Get This Tool
PreFlight
Summary
AI coding tools write fast and skip the boring parts — like checking whether your new auth endpoint leaks session tokens or your SQL query bypasses row-level security. PreFlight is the local scanner that catches those gaps before they reach a commit.
PreFlight installs via npm and runs as a pre-commit gate, scanning AI-generated code for security vulnerabilities in auth flows, database logic, and SQL patterns — then offering deterministic or AI-assisted patches inline. It integrates with VS Code, Cursor, and MCP clients, so the scan happens in the environment where the AI code was written. The free tier caps patches at ten, which is sufficient for evaluation but stops short of daily use on an active codebase. Teams that exceed that ceiling without a pro key lose the fix-application step and are left with scan output only. The repo is open-source and self-hosted, so the scan never phones home.
Bottom line: Pick PreFlight if you want a local, no-cloud security gate between Copilot and your main branch — but plan for the patch cap to force a licensing decision the moment a junior dev using AI tooling ships more than ten fixable issues in a sprint.
Pricing Plans
SubscriptionLast verified 2 weeks ago- Price
- $19/mo
- Free Tier
- Unlimited scans, 10 free patches (local + deep-reasoning AI)
Free Tier: PreFlight Guardian
Unlimited local scanning plus 10 free patch applications across local deterministic fixes and proxy-backed AI fixes. Zero config for scanning. A Pro key is only required after the 10 free patches are used.
- Unlimited local scanning
- 10 free patch applications
- Local deterministic fixes
- Proxy-backed AI fixes
- Zero config setup
Solo Pro
Unlimited scans and fixes, including deep reasoning remediation for complex multi-file architectural flaws, tenant isolation logic, and parametric SQL injections.
- Unlimited scans
- Unlimited fixes
- Deep reasoning remediation
- Complex multi-file architectural flaws
- Tenant isolation logic
- Parametric SQL injection handling
Teams
Per-seat pricing for team rollout with shared onboarding and unlimited scans and fixes.
- Team rollout
- Shared onboarding
- Unlimited scans
- Unlimited fixes
- Per-seat pricing
View full pricing on github.com →
Pricing may have changed since last verified. Check the official site for current plans.
Community Performance Report Card
No community ratings yet. Be the first to rate this tool!
Community Benchmarks Community
Sign in to submit a benchmarkNo community benchmarks yet. Be the first to share a real-world data point.
Pros
Sign in to edit- Runs entirely locally with no cloud dependency for scanning, so code never leaves the machine during the security check — which matters for teams under data-residency or compliance constraints.
- Pre-commit integration means vulnerabilities surface before they enter the repository rather than at PR review, so the team avoids the back-and-forth of post-commit security findings.
- RLS and SQL safety checks are explicitly scoped, so the specific class of vulnerability that AI tools most often miss in database logic gets dedicated coverage rather than a generic lint pass.
- MCP client support lets other tools and editor workflows invoke the scanner directly, so the security gate can be embedded in automated flows without requiring a separate manual step.
- Open-source codebase allows teams to audit the scan rules themselves, so trust in the tool does not depend solely on vendor claims about what it detects.
Cons
Sign in to edit- The free tier caps patch application at ten — once that limit is hit, the tool continues to surface findings but stops applying fixes. A team using AI coding tools daily will exhaust this on a single feature branch, forcing a licensing decision before they have enough production signal to evaluate the tool's accuracy.
- The scanner is scoped to auth, database, and SQL vulnerability classes. Teams that need coverage across a broader attack surface — dependency vulnerabilities, secret detection, SSRF, or injection beyond SQL — will need a separate tool running in parallel, which means maintaining two scan configurations and reconciling their output.
- The project shows a single star and no forks on GitHub at the time of curation, with an open issue logged. Teams evaluating this against established SAST tools with large community rule sets and documented false-positive rates will find precious little external evidence of production use — which is the condition under which a security-conscious team switches to a competitor with a longer track record.
Community Reviews
Sign in to write a reviewNo reviews yet. Be the first to share your experience.
About
- Platforms
- CLI, npm, VS Code, Cursor
- API Available
- No
- Self-Hosted
- Yes
- Last Updated
- 2026-06-23T16:18:22.539Z
Best For
Who it's for
- Developers using AI coding tools
- Teams enforcing local security gates
- Projects requiring RLS and SQL safety checks
- Local-first workflows without cloud dependency for scanning
What it does well
- Pre-commit scanning of AI-generated code
- Detecting security vulnerabilities in auth and database logic
- Applying deterministic or AI-assisted patches
- Integrating with VS Code, Cursor, and MCP clients
Integrations
Discussion Community
Sign in to commentNo discussion yet. Sign in to start the conversation.
Compare PreFlight
Spotted incorrect or missing data? Join our community of contributors.
Sign Up to ContributeCommunity Notes & Tips Community
Sign in to contributeBe the first to contribute. General notes, observations, gotchas, and tips from people who use this tool day-to-day.
Frequently Asked Questions
- Is PreFlight free?
- PreFlight has a permanent free tier alongside paid upgrades (paid plans from $19/mo). You can keep using a baseline version indefinitely without paying.
- Is PreFlight open source?
- Yes. PreFlight is open source.
- Can I self-host PreFlight?
- Yes. PreFlight supports self-hosting on your own infrastructure.
- What platforms does PreFlight support?
- PreFlight is available on: CLI, npm, VS Code, Cursor.
Hours Saved & ROI Stories Community
Sign in to contributeBe the first to contribute. Concrete time/cost savings, with context. e.g. "Cut my code review backlog from 4h to 45m per week."
Curated lists that include this category
PreFlight sits between your AI coding assistant and your version control system. The core workflow is a pre-commit scan: the tool inspects staged code for vulnerabilities in authentication logic, database queries, and SQL safety patterns — including row-level security (RLS) checks — then surfaces findings with an option to apply a deterministic or AI-assisted patch before the commit lands. Installation is via npm; the GitHub repo confirms local execution with no cloud dependency for the scanning step itself.
The differentiating feature is the MCP client integration. Beyond VS Code and Cursor extensions, PreFlight exposes an MCP interface, which means it can be invoked as an external tool from any MCP-compatible client. That positions it as a security checkpoint that other agents or editor workflows can call directly, rather than something a developer has to remember to run manually.
PreFlight fits tightest in teams that have adopted AI coding tools broadly and need a local enforcement layer before code reaches CI. It does not replace a full SAST pipeline or a cloud-based security scanner — it is scoped to the classes of vulnerability that AI code generators frequently introduce. The free tier enforces a hard patch limit, documented in the repo as ten patches before a PREFLIGHT_PRO_KEY is required for unlimited use. Teams running high-volume AI-assisted development will hit this ceiling inside a single sprint.
