Skip to content

Quick Start

Get SecureVibe into a project in minutes. The easiest path is npm; building from source is for contributors.

Prerequisites

  • Node.js 18+ for the npm path (recommended), or Go 1.22+ to build from source
  • An AI coding assistant: Claude Code, Cursor, Copilot, Codex, Windsurf, Cline, or Devin
  • No network needed at runtime. The npm package bundles the rule data and runs fully offline. Updates are optional.

1. Install

Everything ships on npm — the package bundles the platform binary and the rule data, so there's no checkout and no Go toolchain.

npm i -g @shieldnet360/secure-code-mcp

That puts two commands on your PATH: secure-code-mcp (the MCP server) and secure-code-check (the CLI — the scanners plus the gate). Both read the bundled data, so they run fully offline.

Sanity check

secure-code-check check-dependency --package event-stream --version 3.3.6 --ecosystem npm flags the famous 2018 npm supply-chain attack.

Other channels

Run without installing: npx -p @shieldnet360/secure-code-mcp secure-code-check <cmd>. From source / contributors: go install github.com/shieldnet-360/securevibe/cmd/skills-check@latest (bare binary — point it at a data tree via $SKILLS_LIBRARY_PATH).

2. Drop the skills into a project (fastest path)

# in any project you want to make security-aware:
npx @shieldnet360/secure-code-skill init --tool claude

That installs the native security skills (e.g. .claude/skills/) — context-scoped, so only the rule relevant to the files in play loads. The next time you open the project in Claude Code, those rules are available to the assistant.

Other targets: --tool cursor | copilot | codex | windsurf | cline | universal.

3. Wire the MCP server (most powerful path)

This gives the assistant on-demand access to the JSON-RPC tools — vulnerability lookups, dependency scans, Dockerfile hardening, GitHub Actions audits, and the gate — without spending tokens until the tools are actually called.

# For Claude Code (no install — npx fetches the package on first run):
claude mcp add secure-code -- npx -y @shieldnet360/secure-code-mcp

Or hand-edit your client's MCP config:

{
  "mcpServers": {
    "secure-code": {
      "command": "npx",
      "args": ["-y", "@shieldnet360/secure-code-mcp"]
    }
  }
}

After restarting your client, ask the assistant something like "scan this Dockerfile for hardening issues" or "is event-stream@3.3.6 known malicious?" — it'll route through the SecureVibe tools.

4. Try a single tool call directly

You don't need an AI client to use the MCP server. It speaks JSON-RPC 2.0 over stdio, so any script can drive it.

echo '{"jsonrpc":"2.0","id":1,"method":"tools/call",
  "params":{"name":"lookup_vulnerability",
    "arguments":{"package":"event-stream","ecosystem":"npm","version":"3.3.6"}}}' \
  | npx -y @shieldnet360/secure-code-mcp

That returns the known compromise entry for the infamous 2018 supply-chain attack. Substitute any of the server's tools.

List all available tools

echo '{"jsonrpc":"2.0","id":1,"method":"tools/list"}' | npx -y @shieldnet360/secure-code-mcp

5. Keep it current

Vulnerability data and detection patterns change weekly. Two refresh paths, decoupled:

# Refresh the committed library via signed manifest deltas (touches files in repo):
./skills-check update

# Populate the user-local OSV cache (~250 MB, ~80k npm advisories — no repo write):
./skills-check fetch-vulns --from-release

Check how stale the local data is at any time — an AI assistant is only as current as the knowledge it is fed:

./skills-check status                 # version, advisory count, data age, verdict
./skills-check status --fail-if-stale # exit non-zero in CI when data is >30 days old

For unattended refresh, install the scheduler:

./skills-check scheduler install --interval 6h

That registers a launchd LaunchAgent (macOS), a systemd user timer (Linux), or a Task Scheduler task (Windows). No daemons, no privileged helpers.

5b. Block a bad package you discovered (LEARN loop)

Found a malicious or typosquatting package the curated database doesn't know yet? Block it immediately — locally, no central round trip:

./skills-check contribute add -p evil-pkg -e npm --reason "exfiltrates env in postinstall"
./skills-check gate package.json --severity-floor high   # now fails on evil-pkg

The rule is written to .skills-check/overlay.json and never leaves your machine. Commit that file to protect your whole team; run contribute submit (optionally --key to sign) to share a candidate upstream. See Contribute a Finding.

6. Generate a compliance coverage report

./skills-check evidence --framework SOC2    --format markdown --out evidence-soc2.md
./skills-check evidence --framework HIPAA   --format json
./skills-check evidence --framework PCI-DSS --format markdown

Each report maps installed skills to framework controls with timestamps and source citations. The output is a developer-facing coverage map, not a substitute for a real audit.

Next steps