WardnMesh Documentation
AI-first security scanner with two core capabilities: scan YOUR code for secrets (100% local), and audit THIRD-PARTY packages before installing (community-powered). Works with Claude Code, Cursor, Windsurf, and any MCP-compatible tool.
Secret Scanner (100% Local)
Scan your code for API keys, passwords, tokens. Your code never leaves your machine.
Package Auditor (Community)
Audit third-party packages for malware, typosquatting, suspicious code.
Quickstart
Using Claude Code, Cursor, or Windsurf?
Just tell your AI what you need — it handles installation and scanning automatically. No manual configuration required.
Just say:
"scan this project for secrets before I push"
Install
Add WardnMesh MCP server to your AI tool
Scan
Ask your AI to scan for secrets
Fix
Auto-fix replaces hardcoded secrets with env vars
Installation
Cursor (Recommended)
Click the button above to automatically add WardnMesh to your Cursor settings. One click, zero configuration.
Manual setup (if needed)
Settings → Features → MCP Servers → Add
- Name: wardnmesh
- Type: command
- Command: npx @pcircle/wardnmesh-mcp-server
Claude Desktop
Add to your claude_desktop_config.json:
```json
{
  "mcpServers": {
    "wardnmesh": {
      "command": "npx",
      "args": ["@pcircle/wardnmesh-mcp-server"]
    }
  }
}
```
Claude Code / Antigravity
```bash
# Terminal
claude mcp add wardnmesh -- npx @pcircle/wardnmesh-mcp-server
```
Other MCP Tools
For any MCP-compatible tool, use this command:
```bash
npx @pcircle/wardnmesh-mcp-server
```
Secret Scanner
100% Local
Scan your entire codebase for exposed secrets before pushing to GitHub. 100% local processing — your code never leaves your machine.
What We Detect
- OpenAI, Anthropic, Google API keys
- AWS credentials (access key, secret key)
- GitHub tokens (classic, fine-grained)
- Database connection strings
- Private keys (RSA, SSH, PGP)
Example
```text
> "scan this project for secrets"

[✓] Scanning... (100% local)

⚠ Found 3 secrets:
  • src/config.js:15 — OpenAI API Key
  • .env.local:8 — AWS_SECRET_KEY
  • deploy.sh:23 — GitHub Token

Run 'fix secrets' to auto-replace with environment variables.
```
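As an added illustration of local, line-by-line secret detection for some of the categories listed above (this is not WardnMesh's code or rule set): the patterns are assumptions drawn from publicly documented credential formats, and the sample files are constructed. It also shows two things a scanner report should get right: skipping values that already reference an environment variable, and redacting matches.

```javascript
// Added example: NOT WardnMesh's rule set. Patterns are assumptions based on
// publicly documented credential formats and are deliberately approximate.
const RULES = [
  { type: "AWS access key ID", re: /\b(?:AKIA|ASIA)[A-Z0-9]{16}\b/ },
  { type: "GitHub token (classic)", re: /\bghp_[A-Za-z0-9]{36}\b/ },
  { type: "GitHub token (fine-grained)", re: /\bgithub_pat_[A-Za-z0-9_]{22,}/ },
  { type: "Private key",
    re: /-----BEGIN (?:RSA |EC |OPENSSH |PGP )?PRIVATE KEY(?: BLOCK)?-----/ },
  // Group 1 captures the password part of scheme://user:password@host
  { type: "Database connection string",
    re: /\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?):\/\/[^\s:@\/]+:([^\s@\/]+)@/ },
];

// True when the "password" is an env reference such as ${DB_PASS} or $DB_PASS.
const isPlaceholder = (s) => /^\$\{[^}]+\}$|^\$\w+$/.test(s);

// Keep only a 4-character prefix so the report never re-leaks the secret.
const redact = (s) => s.slice(0, 4) + "*".repeat(Math.max(s.length - 4, 0));

function scanText(file, text) {
  const findings = [];
  text.split(/\r?\n/).forEach((lineText, i) => {
    for (const { type, re } of RULES) {
      const m = re.exec(lineText);
      if (!m) continue;
      if (m[1] !== undefined && isPlaceholder(m[1])) continue; // already an env var
      findings.push({ file, line: i + 1, type, preview: redact(m[0]) });
    }
  });
  return findings;
}

const scanFiles = (files) =>
  Object.entries(files).flatMap(([file, text]) => scanText(file, text));

// Constructed sample input (no real credentials; the AWS ID is AWS's doc example).
const SAMPLE = {
  "src/config.js": [
    'const region = "us-east-1";',
    'const keyId = "AKIAIOSFODNN7EXAMPLE";',
    'const db = "postgres://app:hunter2@db.internal:5432/app";',
    'const safe = `postgres://app:${process.env.DB_PASS}@db.internal/app`;',
  ].join("\n"),
  "deploy.sh": "export GH_TOKEN=ghp_" + "a".repeat(36),
};

console.log(scanFiles(SAMPLE));
```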
Package Auditor
Community-Powered
Audit third-party packages and repos before installing. Detect malware, typosquatting, and suspicious code. Community findings help everyone.
What We Check
- Malware signatures & patterns
- Typosquatting detection
- Project health (maintenance, contributors)
- Suspicious network calls
- Dangerous post-install scripts
Example
```text
> "audit cool-utils before install"

[✓] Auditing cool-utils@2.1.0...

⚠ HIGH RISK (Score: 35/100)

🔴 Security Issues:
  • Obfuscated code in utils.js
  • Suspicious network calls

🟡 Project Health:
  • Created 3 days ago
  • 1 contributor, no tests

❌ Recommendation: DO NOT INSTALL
```
Threat Feed
Access community-powered threat intelligence. See what malicious packages are trending. Get alerts when your dependencies are compromised.
Example
```text
> "show latest security threats"

🚨 Latest community threats:

1. fake-lodash-utils (npm) — CRITICAL
   Typosquatting, steals env variables
   First seen: 2 hours ago | 847 scans

2. cool-react-hooks (npm) — HIGH
   Contains crypto miner in minified code
   First seen: 5 hours ago | 234 scans

View more: wardnmesh.ai/threats
```
Privacy Model
Your Code (Secret Scanning)
- ✓ 100% local processing
- ✓ Zero data sent to any server
- ✓ No account required
- ✓ Works completely offline
Third-Party Code (Auditing)
- ✓ Repo URL logged (public info)
- ✓ Threat findings shared (improves detection)
- ✓ Contributes to community database
- ✗ Your code is NEVER sent
Available Tools
| Tool | Description | Data Collection |
|---|---|---|
| scan_project | Scan your project for secrets | None (100% local) |
| scan_file | Scan a specific file | None (100% local) |
| apply_fix | Auto-fix secrets with env vars | None (100% local) |
| audit_repo | Audit external repo/package | Anonymous stats only |
| check_threats | View latest community threats | None (read-only) |
