## Package Exports

- @sixthwall/cli
- @sixthwall/cli/dist/index.js

This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (@sixthwall/cli) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.

# SixthWall
AI code security scanner · MCP-native · Fix Packs · Open source CLI
Everything Breaks Somewhere.
The security scanner built for AI-generated code. SixthWall detects vulnerabilities that Claude Code, Cursor, Copilot, and Windsurf introduce — and gives you exactly what you need to fix them.
## Quick Start

```sh
npm install -g @sixthwall/cli
sixthwall scan
```

Or run without installing:

```sh
npx @sixthwall/cli scan
```

That's it. SixthWall scans your current git diff and shows you what's vulnerable.
## The Problem
Every developer already has five security walls: authentication, authorization, firewalls, encryption, and dependency scanning.
None of them check whether the code itself is safe.
AI coding tools generate code that works — but not code that's secure. They forget auth middleware. They skip input validation. They hardcode API keys. They set CORS to accept every origin. They sign JWTs without expiration. They leave debug mode on in production.
Studies show 45% of AI-generated code contains security vulnerabilities and AI-generated code has 2.74x more vulnerabilities than human-written code.
SixthWall is the sixth wall. It watches the code itself.
## How It Works
SixthWall is a deterministic static analysis scanner, not an AI code reviewer.
It parses your code into an AST using tree-sitter, then matches it against YAML-defined detection rules targeting patterns that are unique to or disproportionately common in AI-generated code.
Same code → same result → every time. No LLM hallucinations. No inconsistent reviews. No API calls. Runs entirely on your machine.
Every finding includes a Fix Pack:
- What — plain English explanation, no jargon
- Why — what an attacker could actually do
- Fix — minimal code change to resolve it
- Claude Prompt — copy-paste into Claude Code to fix it automatically
## Features
- 15 AI-specific detection rules targeting patterns other scanners miss
- Fix Packs with every finding — what, why, how to fix, and a Claude prompt
- Security score 0–100 — track your security posture with a single number
- Diff-only scanning — scans only what changed, finishes in milliseconds
- Watch mode — scan automatically on every file save
- JSON and SARIF output — drop into any CI/CD pipeline
- MCP integration — works inside Claude Code as a native tool
- Zero config — works out of the box, customize with .sixthwall.yaml
- Fully offline — no API keys, no cloud dependency, no data leaves your machine
## CLI Commands

### sixthwall scan [path]

```sh
# Scan current git diff (default — fastest)
sixthwall scan

# Scan staged changes before committing
sixthwall scan --staged

# Full repository scan
sixthwall scan --full

# Scan a specific file or directory
sixthwall scan src/auth/login.ts
sixthwall scan ./backend/

# Only show high severity and above
sixthwall scan --severity high

# JSON output for CI pipelines
sixthwall scan --format json

# SARIF output for GitHub Code Scanning
sixthwall scan --format sarif > results.sarif

# Skip specific rules
sixthwall scan --ignore AI-CONFIG-002,AI-INJECT-001

# Compact output without fix details
sixthwall scan --no-fix-packs
```

### sixthwall watch

Automatic scanning on every file save. Watches for JS, TS, and Python changes.

```sh
sixthwall watch
```

### sixthwall init

Create a .sixthwall.yaml configuration file with sensible defaults.

```sh
sixthwall init
sixthwall init --force   # overwrite existing config
```

## Example Output
```text
SixthWall v0.1.0
Mode: diff

╭──────────────────────────────────────────────────────────────╮
│ CRITICAL AI-SECRET-001                                       │
│ Hardcoded API Key in Client Code                             │
╰──────────────────────────────────────────────────────────────╯

> src/api/stripe.ts:12
│ 12 │ const key = "sk_live_abc123def456ghi789jkl012"; ← HERE

What: An API key is hardcoded directly in your source code.

Risk: Anyone who can view your code — through browser DevTools,
      a public repo, or your built JS bundle — can steal this key
      and use it to make requests on your behalf.

Fix:  Move the secret to an environment variable:
      const key = process.env.STRIPE_SECRET_KEY;

Claude Prompt:
┌─────────────────────────────────────────────────────────────┐
│ The file src/api/stripe.ts at line 12 contains a hardcoded  │
│ secret. Move it to an environment variable. Add .env to     │
│ .gitignore if not already present.                          │
└─────────────────────────────────────────────────────────────┘

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Security Score: 35/100 ███████░░░░░░░░░░░░░ POOR
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
2 Critical · 3 High · 1 Medium
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
```

## What SixthWall Catches
### Secrets
| Rule | Severity | What It Detects |
|---|---|---|
| AI-SECRET-001 | CRITICAL | Hardcoded API keys — OpenAI, Stripe, AWS, and generic patterns |
| AI-SECRET-002 | HIGH | process.env variables exposed in client-side bundles |
| AI-SECRET-003 | HIGH | dotenv loaded but .env not in .gitignore |
### Authentication
| Rule | Severity | What It Detects |
|---|---|---|
| AI-AUTH-001 | HIGH | Express/Hono routes without authentication middleware |
| AI-AUTH-002 | CRITICAL | Auth checks in client-side code only (localStorage) |
| AI-AUTH-003 | HIGH | JWT tokens signed without expiration |
| AI-AUTH-004 | MEDIUM | Cookies set without httpOnly, secure, or sameSite flags |
| AI-AUTH-005 | CRITICAL | Passwords stored or compared in plain text |
### Injection
| Rule | Severity | What It Detects |
|---|---|---|
| AI-INJECT-001 | HIGH | req.body / req.query / req.params used without validation |
| AI-INJECT-002 | CRITICAL | SQL queries built with string concatenation using user input |
### Configuration
| Rule | Severity | What It Detects |
|---|---|---|
| AI-CONFIG-001 | HIGH | CORS set to origin: '*' — any website can call your API |
| AI-CONFIG-002 | MEDIUM | Debug or verbose mode left enabled |
| AI-CONFIG-003 | MEDIUM | Login and auth routes without rate limiting |
| AI-CONFIG-004 | MEDIUM | Error stack traces and internal details leaked to clients |
### Headers
| Rule | Severity | What It Detects |
|---|---|---|
| AI-HEADER-001 | MEDIUM | Express app running without helmet or manual security headers |
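The rule tables above and the "How It Works" section describe one pipeline: rules expressed as data, matched deterministically against parsed code, with every match carrying a Fix Pack. The JavaScript below is an added example written for this page, not SixthWall's own code. It stands a line-oriented regular-expression matcher in for the tree-sitter AST matching the tool actually performs, borrows four rule IDs and severities from the tables (AI-SECRET-001, AI-CONFIG-001, AI-AUTH-003, AI-AUTH-004) while the patterns, Fix Pack wording and the function names `scanSource`, `summarize` and `isDeterministic` are this example's own, and runs over a constructed sample file in which each vulnerable line is followed by its hardened form.

```javascript
// Added example, not SixthWall's own code: a miniature deterministic scanner
// in the spirit of the README's "How It Works" section and rule tables.
// SixthWall matches tree-sitter AST nodes against YAML rules; here each rule
// is a plain object with a regular expression over one source line, which is
// enough to show the pipeline: rules as data -> findings with Fix Packs ->
// the same input always yields the same output. Rule IDs and severities come
// from the README; the patterns and Fix Pack text are this example's own.

const RULES = [
  {
    id: "AI-SECRET-001",
    severity: "CRITICAL",
    what: "An API key is hardcoded directly in the source code.",
    // Stripe-style live secret key literal; the key shape is illustrative.
    pattern: /["'`]sk_live_[A-Za-z0-9]{8,}["'`]/,
    fix: "Move the secret to an environment variable and add .env to .gitignore.",
  },
  {
    id: "AI-CONFIG-001",
    severity: "HIGH",
    what: "CORS is configured to accept requests from any origin.",
    pattern: /cors\(\s*\{[^}]*origin\s*:\s*["'`]\*["'`]/,
    fix: "Replace origin: '*' with an explicit allowlist of trusted origins.",
  },
  {
    id: "AI-AUTH-003",
    severity: "HIGH",
    what: "A JWT is signed without an expiration.",
    pattern: /jwt\.sign\(/,
    // A match becomes a finding only when at least one required token is absent.
    requires: ["expiresIn"],
    fix: "Pass { expiresIn: '15m' } (or similar) as the options argument to jwt.sign.",
  },
  {
    id: "AI-AUTH-004",
    severity: "MEDIUM",
    what: "A cookie is set without the httpOnly, secure and sameSite flags.",
    pattern: /res\.cookie\(/,
    requires: ["httpOnly", "secure", "sameSite"],
    fix: "Set httpOnly: true, secure: true and sameSite: 'strict' (or 'lax') on the cookie.",
  },
];

// Scan one file's text. Returns findings in source order; each carries a Fix
// Pack (what / fix) and, for rules with `requires`, the list of missing tokens.
function scanSource(file, source, rules = RULES) {
  const findings = [];
  source.split("\n").forEach((text, i) => {
    for (const rule of rules) {
      if (!rule.pattern.test(text)) continue;
      const missing = (rule.requires || []).filter((tok) => !text.includes(tok));
      if (rule.requires && missing.length === 0) continue; // every required flag present
      findings.push({
        rule: rule.id,
        severity: rule.severity,
        file,
        line: i + 1,
        fixPack: { what: rule.what, fix: rule.fix, missing },
      });
    }
  });
  return findings;
}

// Count findings per severity, like the summary line in the README's example output.
function summarize(findings) {
  const counts = { CRITICAL: 0, HIGH: 0, MEDIUM: 0, LOW: 0 };
  for (const f of findings) counts[f.severity] += 1;
  return counts;
}

// Determinism check: two runs over the same input must serialize identically.
function isDeterministic(file, source) {
  return JSON.stringify(scanSource(file, source)) === JSON.stringify(scanSource(file, source));
}

// Constructed sample file: four vulnerable lines, each followed later by its
// hardened counterpart, which must produce no findings.
const SAMPLE_FILE = `
import express from "express";
import cors from "cors";
import jwt from "jsonwebtoken";
const app = express();
// Vulnerable forms (one finding each):
const key = "sk_live_abc123def456ghi789jkl012";
app.use(cors({ origin: "*" }));
const token = jwt.sign({ sub: user.id }, secret);
res.cookie("session", token);
// Hardened forms (no findings):
const safeKey = process.env.STRIPE_SECRET_KEY;
app.use(cors({ origin: ["https://app.example.com"] }));
const safeToken = jwt.sign({ sub: user.id }, secret, { expiresIn: "15m" });
res.cookie("session", safeToken, { httpOnly: true, secure: true, sameSite: "strict" });
`;

const findings = scanSource("src/server.ts", SAMPLE_FILE);
for (const f of findings) {
  console.log(`${f.severity.padEnd(8)} ${f.rule} ${f.file}:${f.line}  ${f.fixPack.what}`);
}
console.log(summarize(findings), "deterministic:", isDeterministic("src/server.ts", SAMPLE_FILE));
```

Running it reports exactly four findings, on lines 7 to 10 of the sample, and none on the hardened lines; the `missing` list on the cookie finding names the three absent flags, which is the kind of detail a Fix Pack needs so the fix can be stated precisely. A single-line matcher like this cannot see a `jwt.sign` whose options object sits on the next line, which is one reason the real tool works on an AST rather than on text.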
## MCP Integration — Claude Code
SixthWall works as an MCP tool inside Claude Code. Scan your code and fix vulnerabilities in the same conversation.
Add to your MCP config (~/.claude/claude_desktop_config.json):

```json
{
  "mcpServers": {
    "sixthwall": {
      "command": "npx",
      "args": ["-y", "@sixthwall/mcp-server"]
    }
  }
}
```

Then ask Claude: "Scan my code for security issues" or "What's my security score?"
Three tools are available:

| Tool | What It Does |
|---|---|
| scan_code | Scan diff, staged, or full repo. Returns findings with Fix Packs. |
| explain_finding | Explain any rule by ID — what it detects, why it matters, how to fix. |
| security_score | Current 0–100 score with grade and severity breakdown. |
See @sixthwall/mcp-server for full MCP documentation.
## Configuration

Create .sixthwall.yaml in your project root:

```yaml
version: 1

# Block CI when these severities are found (exit code 1)
block_on:
  - critical
  - high

# Rules to skip
ignored_rules: []

# Paths to exclude
exclude:
  - "node_modules/**"
  - "dist/**"
  - "test/**"
  - "**/*.test.ts"

# Minimum severity to show
severity_threshold: low
```

Generate defaults with sixthwall init.
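The four configuration keys above are a filter and a policy: `exclude` and `ignored_rules` drop findings, `severity_threshold` hides the rest below a level, and `block_on` turns what remains into an exit code. The JavaScript below is an added example written for this page, not SixthWall's code, showing one way those keys can be applied to a list of findings. The config is written as a JS literal instead of parsed YAML so it runs with no dependencies; the function names (`globToRegExp`, `applyPolicy`, `securityScore`), the findings list, the placeholder rule `EXAMPLE-LOW-001` and the scoring weights are all this example's own assumptions, and the weights deliberately do not reproduce the 35/100 shown in the README's example output.

```javascript
// Added example, not SixthWall's own code: applying a .sixthwall.yaml-style
// policy to a list of findings. The keys (block_on, ignored_rules, exclude,
// severity_threshold) mirror the README; the policy is a JS literal rather
// than parsed YAML so the example runs with no dependencies. The scoring
// weights are invented for the example and are not SixthWall's formula.

const SEVERITY_RANK = { low: 0, medium: 1, high: 2, critical: 3 };

// Same shape as the README's .sixthwall.yaml, with one ignored rule and a
// medium threshold so that every filter is exercised.
const CONFIG = {
  version: 1,
  block_on: ["critical", "high"],
  ignored_rules: ["AI-CONFIG-002"],
  exclude: ["node_modules/**", "dist/**", "test/**", "**/*.test.ts"],
  severity_threshold: "medium",
};

// Translate a glob into an anchored RegExp: "**" spans directories, "*" stays
// within one path segment, everything else is literal.
function globToRegExp(glob) {
  let re = "";
  for (let i = 0; i < glob.length; i++) {
    if (glob.startsWith("**/", i)) { re += "(?:.*/)?"; i += 2; }
    else if (glob.startsWith("**", i)) { re += ".*"; i += 1; }
    else if (glob[i] === "*") re += "[^/]*";
    else re += glob[i].replace(/[.+^${}()|[\]\\?]/g, "\\$&");
  }
  return new RegExp("^" + re + "$");
}

// Drop ignored rules, excluded paths and findings under the threshold, then
// derive the exit code from block_on (exit 1 blocks CI, as the README says).
function applyPolicy(findings, config) {
  const excluded = config.exclude.map(globToRegExp);
  const ignored = new Set(config.ignored_rules);
  const threshold = SEVERITY_RANK[config.severity_threshold];
  const kept = findings.filter(
    (f) => !ignored.has(f.rule) &&
      !excluded.some((re) => re.test(f.file)) &&
      SEVERITY_RANK[f.severity] >= threshold,
  );
  const blocking = kept.filter((f) => config.block_on.includes(f.severity));
  return { kept, blocking, exitCode: blocking.length > 0 ? 1 : 0 };
}

// Illustrative 0-100 score: start at 100 and subtract a weight per finding.
// These weights are invented for the example, not SixthWall's formula.
const WEIGHT = { critical: 20, high: 10, medium: 5, low: 1 };
function securityScore(findings) {
  const penalty = findings.reduce((sum, f) => sum + WEIGHT[f.severity], 0);
  return Math.max(0, 100 - penalty);
}

// Constructed findings (severity lowercased to match the config keys). Rule IDs
// are from the README's tables except EXAMPLE-LOW-001, a placeholder: the README
// lists no low-severity rule, but one is needed to show the threshold filter.
const FINDINGS = [
  { rule: "AI-SECRET-001", severity: "critical", file: "src/api/stripe.ts", line: 12 },
  { rule: "AI-AUTH-003", severity: "high", file: "src/auth/token.ts", line: 40 },
  { rule: "AI-CONFIG-002", severity: "medium", file: "src/server.ts", line: 3 }, // in ignored_rules
  { rule: "AI-AUTH-004", severity: "medium", file: "src/auth/login.test.ts", line: 9 }, // matches **/*.test.ts
  { rule: "AI-HEADER-001", severity: "medium", file: "dist/index.js", line: 1 }, // matches dist/**
  { rule: "AI-CONFIG-004", severity: "medium", file: "src/server.ts", line: 58 }, // kept
  { rule: "EXAMPLE-LOW-001", severity: "low", file: "src/util.ts", line: 2 }, // below threshold
];

const result = applyPolicy(FINDINGS, CONFIG);
console.log("kept:", result.kept.map((f) => `${f.rule} ${f.file}:${f.line}`));
console.log("score:", securityScore(result.kept), "exit code:", result.exitCode);
```

Three of the seven constructed findings survive the filters and two of those are in `block_on`, so the run exits 1. Note the edge case the README's default `block_on` list already guards against: `block_on` is a literal list, not a minimum, so a configuration listing only `high` would let a critical finding through with exit code 0.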
## CI/CD Integration

### GitHub Actions

```yaml
- name: SixthWall Security Scan
  run: npx @sixthwall/cli scan --full --format sarif > sixthwall.sarif

- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: sixthwall.sarif
```

Because a blocking finding makes the scan step exit 1, and GitHub Actions skips the remaining steps of a failed job unless they carry `if: always()`, add that condition to the upload step if the SARIF should reach Code Scanning even when the scan fails.

### Pre-commit Hook

```sh
#!/bin/sh
# .git/hooks/pre-commit
npx @sixthwall/cli scan --staged --severity high
```

If any high or critical findings are detected, the commit is blocked.
## Why Not Just Use Snyk / Semgrep / CodeRabbit?

| | SixthWall | Traditional Scanners | AI Code Reviewers |
|---|---|---|---|
| Built for AI-generated code | ✅ Rules target AI patterns | ❌ Built for human-written code | Partially |
| Deterministic | ✅ Same code = same result | ✅ | ❌ LLM output varies |
| Fix Packs with Claude prompts | ✅ | ❌ Generic alerts | ❌ |
| MCP-native (Claude Code) | ✅ | ❌ | ❌ |
| Works offline | ✅ | Varies | ❌ Needs API |
| Free Layer 1 | ✅ | Freemium | Paid |
SixthWall isn't replacing your dependency scanner. It's catching the vulnerabilities they can't see — the ones in the code AI just wrote for you.
45% of AI-generated code has security flaws. SixthWall catches them before attackers do.
## Frequently Asked Questions

### Is SixthWall free?

The CLI and MCP server (Layer 1) are completely free. Install with npm install -g @sixthwall/cli and scan unlimited files with all 15 rules. The cloud platform (Layer 2 and 3) with GitHub PR scanning, runtime pentesting, and dashboards is a paid service.

### What's the best security scanner for AI-generated code?

SixthWall is purpose-built for AI-generated code. Traditional scanners like Snyk and Semgrep were designed for human-written code. SixthWall's rules specifically target patterns that Claude Code, Cursor, Copilot, and Windsurf generate — like missing auth middleware, hardcoded secrets, JWT without expiration, and overly permissive CORS.

### How do I secure my vibe coding project?

Install SixthWall (npx @sixthwall/cli scan --full) and run a full scan. It checks for 15 vulnerability patterns common in AI-generated code and gives you Fix Packs with exact instructions to resolve each one, including Claude prompts you can paste to fix issues automatically.

### Does SixthWall work with Claude Code?

Yes. SixthWall has a native MCP server (@sixthwall/mcp-server) that integrates directly with Claude Code. Claude can scan your code, explain findings, and apply fixes — all in the same conversation.

### How is SixthWall different from CodeRabbit or AI code review tools?

CodeRabbit and similar tools use LLMs to review code — their results vary between runs and they can hallucinate issues. SixthWall is deterministic: it uses tree-sitter AST parsing with YAML-defined rules. Same code produces the same findings every time. No API calls, no cloud dependency, runs entirely offline.

### What languages does SixthWall support?

JavaScript, TypeScript (including JSX/TSX), and Python. More languages are planned.