
© 2026 – Pkg Stats / Ryan Hefner

@codesherlock/codesherlock-prelive-mcp-server

v0.0.11

Published

A TypeScript-based Model Context Protocol (MCP) server

Readme

CodeSherlock MCP Server – Setup & Usage Guide

Configure the Model Context Protocol server once and keep every commit and working tree scan consistent across your team.

Key Features

Analyze Uncommitted Changes

Scan staged and unstaged files before you commit so surprises never reach your repo.

Analyze Committed Changes

Review your latest commit to spot issues before pushing to remote or opening a PR.

Security Framework Coverage

Run checks aligned to OWASP Top 10 and the CWE catalog for focused security feedback.

Works With Your AI Assistant

Connects to AI assistants like Claude Code, Cursor, Windsurf, Cline, VS Code and other MCP-compatible tools via a lightweight server.

Prerequisites

Quick checklist to confirm before you start:

  • Node.js (version 18.0.0 or higher) and npm installed on your system
  • A Git repository with code you want to analyze
  • An AI coding assistant that supports MCP (e.g., Claude Code, Cursor, VS Code, Cline, or similar)

The CodeSherlock MCP Server is available on the npm registry and can be used directly with npx. Note that this listing is for @codesherlock/codesherlock-prelive-mcp-server, while the configurations below reference @codesherlock/codesherlock-mcp-server; make sure you install the package you actually intend to run, and prefer pinning an explicit version (package@version) rather than letting npx -y fetch whatever is tagged latest at the time the assistant starts the server.


Step 1: Get Your API Key

How to obtain it

  1. Visit the API key page: codesherlock.ai/mcp/api/key
  2. Sign in or create an account.
  3. Generate a new API key.
  4. Copy and store the key securely—you will be prompted for it by the MCP server.

Important security notes

  • Never share your API key or commit it to version control. The configuration files below are easy to check in by accident, so add them to .gitignore or keep the key out of them.
  • Store the key in a password manager, and supply it to the server through an environment variable rather than as a literal string in a config file.
  • If a key is compromised, regenerate it immediately from your dashboard; the old key stops working and the new one has to be updated in every client that uses it.

Step 2: Configure Your AI Assistant

You need to add the CodeSherlock MCP Server configuration to your AI assistant's settings. Follow the instructions for your preferred IDE/assistant below.


Cursor

Steps to Configure

  1. Click the Settings (gear icon) on the top right corner
  2. Settings panel opens as a new tab in the center of the screen
  3. In the settings sidebar, navigate to Tools & MCP section
  4. Click on New MCP Server/Add a custom MCP Server button
  5. This opens the mcp.json config file
  6. Add the configuration below and save
  7. If you encounter any issues during installation, try running npx -y @codesherlock/codesherlock-mcp-server in your terminal first to ensure the package can be installed correctly
  8. Restart Cursor

Configuration

{
  "mcpServers": {
    "codesherlock": {
      "name": "CodeSherlock MCP Server",
      "description": "CodeSherlock is an AI-based code analysis tool that validates unstaged changes and commits directly inside IDEs and AI agents. It helps developers catch security, quality, and design issues early by combining deep analysis with compliance-aware checks (OWASP, CWE, SOC 2) at the moment code is written. CodeSherlock also performs other security vulnerability reviews along with maintainability, reliability and scalability checks. Use CodeSherlock to review and validate code, especially code generated by AI.",
      "command": "npx",
      "args": [
        "-y",
        "@codesherlock/codesherlock-mcp-server"
      ],
      "env": {
        "MCP_API_KEY": "your-api-key-here"
      }
    }
  }
}

Windsurf

Steps to Configure

  1. Click on the Settings (gear icon) on the top right corner and select Windsurf Settings (or press Ctrl+,)
  2. In the settings search box, type mcp
  3. Find the MCP Servers section
  4. Click on Open MCP Marketplace
  5. In the MCP Marketplace, click the Settings (gear icon) to add a custom server
  6. This opens the mcp_config.json config file
  7. Add the configuration below and save
  8. Restart Windsurf

Configuration

{
  "mcpServers": {
    "codesherlock": {
      "name": "CodeSherlock MCP Server",
      "description": "CodeSherlock is an AI-based code analysis tool that validates unstaged changes and commits directly inside IDEs and AI agents. It helps developers catch security, quality, and design issues early by combining deep analysis with compliance-aware checks (OWASP, CWE, SOC 2) at the moment code is written. CodeSherlock also performs other security vulnerability reviews along with maintainability, reliability and scalability checks. Use CodeSherlock to review and validate code, especially code generated by AI.",
      "command": "npx",
      "args": [
        "-y",
        "@codesherlock/codesherlock-mcp-server"
      ],
      "env": {
        "MCP_API_KEY": "your-api-key-here"
      }
    }
  }
}

Claude Code

Steps to Configure

  1. Run the following command in your terminal. The key value cs_mcp_abcdef is a placeholder; the cmd /c prefix is for Windows and should be dropped on macOS and Linux. Passing the literal key on the command line records it in your shell history, so prefer exporting it in your environment first and referencing that variable in --env:
claude mcp add --transport stdio codesherlock --env MCP_API_KEY=cs_mcp_abcdef -- cmd /c npx -y @codesherlock/codesherlock-mcp-server
  2. Verify the configuration by running:
claude mcp list
  3. If the connection is successful, start Claude. If claude mcp list fails to connect, reopen your terminal and try again before digging further.

Other useful commands:

claude mcp remove codesherlock   # Remove a server

Configuration

Manually add to config file (optional):

{
  "mcpServers": {
    "codesherlock": {
      "name": "CodeSherlock MCP Server",
      "description": "CodeSherlock is an AI-based code analysis tool that validates unstaged changes and commits directly inside IDEs and AI agents. It helps developers catch security, quality, and design issues early by combining deep analysis with compliance-aware checks (OWASP, CWE, SOC 2) at the moment code is written. CodeSherlock also performs other security vulnerability reviews along with maintainability, reliability and scalability checks. Use CodeSherlock to review and validate code, especially code generated by AI.",
      "command": "npx",
      "args": [
        "-y",
        "@codesherlock/codesherlock-mcp-server"
      ],
      "env": {
        "MCP_API_KEY": "your-api-key-here"
      }
    }
  }
}

VS Code

Steps to Configure

Requires the GitHub Copilot extension to be installed, since it provides VS Code's MCP client.

  1. Press Ctrl+Shift+P (Windows) or Cmd+Shift+P (macOS) to open Command Palette
  2. Type MCP:Open User Configuration
  3. This opens the MCP configuration file
  4. Add the configuration below and save
  5. Restart VS Code

Configuration

{
  "servers": {
    "codesherlock": {
      "name": "CodeSherlock MCP Server",
      "description": "CodeSherlock is an AI-based code analysis tool that validates unstaged changes and commits directly inside IDEs and AI agents. It helps developers catch security, quality, and design issues early by combining deep analysis with compliance-aware checks (OWASP, CWE, SOC 2) at the moment code is written. CodeSherlock also performs other security vulnerability reviews along with maintainability, reliability and scalability checks. Use CodeSherlock to review and validate code, especially code generated by AI.",
      "command": "npx",
      "args": [
        "-y",
        "@codesherlock/codesherlock-mcp-server"
      ],
      "env": {
        "MCP_API_KEY": "your-api-key-here"
      }
    }
  }
}

Cline

Cline is a VS Code extension. Install it from the VS Code Marketplace, or from the extension marketplace of another supported IDE.

Steps to Configure

  1. Open Cline panel in VS Code
  2. Click on Manage MCP Servers
  3. Click on the Settings (gear icon)
  4. Click on Configure MCP Servers button
  5. This opens the cline_mcp_settings.json config file
  6. Add the configuration below and save
  7. Restart VS Code

Configuration

{
  "mcpServers": {
    "codesherlock": {
      "name": "CodeSherlock MCP Server",
      "description": "CodeSherlock is an AI-based code analysis tool that validates unstaged changes and commits directly inside IDEs and AI agents. It helps developers catch security, quality, and design issues early by combining deep analysis with compliance-aware checks (OWASP, CWE, SOC 2) at the moment code is written. CodeSherlock also performs other security vulnerability reviews along with maintainability, reliability and scalability checks. Use CodeSherlock to review and validate code, especially code generated by AI.",
      "command": "npx",
      "args": [
        "-y",
        "@codesherlock/codesherlock-mcp-server"
      ],
      "env": {
        "MCP_API_KEY": "your-api-key-here"
      }
    }
  }
}
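All five client configurations above put the API key in the file as a literal string and auto-install an unpinned package through npx -y, which is exactly what Step 1 warns against and what a supply-chain reviewer would flag. The following is an added example, not code from the CodeSherlock package: a small Node.js linter you can run over an mcp.json, mcp_config.json or cline_mcp_settings.json before committing it. It handles both the "mcpServers" shape (Cursor, Windsurf, Claude Code, Cline) and the "servers" shape (VS Code). Assumptions: the cs_mcp_ key prefix is inferred from the single placeholder in the Claude Code example and is not a published key format; the ${env:VAR} reference in the hardened config is expanded by VS Code's MCP client, and you should confirm that your own client does the same; the 0.0.11 pin is illustrative and should be replaced with the version you verified on the registry.

```javascript
// Added example (not part of the CodeSherlock package): lint an MCP client
// config for the three mistakes this guide warns about - a placeholder or
// literal API key left in the file, stray whitespace around the key, and an
// unpinned package auto-installed through "npx -y".

// The guide's Claude Code example shows a key shaped like "cs_mcp_abcdef"; the
// prefix is inferred from that one example (assumption, not a published spec).
const LITERAL_KEY_RE = /^cs_mcp_[A-Za-z0-9]+$/;
const PLACEHOLDER_VALUES = new Set(["", "your-api-key-here"]);
// Accepts ${VAR}, ${VAR:-default} and ${env:VAR}. Whether a client expands
// these is client-specific (assumption: VS Code does; check yours).
const ENV_REF_RE = /^\$\{(env:)?[A-Za-z_][A-Za-z0-9_]*(:-[^}]*)?\}$/;
// Only env entries whose names look like secrets are inspected.
const SECRET_KEY_NAMES = /(API_KEY|TOKEN|SECRET|PASSWORD)$/i;

// Cursor/Windsurf/Claude Code/Cline use "mcpServers"; VS Code uses "servers".
function serversOf(config) {
  return config.mcpServers || config.servers || {};
}

// True when the spec carries a version after the package name, e.g.
// "@scope/name@1.2.3" or "name@1.2.3". A bare "@scope/name" is unpinned.
function isPinned(spec) {
  const withoutScope = spec.replace(/^@[^/]+\//, "");
  return /@./.test(withoutScope);
}

function lintMcpConfig(config) {
  const findings = [];
  for (const [name, server] of Object.entries(serversOf(config))) {
    for (const [envName, value] of Object.entries(server.env || {})) {
      if (typeof value !== "string" || !SECRET_KEY_NAMES.test(envName)) continue;
      if (PLACEHOLDER_VALUES.has(value.trim())) {
        findings.push({ server: name, code: "PLACEHOLDER",
          detail: `${envName} still holds the placeholder value` });
      } else if (value !== value.trim()) {
        // The "extra spaces in the API key" case from Troubleshooting.
        findings.push({ server: name, code: "WHITESPACE",
          detail: `${envName} has leading or trailing whitespace` });
      } else if (ENV_REF_RE.test(value)) {
        // Secret is resolved from the environment at start-up: nothing to report.
      } else if (LITERAL_KEY_RE.test(value) || value.length >= 16) {
        // Heuristic: a known key shape, or any long opaque string, is a secret.
        findings.push({ server: name, code: "LITERAL_SECRET",
          detail: `${envName} is a literal secret; reference an environment variable instead` });
      }
    }
    const args = server.args || [];
    if (server.command === "npx" && args.includes("-y")) {
      const spec = args.find((a) => !a.startsWith("-"));
      if (spec && !isPinned(spec)) {
        findings.push({ server: name, code: "UNPINNED",
          detail: `${spec} is auto-installed without a version pin` });
      }
    }
  }
  return findings;
}

// Constructed sample: the guide's Cursor config with a literal key pasted in.
const WEAK_CONFIG = {
  mcpServers: {
    codesherlock: {
      command: "npx",
      args: ["-y", "@codesherlock/codesherlock-mcp-server"],
      env: { MCP_API_KEY: "cs_mcp_abcdef" },
    },
  },
};

// Hardened form: the key is referenced from the environment and the package is
// pinned (0.0.11 is illustrative; use the version you verified on the registry).
const HARDENED_CONFIG = {
  mcpServers: {
    codesherlock: {
      command: "npx",
      args: ["-y", "@codesherlock/codesherlock-mcp-server@0.0.11"],
      env: { MCP_API_KEY: "${env:MCP_API_KEY}" },
    },
  },
};

// Human-readable summary, one finding per line.
function report(config) {
  const findings = lintMcpConfig(config);
  if (findings.length === 0) return "OK: no findings";
  return findings.map((f) => `${f.server}: ${f.code} - ${f.detail}`).join("\n");
}

console.log("weak config:\n" + report(WEAK_CONFIG));
console.log("hardened config:\n" + report(HARDENED_CONFIG));
```

Run it with node, or wire lintMcpConfig into a pre-commit hook that parses the config file and refuses the commit on any LITERAL_SECRET or PLACEHOLDER finding. Pinning the version does not by itself verify the package; it only makes the install reproducible, so pair it with a review of the package contents and its publisher before trusting it with your source.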

Step 3: Using CodeSherlock with Your AI Assistant

Once configured, you can start using CodeSherlock by prompting your AI assistant. The assistant will automatically invoke the MCP server tools to perform code analysis.

Analysis Types

CodeSherlock supports four analysis factors:

| Factor | Description |
|--------|-------------|
| power_analysis | A full-spectrum scan that covers the most essential and critical issues |
| owasp | Security analysis based on the OWASP Top 10 |
| cwe_mitre | Analyzes code against MITRE's Common Weakness Enumeration (CWE) |
| cwe_kev | Analyzes code against the Known Exploited Vulnerabilities (KEV) catalog, via the CWE weakness classes its entries map to |


Example Prompts

Drop these into your AI assistant to kick off a scan:

"Review my uncommitted changes using CodeSherlock"
"Use CodeSherlock to check my uncommitted code for CWE MITRE vulnerabilities"
"Analyze my latest commit for OWASP vulnerabilities using CodeSherlock"
"Check the last commit in my current repo for CWE KEV issues with CodeSherlock"

Understanding the Results

When Analysis Completes

The AI assistant will present the analysis results in a readable format, typically including:

  • Number of issues found
  • Severity levels (Critical, High, Medium, Low)
  • Issue categories
  • Affected files and line numbers
  • Descriptions and recommendations for each issue

Troubleshooting

"Server not found" or "MCP server failed to start"

  • Verify the configuration file path is correct
  • Check that Node.js and npm are properly installed

"Authentication failed" or "Invalid API key"

  • Verify your API key is correctly added to the configuration
  • Check for any extra spaces or characters in the API key
  • Regenerate your API key from the CodeSherlock dashboard
  • Ensure you've restarted your AI assistant after adding the key

"Not a Git repository"

  • Ensure you're analyzing a directory that contains a .git folder
  • Initialize a Git repository if needed: git init

"No changes to analyze"

  • For uncommitted analysis: Make sure you have modified files
  • For commit analysis: Verify the commit exists using git log
  • Check that you're in the correct Git repository

Analysis takes too long or times out

  • Start with analyzing specific files or smaller changesets
  • Check your internet connection
  • Break large changes into smaller commits for analysis

Best Practices

1. Integrate into Your Workflow

  • Before committing: Analyze uncommitted changes to catch issues early
  • After committing: Review commits before pushing to remote
  • During code review: Use analysis results to supplement manual reviews

2. Choose the Right Analysis Factor

  • OWASP: best for web applications and APIs; focuses on the OWASP Top 10 and other common web security risks.
  • CWE MITRE: ideal when you need deeper, classification-based coverage of software weaknesses across all domains.
  • CWE KEV: best for finding the weakness classes behind vulnerabilities that are actively being exploited in the wild.
  • Power Analysis: a broad, high-coverage analysis designed to catch the most essential and critical issues across any type of project (web, mobile, backend, etc.).

3. Act on Results

  • Prioritize Critical and High severity issues immediately
  • Create tickets for Medium severity issues
  • Document Low severity issues for future refactoring

Getting Help

If you run into any issues, email us at [email protected] and we will help you resolve them as soon as possible.