CodeMind v2.0 Documentation

Complete guide to CodeMind's 14 MCP security tools — SAST, Secrets, SCA, IaC, and SARIF reporting.

🛡️ Guardian Mode (v2.0)

CodeMind v2.0 is a comprehensive security platform with 5 engines and 14 MCP tools. Activate everything with a single trigger.

Activating via "use codemind"

In any MCP-compatible IDE (Cursor, Windsurf, Claude Code), simply type:

"use codemind"

This activates the full Guardian v2.0 suite: SAST scanning, secrets detection, SCA, IaC auditing, documentation fetching, and auto-fix.

All MCP Tools (14)

🔍 Static Analysis (SAST)

  • guard_code

    Comprehensive security & quality audit — 50+ patterns for SQLi, XSS, SSRF, command injection, path traversal, credential exposure, and AI slop detection. Returns a scored report.

  • scan_and_fix

    Detects vulnerabilities and auto-fixes them using LLM. Returns original issues, fixed code, and a diff.

  • improve_code

    Automatically refactors code to fix security and quality issues found by the auditor.

🛡️ Deep Security Scan

  • deep_security_scan

    Multi-layer analysis combining SAST + Secrets + Quality in one call. Runs all engines and returns a unified security score, severity breakdown, and formatted report.

🔑 Secrets Detection

  • scan_secrets

    Deep secrets detection with 30+ API key patterns (AWS, GCP, Stripe, GitHub, etc.) plus Shannon entropy analysis to catch unknown/custom secrets. Minimizes false positives via file-type filtering.
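The pattern-plus-entropy approach described above, as an added example that is not CodeMind's own code: a constructed subset of provider key patterns, a Shannon entropy pass for tokens no pattern knows, and a suffix-based file-type filter, run over a constructed sample file. The patterns, the 4.0 bits/char threshold and the skip list are assumptions.

```python
import math
import re

# Constructed subset of provider patterns; CodeMind's own 30+ rules are not reproduced here.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "stripe_live_secret": re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
}
# File types that legitimately contain random-looking strings; skipping them
# is the file-type filtering that keeps the entropy pass from flooding you.
SKIP_SUFFIXES = (".min.js", ".map", ".lock", ".png", ".jpg", ".woff2")
CANDIDATE = re.compile(r"[A-Za-z0-9+/_\-]{20,}")   # token shapes worth measuring
ENTROPY_THRESHOLD = 4.0   # bits/char; random base64-like material scores above this

def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def scan_text(path: str, text: str) -> list:
    """Return (line_no, rule, value) findings for one file's contents."""
    if path.endswith(SKIP_SUFFIXES):
        return []
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        matched = set()
        for rule, rx in PATTERNS.items():          # pass 1: known key formats
            for m in rx.finditer(line):
                findings.append((lineno, rule, m.group(0)))
                matched.add(m.group(0))
        for m in CANDIDATE.finditer(line):         # pass 2: unknown/custom secrets
            tok = m.group(0)
            if tok not in matched and shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                findings.append((lineno, "high_entropy_string", tok))
    return findings

# Constructed sample file: AWS's documented example key, one low-entropy
# password, and one custom token that only the entropy pass can catch.
SAMPLE = '''AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
PASSWORD = "hunter2"
CUSTOM_TOKEN = "d8f2Kq91xLm3ZpQ7vTb0eRw4uN6yH5sA"
'''

if __name__ == "__main__":
    for finding in scan_text("settings.py", SAMPLE):
        print(finding)
```

The low-entropy password is missed by both passes, which is why a real scanner also carries keyword rules; the entropy threshold is the knob that trades recall for false positives.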

📦 Software Composition Analysis (SCA)

  • scan_dependencies

    Scans lockfiles (requirements.txt, package-lock.json, yarn.lock, go.sum, Cargo.lock, etc.) and checks against Google's OSV.dev vulnerability database. Privacy-preserving: only package names & versions are sent.

  • check_package

    Quick single-package CVE lookup. Pass a name, version, and ecosystem (PyPI, npm, Go, etc.) to check for known vulnerabilities.
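An added example (not CodeMind's code) of the SCA flow for a requirements.txt: parse the pinned packages, build the request body for OSV's querybatch endpoint so you can see exactly what leaves the machine, and map a constructed OSV-shaped reply back onto the packages. The file-to-ecosystem mapping and the placeholder vulnerability IDs are assumptions.

```python
import json
import re

# OSV ecosystem names for the lockfiles the tool description lists (assumed mapping).
ECOSYSTEM_BY_FILE = {
    "requirements.txt": "PyPI",
    "package-lock.json": "npm",
    "go.sum": "Go",
    "Cargo.lock": "crates.io",
}
PINNED = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")

def parse_requirements(text: str) -> list:
    """(name, version) for every '==' pinned line; ranges and comments are skipped."""
    packages = []
    for line in text.splitlines():
        m = PINNED.match(line)
        if m:
            packages.append((m.group(1).lower(), m.group(2)))
    return packages

def build_querybatch(packages: list, ecosystem: str) -> dict:
    """Body for POST https://api.osv.dev/v1/querybatch. This is all that leaves
    the machine: package name, version and ecosystem, never source code."""
    return {"queries": [{"package": {"name": name, "ecosystem": ecosystem}, "version": version}
                        for name, version in packages]}

def summarize(packages: list, response: dict) -> list:
    """Join OSV's answer back onto the queries (results[i] answers queries[i])."""
    findings = []
    for (name, version), result in zip(packages, response.get("results", [])):
        ids = [v["id"] for v in result.get("vulns", [])]
        if ids:
            findings.append({"package": name, "version": version, "vulns": ids})
    return findings

# Constructed input and a constructed OSV-shaped reply (the IDs are placeholders).
REQUIREMENTS = "flask==2.0.1\nrequests>=2.0\n# pinned below\nPyYAML == 5.3.1\n"
FAKE_RESPONSE = {"results": [
    {},
    {"vulns": [{"id": "OSV-EXAMPLE-0001", "modified": "2024-01-01T00:00:00Z"}]},
]}

if __name__ == "__main__":
    pkgs = parse_requirements(REQUIREMENTS)
    print(json.dumps(build_querybatch(pkgs, ECOSYSTEM_BY_FILE["requirements.txt"]), indent=2))
    print(summarize(pkgs, FAKE_RESPONSE))
```

Unpinned ranges such as requests>=2.0 cannot be queried by exact version, which is why the tool reads lockfiles rather than loose manifests.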

🏗️ Infrastructure as Code (IaC)

  • scan_iac_file

    Scans Dockerfiles, GitHub Actions workflows, and docker-compose files for security misconfigurations — root user, secrets in ENV, unpinned images, supply chain attacks, excessive permissions.

  • scan_infrastructure

    Scans ALL IaC files in a project directory automatically. Finds and audits Dockerfiles, CI workflows, and compose files.
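An added example, not CodeMind's scanner, of four of the Dockerfile checks named above (unpinned base image, explicit root user or no USER at all, secret-looking ENV/ARG names, and piping a download into a shell at build time) run over a constructed Dockerfile. The check names and the secret-name heuristic are assumptions.

```python
import re

SECRET_NAME = re.compile(r"(?i)(password|passwd|secret|token|api_?key)\w*\s*[=\s]")

def audit_dockerfile(text: str) -> list:
    """Return (line_no, check, detail) for a subset of the misconfigurations listed above."""
    findings = []
    lines = text.splitlines()
    saw_user = False
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        instr, arg = parts[0].upper(), (parts[1] if len(parts) > 1 else "")
        if instr == "FROM":
            # Drop flags like --platform=... and the "AS stage" alias.
            image = [t for t in arg.split() if not t.startswith("--")][0]
            ref = image.rsplit("/", 1)[-1]          # strip registry/namespace
            pinned = "@sha256:" in image or (":" in ref and not ref.endswith(":latest"))
            if not pinned:
                findings.append((lineno, "unpinned_image", image))
        elif instr == "USER":
            saw_user = True
            if arg.split(":")[0] in ("root", "0"):
                findings.append((lineno, "runs_as_root", arg))
        elif instr in ("ENV", "ARG") and SECRET_NAME.search(arg):
            findings.append((lineno, "secret_in_env", arg))   # baked into image layers
        elif instr == "RUN" and re.search(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba)?sh\b", arg):
            findings.append((lineno, "pipe_to_shell", arg))   # unverified remote code at build
    if not saw_user:
        findings.append((len(lines), "no_user_instruction", "image runs as root by default"))
    return findings

# Constructed Dockerfiles: one with an instance of each problem, one clean.
BAD = """FROM python
ENV API_KEY=constructed-example-value
RUN curl -sSL https://example.invalid/install.sh | sh
USER root
"""
GOOD = "FROM python:3.12-slim@sha256:0000constructed\nUSER app\n"

if __name__ == "__main__":
    for f in audit_dockerfile(BAD):
        print(f)
```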

📋 Reporting

  • export_security_report

    Exports scan results as SARIF v2.1.0 (GitHub Code Scanning compatible), JSON, Markdown, HTML, or CSV. Includes CWE/OWASP mappings and code snippets.
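An added example (not CodeMind's exporter) that builds a SARIF v2.1.0 log of the kind GitHub Code Scanning ingests, carrying the CWE mapping as a rule tag and the code snippet inside the result region as mentioned above. The finding dict layout and the sample findings are constructed.

```python
import json

SARIF_SCHEMA = "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json"

def to_sarif(findings, tool_name="codemind", tool_version="2.0"):
    """SARIF 2.1.0 log (the shape GitHub Code Scanning ingests) from finding dicts
    with rule_id, level, message, file, line and optional description, cwe, snippet."""
    rules, results = {}, []
    for f in findings:
        rid = f["rule_id"]
        if rid not in rules:                       # one rule entry per distinct rule id
            rule = {"id": rid, "shortDescription": {"text": f.get("description", rid)}}
            if f.get("cwe"):                       # CWE mapping travels as a rule tag
                rule["properties"] = {"tags": ["security", f"external/cwe/cwe-{f['cwe']}"]}
            rules[rid] = rule
        region = {"startLine": f["line"]}
        if f.get("snippet"):                       # code snippet shown inline in the alert
            region["snippet"] = {"text": f["snippet"]}
        results.append({
            "ruleId": rid,
            "level": f["level"],                   # "error", "warning" or "note"
            "message": {"text": f["message"]},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["file"]}, "region": region}}],
        })
    return {
        "$schema": SARIF_SCHEMA,
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": tool_name, "version": tool_version,
                                      "rules": list(rules.values())}},
                  "results": results}],
    }

def sarif_json(findings):
    return json.dumps(to_sarif(findings), indent=2)

# Constructed findings; paths, lines and messages are made up for the example.
FINDINGS = [
    {"rule_id": "sqli", "level": "error", "message": "SQL built by string concatenation",
     "file": "app/db.py", "line": 42, "cwe": "089", "description": "SQL injection",
     "snippet": 'cur.execute("SELECT * FROM users WHERE id = " + user_id)'},
    {"rule_id": "sqli", "level": "error", "message": "SQL built by f-string",
     "file": "app/api.py", "line": 7, "cwe": "089"},
    {"rule_id": "hardcoded-secret", "level": "warning", "message": "Credential in source",
     "file": "settings.py", "line": 3},
]

if __name__ == "__main__":
    print(sarif_json(FINDINGS))
```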

📚 Documentation

  • resolve_library

    Resolve a library name to a documentation ID (like Context7).

  • query_docs

    Fetch up-to-date documentation for any library with code examples.

  • detect_code_libraries

    Detect frameworks and libraries in code snippets and suggest documentation queries.

🔧 Git & Review

  • review_diff

    Generate an AI code review prompt from git diff changes.

  • validate_ai_response

    Validate AI review output format and check for critical issues.

  • get_review_history

    Get recent code review history and statistics.

  • get_git_context

    Get current git repository context (branch, upstream, state).

📖 Resources & Prompts

  • guardian://best-practices

    Resource with authoritative security & clean code best practices.

  • code_review_prompt

    Generate a guided prompt for AI code review (general, security, performance, refactor).

  • secure_implementation_prompt

    Generate a prompt to implement code with security in mind.

  • codemind

    The unified "use codemind" prompt that orchestrates the full workflow.

Getting Started (MCP)

Installation

Install CodeMind with MCP support using pip:

pip
pip install "codemind[mcp]"

Set up Claude Desktop: add CodeMind to your claude_desktop_config.json under mcpServers using the command codemind serve.

How It Works

  1. Server Start

    The MCP server runs locally, exposing security and quality tools to your LLM.

  2. AI Interaction

    When you say "use codemind", the AI receives instructions to use our Guardian tools.

  3. Local Audit

    Your code stays 100% local. The audit happens on your machine, never in the cloud.

CLI Commands

codemind install

Install the git pre-push hook in the current repository.

codemind install [--force]

Option        Description
--force, -f   Overwrite existing pre-push hook

Note: This command must be run inside a git repository.

codemind uninstall

Remove the git pre-push hook from the current repository.

codemind uninstall

codemind run

Manually run AI code review on current changes without pushing.

codemind run [OPTIONS]

Option              Description
--base, -b          Base ref for diff (default: auto-detect)
--interactive, -i   Interactive Mode: review and resolve issues in the terminal
--vibe              Vibecoding Mode: high-energy, performance-focused review
--no-inject         Don't auto-inject, just copy to clipboard
--dry-run           Show what would happen without injecting
--preview           Show the prompt before injecting

Interactive Mode

When running with -i, CodeMind will prompt you to paste the AI's response. It then parses the feedback and lets you interactively review each issue.

codemind commit

Generate professional AI commit messages from staged changes.

codemind commit [--style STYLE] [--apply]

Option        Description
--style, -s   Style: conventional, simple, descriptive
--apply, -a   Apply the commit directly after generating

codemind rules

Manage and run custom review rules.

codemind rules list [--preset PRESET]
codemind rules check [-p PRESET] [-f FILE]

codemind ci

Integrate CodeMind into your CI/CD pipeline.

codemind ci init [--output PATH]
codemind ci info

Automatically generates a GitHub Actions workflow that runs CodeMind on every pull request.

codemind pr create

Generate high-quality Pull Request descriptions from branch changes.

codemind pr create [--base BRANCH] [--copy]

Automates the creation of professional summaries including Overview, Key Changes, and Impact.

codemind gateway

Manage the CodeMind REST API Gateway.

codemind gateway start [--host HOST] [--port PORT] [--reload]

Starts the FastAPI server to expose CodeMind functionality over REST.

codemind notify

Send review summaries to Slack or Discord.

codemind notify slack WEBHOOK_URL
codemind notify discord WEBHOOK_URL

Pushes latest review results to team communication channels.

Examples

# Review current changes
codemind run

# Preview the prompt without injecting
codemind run --preview

# Compare against specific branch
codemind run --base main

# Copy to clipboard instead of auto-inject
codemind run --no-inject

codemind status

Show CodeMind status including config, hook, and detected IDE.

codemind status

Output includes:

  • Config file location (or "using defaults")
  • Hook installation status
  • Currently detected IDE

codemind config

Manage configuration files and team sharing.

codemind config init [--wizard]
codemind config show
codemind config export [--output PATH]
codemind config import SOURCE

Interactive Wizard

Run codemind config init --wizard for a guided 30-second setup experience including IDE detection and hook installation.

Team Sharing

Sync your review standards across the team by exporting your config and sharing the file, or a URL to the config.

Examples

# Create config file
codemind config --init

# View current config
codemind config --show

codemind doctor

Run comprehensive system health and diagnostic checks.

codemind doctor

Checks Git repo health, hook integrity, config validity, IDE connectivity, and Standalone LLM status.

codemind template

Manage and customize prompt templates.

codemind template [OPTIONS]

Option         Description
--export, -e   Export default template to file
--output, -o   Output file name (default: codemind-template.txt)
--show         Show default template content

Template Placeholders

  • {max_comments} - Maximum number of comments
  • {branch_name} - Current branch name
  • {file_count} - Number of files changed
  • {additions} - Lines added
  • {deletions} - Lines deleted
  • {diff_content} - The actual diff

codemind detect

Detect running IDEs and show their details.

codemind detect

Shows all detected IDEs with:

  • IDE name and version
  • Window title
  • AI chat shortcut key

codemind history

View review history and statistics.

codemind history [OPTIONS]

Option        Description
--list, -l    Show recent reviews
--stats, -s   Show review statistics
--clear       Clear all history
--count, -n   Number of entries to show (default: 10)

codemind serve

Run CodeMind as an MCP (Model Context Protocol) server.

codemind serve [OPTIONS]

Option            Description
--transport, -t   Transport type: stdio or streamable-http
--host            Host for HTTP transport (default: localhost)
--port            Port for HTTP transport (default: 8000)

Available MCP Tools (14)

  • 🔍 guard_code — SAST audit (50+ patterns)
  • 🔧 scan_and_fix — Detect + auto-fix vulnerabilities
  • improve_code — Refactor and improve code
  • 🛡️ deep_security_scan — Multi-layer security analysis
  • 🔑 scan_secrets — 30+ API key patterns + entropy
  • 📦 scan_dependencies — SCA via OSV.dev
  • 🔍 check_package — Single package CVE check
  • 🏗️ scan_iac_file — Dockerfile/Actions/Compose security
  • 🏗️ scan_infrastructure — Full project IaC scan
  • 📋 export_security_report — SARIF/JSON/MD/HTML/CSV
  • 📚 resolve_library — Library ID resolution
  • 📖 query_docs — Documentation fetching
  • 🔎 detect_code_libraries — Framework detection
  • 📝 review_diff — Git diff review prompt

Configuration

Config File

Create a .codemind.yml file in your project root:

.codemind.yml
# When to run reviews: always, ask, never
enabled: always

ide:
  # Preferred IDEs (in order)
  preferred:
    - cursor
    - claude-code
    - windsurf
    - vscode
  # Auto-inject prompt into IDE
  auto_inject: true
  # Auto-submit the prompt
  auto_submit: false

review:
  # Maximum comments per review
  max_comments: 10
  # Enforce strict JSON output format
  strict_format: true

prompt:
  # Custom template file (optional)
  template_path: null
  # Extra rules to include
  extra_rules: []

Options Reference

Option                 Type      Default                      Description
enabled                string    always                       When to run reviews: always, ask, never
ide.preferred          array     [cursor, claude-code, ...]   Priority order for IDE detection
ide.auto_inject        boolean   true                         Automatically inject prompt into IDE
ide.auto_submit        boolean   false                        Auto-submit prompt after injection
review.max_comments    integer   10                           Maximum comments per review
review.strict_format   boolean   true                         Enforce strict JSON output format
prompt.template_path   string    null                         Path to custom template file
prompt.extra_rules     array     []                           Additional review rules

Custom Templates

Create custom prompt templates for your team:

# Export the default template
codemind template --export -o my-template.txt

# Edit my-template.txt with your customizations

# Reference in config
prompt:
  template_path: my-template.txt

IDE Support

Cursor

Status: Full Support

CodeMind auto-injects prompts via Ctrl+L into Cursor's AI chat.

Claude Code

Status: Full Support

Native integration with Claude's AI assistant.

Windsurf

Status: Full Support

Works with Codeium's Cascade AI.

VS Code

Status: Copilot Required

Works with the GitHub Copilot Chat extension. You can configure CodeMind as an MCP server in your settings.json:

{
  "mcp": {
    "servers": {
      "CodeMind": {
        "command": "codemind",
        "args": ["serve"]
      }
    }
  },
  "github.copilot.chat.codeGeneration.instructions": [
    {
      "text": "When generating code, use CodeMind to audit for security and quality."
    }
  ]
}