Adds a security scanning layer to Claude with 27 tools covering code vulnerabilities, dependency CVEs, PII detection, prompt injection defense, and secret scanning. The code scanner catches SQL injection, XSS, and command injection with CWE mappings and auto-fix suggestions, while the DeepEngine performs cross-line taint tracking in Python. Dependencies get checked against OSV.dev for PyPI, npm, Go, and Packagist packages. You get SARIF export for GitHub Code Scanning, baseline comparison for delta scanning, quality gates with severity thresholds, and SQLite-backed audit logs. Comes with five safety profiles for different compliance contexts. Reach for this when you need to scan code or validate AI inputs and outputs for security issues directly in your Claude workflow.
Universal AI security layer — an open-source MCP server for code scanning, PII detection, prompt injection defense, secret detection, dependency auditing, and audit logging.
Zero dependencies · 27 MCP tools · 5 safety profiles · 108+ detection patterns
```bash
pip install guardianshield

# Register with Claude Code
claude mcp add guardianshield -- guardianshield-mcp

# Or run directly
guardianshield-mcp
```

Claude Code:

```bash
claude mcp add guardianshield -- guardianshield-mcp
```

VS Code (`.vscode/mcp.json`):

```json
{"servers": {"guardianshield": {"type": "stdio", "command": "guardianshield-mcp"}}}
```

Cursor (`.cursor/mcp.json`):

```json
{"mcpServers": {"guardianshield": {"command": "guardianshield-mcp"}}}
```

Claude Desktop (`claude_desktop_config.json`):

```json
{"mcpServers": {"guardianshield": {"command": "guardianshield-mcp"}}}
```

| Tool | Description |
|---|---|
| `scan_code` | Scan source code for vulnerabilities and hardcoded secrets |
| `scan_file` | Scan a single file (auto-detects language from extension) |
| `scan_directory` | Recursively scan a directory with filtering and progress streaming |
| `scan_input` | Check user/agent input for prompt injection attempts |
| `scan_output` | Check AI output for PII leaks and content violations |
| `check_secrets` | Detect hardcoded secrets and credentials |
| `scan_files` | Scan multiple files in one call |
| `scan_diff` | Parse unified diff and scan only added lines |

| Tool | Description |
|---|---|
| `check_dependencies` | Check packages for known CVEs via OSV.dev (PyPI, npm, Go, Packagist) |
| `sync_vulnerabilities` | Sync the local OSV vulnerability database |
| `parse_manifest` | Parse any supported manifest file (11 formats) into dependency objects |
| `scan_dependencies` | Scan a directory for manifest files and check all deps for vulnerabilities |

| Tool | Description |
|---|---|
| `mark_false_positive` | Mark a finding as false positive (flags future matches) |
| `list_false_positives` | List active false positive records with optional filter |
| `unmark_false_positive` | Remove a false positive record by fingerprint |

| Tool | Description |
|---|---|
| `list_engines` | List available analysis engines with capabilities |
| `set_engine` | Set active analysis engines for code scanning |

Three engines ship built-in: `regex` (line-by-line pattern matching, enabled by default), `deep` (cross-line taint tracking), and `semantic` (structure-aware confidence adjustment).
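
Why cross-line taint tracking finds what line-by-line matching misses, shown as an added example that is not GuardianShield's own code or rule set. The samples are constructed, and `LINE_RULE`, `SOURCES`, `SINKS` and both scan functions are assumptions made for illustration.

```python
import ast
import re

# Constructed sample: untrusted input is read on line 3 and reaches the SQL sink on line 5.
SAMPLE = '''\
import sqlite3
def lookup(conn, request):
    name = request.args.get("name")
    query = "SELECT * FROM users WHERE name = '" + name + "'"
    return conn.execute(query)
'''

# Constructed sample: same flow, but the SQL text is constant and the value is bound.
SAFE = '''\
def lookup(conn, request):
    name = request.args.get("name")
    return conn.execute("SELECT * FROM users WHERE name = ?", (name,))
'''

# Illustrative single-line rule: a quoted string concatenated inside execute(...).
LINE_RULE = re.compile(r"\.execute\(.*[\"'].*\+")
SOURCES = {"request"}  # assumption: names treated as untrusted input
SINKS = {"execute"}    # assumption: method names that run SQL text

def regex_scan(source):
    """Line-by-line matching: each line is judged in isolation."""
    return [n for n, line in enumerate(source.splitlines(), 1) if LINE_RULE.search(line)]

def _names(node):
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}

def taint_scan(source):
    """Cross-line tracking: spread taint through assignments, then check sink arguments."""
    tree = ast.parse(source)
    tainted, changed = set(SOURCES), True
    while changed:  # flow-insensitive fixpoint over all assignments
        changed = False
        for node in ast.walk(tree):
            if isinstance(node, ast.Assign) and _names(node.value) & tainted:
                new = set().union(*(_names(t) for t in node.targets)) - tainted
                tainted |= new
                changed = changed or bool(new)
    return sorted(
        node.lineno for node in ast.walk(tree)
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
        and node.func.attr in SINKS and node.args and _names(node.args[0]) & tainted
    )

if __name__ == "__main__":
    for label, src in (("concatenated", SAMPLE), ("parameterized", SAFE)):
        print(label, "regex:", regex_scan(src), "taint:", taint_scan(src))
```

Only the first argument of the sink (the SQL text) is checked, so the parameterized form is not reported even though `name` is still tainted.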

| Tool | Description |
|---|---|
| `export_sarif` | Export findings as SARIF 2.1.0 JSON for GitHub Code Scanning and CI |
| `save_baseline` | Save current findings as a baseline for delta scanning |
| `scan_with_baseline` | Scan code and report only new findings vs. baseline |
| `check_quality_gate` | Evaluate findings against severity thresholds (pass/fail/warn) |
| `scan_files` | Scan multiple files in one call |
| `scan_diff` | Parse unified diff and scan only added lines |

| Tool | Description |
|---|---|
| `get_profile` | Get current safety profile configuration |
| `set_profile` | Switch safety profile (general, education, healthcare, finance, children) |
| `test_pattern` | Test a regex pattern against sample code for custom pattern development |
| `audit_log` | Query the security audit log |
| `get_findings` | Retrieve past findings with filters |
| `shield_status` | Get health, configuration, and OSV cache statistics |

Set environment variables to customize behavior:

| Variable | Description | Default |
|---|---|---|
| `GUARDIANSHIELD_PROFILE` | Default safety profile | `general` |
| `GUARDIANSHIELD_AUDIT_PATH` | Path to SQLite audit database | `~/.guardianshield/audit.db` |
| `GUARDIANSHIELD_DEBUG` | Enable debug logging (`1`) | disabled |

Full documentation: sparkvibe-io.github.io/GuardianShield
Apache 2.0