Getting Started
Get up and running with Project CodeGuard in just a few steps.
Project CodeGuard Introduction Video
This video introduces Project CodeGuard and includes several demos on how to use it during code generation and code review with Claude Code, Codex, and other coding agents.
Prerequisites
Before you begin, familiarize yourself with how rules work in your AI coding tool:
Cursor uses .cursor/rules for rule configuration.
Windsurf uses .windsurf/rules for rule configuration.
GitHub Copilot uses .github/instructions for rule configuration.
Antigravity uses .agent/rules for rule configuration.
OpenCode uses .opencode/skills for skill configuration.
Installation
Option 1: Install Pre-built Rules (Recommended)
Select your AI coding tool and follow the instructions:
- Download
ide-rules-cursor.zipfrom the Releases page - Extract the ZIP file
-
Copy the
.cursor/directory to your project root:cp -r .cursor/ /path/to/your/project/ -
Restart Cursor to load the rules
- Download
ide-rules-windsurf.zipfrom the Releases page - Extract the ZIP file
-
Copy the
.windsurf/directory to your project root:cp -r .windsurf/ /path/to/your/project/ -
Restart Windsurf to load the rules
- Download
ide-rules-copilot.zipfrom the Releases page - Extract the ZIP file
-
Copy the
.github/directory to your project root:cp -r .github/ /path/to/your/project/ -
Restart your IDE to load the instructions
- Download
ide-rules-antigravity.zipfrom the Releases page - Extract the ZIP file
-
Copy the
.agent/directory to your project root:cp -r .agent/ /path/to/your/project/ -
Restart Antigravity to load the rules
Option A: Skills (recommended)
Using skills is more context-efficient as only relevant rules are loaded per session based on the files you're working with.
- Download
ide-rules-opencode.zipfrom the Releases page - Extract the ZIP file
-
Copy the
.opencode/directory to your project root:cp -r .opencode/ /path/to/your/project/ -
Restart OpenCode to load the skill
Option B: Remote Instructions (zero-maintenance)
All rules loaded every session, but always up to date: no local files to maintain.
Create an opencode.json in your project root:
opencode.json with remote URLs
{
"$schema": "https://opencode.ai/config.json",
"instructions": [
"https://raw.githubusercontent.com/cosai-oasis/project-codeguard/main/sources/core/codeguard-0-additional-cryptography.md",
"https://raw.githubusercontent.com/cosai-oasis/project-codeguard/main/sources/core/codeguard-0-api-web-services.md",
"https://raw.githubusercontent.com/cosai-oasis/project-codeguard/main/sources/core/codeguard-0-authentication-mfa.md",
"https://raw.githubusercontent.com/cosai-oasis/project-codeguard/main/sources/core/codeguard-0-authorization-access-control.md",
"https://raw.githubusercontent.com/cosai-oasis/project-codeguard/main/sources/core/codeguard-0-client-side-web-security.md",
"https://raw.githubusercontent.com/cosai-oasis/project-codeguard/main/sources/core/codeguard-0-cloud-orchestration-kubernetes.md",
"https://raw.githubusercontent.com/cosai-oasis/project-codeguard/main/sources/core/codeguard-0-data-storage.md",
"https://raw.githubusercontent.com/cosai-oasis/project-codeguard/main/sources/core/codeguard-0-devops-ci-cd-containers.md",
"https://raw.githubusercontent.com/cosai-oasis/project-codeguard/main/sources/core/codeguard-0-file-handling-and-uploads.md",
"https://raw.githubusercontent.com/cosai-oasis/project-codeguard/main/sources/core/codeguard-0-framework-and-languages.md",
"https://raw.githubusercontent.com/cosai-oasis/project-codeguard/main/sources/core/codeguard-0-iac-security.md",
"https://raw.githubusercontent.com/cosai-oasis/project-codeguard/main/sources/core/codeguard-0-input-validation-injection.md",
"https://raw.githubusercontent.com/cosai-oasis/project-codeguard/main/sources/core/codeguard-0-logging.md",
"https://raw.githubusercontent.com/cosai-oasis/project-codeguard/main/sources/core/codeguard-0-mcp-security.md",
