CodeSherlock MCP Server – Setup & Usage Guide

Configure the Model Context Protocol server once and keep every commit and working tree scan consistent across your team.

Integration with AI assistants like Claude Code, Cursor, Windsurf, Cline, VS Code and other MCP-compatible tools

Key Features

Analyze Uncommitted Changes

Scan staged and unstaged files before you commit so surprises never reach your repo.

Analyze Committed Changes

Review your latest commit to spot issues before pushing to remote or opening a PR.

Security Framework Coverage

Run checks aligned to OWASP Top 10 and the CWE catalog for focused security feedback.

Works With Your AI Assistant

Connects to Claude Desktop, Cline, Cursor, or any MCP-capable tool via a lightweight server.

Prerequisites

Quick checklist to confirm before you start:

  • Node.js (version 18.0.0 or higher) and npm installed on your system
  • A Git repository with code you want to analyze
  • An AI coding assistant that supports MCP (e.g., Claude Code, Cursor, VS Code, Cline, or similar)

The CodeSherlock MCP Server is available on the npm registry and can be used directly with npx.


Step 1: Get Your API Key

How to obtain it

  1. Visit the API key page: codesherlock.ai/codesherlock-mcp-server/mcp/api/key
  2. Sign in or create an account.
  3. Generate a new API key.
  4. Copy and store the key securely—you will be prompted for it by the MCP server.

Important security notes

  • Never share your API key or commit it to version control.
  • Store it in a password manager or environment variable.
  • If a key is compromised, regenerate it immediately from your dashboard.

Step 2: Configure Your AI Assistant

You need to add the CodeSherlock MCP Server configuration to your AI assistant's settings. Follow the instructions for your preferred IDE/assistant below.

Cursor

Steps to Configure

  1. Click the Settings (gear icon) on the top right corner
  2. Settings panel opens as a new tab in the center of the screen
  3. In the settings sidebar, navigate to Tools & MCP section
  4. Click on New MCP Server/Add a custom MCP Server button
  5. This opens the mcp.json config file
  6. Add the configuration below and save
  7. If you experience any installation problems, run npx -y @codesherlock/codesherlock-mcp-server in your terminal first to confirm that the package installs properly.
  8. Restart Cursor

Configuration

{
  "mcpServers": {
    "codesherlock": {
      "name": "CodeSherlock MCP Server",
      "description": "CodeSherlock is an AI- based code analysis tool that validates unstaged changes and commits directly inside IDEs and AI Agents. It helps developers catch security, quality, and design issues early by combining deep analysis with compliance-aware checks OWASP, CWE, SOC-2 at the moment code is written. CodeSherlock also performs other security vulnerability reviews along with Maintainability, Reliability and Scalability checks. Use CodeSherlock to review and validate code especially generated via AI.",
      "command": "npx",
      "args": [
        "-y",
        "@codesherlock/codesherlock-mcp-server"
      ],
      "env": {
        "MCP_API_KEY": "your-api-key-here"
      }
    }
  }
}

Windsurf

Steps to Configure

  1. Click on the Settings (gear icon) on the top right corner and select Windsurf Settings (or press Ctrl+,)
  2. In the settings search box, type mcp
  3. Find the MCP Servers section
  4. Click on Open MCP Marketplace
  5. In the MCP Marketplace, click the Settings (gear icon) to add a custom server
  6. This opens the mcp_config.json config file
  7. Add the configuration below and save
  8. Restart Windsurf

Configuration

{
  "mcpServers": {
    "codesherlock": {
      "name": "CodeSherlock MCP Server",
      "description": "CodeSherlock is an AI- based code analysis tool that validates unstaged changes and commits directly inside IDEs and AI Agents. It helps developers catch security, quality, and design issues early by combining deep analysis with compliance-aware checks OWASP, CWE, SOC-2 at the moment code is written. CodeSherlock also performs other security vulnerability reviews along with Maintainability, Reliability and Scalability checks. Use CodeSherlock to review and validate code especially generated via AI.",
      "command": "npx",
      "args": [
        "-y",
        "@codesherlock/codesherlock-mcp-server"
      ],
      "env": {
        "MCP_API_KEY": "your-api-key-here"
      }
    }
  }
}

Claude Code

Steps to Configure

  1. Run the following command in your terminal (replace the sample key cs_mcp_abcdef with your own API key):

For Windows users (run in CMD):

claude mcp add --transport stdio codesherlock --env MCP_API_KEY=cs_mcp_abcdef -- cmd /c npx -y @codesherlock/codesherlock-mcp-server

For Mac/Linux users:

claude mcp add --transport stdio codesherlock --env MCP_API_KEY=cs_mcp_abcdef -- npx -y @codesherlock/codesherlock-mcp-server

  2. Verify the configuration by running:

claude mcp list

  3. If the connection is successful, start Claude. If claude mcp list fails to connect, try reopening your terminal as an optional troubleshooting step.

Other useful commands:

claude mcp remove codesherlock   # Remove a server

Configuration

Manually add to config file (optional):

{
  "mcpServers": {
    "codesherlock": {
      "name": "CodeSherlock MCP Server",
      "description": "CodeSherlock is an AI- based code analysis tool that validates unstaged changes and commits directly inside IDEs and AI Agents. It helps developers catch security, quality, and design issues early by combining deep analysis with compliance-aware checks OWASP, CWE, SOC-2 at the moment code is written. CodeSherlock also performs other security vulnerability reviews along with Maintainability, Reliability and Scalability checks. Use CodeSherlock to review and validate code especially generated via AI.",
      "command": "npx",
      "args": [
        "-y",
        "@codesherlock/codesherlock-mcp-server"
      ],
      "env": {
        "MCP_API_KEY": "your-api-key-here"
      }
    }
  }
}

VS Code

Steps to Configure

Requires the GitHub Copilot extension to be installed.

  1. Press Ctrl+Shift+P (Windows) or Cmd+Shift+P (macOS) to open the Command Palette
  2. Type MCP: Open User Configuration
  3. This opens the MCP configuration file
  4. Add the configuration below and save
  5. Restart VS Code

Configuration

{
  "servers": {
    "codesherlock": {
      "name": "CodeSherlock MCP Server",
      "description": "CodeSherlock is an AI- based code analysis tool that validates unstaged changes and commits directly inside IDEs and AI Agents. It helps developers catch security, quality, and design issues early by combining deep analysis with compliance-aware checks OWASP, CWE, SOC-2 at the moment code is written. CodeSherlock also performs other security vulnerability reviews along with Maintainability, Reliability and Scalability checks. Use CodeSherlock to review and validate code especially generated via AI.",
      "command": "npx",
      "args": [
        "-y",
        "@codesherlock/codesherlock-mcp-server"
      ],
      "env": {
        "MCP_API_KEY": "your-api-key-here"
      }
    }
  }
}

Cline

Cline is a VS Code extension. Install it from the VS Code Marketplace; it is also available for other supported IDEs.

Steps to Configure

  1. Open Cline panel in VS Code
  2. Click on Manage MCP Servers
  3. Click on the Settings (gear icon)
  4. Click on Configure MCP Servers button
  5. This opens the cline_mcp_settings.json config file
  6. Add the configuration below and save
  7. Restart VS Code

Configuration

{
  "mcpServers": {
    "codesherlock": {
      "name": "CodeSherlock MCP Server",
      "description": "CodeSherlock is an AI- based code analysis tool that validates unstaged changes and commits directly inside IDEs and AI Agents. It helps developers catch security, quality, and design issues early by combining deep analysis with compliance-aware checks OWASP, CWE, SOC-2 at the moment code is written. CodeSherlock also performs other security vulnerability reviews along with Maintainability, Reliability and Scalability checks. Use CodeSherlock to review and validate code especially generated via AI.",
      "command": "npx",
      "args": [
        "-y",
        "@codesherlock/codesherlock-mcp-server"
      ],
      "env": {
        "MCP_API_KEY": "your-api-key-here"
      }
    }
  }
}
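Every client config above carries the key as a literal string, which is exactly what the security notes in Step 1 warn against committing. The following script is an added example (not part of the CodeSherlock package) that builds the client config from an environment variable instead, rejects the placeholder or a whitespace-padded key before it ever reaches the file, and emits the "servers" root for VS Code versus "mcpServers" for Cursor, Windsurf, Claude Code and Cline. CODESHERLOCK_API_KEY is an assumed variable name of mine; the optional "description" field is omitted.

```python
# Added example (not CodeSherlock's own code): build the MCP client config from an
# environment variable so the key never sits in a committed file. CODESHERLOCK_API_KEY
# is an assumed name of mine; MCP_API_KEY is the variable the server reads.
# VS Code nests servers under "servers"; the other clients use "mcpServers".
import json
import os
import sys

PACKAGE = "@codesherlock/codesherlock-mcp-server"
PLACEHOLDER = "your-api-key-here"
# Only VS Code differs; Cursor, Windsurf, Claude Code and Cline use "mcpServers".
ROOT_KEY = {"vscode": "servers"}


def key_problem(key):
    """Return why the key is unusable, or None if it looks fine. Stray
    whitespace from a pasted key is a common cause of 'Invalid API key'."""
    if not key:
        return "empty"
    if key != key.strip():
        return "whitespace"
    if key == PLACEHOLDER:
        return "placeholder"
    return None


def build_config(client, api_key):
    """Return the config dict for the given client; raise if the key is bad."""
    problem = key_problem(api_key)
    if problem is not None:
        raise ValueError(f"MCP_API_KEY rejected: {problem}")
    server = {
        "name": "CodeSherlock MCP Server",
        "command": "npx",
        "args": ["-y", PACKAGE],
        "env": {"MCP_API_KEY": api_key},
    }
    return {ROOT_KEY.get(client, "mcpServers"): {"codesherlock": server}}


if __name__ == "__main__":
    # Usage: CODESHERLOCK_API_KEY=... python mcp_config.py vscode > mcp.json
    client = sys.argv[1] if len(sys.argv) > 1 else "cursor"
    key = os.environ.get("CODESHERLOCK_API_KEY")
    print(json.dumps(build_config(client, key), indent=2))
```

Redirect the output into the config file your client opened in the steps above, and keep that file out of version control so the expanded key is never committed.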

Step 3: Using CodeSherlock with Your AI Assistant

Once configured, you can start using CodeSherlock by prompting your AI assistant. The assistant will automatically invoke the MCP server tools to perform code analysis.

Analysis Types

CodeSherlock supports four analysis factors:

Factor            Description
power_analysis    A full-spectrum scan that covers the most essential and critical issues
owasp             Security analysis based on OWASP Top 10 vulnerabilities
cwe_mitre         Analyzes code against the Common Weakness Enumeration (CWE) MITRE framework
cwe_kev           Analyzes code against the CWE Known Exploited Vulnerabilities (KEV) catalog

Example Prompts

Drop these into your AI assistant to kick off a scan:

"Review my uncommitted changes using CodeSherlock"
"Use CodeSherlock to check my uncommitted code for CWE MITRE vulnerabilities"
"Analyze my latest commit for OWASP vulnerabilities using CodeSherlock"
"Check the last commit in my current repo for CWE KEV issues with CodeSherlock"

Understanding the Results

When Analysis Completes

The AI assistant will present the analysis results in a readable format, typically including:

  • Number of issues found
  • Severity levels (Critical, High, Medium, Low)
  • Issue categories
  • Affected files and line numbers
  • Descriptions and recommendations for each issue

Troubleshooting

"Server not found" or "MCP server failed to start"

  • Verify the configuration file path is correct
  • Check that Node.js and npm are properly installed

"Authentication failed" or "Invalid API key"

  • Verify your API key is correctly added to the configuration
  • Check for any extra spaces or characters in the API key
  • Regenerate your API key from the CodeSherlock dashboard
  • Ensure you've restarted your AI assistant after adding the key

"Not a Git repository"

  • Ensure you're analyzing a directory that contains a .git folder
  • Initialize a Git repository if needed: git init

"No changes to analyze"

  • For uncommitted analysis: Make sure you have modified files
  • For commit analysis: Verify the commit exists using git log
  • Check that you're in the correct Git repository

Analysis takes too long or times out

  • Start with analyzing specific files or smaller changesets
  • Check your internet connection
  • Break large changes into smaller commits for analysis

Best Practices

1. Integrate into Your Workflow

  • Before committing: Analyze uncommitted changes to catch issues early
  • After committing: Review commits before pushing to remote
  • During code review: Use analysis results to supplement manual reviews

2. Choose the Right Analysis Factor

  • Use OWASP: best for web applications and APIs; focuses on the OWASP Top 10 and other common web security risks.
  • Use CWE MITRE: ideal when you need deeper, classification-based coverage of software weaknesses across all domains.
  • Use CWE KEV: best for identifying known exploited vulnerabilities that are actively being used in attacks.
  • Use Power Analysis: a broad, high-coverage analysis designed to catch the most essential and critical issues across any type of project (web, mobile, backend, etc.).

3. Act on Results

  • Prioritize Critical and High severity issues immediately
  • Create tickets for Medium severity issues
  • Document Low severity issues for future refactoring

Getting Help

If you run into any issues, please email us at support@codesherlock.ai. We will help you resolve the issue as soon as possible.