Summary
Connects Claude to Korext's policy enforcement engine with 72 compliance packs and 532 rules across 13 languages. Exposes operations to scan code against policy sets like PCI DSS, OWASP, GDPR, and HIPAA, then retrieve violations as structured results with proof bundles. Built for AI coding workflows where you need to validate generated code against security and compliance standards before it ships. The MCP interface wraps their enforcement API that normally runs in GitHub Actions, so you can check policies interactively during development instead of waiting for CI. Supports regional data processing and cryptographic signing of audit trails.
Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.
One time payment $9 →
Integrate web data into your AI product. One API to scrape website & brand data.
Get API Key Now →
Agent, run crypto. Access onchain data & trade routes via 1inch.
Install now →
On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.
Start earning →
Tools
Public tool metadata for what this MCP can expose to an agent.
3 tools
qualitygate_validateAfter your agent generates output, validate it against your rules before shipping. Runs deterministic checks (regex, JSON schema, syntax) plus optional LLM-powered tone and factual analysis. Returns a structured verdict (pass, warn, or fail) with a 0-100 score and per-check is...7 params
After your agent generates output, validate it against your rules before shipping. Runs deterministic checks (regex, JSON schema, syntax) plus optional LLM-powered tone and factual analysis. Returns a structured verdict (pass, warn, or fail) with a 0-100 score and per-check is...
Parameters* required
outputstringThe agent output text to validate.
schemaobjectJSON Schema to validate output against.
languagestringCode language for syntax check: json, python, javascript, typescript.
overridebooleanForce pass. Requires override_reason.
directivesarrayDirective objects. Types: must_include, must_not_include, must_match, must_not_match, must_contain, must_not_contain, min_length, max_length.
check_typesarrayChecks to run. Auto-inferred if omitted.
override_reasonstringRequired when override is true.
guardrail_checkEvaluate a proposed agent action against your governance policies. Returns allow or deny with the matched policy reason. Requires at least one active policy created via guardrail_create_policy. Deterministic rule evaluation — no LLM. Costs 1 credit.2 params
Evaluate a proposed agent action against your governance policies. Returns allow or deny with the matched policy reason. Requires at least one active policy created via guardrail_create_policy. Deterministic rule evaluation — no LLM. Costs 1 credit.
Parameters* required
agent_idstringAgent identifier.
proposed_actionobjectAction to evaluate. Must contain a 'type' field. Example: {"type": "http_request", "url": "https://external.example.com"} or {"type": "file_write", "path": "/etc/config"}.
guardrail_create_policyCreate a persistent governance policy that guardrail_check evaluates on every subsequent call. Define rules using and/or/not operators over action types, resource patterns, and budget thresholds. Call this before using guardrail_check — checks require at least one active polic...5 params
Create a persistent governance policy that guardrail_check evaluates on every subsequent call. Define rules using and/or/not operators over action types, resource patterns, and budget thresholds. Call this before using guardrail_check — checks require at least one active polic...
Parameters* required
namestringUnique policy name per org. Examples: 'no-delete-in-prod', 'budget-cap-50', 'pii-block'.
rulesarrayArray of rule objects evaluated against the proposed_action in guardrail_check. Leaf operators: eq, starts_with, contains, gt, lt (compare field to value). Compound operators: and, or, not (nest sub-rules in a rules array). Example: [{operator:'eq', field:'type', value:'file_write'}] blocks all file writes. Nested example: [{operator:'and', rules:[{operator:'eq',field:'type',value:'api_call'},{operator:'contains',field:'url',value:'prod'}]}] blocks prod API calls.
prioritynumberOptional. Evaluation order. Default: 0.
descriptionstringOptional human-readable summary of what this policy enforces. Returned in guardrail_check responses and guardrail_list_policies output for auditability.
action_typesarrayOptional. Restrict this policy to only evaluate when proposed_action.type matches one of these values. Examples: ['file_write', 'api_call', 'db_delete']. Omit to apply the policy to all action types regardless of type field.
KOREXT Enforce Action
Enforce compliance policies on AI generated code in your GitHub workflows.
72 policy packs. 532 rules. 13 languages. Violations appear as GitHub Code Scanning annotations on pull requests.
Quick Start
Add this to .github/workflows/korext.yml:
name: Korext Enforcement
on: [push, pull_request]
permissions:
contents: read
security-events: write
jobs:
enforce:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: Korext/enforce-action@v3
with:
api-token: ${{ secrets.KOREXT_API_TOKEN }}
Korext scans your code on every push and PR using the default web policy pack.
How It Works
- Install: The action installs the Korext CLI
- Scan: Runs
korext enforceagainst your codebase with the selected policy pack - Report: Generates a SARIF file and uploads it to GitHub Code Scanning
- Gate: Fails the workflow if critical or high severity violations are found
Violations appear as annotations directly on the PR diff, powered by GitHub Code Scanning.
Inputs
| Input | Description | Required | Default |
|---|---|---|---|
directory | Directory to scan for policy violations | No | . |
pack | Policy Pack ID to enforce | No | web |
api-token | Korext API token for authenticated mode | No | (anonymous) |
fail-on-violations | Fail workflow on critical/high violations | No | true |
sarif-upload | Upload SARIF to GitHub Code Scanning | No | true |
region | Data processing region (us, eu, apac) | No | (default) |
sign-bundles | Request signed proof bundles | No | true |
Outputs
| Output | Description |
|---|---|
violations | Total number of policy violations found |
sarif-file | Path to the generated SARIF results file |
bundle-count | Number of proof bundles generated |
bundles-signed | Number of signed proof bundles |
bundle-ids | Comma separated list of proof bundle IDs |
Examples
Multiple Policy Packs
- uses: Korext/enforce-action@v3
with:
pack: web,pci-dss-v1,owasp-v1
api-token: ${{ secrets.KOREXT_API_TOKEN }}
EU Data Sovereignty
- uses: Korext/enforce-action@v3
with:
pack: gdpr-v1
region: eu
api-token: ${{ secrets.KOREXT_API_TOKEN }}
Scan Specific Directory
- uses: Korext/enforce-action@v3
with:
directory: src/
pack: hipaa-v1
api-token: ${{ secrets.KOREXT_API_TOKEN }}
Warn Only (do not fail)
- uses: Korext/enforce-action@v3
with:
pack: web
fail-on-violations: 'false'
Authentication
For full access to all policy packs and signed proof bundles, create an API token in your KOREXT dashboard and add it as a GitHub secret:
- Go to app.korext.com > Settings > API Tokens
- Create a new token
- Add it as
KOREXT_API_TOKENin your repo's Settings > Secrets and variables > Actions
Without a token, the action runs in anonymous mode (20 requests per hour, limited packs).
Links
License
Proprietary. See Terms of Service.
Featured
Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.
One time payment $9 →Integrate web data into your AI product. One API to scrape website & brand data.
Get API Key Now →Agent, run crypto. Access onchain data & trade routes via 1inch.
Install now →On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.
Start earning →Categories
Registryactive
Packagekorext
TransportSTDIO, HTTP
AuthRequired
UpdatedApr 15, 2026