"https://raw.githubusercontent.com/cosai-oasis/project-codeguard/main/sources/core/codeguard-0-mobile-apps.md",
"https://raw.githubusercontent.com/cosai-oasis/project-codeguard/main/sources/core/codeguard-0-privacy-data-protection.md",
"https://raw.githubusercontent.com/cosai-oasis/project-codeguard/main/sources/core/codeguard-0-safe-c-functions.md",
"https://raw.githubusercontent.com/cosai-oasis/project-codeguard/main/sources/core/codeguard-0-session-management-and-cookies.md",
"https://raw.githubusercontent.com/cosai-oasis/project-codeguard/main/sources/core/codeguard-0-supply-chain-security.md",
"https://raw.githubusercontent.com/cosai-oasis/project-codeguard/main/sources/core/codeguard-0-xml-and-serialization.md",
"https://raw.githubusercontent.com/cosai-oasis/project-codeguard/main/sources/core/codeguard-1-crypto-algorithms.md",
"https://raw.githubusercontent.com/cosai-oasis/project-codeguard/main/sources/core/codeguard-1-digital-certificates.md",
"https://raw.githubusercontent.com/cosai-oasis/project-codeguard/main/sources/core/codeguard-1-hardcoded-credentials.md"
]
}
Tradeoff
The skills approach (Option A) uses glob-scoped rules so only relevant rules are loaded based on the files you're editing. Remote instructions load all 23 rules into every session regardless of language. Remote URLs point to the main branch -- pin to a release tag (e.g. refs/tags/v1.3.0) if you need a stable, auditable snapshot.
Claude Code uses a plugin system instead of manual file installation:
-
Add the Project CodeGuard marketplace:
/plugin marketplace add cosai-oasis/project-codeguard -
Install the security plugin:
/plugin install codeguard-security@project-codeguard
The plugin automatically loads and applies security rules. See the Claude Code Plugin documentation for details.
OpenAI Codex uses agent skills for task-specific instructions.
Prerequisites
Make sure you're running the latest version of Codex before installing skills.
Option A: Skill installer
$skill-installer install from https://github.com/cosai-oasis/project-codeguard/tree/main/skills/software-security
Option B: Manual clone
mkdir -p .codex/skills
cd .codex/skills
git clone https://github.com/cosai-oasis/project-codeguard.git temp
mv temp/skills/software-security ./
rm -rf temp
Once installed, invoke the skill with $software-security or let Codex use it automatically when writing or reviewing code.
Codex Skills Documentation
For more information, see the OpenAI Codex Skills documentation.
Using multiple tools? Download ide-rules-all.zip for all formats in one archive.
Repository Level Installation
Installing at the repository level ensures all team members benefit from the security rules automatically when they clone the repository.
Hidden Files on macOS/Linux
On macOS/Linux, you may need to show hidden files:
- macOS Finder: Press Cmd+Shift+. to toggle visibility
- Linux: Use
ls -lain terminal or enable "Show Hidden Files" in your file manager
Option 2: Build from Source
If you want to customize or contribute to the rules:
# Clone the repository
git clone https://github.com/cosai-oasis/project-codeguard.git
cd rules
# Install dependencies (requires Python 3.11+)
uv sync
# Validate rules
uv run python src/validate_unified_rules.py sources/
# Convert rules (default: core rules only)
uv run python src/convert_to_ide_formats.py
# Or include all rules (core + owasp supplementary)
uv run python src/convert_to_ide_formats.py --source core owasp
# Copy the generated rules to your project
cp -r dist/.cursor/ /path/to/your/project/
cp -r dist/.windsurf/ /path/to/your/project/
cp -r dist/.github/ /path/to/your/project/
cp -r dist/.agent/ /path/to/your/project/
cp -r dist/.opencode/ /path/to/your/project/
Core vs OWASP Sources
Project CodeGuard has two source rule sets:
sources/core/: Official Project CodeGuard rules. These are the main rules packaged in releases and enabled by default.sources/owasp/: Supplementary rules originally derived from OWASP guidance. These are optional and are not enabled by default.
