JSPM

@sixthwall/cli

0.2.1
  • Downloads 4
  • License UNLICENSED

Security scanner for AI-generated code. Detect vulnerabilities in Claude Code, Cursor, and Copilot output. Fix Packs with Claude prompts included.

Package Exports

  • @sixthwall/cli
  • @sixthwall/cli/dist/index.js

This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (@sixthwall/cli) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.

Readme

SixthWall

AI code security scanner · MCP-native · Fix Packs · built for vibe coders

Everything Breaks Somewhere.

The security scanner built for AI-generated code. SixthWall detects vulnerabilities that Claude Code, Cursor, Copilot, and Windsurf introduce — and gives you exactly what you need to fix them.

Quick Start

npx @sixthwall/cli init

That's it. One command sets up everything:

  • Configure your MCP server so Claude Code scans as you code
  • Update your CLAUDE.md so AI auto-fixes security issues
  • Install a pre-commit hook that blocks critical vulnerabilities
  • Detect and configure Cursor / Windsurf if present
  • Create a .sixthwall/ignore file for path and rule exclusions
  • Run your first security scan immediately

After init, keep coding normally. SixthWall works in the background.

Or scan directly without setup:

npx @sixthwall/cli scan

The Problem

Every developer already has five security walls: authentication, authorization, firewalls, encryption, and dependency scanning.

None of them check whether the code itself is safe.

AI coding tools generate code that works — but not code that's secure. They forget auth middleware. They skip input validation. They hardcode API keys. They set CORS to accept every origin. They sign JWTs without expiration. They leave debug mode on in production.

Studies show 45% of AI-generated code contains security vulnerabilities and AI-generated code has 2.74x more vulnerabilities than human-written code.

SixthWall is the sixth wall. It watches the code itself.


How It Works

SixthWall operates through three automatic layers after setup:

| Layer | When It Runs | You Do |
| --- | --- | --- |
| MCP + CLAUDE.md | Every time your AI writes code | Nothing — AI scans and fixes proactively |
| Pre-commit hook | Every git commit | Nothing — blocks critical issues automatically |
| GitHub Action | Every push/PR (optional) | Nothing — CI catches what local missed |

SixthWall is a deterministic static analysis scanner, not an AI code reviewer.

It parses your code into an AST using tree-sitter, then matches it against YAML-defined detection rules targeting patterns that are unique to or disproportionately common in AI-generated code.

Same code, same result, every time. No LLM hallucinations. No inconsistent reviews. No API calls. Runs entirely on your machine.

Every finding includes a Fix Pack:

  • What — plain English explanation, no jargon
  • Why — what an attacker could actually do
  • Fix — minimal code change to resolve it
  • Claude Prompt — copy-paste into Claude Code to fix it automatically

Features

  • 15 AI-specific detection rules targeting patterns other scanners miss
  • Fix Packs with every finding — what, why, how to fix, and a Claude prompt
  • Security score 0–100 — track your security posture with a single number
  • Zero-friction init — one command sets up MCP, hooks, IDE rules, and runs a first scan
  • Diff-only scanning — scans only what changed, finishes in milliseconds
  • Watch mode — scan automatically on every file save
  • Pre-commit hook — blocks vulnerabilities before they're committed
  • JSON and SARIF output — drop into any CI/CD pipeline
  • MCP integration — works inside Claude Code as a native tool
  • Ignore file — exclude paths, files, or specific rules from scanning
  • Status command — check setup health and last scan results at a glance
  • Zero config — works out of the box, customize with .sixthwall.yaml
  • Fully offline — no API keys, no cloud dependency, no data leaves your machine

CLI Commands

sixthwall init

One-time setup. Configures MCP server, CLAUDE.md, IDE rules, pre-commit hook, ignore file, and runs a first scan.

sixthwall init                 # full setup
sixthwall init --force         # re-initialize, overwrite existing config
sixthwall init --github-action # only add GitHub Actions workflow

sixthwall scan [path]

# Scan current git diff (default — fastest)
sixthwall scan

# Scan staged changes before committing
sixthwall scan --staged

# Full repository scan
sixthwall scan --full

# Scan a specific file or directory
sixthwall scan src/auth/login.ts
sixthwall scan ./backend/

# Only show high severity and above
sixthwall scan --severity high

# JSON output for CI pipelines
sixthwall scan --format json

# SARIF output for GitHub Code Scanning
sixthwall scan --format sarif > results.sarif

# Skip specific rules
sixthwall scan --ignore AI-CONFIG-002,AI-INJECT-001

# Compact output without fix details
sixthwall scan --no-fix-packs

sixthwall status

Check integration health, last scan results, and security score.

sixthwall status

sixthwall watch

Automatic scanning on every file save. Watches for JS, TS, and Python changes.

sixthwall watch

sixthwall remove

Clean uninstall. Removes all SixthWall configuration, hooks, and IDE integrations.

sixthwall remove        # prompts for confirmation
sixthwall remove --yes  # skip confirmation

Example Output

  SixthWall v0.2.0
  Mode: diff

  ╭──────────────────────────────────────────────────────────────╮
  │   CRITICAL   AI-SECRET-001                                    │
  │  Hardcoded API Key in Client Code                             │
  ╰──────────────────────────────────────────────────────────────╯

  > src/api/stripe.ts:12

  │ 12 │ const key = "sk_live_abc123def456ghi789jkl012";  ← HERE

  What: An API key is hardcoded directly in your source code.

  Risk: Anyone who can view your code — through browser DevTools,
        a public repo, or your built JS bundle — can steal this key
        and use it to make requests on your behalf.

  Fix:  Move the secret to an environment variable:
        const key = process.env.STRIPE_SECRET_KEY;

  Claude Prompt:
  ┌─────────────────────────────────────────────────────────────┐
  │ The file src/api/stripe.ts at line 12 contains a hardcoded │
  │ secret. Move it to an environment variable. Add .env to     │
  │ .gitignore if not already present.                          │
  └─────────────────────────────────────────────────────────────┘

  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
  Security Score: 35/100  ███████░░░░░░░░░░░░░ POOR
  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
  2 Critical · 3 High · 1 Medium
  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

What SixthWall Catches

Secrets

| Rule | Severity | What It Detects |
| --- | --- | --- |
| AI-SECRET-001 | CRITICAL | Hardcoded API keys — OpenAI, Stripe, AWS, and generic patterns |
| AI-SECRET-002 | HIGH | process.env variables exposed in client-side bundles |
| AI-SECRET-003 | HIGH | dotenv loaded but .env not in .gitignore |

Authentication

| Rule | Severity | What It Detects |
| --- | --- | --- |
| AI-AUTH-001 | HIGH | Express/Hono routes without authentication middleware |
| AI-AUTH-002 | CRITICAL | Auth checks in client-side code only (localStorage) |
| AI-AUTH-003 | HIGH | JWT tokens signed without expiration |
| AI-AUTH-004 | MEDIUM | Cookies set without httpOnly, secure, or sameSite flags |
| AI-AUTH-005 | CRITICAL | Passwords stored or compared in plain text |

Injection

| Rule | Severity | What It Detects |
| --- | --- | --- |
| AI-INJECT-001 | HIGH | req.body / req.query / req.params used without validation |
| AI-INJECT-002 | CRITICAL | SQL queries built with string concatenation using user input |

Configuration

| Rule | Severity | What It Detects |
| --- | --- | --- |
| AI-CONFIG-001 | HIGH | CORS set to origin: '*' — any website can call your API |
| AI-CONFIG-002 | MEDIUM | Debug or verbose mode left enabled |
| AI-CONFIG-003 | MEDIUM | Login and auth routes without rate limiting |
| AI-CONFIG-004 | MEDIUM | Error stack traces and internal details leaked to clients |

Headers

| Rule | Severity | What It Detects |
| --- | --- | --- |
| AI-HEADER-001 | MEDIUM | Express app running without helmet or manual security headers |
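
To make the "deterministic static analysis" claim from How It Works concrete, here is an added example that is not the project's code: a deliberately simplified, line-based stand-in for rule matching, run over a constructed vulnerable snippet and its hardened counterpart. SixthWall itself matches YAML rules against a tree-sitter AST; the regex rules below, the placeholder key value and the sample source are assumptions written for this illustration, and they only see one line at a time, so a multi-line `jwt.sign(...)` call would slip past them where an AST rule would not.

```javascript
// Added example, not the project's code: a deliberately simplified, line-based
// stand-in for the deterministic rule matching the README describes. The real
// scanner matches YAML rules against a tree-sitter AST; the regex rules below
// are assumptions for this illustration and only see one line at a time.

const RULES = [
  {
    id: "AI-SECRET-001", severity: "CRITICAL", title: "Hardcoded API key",
    // Stripe-style sk_live_/sk_test_ keys and AWS access key IDs inside a string literal
    pattern: /["'](?:sk_(?:live|test)_[A-Za-z0-9]{8,}|AKIA[0-9A-Z]{16})["']/,
  },
  {
    id: "AI-AUTH-003", severity: "HIGH", title: "JWT signed without expiration",
    // jwt.sign(...) whose argument list never mentions expiresIn
    pattern: /jwt\.sign\(([^)]*)\)/,
    check: (m) => !/expiresIn/.test(m[1]),
  },
  {
    id: "AI-CONFIG-001", severity: "HIGH", title: "CORS origin set to '*'",
    pattern: /cors\(\s*\{[^}]*origin\s*:\s*["']\*["']/,
  },
  {
    id: "AI-AUTH-004", severity: "MEDIUM", title: "Cookie set without httpOnly, secure and sameSite",
    // res.cookie(...) whose options do not set all three flags
    pattern: /res\.cookie\(([^)]*)\)/,
    check: (m) => !(/httpOnly/.test(m[1]) && /secure/.test(m[1]) && /sameSite/.test(m[1])),
  },
];

// Run every rule over every line. The result depends only on the input text:
// no model, no network, so two scans of the same source always agree.
function scanSource(filePath, source) {
  const findings = [];
  source.split("\n").forEach((text, idx) => {
    for (const rule of RULES) {
      const m = rule.pattern.exec(text);
      if (!m || (rule.check && !rule.check(m))) continue;
      findings.push({ ruleId: rule.id, severity: rule.severity, title: rule.title, file: filePath, line: idx + 1 });
    }
  });
  return findings;
}

// Constructed sample: the vulnerable form of four patterns from the rule tables
// (the key value is a placeholder, not a real credential).
const SAMPLE_VULNERABLE = [
  'const key = "sk_live_PLACEHOLDER0000";',
  'app.use(cors({ origin: "*" }));',
  'const token = jwt.sign({ sub: user.id }, SECRET);',
  'res.cookie("session", token);',
].join("\n");

// Constructed sample: the same four lines in the form the Fix Packs would steer you towards.
const SAMPLE_HARDENED = [
  'const key = process.env.STRIPE_SECRET_KEY;',
  'app.use(cors({ origin: ["https://app.example.com"] }));',
  'const token = jwt.sign({ sub: user.id }, SECRET, { expiresIn: "1h" });',
  'res.cookie("session", token, { httpOnly: true, secure: true, sameSite: "strict" });',
].join("\n");

console.log(JSON.stringify(scanSource("src/server.ts", SAMPLE_VULNERABLE), null, 2));
console.log("hardened findings:", scanSource("src/server.ts", SAMPLE_HARDENED).length);
```

The vulnerable sample yields exactly one finding per line, in rule-table order, and the hardened sample yields none; the `check` callbacks are where a real rule does the work an AST makes reliable, such as knowing that the third argument of `jwt.sign` is the options object rather than searching the whole line for a substring.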

MCP Integration — Claude Code

SixthWall works as an MCP tool inside Claude Code. sixthwall init configures this automatically.

Or add to your MCP config manually (~/.claude/claude_desktop_config.json):

{
  "mcpServers": {
    "sixthwall": {
      "command": "npx",
      "args": ["-y", "@sixthwall/mcp-server"]
    }
  }
}

Then ask Claude: "Scan my code for security issues" or "What's my security score?"

Three tools are available:

| Tool | What It Does |
| --- | --- |
| scan_code | Scan diff, staged, or full repo. Returns findings with Fix Packs. |
| explain_finding | Explain any rule by ID — what it detects, why it matters, how to fix. |
| security_score | Current 0–100 score with grade and severity breakdown. |

See @sixthwall/mcp-server for full MCP documentation.


Ignoring Files or Rules

After init, edit .sixthwall/ignore:

# Ignore paths
tests/fixtures/**
*.test.ts

# Ignore a rule on a specific file
src/legacy-api.ts:AI-AUTH-003

# Ignore a rule globally
*:AI-CONFIG-002

Three formats: path/glob, file:RULE-ID, *:RULE-ID.


Configuration

Create .sixthwall.yaml in your project root (or run sixthwall init):

version: 1

# Block CI when these severities are found (exit code 1)
block_on:
  - critical
  - high

# Rules to skip
ignored_rules: []

# Paths to exclude
exclude:
  - "node_modules/**"
  - "dist/**"
  - "test/**"
  - "**/*.test.ts"

# Minimum severity to show
severity_threshold: low
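
The ignore file above has three line formats and the configuration has four fields that decide which findings are shown and whether CI fails. The following is an added example, not the project's code, that parses the README's ignore file, applies the README's `.sixthwall.yaml` values, and computes the exit code over a constructed set of findings. The YAML is represented as a plain object because no YAML library is assumed to be installed; the glob matching (including the assumption that a pattern without a slash matches a file's basename) and the precedence between ignore file and config are assumptions for this illustration.

```javascript
// Added example, not the project's code: parse .sixthwall/ignore (path/glob,
// file:RULE-ID, *:RULE-ID), apply the .sixthwall.yaml settings, and decide the
// CI exit code. Matching semantics are assumptions for this illustration.

const SEVERITY_RANK = { low: 0, medium: 1, high: 2, critical: 3 };

// Convert a glob ("**", "*", "?") into a RegExp over forward-slash paths.
function globToRegExp(glob) {
  let re = "^";
  for (let i = 0; i < glob.length; i++) {
    const c = glob[i];
    if (c === "*") {
      if (glob[i + 1] === "*") {
        // "**/" matches zero or more directory segments; a trailing "**" matches the rest
        if (glob[i + 2] === "/") { re += "(?:.*/)?"; i += 2; } else { re += ".*"; i += 1; }
      } else {
        re += "[^/]*";
      }
    } else if (c === "?") {
      re += "[^/]";
    } else {
      re += c.replace(/[.+^${}()|[\]\\]/g, "\\$&");
    }
  }
  return new RegExp(re + "$");
}

// Assumption: a pattern without "/" (e.g. "*.test.ts") is matched against the basename.
function matchesGlob(glob, filePath) {
  const subject = glob.includes("/") ? filePath : filePath.split("/").pop();
  return globToRegExp(glob).test(subject);
}

// Parse the ignore file into its three kinds of entry; "#" lines and blanks are skipped.
function parseIgnoreFile(text) {
  const paths = [], fileRules = [], globalRules = new Set();
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const sep = line.lastIndexOf(":");
    if (sep === -1) { paths.push(line); continue; }          // path/glob
    const target = line.slice(0, sep), ruleId = line.slice(sep + 1);
    if (target === "*") globalRules.add(ruleId);             // *:RULE-ID
    else fileRules.push({ glob: target, ruleId });           // file:RULE-ID
  }
  return { paths, fileRules, globalRules };
}

function isSuppressed(finding, ignore, config) {
  if (config.ignored_rules.includes(finding.ruleId)) return true;
  if (ignore.globalRules.has(finding.ruleId)) return true;
  if (config.exclude.some((g) => matchesGlob(g, finding.file))) return true;
  if (ignore.paths.some((g) => matchesGlob(g, finding.file))) return true;
  return ignore.fileRules.some((fr) => fr.ruleId === finding.ruleId && matchesGlob(fr.glob, finding.file));
}

// Apply severity_threshold, then block_on. Returns the findings to print and the exit code.
function gate(findings, ignore, config) {
  const threshold = SEVERITY_RANK[config.severity_threshold];
  const shown = findings.filter((f) =>
    !isSuppressed(f, ignore, config) && SEVERITY_RANK[f.severity.toLowerCase()] >= threshold);
  const blocking = shown.some((f) => config.block_on.includes(f.severity.toLowerCase()));
  return { shown, exitCode: blocking ? 1 : 0 };
}

// Constructed inputs: the README's ignore file and .sixthwall.yaml, plus five made-up findings.
const SAMPLE_IGNORE = `
# Ignore paths
tests/fixtures/**
*.test.ts

# Ignore a rule on a specific file
src/legacy-api.ts:AI-AUTH-003

# Ignore a rule globally
*:AI-CONFIG-002
`;

const SAMPLE_CONFIG = {
  version: 1,
  block_on: ["critical", "high"],
  ignored_rules: [],
  exclude: ["node_modules/**", "dist/**", "test/**", "**/*.test.ts"],
  severity_threshold: "low",
};

const SAMPLE_FINDINGS = [
  { ruleId: "AI-SECRET-001", severity: "CRITICAL", file: "tests/fixtures/keys.ts", line: 3 }, // path ignored
  { ruleId: "AI-AUTH-003", severity: "HIGH", file: "src/legacy-api.ts", line: 40 },           // file:RULE-ID ignored
  { ruleId: "AI-AUTH-003", severity: "HIGH", file: "src/auth/login.ts", line: 12 },            // shown, blocks
  { ruleId: "AI-CONFIG-002", severity: "MEDIUM", file: "src/server.ts", line: 8 },             // globally ignored
  { ruleId: "AI-HEADER-001", severity: "MEDIUM", file: "src/server.ts", line: 1 },             // shown, not blocking
];

const result = gate(SAMPLE_FINDINGS, parseIgnoreFile(SAMPLE_IGNORE), SAMPLE_CONFIG);
console.log(result.shown.map((f) => `${f.file}:${f.line} ${f.ruleId}`).join("\n"), "\nexit code:", result.exitCode);
```

With these inputs two findings survive and the HIGH one trips `block_on`, so the exit code is 1; changing `block_on` to `["critical"]` alone would let the same scan pass, which is worth checking before loosening that list in CI.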

CI/CD Integration

GitHub Actions

sixthwall init can generate this for you (--github-action). Or add manually:

- name: SixthWall Security Scan
  run: npx @sixthwall/cli scan --full --format sarif > sixthwall.sarif

- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: sixthwall.sarif
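
The upload step above only works if the file written by `--format sarif` is a well-formed SARIF 2.1.0 log. As an added example that is not the project's code, the function below builds such a log from constructed findings: the field names follow the SARIF 2.1.0 specification, while the severity-to-level mapping, the tool name and the sample findings are assumptions for this illustration.

```javascript
// Added example, not the project's code: produce a minimal SARIF 2.1.0 log of
// the shape github/codeql-action/upload-sarif ingests. Field names follow the
// SARIF 2.1.0 spec; the severity-to-level mapping is an assumption.

const LEVEL_FOR_SEVERITY = { CRITICAL: "error", HIGH: "error", MEDIUM: "warning", LOW: "note" };

function toSarif(findings, toolVersion) {
  // Each distinct rule is declared once under tool.driver.rules and referenced by index.
  const rulesById = new Map();
  for (const f of findings) {
    if (!rulesById.has(f.ruleId)) {
      rulesById.set(f.ruleId, { id: f.ruleId, shortDescription: { text: f.title } });
    }
  }
  const rules = [...rulesById.values()];
  const ruleIndex = new Map(rules.map((r, i) => [r.id, i]));

  return {
    $schema: "https://json.schemastore.org/sarif-2.1.0.json",
    version: "2.1.0",
    runs: [{
      tool: { driver: { name: "sixthwall", version: toolVersion, rules } },
      results: findings.map((f) => ({
        ruleId: f.ruleId,
        ruleIndex: ruleIndex.get(f.ruleId),
        level: LEVEL_FOR_SEVERITY[f.severity],
        message: { text: `${f.title}: ${f.what}` },
        locations: [{
          physicalLocation: {
            // %SRCROOT% tells GitHub the uri is relative to the checked-out repository root.
            artifactLocation: { uri: f.file, uriBaseId: "%SRCROOT%" },
            region: { startLine: f.line },
          },
        }],
      })),
    }],
  };
}

// Count results per SARIF level, the number Code Scanning will show as alerts by level.
function summarize(log) {
  const counts = {};
  for (const r of log.runs[0].results) counts[r.level] = (counts[r.level] || 0) + 1;
  return counts;
}

// Constructed findings (file paths and line numbers are made up for the example).
const SAMPLE_FINDINGS = [
  { ruleId: "AI-SECRET-001", severity: "CRITICAL", title: "Hardcoded API Key in Client Code",
    what: "An API key is hardcoded directly in your source code.", file: "src/api/stripe.ts", line: 12 },
  { ruleId: "AI-HEADER-001", severity: "MEDIUM", title: "Express app running without helmet",
    what: "No security headers are set on responses.", file: "src/server.ts", line: 4 },
  { ruleId: "AI-SECRET-001", severity: "CRITICAL", title: "Hardcoded API Key in Client Code",
    what: "An API key is hardcoded directly in your source code.", file: "src/api/billing.ts", line: 7 },
];

console.log(JSON.stringify(toSarif(SAMPLE_FINDINGS, "0.2.1"), null, 2));
```

Two things commonly go wrong when hand-rolling SARIF for GitHub: results whose `ruleId` has no matching entry in `tool.driver.rules`, and file URIs that are absolute rather than repository-relative; the example declares every rule once and uses `%SRCROOT%`-relative paths to avoid both.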

Pre-commit Hook

Installed automatically by sixthwall init. Scans staged files and blocks commits with critical or high severity findings. To add manually:

#!/bin/sh
# .git/hooks/pre-commit
npx @sixthwall/cli scan --staged --severity high

Why Not Just Use Snyk / Semgrep / CodeRabbit?

| | SixthWall | Traditional Scanners | AI Code Reviewers |
| --- | --- | --- | --- |
| Built for AI-generated code | Rules target AI patterns | Built for human-written code | Partially |
| Deterministic | Same code = same result | Same code = same result | LLM output varies |
| Fix Packs with Claude prompts | Included | Generic alerts | N/A |
| MCP-native (Claude Code) | First-class | N/A | N/A |
| Works offline | Fully offline | Varies | Needs API |
| Zero-friction setup | One command | Manual config | Manual config |
| Free | Layer 1 (unlimited scans) | Freemium | Paid |

SixthWall isn't replacing your dependency scanner. It's catching the vulnerabilities they can't see — the ones in the code AI just wrote for you.


45% of AI-generated code has security flaws. SixthWall catches them before attackers do.


Frequently Asked Questions

Is SixthWall free? The CLI and MCP server (Layer 1) are completely free. Install with npx @sixthwall/cli init and scan unlimited files with all 15 rules. The cloud platform (Layer 2 and 3) with GitHub PR scanning, runtime pentesting, and dashboards is a paid service.

What's the best security scanner for AI-generated code? SixthWall is purpose-built for AI-generated code. Traditional scanners like Snyk and Semgrep were designed for human-written code. SixthWall's rules specifically target patterns that Claude Code, Cursor, Copilot, and Windsurf generate — like missing auth middleware, hardcoded secrets, JWT without expiration, and overly permissive CORS.

How do I secure my vibe coding project? Run npx @sixthwall/cli init in your project. It sets up MCP integration, pre-commit hooks, IDE rules, and runs a first scan automatically. After that, SixthWall works in the background — scanning as you code, blocking vulnerabilities on commit, and catching issues in CI.

Does SixthWall work with Claude Code? Yes. sixthwall init automatically configures the MCP server and CLAUDE.md so Claude Code scans your code and fixes vulnerabilities in the same conversation. You can also install the MCP server manually with @sixthwall/mcp-server.

How is SixthWall different from CodeRabbit or AI code review tools? CodeRabbit and similar tools use LLMs to review code — their results vary between runs and they can hallucinate issues. SixthWall is deterministic: it uses tree-sitter AST parsing with YAML-defined rules. Same code produces the same findings every time. No API calls, no cloud dependency, runs entirely offline.

What languages does SixthWall support? JavaScript, TypeScript (including JSX/TSX), and Python. More languages are planned.


sixthwall.dev · GitHub · @sixthwall