npm package discovery and stats viewer.


© 2026 – Pkg Stats / Ryan Hefner

safeweave-mcp

v0.4.10

Published

SafeWeave MCP server — Free SAST, secrets, and dependency scanning for AI code editors. Upgrade to Self-Hosted Pro for all 8 scanners + compliance profiles.

Readme

safeweave-mcp

Security scanning MCP server for AI code editors. Scans your code for vulnerabilities, secrets, and dependency issues -- directly inside Claude Code, Cursor, VS Code, and Windsurf.

Available on npm as safeweave-mcp.

Plans

| Plan | Key Prefix | Price | Scanning | Scanners | Dashboard |
|------|-----------|-------|----------|----------|-----------|
| Unregistered | No key | Free | Refused | -- | -- |
| Free | sw_free_ | Free | Local | 3 (SAST, Secrets, Dependencies) | No |
| Self-Hosted Pro | sw_shpro_ | $15/mo | Local | All 8 | Metadata only (no source code leaves your machine) |
| Cloud | -- | $29/mo | Remote API | All 8 | Full |
| Team | -- | $99/mo | Remote API | All 8 | Full + team management |

No key? Scanning is refused. Register for free at safeweave.dev/register to get started.

Scanners

| Scanner | What it detects | Tier |
|---------|----------------|------|
| SAST | SQL injection, XSS, SSRF, path traversal, insecure crypto | Free |
| Secrets | API keys, tokens, passwords, private keys in source code | Free |
| Dependencies | Known CVEs in npm/pip/go/cargo packages | Free |
| IaC | Terraform, Dockerfile, Kubernetes misconfigurations | Pro |
| Container | Vulnerabilities in container images | Pro |
| DAST | Runtime API security issues (requires running app) | Pro |
| License | GPL, AGPL, and other problematic dependency licenses | Pro |
| Posture | Missing auth, rate limiting, CORS, security headers | Pro |

Quick Start

Automatic Setup (recommended)

Run one command -- SafeWeave downloads scanners, asks for your key, and configures every detected editor automatically:

```bash
npx safeweave-mcp
```

What happens:

```text
[1/5] Downloading security scanners...
      ✓ Security scanners ready

[2/5] License key
      Get a free key at: https://safeweave.dev/register

Enter license key (or press Enter for trial mode): sw_free_abc123
      ✓ Key accepted (plan: free)

[3/5] Detecting installed editors...
      ✓ Claude Desktop
      ✓ Cursor
      - Windsurf (not found)
      ✓ Claude Code
      ✓ VS Code / Copilot

[4/5] Configuring editors...

      Claude Desktop:
        ✓ Configured (backup: .../claude_desktop_config.json.backup.1710432000)

      Cursor:
        ✓ Configured (~/.cursor/mcp.json)

      Claude Code:
        Running: claude mcp add safeweave ...
        ✓ Configured via CLI

      VS Code / Copilot:
        (workspace-level — add to .vscode/mcp.json in each project)

[5/5] Setup complete!
      Restart your editor(s) to start scanning.
```

The installer:

  • Auto-detects Claude Desktop, Cursor, Windsurf, Claude Code, and VS Code
  • Writes the MCP config directly into each editor (with backup)
  • Runs claude mcp add for Claude Code
  • Only asks one question (license key) -- everything else is automatic
  • Press Enter to skip the key and use trial mode

Manual Setup

If you prefer to configure editors yourself, or the auto-installer didn't detect your editor:

  1. Register free at safeweave.dev/register
  2. Copy your license key from the dashboard
  3. Add the config snippet to your editor's MCP config file:

Claude Code (CLI):

```bash
claude mcp add safeweave -s user -e SAFEWEAVE_LICENSE_KEY=sw_free_your_key_here -- npx -y safeweave-mcp
```

Claude Desktop (~/Library/Application Support/Claude/claude_desktop_config.json on macOS):

```json
{
  "mcpServers": {
    "safeweave": {
      "command": "npx",
      "args": ["-y", "safeweave-mcp"],
      "env": { "SAFEWEAVE_LICENSE_KEY": "sw_free_your_key_here" }
    }
  }
}
```

Cursor (~/.cursor/mcp.json):

```json
{
  "mcpServers": {
    "safeweave": {
      "command": "npx",
      "args": ["-y", "safeweave-mcp"],
      "env": { "SAFEWEAVE_LICENSE_KEY": "sw_free_your_key_here" }
    }
  }
}
```

VS Code / Copilot (.vscode/mcp.json in each project):

```json
{
  "servers": {
    "safeweave": {
      "command": "npx",
      "args": ["-y", "safeweave-mcp"],
      "env": { "SAFEWEAVE_LICENSE_KEY": "sw_free_your_key_here" }
    }
  }
}
```

Windsurf (~/.codeium/windsurf/mcp_config.json):

```json
{
  "mcpServers": {
    "safeweave": {
      "command": "npx",
      "args": ["-y", "safeweave-mcp"],
      "env": { "SAFEWEAVE_LICENSE_KEY": "sw_free_your_key_here" }
    }
  }
}
```

  4. Restart your editor.

Upgrading to Self-Hosted Pro

  1. Upgrade at safeweave.dev/pricing
  2. Your new key starts with sw_shpro_ -- replace the old key in each editor config
  3. All 8 scanners activate automatically
  4. Findings metadata appears in your dashboard (no source code sent)

Or re-run npx safeweave-mcp and enter your new key -- it will update all editors.

Environment Variables

The license key is set via the SAFEWEAVE_LICENSE_KEY environment variable inside your editor's MCP config. The auto-installer handles this for you, but you can also set it manually.

| Variable | Required | Default | Description |
|----------|----------|---------|-------------|
| SAFEWEAVE_LICENSE_KEY | No | -- | License key from safeweave.dev. Without a key, SafeWeave runs in trial mode (10 free scans). Register free for unlimited scans. |
| SAFEWEAVE_API_URL | No | https://api.safeweave.dev | Scanner gateway URL |
| SAFEWEAVE_SCAN_MODE | No | Auto-detected from plan | Force scan mode: local (run scanners locally) or cloud (send to API) |

Where the key goes

The key is not set as a shell environment variable. It lives inside your editor's MCP config in the env block:

```json
{
  "mcpServers": {
    "safeweave": {
      "command": "npx",
      "args": ["-y", "safeweave-mcp"],
      "env": { "SAFEWEAVE_LICENSE_KEY": "sw_free_your_key_here" }
    }
  }
}
```

When the editor launches the MCP server, it passes SAFEWEAVE_LICENSE_KEY as an environment variable to the npx safeweave-mcp process. You never need to export it in your shell profile.

Key prefixes

| Prefix | Plan |
|--------|------|
| sw_free_ | Free (unlimited scans, 3 scanners) |
| sw_shpro_ | Self-Hosted Pro (all 8 scanners, local scanning) |
| sw_cloud_ | Cloud (all 8 scanners, remote API) |
| sw_team_ | Team (all 8 scanners, remote API, team management) |

Changing your key

Auto: Run npx safeweave-mcp again and enter the new key. All detected editors are updated.

Manual: Edit the SAFEWEAVE_LICENSE_KEY value in each editor's config file (see paths above), then restart the editor.
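To make the key and environment handling above concrete, here is an added example (not SafeWeave's own code) of how the server process that the editor launches could read its env block, map the key prefix to a plan, and settle the scan mode. The plan names, key prefixes, variable names and default API URL are those the README documents; the function names, the way the 10-scan trial budget is represented, and the rule that cloud mode refuses a non-https gateway URL are assumptions made for this example.

```javascript
// Added example (not SafeWeave's own code): resolve plan and scan mode from the
// env block the editor passes to the MCP server process. Plan names, prefixes,
// variable names and the default API URL come from the README; the function
// names, trial budget handling and https-only check are assumptions.

const KEY_PREFIXES = {
  sw_free_:  { plan: 'free',            scanners: 3, defaultMode: 'local' },
  sw_shpro_: { plan: 'self-hosted-pro', scanners: 8, defaultMode: 'local' },
  sw_cloud_: { plan: 'cloud',           scanners: 8, defaultMode: 'cloud' },
  sw_team_:  { plan: 'team',            scanners: 8, defaultMode: 'cloud' },
};
const DEFAULT_API_URL = 'https://api.safeweave.dev';
const TRIAL_SCAN_LIMIT = 10; // README: trial mode allows 10 free scans

// Pull one server's env block out of an editor MCP config file.
// Claude Desktop / Cursor / Windsurf use "mcpServers"; VS Code uses "servers".
function extractServerEnv(configText, serverName) {
  const cfg = JSON.parse(configText);
  const servers = cfg.mcpServers || cfg.servers || {};
  const entry = servers[serverName];
  if (!entry) throw new Error(`No MCP server named "${serverName}" in config`);
  return entry.env || {};
}

// Map a license key to its plan by prefix; an empty or missing key means trial mode.
function classifyKey(key) {
  const trimmed = (key || '').trim();
  if (trimmed === '') {
    return { plan: 'trial', scanners: 3, defaultMode: 'local', remainingScans: TRIAL_SCAN_LIMIT };
  }
  for (const [prefix, info] of Object.entries(KEY_PREFIXES)) {
    if (trimmed.startsWith(prefix)) return { ...info, remainingScans: Infinity };
  }
  throw new Error('Unrecognised license key: expected prefix sw_free_, sw_shpro_, sw_cloud_ or sw_team_');
}

// Keys must never be written in full to logs or error messages: keep prefix + last 4.
function redactKey(key) {
  const prefix = Object.keys(KEY_PREFIXES).find((p) => key.startsWith(p)) || '';
  return key.length > prefix.length + 4 ? `${prefix}***${key.slice(-4)}` : '***';
}

// Resolve the effective runtime configuration from a process environment object.
function resolveConfig(env) {
  const plan = classifyKey(env.SAFEWEAVE_LICENSE_KEY);

  // SAFEWEAVE_SCAN_MODE overrides the plan default; anything else is a typo, so fail loudly.
  let scanMode = plan.defaultMode;
  if (env.SAFEWEAVE_SCAN_MODE !== undefined) {
    if (!['local', 'cloud'].includes(env.SAFEWEAVE_SCAN_MODE)) {
      throw new Error(`SAFEWEAVE_SCAN_MODE must be "local" or "cloud", got "${env.SAFEWEAVE_SCAN_MODE}"`);
    }
    scanMode = env.SAFEWEAVE_SCAN_MODE;
  }

  // In cloud mode source files are uploaded, so refuse a gateway URL that is not
  // https: a tampered editor config must not be able to redirect code to plaintext.
  const apiUrl = env.SAFEWEAVE_API_URL || DEFAULT_API_URL;
  if (scanMode === 'cloud' && new URL(apiUrl).protocol !== 'https:') {
    throw new Error(`Refusing cloud scan mode with non-https SAFEWEAVE_API_URL ${apiUrl}`);
  }

  return {
    plan: plan.plan,
    scanners: plan.scanners,
    scanMode,
    apiUrl,
    remainingScans: plan.remainingScans,
    sourceLeavesMachine: scanMode === 'cloud',
    keyForLogs: env.SAFEWEAVE_LICENSE_KEY ? redactKey(env.SAFEWEAVE_LICENSE_KEY) : '(none, trial)',
  };
}

// Usage with a constructed key value (the key itself is a placeholder):
console.log(resolveConfig({ SAFEWEAVE_LICENSE_KEY: 'sw_shpro_EXAMPLE0000' }));
```

The `sourceLeavesMachine` flag is the value worth surfacing to the user: it is the one piece of state that decides whether a scan stays local, and it follows from the scan mode rather than from the plan alone, since SAFEWEAVE_SCAN_MODE can force a free key into cloud mode.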

How It Works

```text
Your Editor (Claude Code / Cursor / VS Code / Windsurf)
        |
        | stdio (MCP protocol)
        v
   safeweave-mcp (runs locally on your machine)
        |
        | Free / Self-Hosted Pro: scans run locally
        | Cloud / Team: files sent to SafeWeave API
        v
   Scanner Fleet
        |
        | Free:  3 scanners (SAST, secrets, dependencies)
        | Pro:   All 8 scanners + compliance profiles
        |
        | Semgrep, Gitleaks, npm-audit,
        | Trivy, Nuclei, and custom analyzers
        v
   Findings returned to your editor as structured JSON
```

  • Files are collected locally with sensible defaults (skips node_modules, .git, dist, etc.)
  • Max 2000 files, 50 MB total, 1 MB per file
  • Supports: .ts, .js, .py, .go, .java, .rb, .rs, .php, .tf, .yaml, .json, .sql, .html, .css, and more
  • Self-Hosted Pro sends only findings metadata to the dashboard -- no source code leaves your machine

What to Expect

Once configured, ask your AI assistant things like:

  • "Scan this project for security issues"
  • "Check if there are any hardcoded secrets"
  • "Audit my dependencies for CVEs"
  • "What's my security score?"
  • "How do I fix finding SAST-001?"

Example output:

```text
Found 3 issues:

1. HIGH: Hardcoded API key in src/config.ts (line 12)
   CWE-798 | Remediation: Move to environment variable

2. MEDIUM: SQL injection risk in src/db.ts (line 45)
   CWE-89 | Remediation: Use parameterized queries

3. LOW: Dependency [email protected] has known CVE-2021-23337
   Remediation: Upgrade to [email protected]
```

Tools

| Tool | Description | Tier |
|------|-------------|------|
| scan_project | Full security scan -- collects all source files and runs all available scanners | Free |
| scan_file | Scan a single file for vulnerabilities | Free |
| scan_dependencies | Audit dependencies for known CVEs | Free |
| get_findings | Filter and view scan results | Free |
| get_security_score | Overall security posture score (0-100) | Free |
| suggest_fix | Get remediation guidance for a specific finding | Free |
| set_profile | Switch compliance profile (standard is free; others require Pro) | Free |
| scan_iac | Scan Terraform, Dockerfiles, Kubernetes configs | Pro |
| check_container | Scan container images for vulnerabilities | Pro |
| check_license | Check dependency license compliance | Pro |
| check_posture | Detect missing auth, rate limiting, security headers | Pro |
| dast_check | Dynamic security testing on running endpoints | Pro |

Compliance Profiles

Switch profiles to focus scans on specific compliance frameworks:

  • standard -- OWASP Top 10, common CVEs, secrets (default, included in free tier)
  • hardened -- Strict thresholds, crypto requirements (Pro)
  • owasp -- OWASP Top 10 focused (Pro)
  • soc2 -- SOC 2 Type II compliance (Pro)
  • pci-dss -- PCI DSS v4.0 (Pro)
  • hipaa -- HIPAA Security Rule (Pro)

Self-Hosted Pro vs Cloud

| | Self-Hosted Pro ($15/mo) | Cloud ($29/mo) | Team ($99/mo) |
|---|---|---|---|
| How it runs | npx safeweave-mcp in your editor | Remote API | Remote API |
| Scanners | All 8 | All 8 | All 8 |
| Compliance profiles | All profiles | All profiles | All profiles |
| Dashboard | Metadata only | Full | Full |
| Source code leaves machine | No | Yes (sent to API) | Yes (sent to API) |
| CI/CD integration | No | Yes | Yes |
| Team management | No | No | Yes |
| Best for | Solo devs who want privacy | Solo devs who want full dashboard | Teams needing visibility |

Claude Code Skill: Auto-Scan Before Push

Install the secure-before-push skill to have Claude automatically scan your code with SafeWeave before every git commit, git push, or PR creation.

Install

Run in your terminal:

```bash
mkdir -p ~/.claude/skills/secure-before-push
curl -sL https://raw.githubusercontent.com/nickfluxk/safeweave/main/skills/secure-before-push/SKILL.md \
  -o ~/.claude/skills/secure-before-push/SKILL.md
```

Then restart Claude Code. The skill activates automatically.

Behavior

| Severity | Action | Blocks push? |
|----------|--------|-------------|
| Critical / High | Fix immediately, re-scan | Yes |
| Medium | Warns, asks confirmation | User decides |
| Low / Info | No action | No |

Once installed, you never need to remember to scan -- it happens automatically every time you commit or push.
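The Behavior table above is a small policy, and it is worth seeing it applied to real findings. The following is an added example (not the skill's own code, which is a Markdown skill file rather than a script): it parses findings written in the format of the "Example output" section earlier in this README and decides whether a push is blocked, needs confirmation, or is allowed. The severity-to-action mapping is the table's; the parser, the `confirmed` flag, the fail-closed handling of an unknown severity, and the sample output (with a placeholder package name) are this example's own.

```javascript
// Added example (not part of the secure-before-push skill): apply the
// Behavior table's severity policy to findings in the README's output format.
// The mapping is from the table; parser, confirmed flag, fail-closed default
// and the constructed sample output are this example's own.

const POLICY = { CRITICAL: 'block', HIGH: 'block', MEDIUM: 'confirm', LOW: 'allow', INFO: 'allow' };

// Constructed sample in the README's output format (package name is a placeholder).
const SAMPLE_OUTPUT = `Found 3 issues:

1. HIGH: Hardcoded API key in src/config.ts (line 12)
   CWE-798 | Remediation: Move to environment variable

2. MEDIUM: SQL injection risk in src/db.ts (line 45)
   CWE-89 | Remediation: Use parameterized queries

3. LOW: Dependency example-dep@1.0.0 has known CVE-2021-23337
   Remediation: Upgrade to example-dep@1.0.1
`;

// "N. SEVERITY: title [in <file> (line <n>)]"
const FINDING_RE = /^\s*\d+\.\s+(CRITICAL|HIGH|MEDIUM|LOW|INFO):\s+(.+?)(?:\s+in\s+(\S+)\s+\(line\s+(\d+)\))?\s*$/;
// "   [CWE-nnn | ]Remediation: text"
const DETAIL_RE = /^\s+(?:(CWE-\d+)\s+\|\s+)?Remediation:\s+(.+?)\s*$/;

function parseFindings(text) {
  const findings = [];
  for (const line of text.split('\n')) {
    const m = FINDING_RE.exec(line);
    if (m) {
      findings.push({
        severity: m[1],
        title: m[2],
        file: m[3] || null,
        line: m[4] ? Number(m[4]) : null,
        cwe: null,
        remediation: null,
      });
      continue;
    }
    const d = DETAIL_RE.exec(line);
    if (d && findings.length > 0) {
      const last = findings[findings.length - 1]; // detail line belongs to the preceding finding
      last.cwe = d[1] || null;
      last.remediation = d[2];
    }
  }
  return findings;
}

// Decide what the pre-push gate does. `confirmed` is the user's answer to the
// medium-severity prompt; it is ignored when anything blocking is present.
function evaluatePush(findings, { confirmed = false } = {}) {
  const counts = { block: 0, confirm: 0, allow: 0 };
  for (const f of findings) {
    const action = POLICY[String(f.severity).toUpperCase()];
    counts[action || 'block'] += 1; // unknown severity: fail closed
  }
  if (counts.block > 0) {
    return { decision: 'block', reason: `${counts.block} critical/high finding(s): fix and re-scan before pushing` };
  }
  if (counts.confirm > 0 && !confirmed) {
    return { decision: 'confirm', reason: `${counts.confirm} medium finding(s): push needs explicit confirmation` };
  }
  return { decision: 'allow', reason: counts.allow > 0 ? `${counts.allow} low/info finding(s) do not block` : 'no findings' };
}

// Usage: parse the constructed sample and print the gate's decision.
console.log(evaluatePush(parseFindings(SAMPLE_OUTPUT)));
```

Treating an unrecognised severity as blocking is deliberate: a scanner output format change should make the gate stricter, not silently let everything through.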

Prompts

| Prompt | Description |
|--------|-------------|
| security_review | Conduct a security review of specific code |
| threat_model | Generate a STRIDE threat model for a system |
| secure_code_guide | Get secure coding guidelines for a topic |

License

MIT