FORGE is a CLI + MCP server for Claude Code. 16 Opengrep rules plus two targeted LLM agents audit your repo, triage the noise, apply fixes, and rescan until clean. Built for the solo builder shipping Supabase apps from Lovable, Bolt, and v0.
Then run /forge inside Claude Code. Or skip the CLI and use the web UI.
CodeQL and Snyk hand you a report. FORGE runs inside Claude Code, applies the fixes, and reruns the scan until it’s clean.
One command inside Claude Code.
`pip install vibe2prod`, run the setup wizard, and four tools land in every Claude Code session: forge_scan, forge_status, forge_config, and forge_health. No web UI needed. Your repo never leaves your machine.
Opengrep + 2 targeted LLM agents.
16 deterministic Opengrep rules run first (secrets, SQL injection, XSS, path traversal, SSRF, auth bypass, CORS, insecure crypto, N+1 queries, silent exceptions, and more) at zero LLM cost. Then a Codebase Analyst (Minimax M2.5) maps your architecture and a Security Auditor (Claude Haiku 4.5) reasons over the findings for context and severity.
The slash skill closes the loop.
Run `/forge` in Claude Code and the skill walks the full cycle: scan, triage findings, update .forgeignore for false positives with structured v2 entries, fix real issues with Claude, then rescan to verify. Autonomous, auditable, and you stay in control of the diff.
One pip install, one interactive wizard. Point FORGE at Claude Code and it registers the MCP server, installs the /forge and /forgeignore slash skills, and you’re scanning in a minute.
The MCP server registers four tools:
- forge_scan: Run the full discovery pipeline on a repo path. Returns findings + Production Readiness Score.
- forge_status: Live progress of an in-flight scan: phase, active agents, cost, and time.
- forge_config: Active vibe2prod URL, forgeignore sharing consent, installed version.
- forge_health: Health check. Reports whether OPENROUTER_API_KEY is set and the MCP server is reachable.
1. `pip install vibe2prod`: Ships the CLI, MCP server, and bundled skills.
2. `vibe2prod setup`: Registers the MCP server + installs /forge & /forgeignore.
3. Then in Claude Code, `/forge`: Audit, triage, fix, and rescan. All inside Claude Code.
Headless mode skips the TUI and takes your key on the command line. Useful for Docker images, dotfiles, and AI agents running the setup themselves.
Same FORGE engine, no install required. Sign in, paste a GitHub URL, and the scan runs in an ephemeral sandbox. $15 signup credit, pay-per-scan after.
`pip install vibe2prod` installs the CLI, the MCP server, and the bundled /forge + /forgeignore skills.
`vibe2prod setup` detects Claude Code, registers the MCP tools, and copies the slash skills into ~/.claude/commands/.
The skill calls forge_scan (16 Opengrep rules plus two targeted LLM agents) and walks you through every finding.
False positives land in .forgeignore as structured entries. Real issues get patched, then the scan reruns to verify.
Every finding is classified by what you should actually do about it, calibrated to your project's stage and context.
CodeQL, Snyk, and Semgrep stop at detection and expect you to upload a repo. FORGE lives in your editor, explains what to do, then fixes the code for you.
| Capability | Other scanners | FORGE |
|---|---|---|
| Deterministic vulnerability scan | ✓ | ✓ |
| Runs inside Claude Code (no upload) | — | ✓ |
| LLM-reasoned severity + context | — | ✓ |
| Auto-applies the fix via /forge | — | ✓ |
| Structured false-positive suppression | — | ✓ |
| Rescans until the repo is clean | — | ✓ |
| Tuned for Supabase / Lovable / Bolt / v0 | — | ✓ |
These prices are for the managed web UI, and honestly, paying here is basically buying me a coffee. The markup keeps the sandbox running. For the cheapest scans, grab an OpenRouter key and switch to BYOK. You pay OpenRouter directly at cost.
No key at all? FORGE still runs the 16 Opengrep rules + deterministic scoring for free, forever. You lose the two LLM passes, but the static scan is yours.
$15 free balance on signup. No credit card required.
Add funds anytime. $5 minimum deposit.