Under the Hood
CodeMarine isn't an API wrapper. It's a high-performance local analysis engine. Here's how we achieve <50ms detection latency without your code ever leaving localhost.
1. The Guardian Daemon
A high-performance native binary (macOS universal binary, Linux, Windows) that runs as a background service. Instead of polling, it subscribes directly to the OS file-system event API:
- ➜ macOS: FSEvents API
- ➜ Linux: inotify kernel subsystem
- ➜ Windows: ReadDirectoryChangesW
This zero-polling architecture allows CodeMarine to wake up, scan a file, and go back to sleep in milliseconds, consuming negligible CPU (< 0.1% idle).
2. AST & Semantic Analysis
Regex isn't enough for modern security. CodeMarine parses your code into an Abstract Syntax Tree (AST) using Tree-sitter grammars.
This lets us catch logic flaws, such as calling jwt.decode (which returns the claims without checking the signature) where jwt.verify is required, regardless of how the call is formatted, split across lines, or reached through an import alias.
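The difference between a regex and an AST check, as an added example that is not CodeMarine's code: it uses Python's standard `ast` module instead of Tree-sitter and targets the PyJWT equivalent of the flaw above (`jwt.decode` with `options={"verify_signature": False}` or the legacy PyJWT 1.x `verify=False` flag). The sample source, the naive regex, and the alias resolution are constructed for the example.

```python
import ast
import re
from dataclasses import dataclass

# Constructed sample: three call sites, formatted differently; two of them
# disable signature verification (PyJWT semantics assumed for the example).
SAMPLE = '''
import jwt
import jwt as token_lib
from jwt import decode as jwt_decode

def a(t, k):
    return jwt.decode(t, k, algorithms=["HS256"])            # safe

def b(t, k):
    return token_lib.decode(
        t,
        k,
        options={
            "verify_signature": False,   # unsafe: multi-line call, aliased module
        },
    )

def c(t):
    return jwt_decode(t, verify=False)                         # unsafe: legacy PyJWT 1.x flag
'''

# A single-line regex misses both: the call in b() spans lines and never
# contains the literal text "jwt.decode", and c() calls an aliased name.
NAIVE_REGEX = re.compile(r'jwt\.decode\(.*verify_signature.*False')


@dataclass
class Finding:
    line: int
    reason: str


class JwtVerifyChecker(ast.NodeVisitor):
    """Resolves import aliases, then inspects every call to jwt.decode."""

    def __init__(self):
        self.aliases = {}      # local name -> canonical dotted name
        self.findings = []

    def visit_Import(self, node):
        for alias in node.names:
            if alias.name == "jwt":
                self.aliases[alias.asname or "jwt"] = "jwt"

    def visit_ImportFrom(self, node):
        if node.module == "jwt":
            for alias in node.names:
                self.aliases[alias.asname or alias.name] = f"jwt.{alias.name}"

    def _callee(self, func):
        # Canonical dotted name of the called function, or None if dynamic.
        if isinstance(func, ast.Name):
            return self.aliases.get(func.id, func.id)
        if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
            base = self.aliases.get(func.value.id, func.value.id)
            return f"{base}.{func.attr}"
        return None

    def visit_Call(self, node):
        if self._callee(node.func) == "jwt.decode":
            for kw in node.keywords:
                if kw.arg == "verify" and _is_false(kw.value):
                    self.findings.append(Finding(node.lineno, "verify=False"))
                if kw.arg == "options" and isinstance(kw.value, ast.Dict):
                    for key, val in zip(kw.value.keys, kw.value.values):
                        if (isinstance(key, ast.Constant) and key.value == "verify_signature"
                                and _is_false(val)):
                            self.findings.append(
                                Finding(node.lineno, 'options["verify_signature"]=False'))
        self.generic_visit(node)


def _is_false(node):
    return isinstance(node, ast.Constant) and node.value is False


def scan_ast(source):
    """AST-based scan: returns one Finding per unsafe jwt.decode call."""
    checker = JwtVerifyChecker()
    checker.visit(ast.parse(source))
    return checker.findings


def scan_regex(source):
    """Regex baseline: offsets of matches (empty for SAMPLE)."""
    return [m.start() for m in NAIVE_REGEX.finditer(source)]


if __name__ == "__main__":
    for f in scan_ast(SAMPLE):
        print(f"line {f.line}: {f.reason}")
    print("regex matches:", scan_regex(SAMPLE))
```

The line reported is where the call expression starts, which is what an editor needs to place a diagnostic; the regex finds nothing because it keys on surface text rather than on what the code calls.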
3. LSP & Editor Integration
We expose findings via the Language Server Protocol (LSP). This makes CodeMarine compatible with any modern editor out of the box.
In VS Code, Cursor, and Windsurf, we act as a language server. When the Daemon detects a vulnerability, it pushes a standardized textDocument/publishDiagnostics notification. The editor immediately renders this as a red squiggle with hover details and Quick Fix actions.
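What that notification looks like on the wire, as an added example rather than CodeMarine's own server code: the JSON-RPC framing (a `Content-Length` header, a blank line, then the body) and the `Diagnostic` shape follow the LSP 3.x specification; the file URI, message text, rule code and `source` label are constructed for the example.

```python
import io
import json


def make_diagnostic(line, start_col, end_col, message, code):
    # LSP positions are zero-based and the range end is exclusive.
    return {
        "range": {
            "start": {"line": line, "character": start_col},
            "end": {"line": line, "character": end_col},
        },
        "severity": 1,                 # DiagnosticSeverity.Error
        "code": code,                  # assumed rule identifier
        "source": "codemarine",        # assumed source label shown in the editor
        "message": message,
    }


def encode_publish(uri, diagnostics):
    """Frame a textDocument/publishDiagnostics notification as bytes."""
    msg = {
        "jsonrpc": "2.0",
        "method": "textDocument/publishDiagnostics",
        "params": {"uri": uri, "diagnostics": diagnostics},
    }
    body = json.dumps(msg).encode("utf-8")
    # Content-Length counts bytes of the body, not characters.
    return b"Content-Length: " + str(len(body)).encode("ascii") + b"\r\n\r\n" + body


def decode_message(stream):
    """Read one framed JSON-RPC message from a binary stream (the editor side)."""
    headers = {}
    while True:
        line = stream.readline()
        if line in (b"\r\n", b""):
            break
        name, _, value = line.decode("ascii").partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers["content-length"])
    return json.loads(stream.read(length))


def demo():
    uri = "file:///home/dev/app/auth.js"   # constructed
    finding = make_diagnostic(
        11, 13, 23,
        "jwt.decode() returns claims without checking the signature; use jwt.verify()",
        "jwt-unverified-decode",
    )
    # Diagnostics are replaced per URI: a follow-up publish with an empty list
    # is how the squiggle is cleared once the code is fixed.
    frames = encode_publish(uri, [finding]) + encode_publish(uri, [])
    stream = io.BytesIO(frames)
    return decode_message(stream), decode_message(stream)


if __name__ == "__main__":
    first, second = demo()
    print(first["params"]["diagnostics"][0]["message"])
    print("cleared:", second["params"]["diagnostics"] == [])
```

The second frame matters in practice: a server that forgets to publish an empty list leaves stale findings on screen after the developer has fixed the code.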
4. Local & Air-Gapped
The detection engine is self-contained. The pattern database is a signed SQLite file synced to ~/.codemarine/db.sqlite; fetching rule updates is the only thing that touches the network, and the code being scanned never does.
Because no code leaves your machine, CodeMarine works on airplanes, on air-gapped networks, or completely offline.
Developer Experience
Technical FAQ
Does it slow down my IDE?
No. The analysis runs in a separate daemon process (the Guardian), decoupled from the editor's UI thread. Tree-sitter grammars compile to native C parsers, which are orders of magnitude faster than JavaScript-based AST tools. Typical overhead is < 5MB RAM and 0.1% CPU when idle.
How do you handle "Slopsquatting" (Hallucinated Packages)?
We maintain a local Bloom filter of the top 1M packages from npm, PyPI, and Maven. When an AI suggests an import, we check it against this index offline. A Bloom filter can only err in one direction: "not present" is definite, while "present" is probabilistic, so a real package is never flagged as missing. If a name is absent from the index but looks plausible (it has a high "squatting score", for example because it is an edit or two away from a real package), we flag it before you run `npm install`.
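A working version of that check, as an added example and not CodeMarine's implementation: a Bloom filter sized from the standard formulas (m = -n ln p / (ln 2)^2, k = (m/n) ln 2) using double hashing over SHA-256, PyPI-style name normalisation, and an assumed "squatting score" defined as the Levenshtein distance to the nearest indexed name. The package list is a constructed six-entry stand-in for the real index.

```python
import hashlib
import math
import re


class BloomFilter:
    """Bit-array Bloom filter; 'no' is definite, 'maybe' has error rate ~p."""

    def __init__(self, expected_items, false_positive_rate):
        n, p = expected_items, false_positive_rate
        self.m = max(1, math.ceil(-n * math.log(p) / (math.log(2) ** 2)))
        self.k = max(1, round((self.m / n) * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item):
        # Kirsch-Mitzenmacher double hashing: h_i = h1 + i*h2 (mod m).
        digest = hashlib.sha256(item.encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item):
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def might_contain(self, item):
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))


def normalize_pypi(name):
    # PEP 503 normalisation: case-fold and collapse runs of "-", "_", ".".
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


# Constructed stand-in for the real top-1M index.
PYPI_INDEX = ["requests", "flask", "numpy", "pyjwt", "cryptography", "boto3"]


def build_index(names, false_positive_rate=1e-6):
    bf = BloomFilter(len(names), false_positive_rate)
    for n in names:
        bf.add(normalize_pypi(n))
    return bf


def check_import(bf, known_names, name, max_distance=2):
    """Return (verdict, nearest_known). 'known' is never flagged."""
    norm = normalize_pypi(name)
    if bf.might_contain(norm):
        return ("known", None)
    nearest = min(known_names, key=lambda k: levenshtein(norm, normalize_pypi(k)))
    score = levenshtein(norm, normalize_pypi(nearest))   # assumed "squatting score"
    if score <= max_distance:
        return ("suspected-squat", nearest)   # looks like a real package, but is not one
    return ("unknown", nearest)               # not indexed; likely hallucinated


if __name__ == "__main__":
    bf = build_index(PYPI_INDEX)
    for candidate in ["Requests", "reqeusts", "flask_secure_auth"]:
        print(candidate, "->", check_import(bf, PYPI_INDEX, candidate))
```

At the page's scale (n = 1,000,000, p = 10^-6) the formula gives about 28.8 million bits, roughly 3.6 MB, which fits the memory budget quoted in the FAQ. The false-positive direction is the one to remember: a hallucinated name can occasionally slip through as "known", but a real package is never wrongly flagged.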
What about false positives?
We prioritize precision over recall for Tier 1 alerts. We use data-flow analysis to track "tainted" variables. If a variable is hardcoded or safely sanitized before use, we won't flag it. You can also suppress rules via `.codemarineignore` or inline comments.
Ready to secure the edge?
Install the daemon and VS Code extension in under 2 minutes.