The problem
AI-generated code is everywhere. GitHub Copilot, Claude, ChatGPT — they all write code fast. But they also introduce subtle bugs, SQL injections, and insecure patterns that look totally fine at first glance.
I wanted a tool that sits inside my AI agent and reviews code before I ship it. Not a linter. Not a static analyzer. A strict senior engineer who actually explains why something is wrong and shows the fix.
What I built
mcp-code-sanitizer — an MCP server that plugs into Claude Desktop or Cursor and gives you a strict AI code review powered by Groq's free API (llama-3.3-70b).
Claude Desktop ──MCP──► code-sanitizer ──REST──► Groq API
Tools available
| Tool | What it does |
|---|---|
| analyze_code | Finds bugs, vulnerabilities, rates 0–100 |
| compare_code | Compares versions, detects regressions |
| explain_code | Step-by-step explanation for any level |
| generate_tests | Writes pytest/jest tests automatically |
| analyze_file | Analyzes whole files with parallel chunking |
| generate_report | Builds an HTML report |
Real example
I gave it this code:
def get_user(user_id):
    query = f"SELECT * FROM users WHERE id = {user_id}"
    return db.execute(query)
It returned in 2 seconds:
{
  "summary": "Critical SQL injection vulnerability",
  "score": 23,
  "issues": [{
    "severity": "critical",
    "line": 2,
    "title": "SQL Injection",
    "description": "f-string directly interpolates user_id into SQL query",
    "fix": "cursor.execute('SELECT * FROM users WHERE id = %s', (user_id,))"
  }]
}
Score 23/100. Ouch. But accurate.
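To make the finding above concrete, here is an added example (not code from the post or from mcp-code-sanitizer) that runs the flagged function and the suggested parameterized fix side by side against a constructed in-memory SQLite database. It assumes Python's built-in `sqlite3`, whose placeholder is `?` rather than the `%s` shown in the sanitizer's fix string; the sample rows and the `make_db`, `get_user_unsafe`, `get_user_safe` and `demo` names are mine.

```python
import sqlite3


def make_db():
    # Constructed sample data for the demonstration; not data from the post.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "carol")],
    )
    return conn


def get_user_unsafe(conn, user_id):
    # The pattern the sanitizer scored 23/100: the f-string splices the
    # caller's value into the SQL text, so the value is parsed as SQL.
    query = f"SELECT * FROM users WHERE id = {user_id}"
    return conn.execute(query).fetchall()


def get_user_safe(conn, user_id):
    # The suggested fix: the SQL text is fixed and the value is bound as a
    # parameter, so the driver always treats it as data, never as syntax.
    return conn.execute("SELECT * FROM users WHERE id = ?", (user_id,)).fetchall()


def demo():
    """Run both versions with a normal id and with a value that is not an id."""
    conn = make_db()
    benign = "2"
    # A non-numeric value that, once interpolated, changes the WHERE clause.
    crafted = "1 OR 1=1"
    return {
        "unsafe_benign": get_user_unsafe(conn, benign),   # one row
        "unsafe_crafted": get_user_unsafe(conn, crafted), # every row leaks
        "safe_benign": get_user_safe(conn, benign),       # one row
        "safe_crafted": get_user_safe(conn, crafted),     # no row: compared as text
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:15} -> {rows}")
```

The unsafe version returns the whole table for the crafted value because the clause became `id = 1 OR 1=1`; the parameterized version returns nothing because SQLite compares the bound text against the integer column and finds no match. A review tool only needs to see the f-string to flag this; the example shows why the score was justified.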
Why Groq?
- Free tier — generous limits, no credit card needed
- Fast — llama-3.3-70b responds in ~1-2 seconds
- JSON mode — structured output without parsing hacks
Architecture
The codebase is split into focused modules:
server.py # FastMCP entry (39 lines)
config.py # Constants
groq_client.py # API client with auto-retry on rate limits
cache.py # In-memory cache with TTL
prompts.py # System prompts
tools/ # One file per tool
The cache layer means identical code isn't sent to Groq twice — useful when reviewing the same function repeatedly during debugging.
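The post does not show cache.py, so the following is an added example of how such a layer can be built, not the project's own code. It assumes a cache keyed by a SHA-256 hash of the tool name plus the submitted code (after trimming trailing whitespace, so a re-saved file still hits), with entries that expire after a TTL measured on an injectable clock; `ReviewCache`, `review_with_cache`, `FakeClock` and `demo` are my names, and the stub API and sample snippet are constructed.

```python
import hashlib
import time


class ReviewCache:
    """In-memory cache keyed on (tool, code); entries expire after ttl_seconds."""

    def __init__(self, ttl_seconds=600, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so expiry can be exercised without sleeping
        self._store = {}    # key -> (expires_at, cached_result)

    @staticmethod
    def key(tool, code):
        # Normalise trailing whitespace so cosmetic re-saves of the same
        # function do not trigger a second API call.
        normalised = "\n".join(line.rstrip() for line in code.strip().splitlines())
        return hashlib.sha256(f"{tool}\0{normalised}".encode("utf-8")).hexdigest()

    def get(self, tool, code):
        k = self.key(tool, code)
        entry = self._store.get(k)
        if entry is None:
            return None
        expires_at, value = entry
        if self.clock() >= expires_at:
            del self._store[k]  # lazy eviction of a stale review
            return None
        return value

    def set(self, tool, code, value):
        self._store[self.key(tool, code)] = (self.clock() + self.ttl, value)

    def __len__(self):
        return len(self._store)


def review_with_cache(cache, tool, code, call_api):
    """Return (result, was_cache_hit); only call the API on a miss."""
    cached = cache.get(tool, code)
    if cached is not None:
        return cached, True
    result = call_api(tool, code)
    cache.set(tool, code, result)
    return result, False


class FakeClock:
    """Constructed clock so the demo can advance time deterministically."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def demo():
    clock = FakeClock()
    cache = ReviewCache(ttl_seconds=600, clock=clock)
    calls = []

    def fake_api(tool, code):  # stands in for the Groq call
        calls.append((tool, code))
        return {"summary": "stub review", "score": 23}

    snippet = "def get_user(user_id):\n    return db.execute(user_id)\n"
    _, hit1 = review_with_cache(cache, "analyze_code", snippet, fake_api)
    # Same content with trailing whitespace: should hit.
    _, hit2 = review_with_cache(cache, "analyze_code", snippet + "   \n", fake_api)
    # Same code, different tool: a different key, so a miss.
    _, hit3 = review_with_cache(cache, "explain_code", snippet, fake_api)
    clock.t += 601  # past the TTL
    _, hit4 = review_with_cache(cache, "analyze_code", snippet, fake_api)
    return {"hits": (hit1, hit2, hit3, hit4), "api_calls": len(calls)}


if __name__ == "__main__":
    print(demo())
```

Keying on the tool as well as the code matters: an `analyze_code` verdict must not be served to an `explain_code` request. The TTL keeps a stale review from outliving prompt or model changes indefinitely.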
GitHub Action included
The repo includes a GitHub Action that automatically reviews every PR and posts a structured comment:
- uses: actions/checkout@v4
# ... runs review_pr.py on changed files
# posts comment with issues, warnings, suggestions
# fails check if critical issues found
Get started in 3 commands
git clone https://github.com/notasandy/mcp-code-sanitizer
pip install -r requirements.txt
fastmcp dev inspector server.py
Get a free Groq key at console.groq.com and you're done.
Published everywhere
- GitHub: notasandy/mcp-code-sanitizer
- PyPI: pip install mcp-code-sanitizer
- Official MCP Registry: io.github.notasandy/mcp-code-sanitizer
- Glama catalog: glama.ai/mcp/servers
Would love to hear what you think — especially if you find bugs the sanitizer missed 😄