No Bad Code,
Only Safe Moves

We scan your AI-generated code for security vulnerabilities, performance issues, and anti-patterns — then auto-fix them.

Quick Start

$ npx @guardrail-ai/cli scan .
30 rules | 7 commands | inline code frames | AST auto-fix | zero config

SECURITY SCANNING

15 rules detecting hardcoded secrets, SQL injection, XSS, JWT misuse, path traversal, prototype pollution, and more.

AI-CODE DETECTION

11 rules purpose-built for AI-generated patterns: hallucinated imports, placeholder code, missing error handling, async without await.

AST AUTO-FIX

Real Abstract Syntax Tree transformations. Precise fixes with clean unified diffs. Not regex replacements.
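Why that distinction matters, as an added example (illustration code, not Guardrail's fixer): the regex a quick fix script would use for a rule like console-log-spam, next to a structure-aware removal that stands in for a real AST transform. The sample input is constructed.

```javascript
// Added example, not Guardrail's fixer: a regex auto-fix next to a
// structure-aware removal. Sample input is constructed.

// The one-liner a quick fix script would reach for.
const NAIVE_RE = /console\.log\([^)]*\);?/g;

function removeConsoleLogNaive(source) {
  return source.replace(NAIVE_RE, '');
}

// Index just past the ')' that closes the call whose '(' sits at `open`, or -1.
// Nesting is tracked, and '...', "..." and `...` are skipped so a ')' inside a
// string argument cannot end the call early.
function matchingParen(src, open) {
  let depth = 0;
  let quote = null;
  for (let i = open; i < src.length; i++) {
    const ch = src[i];
    if (quote) {
      if (ch === '\\') i++;              // skip the escaped character
      else if (ch === quote) quote = null;
      continue;
    }
    if (ch === '"' || ch === "'" || ch === '`') quote = ch;
    else if (ch === '(') depth++;
    else if (ch === ')' && --depth === 0) return i + 1;
  }
  return -1;
}

// Remove every console.log(...) statement, including a trailing ';', so no
// empty statement or dangling argument text is left behind. A real AST rule
// would also ignore occurrences inside comments and strings; this stand-in does not.
function removeConsoleLogAware(source) {
  const needle = 'console.log(';
  let out = '';
  let i = 0;
  for (;;) {
    const at = source.indexOf(needle, i);
    if (at === -1) return out + source.slice(i);
    const end = matchingParen(source, at + needle.length - 1);
    if (end === -1) return out + source.slice(i);  // unbalanced: leave untouched
    out += source.slice(i, at);
    i = source[end] === ';' ? end + 1 : end;
  }
}

// Does the result still parse as JavaScript?
function parses(src) {
  try { new Function(src); return true; } catch { return false; }
}

// Constructed input: the argument contains ')' inside a string literal.
const SAMPLE = [
  'function handler(req) {',
  "  console.log(fmt('user=(', req.user, ')'));",
  '  return ok(req);',
  '}',
].join('\n');
```

On the sample the regex stops at the first ')' it sees, which is the one inside the string, and leaves an unterminated literal behind; the structure-aware pass removes the whole statement and the file still parses. An AST transform gets that for free, along with comments, strings and multi-line arguments.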

AUDIT REPORTS

Generate AI-guided remediation reports in Markdown with fix instructions, code examples, and copy-paste prompts for your AI assistant.

/ About Guardrail

We provide the default
safety layer for
AI-generated code.

/ Mission

To become the default guardian that prevents developers from shipping insecure or unscalable AI-generated applications. 30 rules. 4 categories. Zero configuration.

/ Vision

A world where every AI-generated line of code passes through a safety layer before it reaches production. Open source. Community driven. Built for the era of Copilot, ChatGPT, and Claude.

$ npx @guardrail-ai/cli scan ./src

   ____                     _           _ _
  / ___|_   _  __ _ _ __ __| |_ __ __ _(_) |
 | |  _| | | |/ _` | '__/ _` | '__/ _` | | |
 | |_| | |_| | (_| | | | (_| | | | (_| | | |
  \____|\__,_|\__,_|_|  \__,_|_|  \__,_|_|_|

  Target: ./src

src/api/auth.ts
  CRIT  12:6   Hardcoded secret in "API_KEY"              [security/hardcoded-api-key]
  CRIT  18:18  Potential SQL injection                     [security/sql-injection]
  HIGH  28:2   cors() with no arguments                    [security/insecure-cors]
  HIGH  35:0   Hallucinated import "auth-utils"            [ai-codegen/hallucinated-import]
  WARN  45:4   Sequential await inside loop                [performance/inefficient-loop]
  WARN  52:0   console.log() call                         [ai-codegen/console-log-spam]  (fixable)

Found 6 issues in 1 file (0.03s)
  2 critical, 2 high, 2 warnings
  1 issue is auto-fixable (run guardrail fix)

/ Detection Engine

30 Rules, 4 Categories

Rule                                         Category     Severity
security/hardcoded-api-key                   SECURITY     CRIT
security/sql-injection                       SECURITY     CRIT
security/no-eval                             SECURITY     CRIT
security/xss-vulnerability                   SECURITY     CRIT
security/path-traversal                      SECURITY     CRIT
security/jwt-misuse                          SECURITY     CRIT
security/insecure-cors                       SECURITY     HIGH
security/env-var-leak                        SECURITY     HIGH
security/unsafe-regex                        SECURITY     HIGH
security/no-secrets-in-logs                  SECURITY     HIGH
security/prototype-pollution                 SECURITY     HIGH
security/open-redirect                       SECURITY     HIGH
security/insecure-cookie                     SECURITY     HIGH
security/insecure-randomness                 SECURITY     HIGH
security/no-rate-limiting                    SECURITY     INFO
ai-codegen/hallucinated-import               AI-CODEGEN   HIGH
ai-codegen/placeholder-code                  AI-CODEGEN   WARN
ai-codegen/hardcoded-localhost               AI-CODEGEN   WARN
ai-codegen/overly-broad-catch                AI-CODEGEN   WARN
ai-codegen/unused-imports                    AI-CODEGEN   WARN
ai-codegen/any-type-abuse                    AI-CODEGEN   WARN
ai-codegen/fetch-without-error-handling      AI-CODEGEN   WARN
ai-codegen/promise-without-catch             AI-CODEGEN   WARN
ai-codegen/no-async-without-await            AI-CODEGEN   WARN
ai-codegen/console-log-spam                  AI-CODEGEN   INFO
ai-codegen/magic-numbers                     AI-CODEGEN   INFO
quality/dead-code                            QUALITY      WARN
quality/duplicate-logic                      QUALITY      WARN
performance/inefficient-loop                 PERFORMANCE  WARN
performance/n-plus-one-query                 PERFORMANCE  HIGH

/ Integrate

Works Everywhere

/ 7 Commands

guardrail scan .
guardrail fix .
guardrail diff main
guardrail watch .
guardrail hook install
guardrail baseline create
guardrail init

/ GitHub Action

- uses: Manavarya09/Guardrail@v0.1.0
  with:
    target: './src'
    severity: 'warning'
    fail-on: 'high'

Before this gates merges, pin the action to a full commit SHA rather than the version tag: a scanner that runs on every pull request is part of your supply chain, and a tag can be moved.

/ Claude Code (MCP)

{
  "mcpServers": {
    "guardrail": {
      "command": "npx",
      "args": ["@guardrail-ai/mcp"]
    }
  }
}

/ Reports

guardrail scan . --report md
guardrail scan . --report html
guardrail scan . --report sarif
guardrail scan . --report html,md

SARIF is the format to pick for CI: it is what GitHub code scanning and most other dashboards ingest, so findings show up as pull-request annotations instead of a log to scroll.

/ Inline Suppression

// guardrail-ignore-next-line
eval(trustedCode);

// guardrail-ignore security/xss-vulnerability
el.innerHTML = safe;

A suppression is a standing exception, not a fix: eval(trustedCode) and el.innerHTML = safe stay exactly as dangerous as the value they receive. Prefer the rule-scoped form so only the reviewed finding is silenced, note why beside the comment, and treat new suppressions as a review item like any other security decision.

/ Gradual Adoption

guardrail baseline create
# snapshot current issues

guardrail scan .
# only flags NEW issues

The baseline hides the snapshot from the default scan; it does not make those findings go away. Triage the critical and high entries in it separately so existing injection and secret findings do not sit behind the baseline indefinitely.

/ Open Source

Built in public.
Backed by you.

Guardrail is free, open source, and community driven. If it saves you from shipping one bad line of AI-generated code, give us a star. It keeps the project alive.

Star on GitHub
SECURITY · PERFORMANCE · QUALITY · AI-SAFETY · OPEN-SOURCE · AST-POWERED · ZERO-CONFIG · PRE-COMMIT · BASELINE · DIFF-SCAN · CODE-FRAMES · SARIF