Use OWASP supplementary rules when you explicitly want broader coverage, such as deeper security reviews or reference-driven review workflows.
Rule Types: Always-On vs Glob-Scoped
Project CodeGuard supports two rule activation types:
- Always-on rules: Apply to all files in the project. These rules are for baseline safeguards that should always be in context.
- Glob-scoped rules: Apply only to matching file patterns (derived from
languagesin source frontmatter). These rules are for language- or framework-specific guidance.
Keeping Rules Updated (Automated)
For GitHub repositories, you can automate rule updates with a workflow that runs monthly and creates PRs when new versions are available.
Supported Formats
- Cursor (
.cursor/rules/) - Windsurf (
.windsurf/rules/) - GitHub Copilot (
.github/instructions/) - Antigravity (
.agent/rules/) - OpenCode (
.opencode/skills/software-security/rules/)
Setup
- Download
update-codeguard-rules.yml - Save to
.github/workflows/update-codeguard-rules.ymlin your repository - Commit and push
The workflow runs monthly (1st at 9:00 UTC) and can also be triggered manually from the Actions tab.
Verify Installation
After installation, your project structure should include:
your-project/
├── .agent/
│ └── rules/
├── .cursor/
│ └── rules/
├── .github/
│ └── instructions/
├── .opencode/
│ └── skills/
│ └── software-security/
├── .windsurf/
│ └── rules/
└── ... (your project files)
What's Included
The security rules cover essential areas:
Core Security Rules
- 🔐 Cryptography: Safe algorithms, secure key management, TLS configuration
- 🛡️ Input Validation: SQL injection, XSS prevention, command injection defense
- 🔑 Authentication: MFA, OAuth/OIDC, password security, session management
- ⚡ Authorization: RBAC/ABAC, access control, privilege escalation prevention
Platform-Specific Rules
- 📱 Mobile Apps: iOS/Android security, secure storage, transport security
- 🌐 API Security: REST/GraphQL/SOAP security, rate limiting, SSRF prevention
- ☁️ Cloud & Containers: Docker/Kubernetes hardening, IaC security
- 🗄️ Data Storage: Database security, encryption, backup protection
DevOps & Supply Chain
- 📦 Dependencies: Supply chain security, SBOM, vulnerability management
- 🔄 CI/CD: Pipeline security, artifact signing, secrets management
- 📝 Logging: Secure logging, monitoring, privacy-aware telemetry
Testing the Integration
To verify the rules are working:
- Open your IDE with the Project CodeGuard rules installed
- Start a new file in a supported language (Python, JavaScript, Java, C/C++, etc.)
- Ask your AI assistant to generate code that might have security implications:
- "Create a function to hash a password"
- "Write code to connect to a database"
-
"Generate an API endpoint with authentication"
-
Observe the output - The AI should automatically apply security best practices:
- Using strong cryptographic algorithms (bcrypt/Argon2 for passwords)
- Parameterized queries to prevent SQL injection
- Proper authentication/authorization checks
Next Steps
- Review Rules: Explore the security rules in your IDE's rules directory
- Test Integration: Generate some code and see the security guidance in action
- Share Feedback: Help us improve by opening an issue
- Contribute: See CONTRIBUTING.md to contribute new rules or improvements
You're Ready!
Project CodeGuard is now protecting your development workflow. The security rules will automatically guide AI assistants to generate more secure code.
Troubleshooting
Rules Not Working
If the AI assistant doesn't seem to follow the rules:
- Restart your IDE to ensure rules are loaded
- Check file location - Ensure rules are in the correct directory for your IDE
- Verify file format - Rules should be markdown files
- Test with explicit request - Ask the AI directly: "Follow the security rules when generating this code"
Performance Impact
The rules have minimal performance impact, but if you experience issues:
- Reduce rule count: Start with core rules (cryptography, input validation, authentication)
- Combine rules: Merge related rules into fewer files
- Report issues: Let us know via GitHub Issues
Getting Help
- Documentation: You're reading it! Check the FAQ for common questions
- GitHub Issues: Report bugs or ask questions
- Discussions: Join the community discussion