§ docs Install guide · ~30 seconds per channel.

Install anywhere
you ship code.

Pick your stack. Each install takes under 30 seconds. Same token works across every channel.

Get your token CLI MCP server VS Code extension JetBrains plugin Git pre-commit hook /secure command Probes

0. Get your token

Start here
  1. Sign in at literalsec.com/install (Google or GitHub).
  2. Copy your project token from the install page.
  3. Save it once — every channel reads ~/.literalsec/token.
$0 to start. Nothing to pay until we find your first real (medium or above) vulnerability.

1. CLI · the universal installer

Recommended

One command. Auto-detects git, VS Code, Claude Code, Cursor in your project — wires each.

curl -fsSL https://literalsec.com/install.sh | bash

Then, in any project:

literalsec init

Other commands:

2. MCP server · for AI agents

Core

Adds a secure tool the AI can call. Works in Claude Code, Cursor agent mode, Windsurf, Cline, Continue, Roo Code, Goose. Also enables /secure.

Claude Code

claude mcp add --transport http --scope user literalsec \
  https://literalsec.com/mcp \
  --header "Authorization: Bearer YOUR_TOKEN"

Cursor / Windsurf

Add to .cursor/mcp.json or .windsurf/mcp.json:

{
  "mcpServers": {
    "literalsec": {
      "url": "https://literalsec.com/mcp",
      "headers": { "Authorization": "Bearer YOUR_TOKEN" }
    }
  }
}

Cline · Continue · Roo · Goose

Same MCP shape. URL https://literalsec.com/mcp + Authorization header.

3. VS Code extension · universal save-time scan

Universal

The extension catches both editor saves (Cmd-S) and direct file writes (AI tools that bypass the editor). Scoped to the open workspace — never scans outside your project root. Findings appear in the Problems panel.

Manual install — download the .vsix

The extension isn't published to the Marketplace yet (coming soon). Install manually:

  1. Download literalsec-1.0.6.vsix (v1.0.6)
    SHA-256 in SHA256SUMS · verify with sha256sum literalsec-1.0.6.vsix
  2. One-liner from terminal (works for VS Code / Cursor / Windsurf / Codespaces / VSCodium): 
    code --install-extension literalsec-1.0.6.vsix
    Cursor: cursor --install-extension literalsec-1.0.6.vsix · Windsurf: windsurf --install-extension literalsec-1.0.6.vsix
  3. Reload the editor when prompted
  4. Open Settings → Extensions → Literal Security and paste your token (or save it once to ~/.literalsec/token)

Cursor (GUI)

  1. Cmd-Shift-P (or Ctrl-Shift-P) → "Extensions: Install from VSIX…"
  2. Pick literalsec-1.0.6.vsix
  3. Reload window when prompted
  4. Settings → Extensions → Literal Security → Token

Windsurf (GUI)

  1. Cmd-Shift-X → click the menu (top-right) → "Install from VSIX…"
  2. Pick literalsec-1.0.6.vsix
  3. Reload
  4. Settings → Extensions → Literal Security → Token

VS Code · GitHub Codespaces · VSCodium · Gitpod

  1. Cmd-Shift-X menu → "Install from VSIX…"
  2. Pick literalsec-1.0.6.vsix
  3. Reload
  4. Settings → Extensions → Literal Security → Token

Cline · Continue · Roo Code · GitHub Copilot · Codeium

These tools run as VS Code extensions themselves. Install our extension in the same VS Code (or Cursor / Windsurf) instance — both run side-by-side. When the agent writes a file via its internal write tool, our FileSystemWatcher catches it.

Zed · Claude Code (CLI) · Aider

Zed doesn't support VS Code extensions natively; Claude Code CLI and Aider are CLI tools. Use the MCP server for Claude Code, our CLI for Aider, and either MCP or the git hook for Zed.

4. JetBrains plugin · IDE family

Beta

IntelliJ IDEA, WebStorm, PyCharm, GoLand, RustRover, RubyMine, PhpStorm, CLion, Android Studio.

Manual install — download the .zip

  1. Download literalsec-jetbrains-1.0.2.zip (v1.0.2)
    SHA-256 in SHA256SUMS · verify with sha256sum literalsec-jetbrains-1.0.2.zip
  2. Open any JetBrains IDE → Settings → Plugins → click the at the top → Install Plugin from Disk…
  3. Pick literalsec-jetbrains-1.0.2.zip
  4. Restart the IDE when prompted
  5. Paste your token in Settings → Tools → Literal Security, or reuse ~/.literalsec/token

5. Git pre-commit hook · universal backstop

Universal

Works for any AI tool, any editor, any workflow — as long as you commit via git. Blocks commits with critical findings.

curl -fsSL https://literalsec.com/install-git-hook.sh | bash

Run from any git repo. Bypass per-commit: LITERALSEC_SKIP=1 git commit ...

6. The /secure command

Auto-included

After installing the MCP server, type /secure in any AI session. The AI scans every recently-edited source file and surfaces findings with title, file:line, evidence, and a concrete fix.

~100% invocation across every major AI coding assistant — frontier and open-source.

7. Add your site for probes

Paid tiers

Probes hit your deployed site for runtime issues. Findings route back to your IDE so the AI fixes the source.

  1. Dashboard → set your project's Site URL.
  2. (Optional, Startup+) Add authenticated session creds for behind-auth routes.
  3. Run probe or wait for the weekly / daily auto-scan.

Quotas: Solo 1/mo · Startup 2/mo · Business unlimited.

What we catch

FAQ

Do you train AI on my code?

No. Source code is stateless and never persisted. Only the audit log of findings is stored.

What if I'm offline?

Clients fail-open. Your save / commit proceeds. The next online scan picks up.

Can I bypass for a single commit?

LITERALSEC_SKIP=1 git commit ...

How do I rotate my token?

Dashboard → Rotate token. Update ~/.literalsec/token and any MCP configs that hardcoded it.