Free local MCP security scanner checks AI-built web apps for hidden flaws
CodeInspectus is a locally run built for web apps generated by . can produce apps that look functional while quietly containing exposed API keys, overly permissive Supabase access rules, unsafe handling of model output, or paths in connected tools. The scanner combines three existing engines — Opengrep, Gitleaks, and Trivy — with additional JavaScript/TypeScript checks specifically tuned for .
After a one-time setup that installs the verified scanning engines, every scan afterward runs entirely on the local machine with no account signup, no telemetry, and no , and it can plug into MCP-compatible AI agents so source code never needs to be sent to a . The scanner only reports findings — it does not modify code; any fix is proposed by the coding agent and must be approved by the user. The maker replaced earlier illustrative examples with a reproducible report tied to a committed vulnerable code sample: a recorded v0.3.1 run condensed 21 raw engine results down to 18 deduplicated findings, and the published report lists every finding, the engine versions used, the deduplication logic, and the timestamp of the vulnerability database.
The maker is upfront that this tool is not a substitute for a formal security audit or certification. It is MIT-licensed and free, with no paid tier.
Key points
- Free and MIT-licensed, with no paid tier
- Combines Opengrep, Gitleaks, and Trivy plus custom JS/TS checks for AI-generated apps
- Runs fully locally after one-time engine setup — no account, telemetry, or network egress
- Works with MCP-compatible agents; read-only — the agent proposes fixes, the user approves them
- Maker explicitly states it is not a substitute for a formal security audit or certification