Secure Code by Design
Automated security scanning for development teams using AI coding tools.
scd is a CLI tool that catches security vulnerabilities before they reach production — running quietly in the background via git hooks and on-demand scans. Built for teams using AI coding tools like Claude Code, GitHub Copilot, and Cursor, which generate code faster than security awareness can keep up with.
Not a replacement for penetration testing
scd helps you find and fix common vulnerability patterns before they reach production, so that professional security assessments can focus on harder, context-specific problems.
What scd covers
- 174 security rules across JavaScript, TypeScript, Python, PHP, ASP.NET, and more
- Taint analysis — tracks user-controlled variables from HTTP input to dangerous sinks
- Git hooks — secrets scanning on pre-commit, full OWASP scan on pre-push
- Zero repo footprint — no files written or modified to your repository
- Exception management — reviewed exceptions tracked in config, never as code comments
- Audit trail — append-only scan history per repository
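The taint analysis described above, as an added illustration that is not scd's own engine: a minimal intra-procedural tracker built on Python's standard `ast` module that follows HTTP input through assignments to a dangerous sink, and clears the mark when a variable is overwritten with clean data. The source and sink lists, and the sample handler, are assumptions constructed for the demo.

```python
import ast
# Constructed for the demo: calls treated as user-controlled HTTP input.
SOURCES = {"request.args.get", "request.form.get", "request.get_json"}
# Constructed for the demo: calls treated as dangerous sinks.
SINKS = {"os.system", "subprocess.run", "eval", "cursor.execute"}

def dotted(node):  # 'a.b.c' for a Name/Attribute chain, else None
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None

def is_tainted(expr, tainted):  # reads a tainted name or calls a source?
    return any((isinstance(n, ast.Name) and n.id in tainted)
               or (isinstance(n, ast.Call) and dotted(n.func) in SOURCES)
               for n in ast.walk(expr))

class TaintTracker(ast.NodeVisitor):
    """Intra-procedural: NodeVisitor visits statements in source order."""
    def __init__(self):
        self.tainted, self.flows = set(), []

    def visit_Assign(self, node):
        self.visit(node.value)  # a sink call on the right-hand side still counts
        for t in (t for t in node.targets if isinstance(t, ast.Name)):
            if is_tainted(node.value, self.tainted):
                self.tainted.add(t.id)
            else:
                self.tainted.discard(t.id)  # overwritten with clean data

    def visit_Call(self, node):
        name = dotted(node.func)
        if name in SINKS and any(is_tainted(a, self.tainted) for a in node.args):
            self.flows.append((node.lineno, name))
        self.generic_visit(node)

def find_flows(source_code):  # -> [(line, sink)] where HTTP input reaches a sink
    tracker = TaintTracker()
    tracker.visit(ast.parse(source_code))
    return tracker.flows

# Constructed, deliberately vulnerable handler used as demo input.
SAMPLE = """def run():
    cmd = request.args.get("cmd")
    os.system("echo " + cmd)       # line 3: tainted -> sink
    cmd = "ls -l"
    os.system(cmd)                 # clean overwrite, no finding
    subprocess.run(["cat", "/var/log/" + request.args.get("f")])  # line 6
"""
```

Running `find_flows(SAMPLE)` reports the sinks on lines 3 and 6 only; the second `os.system` call is skipped because `cmd` was reassigned a constant. A real engine also handles sanitizers, calls across functions and branches, which this sketch leaves out.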
Starter vs Team vs Professional
| | Starter | Team | Professional |
|---|---|---|---|
| Security rules | 174 | 174 | 174 + rule packs |
| Git hooks | ✓ | ✓ | ✓ |
| Reports (HTML/MD/JSON) | ✓ | ✓ | ✓ |
| Team dashboard | — | ✓ | ✓ |
| Exception approval flow | — | ✓ | ✓ |
| CRA Compliance Report | — | ✓ | ✓ |
| Deep Analysis (AI) | — | — | ✓ |
Team and Professional require scd-server running in your own infrastructure. No code, findings, or scan data ever leaves your network.
See securecodebydesign.com for plans and pricing.
Get started
- Installation — install scd and set up git hooks
- Quick start — run your first scan in five minutes
- CLI reference — complete command reference
- scd-server — team features and self-hosted server