FOR DEVELOPERS

Get the secure version on the first prompt.

VibeReview reads your repo, pulls the guardrails that match the file you're touching, and feeds them to Cursor, Claude Code, Copilot, or Codex. Your agent ships clean. You stay in flow.

14-day free trial · No card required

You prompting Cursor · app/api/orders.py

"Add an endpoint to fetch user orders by ID."

VibeReview matched 3 guardrails · invisibly
  • Parameterize SQL queries
  • Require an authenticated user
  • Filter rows by tenant
app/api/orders.py
from fastapi import Depends, FastAPI

app = FastAPI()
# `db` (the database handle) and `auth` (the authentication dependency) are defined in the app's own modules.

@app.get("/orders/{order_id}")
def get_order(
    order_id: int,
    user = Depends(auth),
):
    # Parameterized query, scoped to the authenticated user's own rows.
    return db.execute(
        "SELECT * FROM orders "
        "WHERE id = ? AND user_id = ?",
        (order_id, user.id),
    )

✓ Built secure on the first prompt — no review needed.
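The three guardrails above, worked through as an added example (not the page's or VibeReview's code) against an in-memory SQLite table with constructed rows: the guarded handler beside the unguarded shape it replaces. `User`, `make_db` and the table layout are assumptions standing in for the app's own `auth` dependency and `db` handle.

```python
import sqlite3
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: two users (the page's "tenants"), one order each.
SEED = [(10, 1, "keyboard"), (11, 2, "monitor")]


@dataclass
class User:
    """Stand-in for the object the page's `Depends(auth)` would inject (assumed)."""
    id: int


def make_db() -> sqlite3.Connection:
    # Assumed schema; the page never shows the orders table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, user_id INTEGER, item TEXT)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)", SEED)
    return db


def get_order_unguarded(db: sqlite3.Connection, order_id) -> Optional[tuple]:
    # The shape a guardrail-free prompt tends to produce: SQL built by string
    # formatting and no link between the row and the caller, so any id is
    # readable by anyone who is logged in (or not).
    return db.execute(
        f"SELECT id, user_id, item FROM orders WHERE id = {order_id}"
    ).fetchone()


def get_order(db: sqlite3.Connection, order_id: int, user: Optional[User]) -> Optional[tuple]:
    # Guardrail: require an authenticated user. FastAPI's Depends(auth) does this
    # before the handler runs; here it is an explicit check.
    if user is None:
        raise PermissionError("authentication required")
    # FastAPI's `order_id: int` rejects non-integers at the edge; mirrored here.
    if not isinstance(order_id, int):
        raise ValueError("order_id must be an integer")
    # Guardrail: parameterize. The driver binds both values, so the SQL text is
    # fixed no matter what the caller supplied.
    # Guardrail: filter rows to the caller. A valid id owned by another user
    # yields no row instead of leaking that user's data.
    return db.execute(
        "SELECT id, user_id, item FROM orders WHERE id = ? AND user_id = ?",
        (order_id, user.id),
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    print(get_order(db, 10, User(id=1)))   # own order: (10, 1, 'keyboard')
    print(get_order(db, 11, User(id=1)))   # another user's order: None
    print(get_order_unguarded(db, 11))     # unguarded handler leaks it: (11, 2, 'monitor')
```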

IDE

Guardrails arrive where you already type.

The MCP server registers with Cursor, Claude Code, Copilot, and Codex. When your prompt touches a sensitive path, the right rules load. You don't switch tools or context.

PROMPT

Right answer on the first try.

Your agent gets the threat-informed rules for the file you're editing. Auth code gets auth rules. SQL paths get injection rules. The output is shippable, not rewritten in review.

PR

Reviews focus on logic.

Reviewers see architecture comments instead of OWASP comments. The guardrails caught the security side before the diff. The PR queue moves.

1. Type your prompt.

Same Cursor or Claude Code session you already use. VibeReview's MCP server is connected once, then stays out of the way.

2. Guardrails load.

VibeReview matches the file path and the intent against your repo's threat model. It pulls the four or five rules that apply, not the forty in the catalogue.

3. Agent generates.

Your model produces code that fits the rules. Parameterized queries, tokenized inputs, scoped tokens, the lot.

4. Open the PR.

VibeReview's PR reviewer checks the diff against the same guardrails. If a rule slipped, it leaves a diff-aware comment. If not, the queue stays clean.

DEVELOPER QUESTIONS

What developers ask before they sign up.

How does VibeReview work with Claude Code / Cursor / Codex?

Via MCP. Add a small config entry and your IDE pulls the right guardrails on every prompt. The IDE never talks to us about your source — only about which rules apply.

How is VibeReview different from SAST tools like Snyk Code, Semgrep, or SonarQube?

SAST is reactive: scan after the fact, return a triage queue of findings. VibeReview is proactive: we threat-model the repo first, generate guardrails for those specific threats, then feed the rules to the IDE while the code is being written. The threats often never make it into the PR. When a PR does land, we comment only on the diff lines that crossed a rule — not the whole file. Run SAST for periodic audits; run VibeReview for the prompt-to-PR loop.

Doesn't my IDE already do security? Why not just Copilot's built-in checks?

Copilot, Cursor, and Codex catch what their model already knows — common bugs, popular patterns. They don't know your repo's threat model: which inputs are trusted, where the security boundary is, what data each endpoint touches. VibeReview builds the threat model first, generates rules from it, then serves them to the IDE via MCP on every prompt. Same IDE, no extra agent, rules tied to your specific threats — not a generic catalog.

Why MCP and not just another VS Code extension?

MCP is the only way to put a threat-informed rule in front of the model on every prompt. Extensions react after the suggestion lands; MCP shapes it before. Claude Code, Cursor, and Codex speak MCP natively. We still ship a VS Code extension for Copilot — since Copilot doesn't speak MCP yet — but everywhere else the threat-tied rules ride the protocol the IDE already supports.

Free for individual developers. Five-minute setup.

Connect a repo, install the MCP server, and your next prompt picks up the right guardrails.