Ironward

AI-powered security scanner delivered as an MCP server and CLI. Scans your code for leaked secrets, vulnerable auth logic, injection flaws, and CVE-affected dependencies — and opens fix PRs — directly inside Cursor, Claude Code, and VS Code.

v0.8.0 — eight tools ship. fix_and_pr now does multi-file fixes + self-validation (re-runs the relevant scanner on its own output and retries until clean).

Tools

scan_for_secrets — offline, instant

• 212 pattern families — AWS, GCP, Azure, DigitalOcean, Alibaba, Stripe, GitHub (classic/oauth/fine-grained), GitLab, OpenAI, Anthropic, HuggingFace, Slack, Discord, SendGrid, Postgres/Mongo/Redis URLs, PEM / OpenSSH / PGP private keys, npm, DockerHub, Notion, Linear, Figma, Tailscale, and many more.
• Shannon-entropy fallback for unknown secrets, with a placeholder + UUID/SHA allowlist to keep false positives near zero.
• Three input modes — inline files, on-disk paths, or a raw content snippet.
• Context-aware gating — context: "pre-commit" returns isError: true on critical/high findings so MCP clients can block commits.
• Redaction by default — only truncated fingerprints are returned.
• Line-level suppression — // ironward-ignore on the same or prior line.

scan_auth_logic — Claude Opus

Deep analysis of authentication/authorization defects — the class of bugs pattern scanners cannot catch:

• Backwards auth checks (if (user) when the intent is if (!user))
• Missing ownership / tenancy checks (resource fetched by ID with no check that the caller owns it)
• Privilege-escalation paths and role comparison bugs
• Auth middleware that runs too late or is skipped on error paths
• JWT validation gaps — alg: none, unchecked exp/aud/iss, skipped signature verification
• Session fixation, unsafe session handling, plaintext password storage in reset flows

A cheap keyword pre-filter skips the model entirely when the file has no auth surface, so unrelated code is free. Requires ANTHROPIC_API_KEY.

scan_sqli — Claude Sonnet + pre-filter

Targets query-construction defects a pattern scanner alone cannot judge:

• String concatenation / template literals / f-strings / %-format / str.format building SQL
• ORM raw / $queryRawUnsafe / knex.raw / sequelize.query with interpolated arguments
• Second-order injection (untrusted data stored, then concatenated later)
• Dynamic identifiers (table/column names coming from user input)

A 24-rule cross-language regex pre-filter (JS/TS, Python, Go, Java, Ruby, PHP) surfaces suspect lines; Sonnet confirms or dismisses. Files with no query-construction patterns skip the model entirely.

scan_xss — Claude Sonnet + framework-aware pre-filter

Catches XSS across four flavors:

• Reflected — request input flows into the response body without encoding
• Stored — persisted input later rendered without escaping
• DOM — user-controlled data reaches dangerous sinks (innerHTML, outerHTML, document.write, insertAdjacentHTML, eval, new Function, string-setTimeout)
• Framework-specific bypasses — React dangerouslySetInnerHTML, Vue v-html, Angular [innerHTML] / bypassSecurityTrust*, Svelte {@html}, SolidJS innerHTML={}
• Template injection — EJS <%- %>, Handlebars/Mustache {{{ }}}, Jinja |safe / autoescape=False, Flask Markup(), Django |safe
• Unsafe PHP — echo $_GET/$_POST/$_REQUEST

A 25-rule pre-filter with sanitizer allowlist (DOMPurify, textContent, he.encode, etc.) keeps false positives near zero. Sonnet confirms real defects.

scan_idor — Claude Opus, broken-access-control focus

The #1 OWASP category. Catches:

• Missing ownership checks — a handler fetches a resource by ID with no verification that the requester owns it
• Horizontal privilege escalation — user A modifying user B's data by changing an ID
• Mass assignment / overposting — req.body spread into updates, letting attackers set role, tenantId, credits, isAdmin
• Predictable sequential IDs — parseInt(req.params.id) patterns enabling enumeration
• Unprotected admin routes — endpoints with authRequired but no role check
• Role-from-input — authorization decisions based on client-controlled flags

A 12-rule pre-filter surfaces data-access and admin sites; Opus reasons over the full request flow. Reports ownership-hint density to weight confidence.

scan_url — live URL audit (no model call)

Point it at a deployed URL and get a misconfiguration report. Network-only, rule-based, no API key needed.

