AI Code Security Platform

Frequently asked questions

Straight answers about how SafeWeave secures AI-generated code — the scanners, the editors, MCP, pricing, and self-hosting. Built for developers shipping code with AI assistants.

What is SafeWeave?

SafeWeave is an AI Code Security Platform purpose-built for AI-generated code. It runs 8 specialized security scanners locally on your machine and integrates directly into AI code editors through the Model Context Protocol (MCP), so your AI assistant can scan and fix vulnerabilities as it writes code. SafeWeave is open-core (MIT licensed) and available at https://github.com/nickfluxk/safeweave.

How does SafeWeave secure AI-generated code?

When your AI assistant generates code, SafeWeave scans it with 8 scanners in parallel — covering static analysis, dependencies, secrets, infrastructure-as-code, and more — and returns ranked findings with severity and file location. Because SafeWeave is MCP-native, your AI editor receives those findings as structured tool output and can apply the suggested fix immediately, closing the loop between generation and security review.

Which AI editors does SafeWeave support?

SafeWeave works with any MCP-compatible AI editor, including Cursor, Claude Code, VS Code (with GitHub Copilot agent mode), and Windsurf. You add it once as an MCP server and your assistant can call security scans directly inside your normal workflow.

Does my code leave my machine?

No. The SafeWeave MCP server runs locally via npx safeweave-mcp, and the scanners execute on your machine. Source code is never stored. In self-hosted mode your code stays local; only license verification touches our servers.

What are the 8 scanners?

SafeWeave bundles 8 specialized scanners built on trusted open-source engines: static application security testing (SAST), dependency/SCA scanning, secret detection, infrastructure-as-code scanning, container scanning, dynamic checks (DAST), and posture checks. The engines underneath include Semgrep, Trivy, Gitleaks, and Nuclei.

How fast is a scan?

A typical project scan completes in about 12 seconds because all scanners run in parallel. Results come back ranked by severity so the most important issues surface first.

How many rules does SafeWeave use?

SafeWeave ships with 300+ security rules across its scanners, drawn from open-source rule sets like Semgrep plus its own curated patterns for the vulnerability classes most common in AI-generated code (SQL injection, XSS, SSRF, path traversal, and more).

What is MCP and why does it matter?

MCP (Model Context Protocol) is an open standard that lets AI assistants call external tools. SafeWeave is MCP-native: it registers as a tool your AI editor can invoke, so scanning becomes part of the conversation instead of a separate step. Add it with `claude mcp add safeweave -- npx -y safeweave-mcp` or run `npx safeweave-mcp` directly.

How do I install SafeWeave?

Run `npx safeweave-mcp` to start the MCP server locally, or register it with Claude Code in one command: `claude mcp add safeweave -- npx -y safeweave-mcp`. No signup is required for the free tier.

Is there a free tier? How is it priced?

Yes. SafeWeave is open-core (MIT) with a free self-hosted tier that requires no signup. Paid tiers unlock all 8 scanners, compliance profiles, and scan history. See the pricing page for current plan details.

Can I use SafeWeave in CI/CD?

Yes. Because SafeWeave runs through a single npx command on Node.js, it works in GitHub Actions, GitLab CI, CircleCI, Jenkins, and any pipeline that supports Node. Add `npx safeweave-mcp` as a step to scan on every push or pull request.

How is SafeWeave different from traditional AppSec tools?

Traditional AppSec tools are built for human-driven workflows and bolt scanning on as a separate dashboard or CI gate. SafeWeave is purpose-built for AI-generated code and is MCP-native, so the AI that writes the code is the same agent that scans and fixes it — in real time, locally, before the code is ever committed.

Can I self-host SafeWeave?

Yes. SafeWeave is designed to run locally on your machine via npx, so self-hosting is the default mode. The core is open-source under the MIT license at https://github.com/nickfluxk/safeweave. Only license verification for paid features contacts our servers.

Is SafeWeave open source?

SafeWeave follows an open-core model and the core is MIT licensed. The source is available at https://github.com/nickfluxk/safeweave, and the scanners are built on established open-source engines including Semgrep, Trivy, Gitleaks, and Nuclei.

What languages and frameworks does SafeWeave scan?

SafeWeave inherits broad language coverage from its underlying engines. Semgrep alone supports JavaScript, TypeScript, Python, Go, Java, Ruby, and more, while Trivy and Gitleaks operate across languages and config formats. Dependency, secret, container, and IaC scanning are language-agnostic.

How do I get started?

Add SafeWeave to your AI editor with `npx safeweave-mcp` (or `claude mcp add safeweave -- npx -y safeweave-mcp`), then ask your assistant to scan your project. Review the ranked findings and have your assistant apply the suggested fixes. No signup is needed to start on the free tier.

Start scanning AI-generated code

Add SafeWeave to your AI editor with one command and let your assistant scan and fix vulnerabilities as it writes code. No signup required for the free tier.

npx safeweave-mcp