block malicious packages.
Audit your AI tools.

Catch CVEs before they ship

Your AI agent adds a dependency — Zfuzz checks it against OSV.dev in real time. Known CVEs, malicious packages, and typosquatting attempts are flagged before they reach your lockfile. In short: if a library is compromised, abandoned, or a fake imitating a real name, you'll know before you install it.

npm pip Cargo Go Maven Composer

Audit every MCP server you install

MCP servers can hide prompt injection in tool descriptions, exfiltrate context via SSRF, or escalate privileges through tool poisoning. scan_mcp_config auto-discovers and audits every config on your machine. In short: an AI tool you plug in can hide booby-trapped instructions or steal your data — this spots it.

Prompt Injection Tool Poisoning SSRF Path Traversal

75+ supply chain rules

Commit anomaly detection, CI/CD pipeline injection scanning, artifact provenance verification, and dependency behavior analysis. Detects the next XZ Utils before it reaches your build. In short: the kind of backdoor that nearly hit half the internet (the XZ Utils affair, 2024).

Typosquatting Dependency Confusion CI/CD Injection SLSA

Get Started

Public v0.1.0

One command. One URL.

Your tools on your computer

transport stdio · Claude Code, Codex, Cursor, Gemini CLI, OpenCode

Claude Code

claude mcp add zfuzz -- npx -y @zfuzz/mcp

Codex

codex mcp add zfuzz npx -y @zfuzz/mcp

Gemini CLI

gemini mcp add zfuzz npx -y @zfuzz/mcp

Cursor / OpenCode

{ "mcpServers": { "zfuzz": { "command": "npx", "args": ["-y", "@zfuzz/mcp"] }}}

Your tools in the browser

transport HTTP · AI Studio, v0, Lovable

Start the server

npx -y @zfuzz/mcp --transport http --port 8099

Then add this URL

http://localhost:8099/mcp

Concretely: copy the address above and paste it into your tool's "MCP / Integrations" settings. That's it.
Streamable HTTP serves a single endpoint. POST JSON-RPC requests, receive JSON responses. Full CORS support. Health check at GET /.

Why not Snyk or Semgrep?

We replaced the dashboard
with a conversation.

Snyk / Semgrep @zfuzz/mcp
WhereCI pipeline, 5-10 min after pushIn your IDE, 2 seconds
WhenAfter you wrote the bugWhile you're writing it
HowDashboard + email alertsNatural language conversation
Cost$25-100/dev/monthFree, forever
Thinks like an attackerNoYes — STRIDE + MITRE ATT&CK
ExplainsLink to docs pageAI explains in your code context

Open Source

Built in Rust. Apache-2.0.

No telemetry, no cloud account, no API keys. The AI is your IDE's LLM. We just provide the security tools.

Star on GitHub
$ claude mcp add zfuzz -- npx -y @zfuzz/mcp COPY COPIED!