
@mrzadexinho/codeguard

v1.2.0

Published

AI code review MCP server — automated pattern detection for bugs, security issues, and silent failures

Readme

codeguard


Context-aware AI code review MCP server. Automated pattern detection for bugs, security vulnerabilities, insecure defaults, and silent failures.

Problem

AI assistants review code but miss common anti-patterns that automated detection catches instantly. codeguard runs 25 context-aware rules locally with zero API calls, returning structured findings with confidence scores. The context layer understands comments, strings, imports, and file types to eliminate false positives.

Quick Start

As MCP Server (Claude Code)

{
  "mcpServers": {
    "codeguard": {
      "command": "npx",
      "args": ["-y", "@mrzadexinho/codeguard"]
    }
  }
}

As Library

import { readFileSync } from 'node:fs';
import { RuleEngine } from '@mrzadexinho/codeguard';

// The file name is passed alongside its contents so the engine can detect
// language and file type from the path; read the source from disk first.
const sourceCode = readFileSync('app.ts', 'utf8');

const engine = new RuleEngine();
const result = engine.reviewFile('app.ts', sourceCode);

for (const finding of result.findings) {
  console.log(`[${finding.rule}] ${finding.severity}: ${finding.message}`);
  console.log(`  ${finding.file}:${finding.line} (confidence: ${finding.confidence})`);
}

MCP Tools

| Tool | Description |
|------|-------------|
| review_file | Review a source file for bugs, security issues, and code quality problems |
| review_diff | Review a git diff; focuses analysis on changed lines |
| check_error_handling | Specialized silent-failure detection (empty catches, swallowed errors) |
| list_rules | List all available rules with IDs, categories, and severities |

Context-Aware Analysis

Unlike simple pattern matchers, codeguard understands code context:

  • Skips patterns inside comments (single-line, block, Python docstrings)
  • Skips patterns inside string literals (template literals, multi-line strings)
  • Detects file type (test, config, migration, generated) to adjust rule behavior
  • Tracks imports to understand what utilities are available
  • Identifies try-catch regions for error handling analysis

This eliminates false positives like flagging password inside a comment or eval inside a string.
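The context layer described above, as an added example that is not codeguard's own code: a minimal single-pass scanner that labels every character of a JavaScript/TypeScript source as code, comment or string, and a helper that applies a regex rule only where the label is code. The sample source, the classifyChars and findInCode names and the hardcoded-credential regex are constructed for this illustration; the scanner covers line comments, block comments, quoted strings and template literals, and does not handle regex literals.

```typescript
// Added example, not codeguard's own code: a single-pass scanner that labels
// each character of a JS/TS source as code, comment or string so a regex rule
// can be applied to real code only. All names here are hypothetical.
// Known gap: regex literals such as /"/ are treated as code.

export type Region = 'code' | 'comment' | 'string';

// One pass over the source; returns a label for each character index.
export function classifyChars(source: string): Region[] {
  const mask: Region[] = new Array<Region>(source.length).fill('code');
  let i = 0;
  while (i < source.length) {
    const c = source[i];
    const next = source[i + 1];
    if (c === '/' && next === '/') {
      // line comment: everything up to (not including) the newline
      while (i < source.length && source[i] !== '\n') mask[i++] = 'comment';
    } else if (c === '/' && next === '*') {
      // block comment, possibly spanning lines; an unterminated one runs to EOF
      const end = source.indexOf('*/', i + 2);
      const stop = end === -1 ? source.length : end + 2;
      while (i < stop) mask[i++] = 'comment';
    } else if (c === '"' || c === "'" || c === '`') {
      // string or template literal, honouring backslash escapes
      const quote = c;
      mask[i++] = 'string';
      while (i < source.length) {
        const ch = source[i];
        mask[i++] = 'string';
        if (ch === '\\') {
          if (i < source.length) mask[i++] = 'string'; // escaped character
          continue;
        }
        if (ch === quote) break;
        // an unterminated '...' or "..." ends at the line break; templates may span lines
        if (quote !== '`' && ch === '\n') break;
      }
    } else {
      i++;
    }
  }
  return mask;
}

export interface Match { line: number; text: string; }

// Return every match of `pattern` whose first character lies in real code,
// with its 1-based line number.
export function findInCode(source: string, pattern: RegExp): Match[] {
  const mask = classifyChars(source);
  const flags = pattern.flags.includes('g') ? pattern.flags : pattern.flags + 'g';
  const re = new RegExp(pattern.source, flags);
  const out: Match[] = [];
  let m: RegExpExecArray | null;
  while ((m = re.exec(source)) !== null) {
    if (mask[m.index] !== 'code') continue; // inside a comment or string: skip
    const line = source.slice(0, m.index).split('\n').length;
    out.push({ line, text: m[0] });
  }
  return out;
}

// Constructed sample: "password =" appears in a line comment (line 1), in a
// string (line 2), in a block comment (line 4) and in real code (lines 5 and 6).
export const SAMPLE = [
  '// password = stored in vault, never here',
  'const hint = "password = hunter2";',
  '/* legacy:',
  '   const password = "hunter2"; */',
  'const password = "hunter2";',
  'const apiKey = `token-${id}`;',
].join('\n');

// Hypothetical hardcoded-credential rule.
export const HARDCODED = /\b(password|apiKey|secret)\s*=/;

// Only the assignments on lines 5 and 6 are reported.
export const REAL_HITS = findInCode(SAMPLE, HARDCODED);
```

Running the block (for example with npx tsx) reports only the two assignments on lines 5 and 6; the occurrences inside the comments and the string on lines 1, 2 and 4 are skipped without any special-casing in the rule itself, which is the property the context layer provides.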

Rules (25 total)

Error Handling (6 rules, ERR001-ERR006)

Detects empty catch blocks, catch-only-log patterns, unhandled promise rejections, pointless re-throws, async functions without error handling, and optional chaining on security-critical paths.

Security (10 rules, SEC001-SEC010)

Detects dynamic code execution, unsafe HTML injection, hardcoded credentials, SQL injection, shell command injection, fail-open environment defaults, debug flags left on, permissive CORS, weak cryptographic algorithms, and unsafe deserialization.

Code Quality (7 rules, QA001-QA007)

Detects debug logging in production, TODO/FIXME/HACK markers, magic numbers, deeply nested control flow, overly long functions, unused imports, and duplicate conditions.

Run list_rules to see all rules with their IDs, severities, and supported languages.

Architecture

codeguard/
  src/
    context/         # Context-aware analysis layer
      analyzer       # Single-pass scanner: comments, strings, imports, regions
      types          # FileContext, LineContext, FileType
    parser/          # Diff and source file parsing
      diff-parser    # Unified diff to structured DiffFile[]
      code-parser    # Source to ParsedFile with language detection
    rules/           # Pattern matching engine
      engine         # RuleEngine: builds context, applies rules, filters, sorts
      error-handling # ERR001-006
      security       # SEC001-005, SEC010
      insecure-defaults # SEC006-009 (TrailOfBits patterns)
      code-quality   # QA001-007
    mcp/             # MCP server layer
      tools/         # 4 MCP tools
  tests/             # 142 tests mirroring src/ structure

Key Design Decisions

| Decision | Why |
|----------|-----|
| Context layer | Single-pass analyzer eliminates false positives in comments/strings |
| Regex pattern matching | Zero dependencies, instant results, no AST parser needed |
| Confidence scores (0-100) | Filter noise: use min_confidence: 80 for high-signal only |
| Category filtering | Focus analysis: ['security'] for security-only review |
| Language detection | Auto-filters rules by file extension |
| File type awareness | Skips security rules in test files, adjusts behavior for configs |

Confidence Scoring

  • 90-100: Near-certain detection (empty catch, unsafe deserialization)
  • 80-89: High confidence (hardcoded secrets, injection patterns, insecure defaults)
  • 70-79: Moderate confidence (log-only catches, deep nesting, unused imports)
  • 60-69: Low confidence (magic numbers, optional chain heuristics, async error handling)

Use min_confidence: 80 to get only high-signal findings.
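The review_diff tool and the confidence filtering described above, as an added example that is not codeguard's own code: a unified-diff parser that yields only the added lines with their new-file line numbers, a small table of confidence-scored regex rules, and a reviewDiff function that applies those rules to the added lines and keeps findings at or above a minimum confidence, optionally restricted to a category. The rule IDs, scores, messages and the sample diff are constructed for this illustration and are not codeguard's real rules.

```typescript
// Added example, not codeguard's own code: review only the lines a diff adds,
// attach a confidence score per rule, and filter by a minimum confidence and
// optional category. Rule ids, scores and the sample diff are hypothetical.

export type Category = 'security' | 'error-handling';

export interface Rule {
  id: string; category: Category; severity: 'high' | 'medium';
  confidence: number; pattern: RegExp; message: string;
}

// Hypothetical rules; scores follow the bands in the text (90+ near-certain, 80+ high, 70+ moderate).
export const RULES: Rule[] = [
  { id: 'X-EVAL',   category: 'security',       severity: 'high',   confidence: 90,
    pattern: /\beval\s*\(/, message: 'dynamic code execution' },
  { id: 'X-SECRET', category: 'security',       severity: 'high',   confidence: 85,
    pattern: /\b(password|secret|apiKey)\s*=\s*["'`][^"'`]+["'`]/, message: 'hardcoded credential' },
  { id: 'X-CATCH',  category: 'error-handling', severity: 'medium', confidence: 70,
    pattern: /catch\s*(\([^)]*\))?\s*\{\s*\}/, message: 'empty catch block' },
];

export interface AddedLine { file: string; line: number; text: string; }

// Walk a unified diff and return the added lines with their new-file numbers.
// Removed lines have no new-file number and are never reviewed.
export function addedLines(diff: string): AddedLine[] {
  const out: AddedLine[] = [];
  let file = '';
  let newLine = 0;
  for (const raw of diff.split('\n')) {
    if (raw.startsWith('+++ ')) { file = raw.slice(4).replace(/^b\//, ''); continue; }
    if (raw.startsWith('--- ')) continue;
    const hunk = /^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@/.exec(raw);
    if (hunk) { newLine = Number(hunk[1]); continue; }
    if (raw.startsWith('+')) { out.push({ file, line: newLine, text: raw.slice(1) }); newLine++; }
    else if (raw.startsWith('-')) { /* removed: does not advance the new-file counter */ }
    else if (raw.startsWith('\\')) { /* "\ No newline at end of file" marker */ }
    else { newLine++; } // unchanged context line
  }
  return out;
}

export interface Finding {
  rule: string; file: string; line: number; severity: string; confidence: number; message: string;
}

// Apply the rules to added lines only, drop findings below minConfidence,
// optionally keep only the given categories, and sort highest confidence first.
export function reviewDiff(
  diff: string,
  opts: { minConfidence?: number; categories?: Category[] } = {},
): Finding[] {
  const min = opts.minConfidence ?? 0;
  const rules = RULES.filter(r => !opts.categories || opts.categories.includes(r.category));
  const findings: Finding[] = [];
  for (const added of addedLines(diff)) {
    for (const r of rules) {
      if (r.confidence >= min && r.pattern.test(added.text)) {
        findings.push({ rule: r.id, file: added.file, line: added.line,
                        severity: r.severity, confidence: r.confidence, message: r.message });
      }
    }
  }
  return findings.sort((a, b) => b.confidence - a.confidence || a.line - b.line);
}

// Constructed sample diff: three risky additions in the first hunk; the second
// hunk removes an eval() call, which must not be reported.
export const SAMPLE_DIFF = [
  'diff --git a/src/auth.ts b/src/auth.ts',
  '--- a/src/auth.ts',
  '+++ b/src/auth.ts',
  '@@ -10,3 +10,6 @@ export function login() {',
  '   const user = getUser();',
  '-  const token = sign(user);',
  '+  const password = "hunter2";',
  '+  const token = eval(buildSigner(user));',
  '+  try { audit(user); } catch (e) {}',
  '+  return token;',
  '   // end',
  '@@ -30,3 +33,3 @@',
  '   const cfg = load();',
  '-  eval(legacy);',
  '+  run(legacy);',
  '   return cfg;',
].join('\n');

export const ALL_FINDINGS = reviewDiff(SAMPLE_DIFF);
export const HIGH_SIGNAL = reviewDiff(SAMPLE_DIFF, { minConfidence: 80 });
```

With no threshold all three added-line findings come back (lines 12, 11 and 13 in confidence order); with minConfidence 80 the moderate-confidence empty catch drops out, which is the effect of the min_confidence: 80 setting recommended above. The eval() on the removed line is never seen because the parser only emits added lines.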

Supported Languages

TypeScript, JavaScript, Python, Java, Go, Rust, Ruby, PHP, C/C++, C#, Swift, Kotlin

Development

git clone https://github.com/mrzadexinho/codeguard.git
cd codeguard
npm install
npm run build
npm test

License

MIT