Show HN: Free local security checks for AI coding in VSCode, Cursor and Windsurf

9•jaimefjorge•5h ago
Hi HN!

We just launched Codacy Guardrails, an IDE extension with a CLI for code analysis and an MCP server that enforces security & quality rules on AI-generated code in real time. It hooks into AI coding assistants (like VS Code Agent Mode, Cursor, Windsurf), silently scanning and fixing AI-suggested code that has vulnerabilities or violates your coding standards while the code is being generated.

We built this because coding agents can be a double-edged sword. They do boost productivity, but can easily introduce insecure or non-compliant code. One recent research team at NYU found that 40% of Copilot’s outputs were buggy or exploitable [1]. Other surveys mention that people are spending more time debugging AI-generated code [2].

That's why we created “guardrails” to catch security problems early.

Codacy Guardrails uses a collection of open-source static analyzers (like Semgrep and Trivy) to scan the AI’s output against 2000+ rules. We currently support JavaScript/TypeScript, Python, and Java, focusing on things like OWASP Top 10 vulns, hardcoded secrets, dependency checks, code complexity and styling violations, and you can customize the rules to match your project’s needs. We're not using any AI models; it's “classic” static code analysis working alongside your AI assistant.

Here’s a quick demo: https://youtu.be/pB02u0ntQpM

The extension is free for all developers. (We do have paid plans for teams to apply rules centrally, but that’s not needed to use the extension and local code analysis with agents.)

Setup is pretty straightforward: Install the extension and enable Codacy’s CLI and MCP Server from the sidebar.

We’re eager to hear what the HN community thinks! Does this approach sound useful in your AI coding workflow? Have you encountered security issues from AI-generated code?

We hope Codacy Guardrails can make AI-assisted development a bit safer and more trustworthy. Thanks for reading!

Get extension: https://www.codacy.com/get-ide-extension
Docs: https://docs.codacy.com/codacy-guardrails/codacy-guardrails-...

Sources
[1] NYU Research: https://www.researchgate.net/publication/388193053_Asleep_at...
[2] https://devops.com/survey-ai-tools-are-increasing-amount-of-...

Comments

tosh•4h ago
kudos @ shipping this jaime

Can you explain how/when the "guardrails" are run in Cursor? I mean: how does the extension hook in so that the code in the diff view gets changed?

Does this also work with agents like Claude Code and Amp? I guess since there is an MCP it can already work even though it's not explicitly mentioned in the docs?

What are your thoughts on running something like guardrails during dev-time vs CI time?

jaimefjorge•4h ago
thanks tosh!

The guardrails are run every time there is code being generated by the agent. We give instructions to the coding agents to run the guardrails on the code that is changed. It doesn't YET work with Claude Code and Amp, but because it leverages an MCP server, we can easily do it. It's in the plans to do.

I think dev-time is critical, because AI is producing large swaths of code as we speak. We also make sure that regardless of what happens in dev time, we can always run our cloud checks in CI time. Thanks for your questions!

rdevzw•4h ago
Just gave this a try. Pretty interesting how a simple Python script generated with two unnamed models uses a requests library version with CVEs. The scary part is, the script ran. This changes things in terms of leveraging AI. I will come back with more feedback soon, but for now, this is amazing.

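
To make the vulnerable-dependency point from the comment above (and the "dependency checks" mentioned in the original post) concrete, here is a small added example. It is not Codacy's code and not from the thread: a Python check that parses a requirements.txt the way a local guardrail might, flags exact pins that fall inside a known-bad version range, and flags anything not pinned with == as unverifiable. The advisory table and the sample requirements are constructed placeholders with made-up ids (not real CVEs); a real scanner would pull ranges from OSV or the GitHub Advisory Database.

```python
"""Minimal dependency guardrail for a generated requirements.txt.

Added illustration, not Codacy's code. Advisory data below is constructed
placeholder data with made-up ids; real checks use OSV / GitHub Advisory DB.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder id for this example, not a real CVE
    package: str       # PyPI project name
    introduced: str    # first affected version (inclusive)
    fixed: str         # first fixed version (exclusive)


# Constructed sample advisories (illustrative data only).
ADVISORIES = [
    Advisory("ADV-EXAMPLE-0001", "requests", "0", "2.31.0"),
    Advisory("ADV-EXAMPLE-0002", "PyYAML", "0", "5.4"),
]

# name, optional [extras], optional operator, optional version; markers ignored
REQ_RE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s;#]+)?"
)


def normalize(name):
    """PEP 503 normalisation so 'PyYAML' and 'pyyaml' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(v):
    """'2.31.0' -> (2, 31, 0). Non-numeric suffixes are dropped: '5.4rc1' -> (5, 4)."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_lt(a, b):
    """Numeric comparison with zero padding so '2.31' equals '2.31.0'."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))


def check_requirements(text):
    """Return findings for a requirements.txt body as a list of dicts."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):   # blank, comment, or pip option (-r, -e)
            continue
        m = REQ_RE.match(line)
        if not m:
            findings.append({"line": lineno, "package": line, "kind": "unparsed"})
            continue
        name, op, version = normalize(m.group(1)), m.group(2), m.group(3)
        if op != "==" or not version:
            # >=, ~= or no pin: the resolver picks the version, so nothing to verify here
            findings.append({"line": lineno, "package": name, "kind": "unpinned"})
            continue
        for adv in ADVISORIES:
            if normalize(adv.package) != name:
                continue
            if not version_lt(version, adv.introduced) and version_lt(version, adv.fixed):
                findings.append({
                    "line": lineno, "package": name, "kind": "vulnerable",
                    "version": version, "advisory": adv.advisory_id, "fixed": adv.fixed,
                })
    return findings


def format_findings(findings):
    """Human-readable report, one line per finding."""
    out = []
    for f in findings:
        if f["kind"] == "vulnerable":
            out.append(f"line {f['line']}: {f['package']}=={f['version']} matches "
                       f"{f['advisory']}; upgrade to >={f['fixed']}")
        elif f["kind"] == "unpinned":
            out.append(f"line {f['line']}: {f['package']} is not pinned with ==; cannot verify")
        else:
            out.append(f"line {f['line']}: could not parse {f['package']!r}")
    return out


# Constructed sample of what a generated script might ship with.
SAMPLE_REQUIREMENTS = """\
# deps for the generated fetch script
requests[socks]==2.25.1
PyYAML>=5.0
flask==2.3.3 ; python_version >= "3.8"
"""

if __name__ == "__main__":
    for report_line in format_findings(check_requirements(SAMPLE_REQUIREMENTS)):
        print(report_line)
```

Run it directly to see two findings on the sample: the pinned requests version falls inside the placeholder advisory range, and PyYAML is only lower-bounded, so the guardrail reports it as something it cannot vouch for rather than silently passing it.
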
jaimefjorge•3h ago
Hey thanks for testing! That's been my experience as well; it's very frequent to see libraries with vulnerable versions being introduced in code. What's also interesting is that, despite using incredible AI coding models like Sonnet 4, you still get CVEs in your code. Try this with Codacy Guardrails: "create a Java server using undertow".

Thanks for testing. Please do share your feedback when you test further!

SpikedCola•3m ago
On the https://www.codacy.com/get-ide-extension page, clicking the logo in the top-left corner of your webpage goes to https://www.codacy.com/home?hsLang=en which is 404. The logo link on other pages is working.
