CodeMarine Beta
Recruiting now
$ codemarine guardian --watch src/
⚓ CodeMarine Guardian v2.1.0 | patterns: 2,847 | mode: real-time
watching src/ for changes...
14:23:07 SCAN src/api/auth.py (AI-generated, 47 lines)
14:23:07 VULN SQL injection line 23 | f-string in query()
14:23:07 WARN hardcoded secret line 8 | API key in source
14:23:07 SLOP hallucinated package line 2 | "flask-auth-utils" not on PyPI
14:23:07 DONE 3 findings in 12ms | your code never left this machine

Your AI writes the code.
Who's watching it?

AI generates code faster than any human can review. CodeMarine watches it for you. Catches vulnerabilities at file save, before they reach your repo. Local-only. Under 50ms. No cloud round-trip.

Free beta access. No credit card. Unsubscribe anytime.

100% local. Your code never leaves your machine.
Works with Cursor, Copilot, Windsurf & more.

The Threat Is Already Here

AI coding tools ship production code at scale. The security tooling hasn't caught up.

45% of AI-generated code contains security flaws (Veracode, 2025)
30+ CVEs in AI coding IDEs: Cursor, Copilot, all of them (Pillar Security, Dec 2025)
205K+ hallucinated package names weaponised by attackers (Trend Micro / Socket.dev)
41% of all code globally is now AI-written or AI-assisted (MIT Tech Review, Jan 2026)

All sourced. Full analysis at codemarine.ai/research

What CodeMarine Does

Real-Time, At File Save

Scans every line as you write it. Under 50ms. No waiting for CI/CD, no alerts arriving weeks later to the wrong person.

100% Local. Zero Cloud

Your code never leaves your machine. All scanning happens locally. No cloud processing, no third-party access. Air-gapped teams welcome.

Built for the AI Era

Detects slopsquatting, rules file backdoors, prompt injection patterns and the vulnerability signatures AI assistants produce most often.

Recruit Devs. Rank Up.

Every dev you refer moves you up the queue and unlocks rewards. You get a unique referral link when you enlist.


🪖 Private: 0 referrals, standard queue
🎖️ Corporal: 3 referrals, front 50% of queue
🔰 Sergeant: 10 referrals, first-wave access + 1yr Scout
⚔️ Captain: 25 referrals, 1yr Platoon for 6
🏛️ Colonel: 100 referrals, lifetime Platoon for 6

Enlist now to get your referral link

Frequently Asked Questions

What is CodeMarine?
CodeMarine is an AI code security tool that catches vulnerabilities in AI-generated code at file save. It runs 100% locally on your machine in under 50ms. It works with Cursor, GitHub Copilot, Windsurf, Claude Code and any other AI coding tool that writes files to disk. It detects SQL injection, hardcoded secrets, slopsquatting (hallucinated packages), rules file backdoors, JWT bypasses and more across 35+ languages. Your code never leaves your machine.
Is CodeMarine an AI tool?
No. CodeMarine does not use AI, LLMs or machine learning internally. It is a deterministic, pattern-based security scanner that uses over 22,000 cryptographically signed security patterns. Results are reproducible, predictable and not subject to hallucination. It is built for the AI era but is not itself an AI product.
Does my code leave my machine?
Never. CodeMarine runs 100% locally. Source code is never uploaded, transmitted or processed in the cloud. Pattern databases sync from CodeMarine servers but all scanning happens on your device. Suitable for air-gapped environments, classified projects, HIPAA and financial services.
How fast is it?
Guardian scans complete in under 50ms at file save. For comparison, cloud-based code review tools like CodeRabbit take 30-60 seconds per review. CI/CD scanning tools like Snyk report findings hours or days after commit. CodeMarine's speed comes from running locally with compiled pattern matching rather than LLM inference.
What does CodeMarine detect?
SQL injection via f-strings and string formatting. Command injection. Hardcoded secrets and API keys. Disabled TLS verification. Path traversal. Dangerous eval/exec usage. JWT verification bypasses. CORS misconfigurations. CSRF gaps. Authentication logic flaws. Slopsquatting (hallucinated package names). Rules file backdoors and prompt injection in .cursorrules, copilot-instructions.md and MCP configs. AI behavioural patterns specific to each coding assistant. Over 22,000 signed patterns across 35+ languages.
What is slopsquatting?
Slopsquatting is a supply chain attack that exploits AI hallucination. AI coding assistants sometimes suggest installing packages that do not exist in any registry. Attackers register these hallucinated names on npm, PyPI and other registries with malicious code. Over 205,000 hallucinated package names have been documented by Socket.dev and Trend Micro. CodeMarine detects slopsquatting by checking every package name against known-good registries before installation.
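A minimal deterministic checker for two of the findings shown in the demo output and described above (a runtime-built string passed to a query()/execute() call, and an import of a package name absent from the known-good list), written here as an added illustration rather than CodeMarine's own code. The allow-list, the sink names and the sample file are constructed assumptions; a real slopsquatting check would consult the package index or a local mirror of it.

```python
import ast

# Constructed allow-list standing in for the registry lookup described above.
KNOWN_GOOD_MODULES = {"flask", "os", "sys", "json", "sqlite3", "requests", "re"}

# Attribute names treated as SQL execution sinks (assumed set for this example).
SQL_SINKS = {"execute", "executemany", "query", "raw"}

# Constructed sample file; the module name mirrors the "flask-auth-utils" finding above.
SAMPLE_SOURCE = '''
import sqlite3
import flask_auth_utils   # package name that does not exist on PyPI

def get_user(conn, name):
    cur = conn.cursor()
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")
    return cur.fetchone()
'''

def is_dynamic_string(node):
    """True for f-strings, "...".format(...) calls and "..." % x formatting."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format" and isinstance(node.func.value, ast.Constant)
    return (isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod)
            and isinstance(node.left, ast.Constant))

def scan(source):
    """Return (kind, line, detail) findings for one Python source string."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        # Sink check: the query argument to a DB call is a string built at runtime.
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in SQL_SINKS and node.args
                and is_dynamic_string(node.args[0])):
            findings.append(("VULN", node.lineno, f"dynamic string in {node.func.attr}()"))
        # Slopsquatting check: a top-level import absent from the known-good set.
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            names = [a.name for a in node.names] if isinstance(node, ast.Import) else [node.module or ""]
            for top in (n.split(".")[0] for n in names):
                if top and top not in KNOWN_GOOD_MODULES:
                    findings.append(("SLOP", node.lineno, f'"{top}" not in known-good registry'))
    return sorted(findings, key=lambda f: f[1])

if __name__ == "__main__":
    for kind, line, detail in scan(SAMPLE_SOURCE):
        print(f"{kind} line {line} | {detail}")
```

Parameterised queries (a `?` placeholder with a separate argument tuple) produce no finding, which is the shape the scanner is steering developers toward.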
What are rules file attacks?
AI coding IDEs use configuration files like .cursorrules, copilot-instructions.md, CLAUDE.md and MCP server configs to control how the AI assistant behaves. Attackers can inject malicious instructions into these files through pull requests or shared repositories, causing the AI to generate vulnerable code, exfiltrate data through crafted URLs or disable security checks. CodeMarine scans these files for prompt injection, invisible Unicode manipulation, encoded payloads and shell injection patterns.
Which AI coding assistants does it work with?
GitHub Copilot, Cursor, Claude Code, Windsurf, Amazon Q Developer, Google Gemini Code Assist, Tabnine, JetBrains AI Assistant, Sourcegraph Cody, Continue.dev, Augment Code, Devin, Roo Code, Aider, Cline and others. CodeMarine monitors the filesystem directly, so any tool that writes code to disk is automatically covered without specific integration. New AI tools are covered the moment they ship.
How is this different from Snyk, Checkmarx or SonarQube?
Traditional SAST tools were built for human-written code. They scan at CI/CD time (too late), often in the cloud (code leaves your machine) and for traditional vulnerability patterns. They cannot detect AI-specific threats like slopsquatting, rules file backdoors or AI behavioural patterns. CodeMarine scans at file save (the earliest possible moment), runs 100% locally, and detects threats specific to AI-generated code. CodeMarine is complementary to these tools, not a replacement.
What languages are supported?
35+ languages including JavaScript, TypeScript, Python, Go, Java, C#, Rust, Swift, Kotlin, PHP, Ruby, C, C++, Scala, Dart, Shell/Bash, SQL, Terraform, CloudFormation, Dockerfile, GraphQL, Solidity and more. Language support is driven by the pattern database which is continuously expanded.
How does defense in depth work?
CodeMarine implements three scanning layers. Layer 1: Guardian at file save (under 50ms), catching issues the moment code is written. Layer 2: pre-commit hooks blocking vulnerable code before it enters version control. Layer 3: GitHub Action at PR time as a safety net and audit trail. By the time a PR comment appears, developers with Guardian have already fixed the issues.
What is the MCP server?
CodeMarine includes a Model Context Protocol (MCP) server that lets AI assistants invoke security scans directly. When connected to Claude Code, Cursor or other MCP-compatible tools, the AI can check its own generated code for vulnerabilities in real time, verify package names against registries and scan rules files for prompt injection. This enables AI assistants to self-check their output.
Is the beta free?
Yes. Full access with no limitations and no credit card required. Beta testers receive permanent founding member pricing when the product launches. After launch, pricing starts at $5/month for individuals (Scout), $20/month flat for teams up to 5 (Squad) and $9/dev/month for larger teams (Platoon). Free for public and open-source repositories.
How does the referral programme work?
When you sign up you get a unique referral code and join the queue. Referring other developers moves you up the queue and unlocks rewards. Private (0 referrals) is standard queue. Corporal (3) jumps to front 50%. Sergeant (10) gets first-wave beta access, Discord and 1 year Scout plan free. Captain (25) gets 1 year Platoon licence for you and 5 teammates. Colonel (100) gets lifetime Platoon for you and 5 teammates.
Can CodeMarine work in air-gapped environments?
Yes. CodeMarine runs entirely locally. The only network connection is to sync pattern databases from CodeMarine servers. For air-gapped environments, pattern databases can be manually transferred and loaded. Source code never leaves the machine under any circumstances.

Don't ship blind.

Join the first wave. Enlist now.
