Security scanning for teams shipping classic or AI-generated code
scd is an open-source SAST scanner — it finds vulnerabilities in your codebase before they reach production. Self-hosted, privacy-first, and built for development teams shipping classic and AI-generated code.
AI writes code faster than you can review it
Claude Code, GitHub Copilot, and Cursor help your team ship faster than ever. But the same tools that accelerate delivery also accelerate the introduction of security vulnerabilities.
Most SMB development teams have no dedicated security engineer. Security reviews happen — if at all — as an afterthought. By the time a vulnerability reaches production, the cost of finding it has multiplied.
scd puts security in the workflow, not in a separate audit cycle.
Three layers, one workflow
scd works where development happens — in the terminal, in git, and in your team's daily rhythm. No SaaS subscription, no upload portal.
scd CLI
Open-source command-line scanner. Run scd scan in any repository. Git hooks scan automatically on commit and push. Reports in HTML, Markdown, and JSON — stored locally.
scd-server
Self-hosted team dashboard. Aggregates findings across all repositories and developers. Trend analysis, knowledge gap identification, exception approval workflow, and compliance reporting (CRA, NIS2). Runs inside your own infrastructure.
Deep Analysis
AI-powered analysis of each finding: real issue or false positive? Attack scenario? Exact fix? Available today via Claude API — only the triggering code line is sent, never whole files.
Coming soon — Local AI analysis via a local AI provider: your code never leaves your environment.
Included in Team tier
Your infrastructure, your control
Developer
Runs scd scan locally. Findings stay in ~/.scd/
scd scan
189+ rules applied. Pre-commit hooks intercept secrets. Results stored locally.
scd-server
Your server, your network. Aggregates team data. Runs on a VM inside your infrastructure.
AI Analysis
Deep analysis via Claude API — available today, controlled per-repo by trust level.
Coming soon — Fully offline AI analysis via a local AI provider.
What scd finds
- Injection vulnerabilities: SQL injection, command injection, LDAP injection — OWASP A03
- Authentication & session flaws: weak JWT algorithms, missing expiry, insecure session handling
- Cross-site scripting (XSS): reflected, stored, and DOM-based XSS in templates and output
- Secrets & sensitive data exposure: API keys, passwords, tokens in code and logs — caught at pre-commit
- Insecure dependencies: known CVEs matched against OSV and CISA KEV — locally, privately
- Infrastructure misconfigurations: hardcoded hosts, unsafe defaults, missing security headers
Built on OWASP and EU regulations
All rules map to OWASP Top 10, EU Cyber Resilience Act (CRA), and NIS2 directive requirements. Premium tiers generate ready-to-use compliance reports for documentation and conformity assessments.
Rules cover JavaScript, TypeScript, Python, PHP, and ASP.NET — the languages AI coding tools use most. Scanning is context-aware: test files are classified separately so they never inflate production findings.
scd also scans configuration and data files for leaked secrets and sensitive data.
"We are so serious about privacy that we do not even want your data."
— Core principle, Activemind Solutions AB
Self-hosted by design
scd-server runs in your own infrastructure. Scan results, findings, audit logs, and developer activity never leave your network. Activemind has no access to any of it.
No tracking, ever
No analytics SDKs. No behavioural telemetry. No usage data collection. The only external communication is license heartbeat and binary integrity verification — both documented and auditable.
Full transparency
Every external network call is documented in an integrity manifest. You can verify what leaves your network, when, and why. AI analysis records code_left_environment per finding.
Start free, scale with your team
scd CLI is free and open source — forever. For professional support and team features, contact us for tailored pricing.
- ✓ scd CLI with 189+ rules
- ✓ Local HTML, Markdown & JSON reports
- ✓ Git hooks (pre-commit + pre-push)
- ✓ Unlimited repositories
- ✓ scd insights (local)
- ✕ AI analysis per finding
- ✕ scd-server
- ✕ Team dashboard
- ✕ Trend analysis
- ✕ Compliance reports
- ✓ Everything in Starter
- ✓ Professional email support
- ✓ Guaranteed response time
- ✓ Direct Activemind contact
- ✓ Security guidance & consulting
- ✓ Onboarding session
- ✕ Team dashboard
- ✕ scd-server
- ✕ AI analysis per finding
- ✓ Everything in Starter
- ✓ scd-server (self-hosted)
- ✓ Team dashboard
- ✓ AI analysis per finding
- ✓ Knowledge gap analysis
- ✓ 12-week trend analysis
- ✓ Exception approval workflow
- ✓ CRA Compliance report
- ✓ Onboarding workshop (month 1)
More from Activemind
Beyond the product tiers, we work directly with teams that need something extra. Reach out if any of the below sounds relevant — nothing is off the shelf yet, but we are happy to talk.
scd CLI is free and open source
The core scanner, all 189+ OWASP rules, git hooks, and local reporting are free — forever. No account required, no data sent anywhere.
Open source is not a loss-leader or a demo mode. It is a genuine, complete security tool that any developer can run today. The commercial tier adds team infrastructure and professional support.
scd is licensed under AGPL-3.0. Using scd to scan your code does not affect your code's license in any way — the AGPL applies only if you incorporate scd's source code into your own product or distribute it as part of a service. Running scd scan imposes no obligations on your software whatsoever.
Ready to secure your codebase?
scd is developed and supported by Activemind Solutions AB — a Swedish security consultancy specialising in penetration testing, security audits, and developer training.
Pilot pricing available for the first five customers. Ask about founder pricing.