Getting Started
Get up and running with Project CodeGuard in just a few steps.
Project CodeGuard Introduction Video
This video introduces Project CodeGuard and includes several demos on how to use it during code generation and code review with Claude Code, Codex, and other coding agents.
Prerequisites
Before you begin, familiarize yourself with how rules work in your IDE:
Cursor uses .cursor/rules for rule configuration.
Windsurf uses .windsurf/rules for rule configuration.
GitHub Copilot uses .github/instructions for rule configuration.
Installation
Option 1: Download Pre-built Rules (Recommended)
- Download: Visit the Releases page and download the IDE-specific ZIP file:
  - ide-rules-all.zip - All IDE formats (recommended for teams using multiple tools)
  - ide-rules-cursor.zip - Cursor only
  - ide-rules-windsurf.zip - Windsurf only
  - ide-rules-copilot.zip - GitHub Copilot only
- Extract: Unzip the downloaded file
- Install: Copy the relevant IDE-specific rules to your project root:
  - For Cursor: Copy the .cursor/ directory to your project
  - For Windsurf: Copy the .windsurf/ directory to your project
  - For GitHub Copilot: Copy the .github/ directory to your project
Repository Level Installation
Installing at the repository level ensures all team members benefit from the security rules automatically when they clone the repository. Because the rule files are instructions your AI assistant will follow, review them like any other code in the repository: check what was committed and watch for changes to them in pull requests.
Hidden Files on macOS/Linux
On macOS/Linux, you may need to show hidden files:
- macOS Finder: Press Cmd+Shift+. to toggle visibility
- Linux: Use ls -la in a terminal or enable "Show Hidden Files" in your file manager
Claude Code Plugin
Claude Code uses a plugin system instead of manual file installation:
# Add the Project CodeGuard marketplace
/plugin marketplace add project-codeguard/rules
# Install the security plugin
/plugin install codeguard-security@project-codeguard
The plugin will be automatically loaded and apply security rules to your code. See the Claude Code Plugin documentation for more details.
Option 2: Build from Source
If you want to customize or contribute to the rules:
# Clone the repository
git clone https://github.com/project-codeguard/rules.git
cd rules
# Install dependencies (requires Python 3.11+)
uv sync
# Validate rules
uv run python src/validate_unified_rules.py sources/
# Convert rules (default: core rules only)
uv run python src/convert_to_ide_formats.py
# Or include all rules (core + owasp supplementary)
uv run python src/convert_to_ide_formats.py --source core owasp
# Copy the generated rules to your project
cp -r dist/.cursor/ /path/to/your/project/
cp -r dist/.windsurf/ /path/to/your/project/
cp -r dist/.github/ /path/to/your/project/
Verify Installation
After installation, your project structure should include:
your-project/
├── .cursor/
│ └── rules/
├── .windsurf/
│ └── rules/
├── .github/
│ └── instructions/
└── ... (your project files)
What's Included
The security rules cover essential areas:
Core Security Rules
- 🔐 Cryptography: Safe algorithms, secure key management, TLS configuration
- 🛡️ Input Validation: SQL injection, XSS prevention, command injection defense
- 🔑 Authentication: MFA, OAuth/OIDC, password security, session management
- ⚡ Authorization: RBAC/ABAC, access control, privilege escalation prevention
Platform-Specific Rules
- 📱 Mobile Apps: iOS/Android security, secure storage, transport security
- 🌐 API Security: REST/GraphQL/SOAP security, rate limiting, SSRF prevention
- ☁️ Cloud & Containers: Docker/Kubernetes hardening, IaC security
- 🗄️ Data Storage: Database security, encryption, backup protection
DevOps & Supply Chain
- 📦 Dependencies: Supply chain security, SBOM, vulnerability management
- 🔄 CI/CD: Pipeline security, artifact signing, secrets management
- 📝 Logging: Secure logging, monitoring, privacy-aware telemetry
Testing the Integration
To verify the rules are working:
- Open your IDE with the Project CodeGuard rules installed
- Start a new file in a supported language (Python, JavaScript, Java, C/C++, etc.)
- Ask your AI assistant to generate code that might have security implications:
  - "Create a function to hash a password"
  - "Write code to connect to a database"
  - "Generate an API endpoint with authentication"
- Observe the output - The AI should automatically apply security best practices:
  - Using strong cryptographic algorithms (bcrypt/Argon2 for passwords)
  - Parameterized queries to prevent SQL injection
  - Proper authentication/authorization checks
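To make the first two checks concrete, here is an added example (not Project CodeGuard's own code and not output from any assistant) that puts the weak pattern next to the hardened one for the password and database prompts. It assumes an in-memory SQLite table with constructed sample users, and it uses hashlib.scrypt from the standard library so it runs offline; the rules point you to bcrypt or Argon2, which need a third-party package, but the property to look for is the same: a salted, slow, memory-hard KDF and a constant-time comparison.

```python
"""Added example, not Project CodeGuard's own code: the "before" and "after"
you should see when running the integration test above.

Assumptions: constructed sample users in an in-memory SQLite table; scrypt
from the standard library stands in for bcrypt/Argon2 so the example needs no
third-party package.
"""
import hashlib
import hmac
import os
import sqlite3

# --- Prompt 1: "Create a function to hash a password" ----------------------

def hash_password_weak(password: str) -> str:
    """What you do NOT want to see: unsalted fast hash, identical for equal
    passwords and cheap to brute-force offline."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str) -> str:
    """Salted scrypt, stored as 'scrypt$<salt>$<hash>' so parameters can be
    rotated later. n=2**14, r=8 needs 16 MiB per guess."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    algo, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=2**14, r=8, p=1)
    return hmac.compare_digest(digest.hex(), digest_hex)


# --- Prompt 2: "Write code to connect to a database" -----------------------

def make_db() -> sqlite3.Connection:
    """Constructed sample data (not real users)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw TEXT)")
    conn.executemany(
        "INSERT INTO users (username, pw) VALUES (?, ?)",
        [("alice", hash_password("correct horse")), ("bob", hash_password("hunter2"))],
    )
    return conn


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> list[tuple]:
    """String-built query: an attacker-controlled username rewrites the SQL."""
    return conn.execute(
        f"SELECT id, username FROM users WHERE username = '{username}'"
    ).fetchall()


def find_user(conn: sqlite3.Connection, username: str) -> list[tuple]:
    """Parameterized query: the username is bound as data, never parsed as SQL."""
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"  # classic tautology injection, constructed for the demo
    print("unsafe:", find_user_unsafe(conn, payload))  # every row comes back
    print("safe:  ", find_user(conn, payload))         # no such user, empty list
    stored = hash_password("correct horse")
    print(verify_password("correct horse", stored), verify_password("wrong", stored))
```

If the assistant's answer to "hash a password" looks like hash_password_weak, or its database code builds the query string with f-strings or concatenation like find_user_unsafe, the rules are not being applied; see Troubleshooting below.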
Next Steps
- Review Rules: Explore the security rules in your IDE's rules directory
- Test Integration: Generate some code and see the security guidance in action
- Share Feedback: Help us improve by opening an issue
- Contribute: See CONTRIBUTING.md to contribute new rules or improvements
You're Ready!
Project CodeGuard is now protecting your development workflow. The security rules will automatically guide AI assistants to generate more secure code.
Troubleshooting
Rules Not Working
If the AI assistant doesn't seem to follow the rules:
- Restart your IDE to ensure rules are loaded
- Check file location - Ensure rules are in the correct directory for your IDE
- Verify file format - Rules should be markdown files
- Test with explicit request - Ask the AI directly: "Follow the security rules when generating this code"
Performance Impact
The rules have minimal performance impact, but if you experience issues:
- Reduce rule count: Start with core rules (cryptography, input validation, authentication)
- Combine rules: Merge related rules into fewer files
- Report issues: Let us know via GitHub Issues
Getting Help
- Documentation: You're reading it! Check the FAQ for common questions
- GitHub Issues: Report bugs or ask questions
- Discussions: Join the community discussion