• Security headers — missing or weak CSP (incl. 'unsafe-inline' / 'unsafe-eval'), HSTS, X-Frame-Options / frame-ancestors, X-Content-Type-Options, Referrer-Policy
• Cookie flags — missing Secure, HttpOnly on session-like cookies, SameSite absent
• CORS — wildcard + credentials (critical), null origin acceptance
• TLS enforcement — plaintext HTTP responses
• Exposed dev/build files — /.env, /.git/config, /.DS_Store, firebase.json, .vscode/settings.json, .npmrc
• Error leakage — one 404 probe to detect stack traces / absolute filesystem paths in responses
• Version disclosure — Server, X-Powered-By headers exposing versions

Only scan sites you own or are authorized to test.

scan_deps — offline parsing + OSV.dev

Parses package.json, requirements.txt, and Pipfile.lock. Queries OSV.dev for each unique (ecosystem, package, version) tuple and returns findings with CVE aliases, affected ranges, fixed versions, and reference URLs — sorted by CVSS severity.

fix_and_pr — Opus + GitHub (multi-file + self-validation)

Given any finding from any scanner, Opus produces a minimal, surgical fix — across one or more files — then Ironward re-runs the relevant scanner on the fixed output. If residual issues remain, it retries (max 2 attempts) with the residual passed back as context. Only when validation passes does it create a branch, commit every changed file, and open a single PR.

The PR body carries the OWASP reference, exploit scenario, severity, and validation status. Set dryRun: true to preview, skipValidation: true to bypass the loop. Requires ANTHROPIC_API_KEY and GITHUB_TOKEN with repo scope.

Install

Cursor (~/.cursor/mcp.json)

{
  "mcpServers": {
    "ironward": {
      "command": "npx",
      "args": ["-y", "ironward@latest"],
      "env": { "ANTHROPIC_API_KEY": "sk-ant-..." }
    }
  }
}

ANTHROPIC_API_KEY is only required for Claude-backed tools (scan_auth_logic, scan_sqli, fix_and_pr). scan_for_secrets and scan_deps work without it.

Claude Code

claude mcp add ironward -- npx -y ironward@latest

VS Code (.vscode/mcp.json)

{
  "servers": {
    "ironward": {
      "command": "npx",
      "args": ["-y", "ironward@latest"]
    }
  }
}

CLI (no MCP client required)

npx ironward scan-secrets src/
npx ironward scan-deps package.json requirements.txt
npx ironward scan-url https://your-deployed-app.com
npx ironward --help

Exit codes: 0 clean · 1 findings (no critical/high) · 2 critical or high findings present.

Local development

npm install
npm run build
npm test

Or point your IDE config at the local checkout:

{
  "mcpServers": {
    "ironward-dev": {
      "command": "node",
      "args": ["/absolute/path/to/ironward/dist/bin.js"]
    }
  }
}

Tool reference

scan_for_secrets

scan_auth_logic · scan_sqli

scan_deps

fix_and_pr

Architecture

IDE (Cursor / Claude Code / VS Code)
        │  JSON-RPC 2.0 over stdio
        ▼
Ironward server  (Node 20+, TypeScript)
        │
        ├─ scan_for_secrets   ← 212 patterns + entropy (offline)
        ├─ scan_auth_logic    ← Claude Opus + keyword pre-filter
        ├─ scan_sqli          ← Claude Sonnet + 24-rule pre-filter
        ├─ scan_xss           ← Claude Sonnet + 25-rule pre-filter
        ├─ scan_idor          ← Claude Opus + 12-rule access-control pre-filter
        ├─ scan_url           ← HTTP header + cookie + exposed-file audit (offline of Claude)
        ├─ scan_deps          ← manifest parsers + OSV.dev
        └─ fix_and_pr         ← Opus + GitHub REST (branch + commit + PR)

License

MIT