Usage Guide
Learn how to effectively use AIVory Guard’s compliance and security scanning features with your AI coding assistant.
- 5 MCP tools available for scanning, configuration, and health checks
- Automatic scanning - AI scans code as it generates, ensuring compliance from the start
- Batch scanning - Efficiently scan entire projects with a single command
- Multiple severity levels - Violations classified as Critical, High, Medium, or Low
- Iterative fixing - AI can detect, fix, and re-verify violations automatically
Overview
AIVory Guard integrates seamlessly into your coding workflow by providing your AI assistant with powerful scanning tools. The AI automatically uses these tools when generating code, ensuring compliance from the start.
Available Tools
AIVory Guard provides 5 MCP tools to your AI assistant.
fa-terminal commands in your AI assistant to invoke these tools directly, or let the AI call them automatically during code generation.
Tool Details & Examples
scan_code
Purpose: Scan a single file for compliance violations
Usage: Your AI assistant automatically calls this when generating code
You: "Write a user authentication function in Python"
AI: [Generates code and automatically scans it with scan_code]
AI: "I've created an authentication function with bcrypt password
hashing and rate limiting. The compliance scan found 0 violations
- the code meets OWASP and GDPR standards!"
batch_scan
Purpose: Scan multiple files efficiently
Usage: For scanning entire directories or projects
You: "Scan all files in the /api directory for compliance issues"
AI: [Uses batch_scan to check all files at once]
AI: "I've scanned 12 files in /api. Found 3 violations:
- auth.py line 45: Weak password hashing
- users.py line 23: SQL injection risk
- config.py line 10: Hardcoded credentials"
get_config
Purpose: View current compliance configuration
Usage: Check which standards are being enforced
You: "What compliance standards are you checking against?"
AI: [Calls get_config]
AI: "Currently enforcing:
OWASP Top 10
GDPR
HIPAA
PCI-DSS
SOC 2
ISO 27001
And 9 more standards..."
get_rules
Purpose: List available compliance rules
Usage: Understand what’s being checked
You: "What OWASP rules do you check?"
AI: [Calls get_rules with filter for OWASP]
AI: "Checking 127 OWASP rules including:
- A01:2021 - Broken Access Control
- A02:2021 - Cryptographic Failures
- A03:2021 - Injection
[full list...]"
health_check
Purpose: Verify backend connectivity
Usage: Test connection to app.aivory.net
You: "Is AIVory Guard working?"
AI: [Calls health_check]
AI: " AIVory Guard is healthy
- Backend: app.aivory.net
- Latency: 45ms
- Status: All systems operational"
Common Usage Patterns
Explore the four primary patterns for integrating AIVory Guard into your workflow.
Pattern 1: Generate and Scan
The most common pattern - AI generates code and automatically scans it:
You: "Create a REST API endpoint for password reset"
AI: [Generates code with security best practices]
[Automatically scans with scan_code]
[Reports results]
Best for: Single file/function generation
Pattern 2: Scan Existing Code
Ask the AI to scan code you’ve already written:
You: "Scan this authentication module for HIPAA violations:
[paste code]"
AI: [Uses scan_code to check the provided code]
[Lists violations and suggests fixes]
Best for: Reviewing existing code
Pattern 3: Iterative Fixing
AI generates code, finds violations, and fixes them automatically:
You: "Create a secure login endpoint"
AI: [Generates initial code]
[Scans and finds 2 violations]
[Fixes the violations]
[Re-scans to verify]
AI: "Created login endpoint. Fixed 2 security issues:
1. Added rate limiting
2. Upgraded to bcrypt password hashing
Final scan: 0 violations "
Best for: Production-ready code generation
Pattern 4: Batch Project Scan
Scan an entire project at once:
You: "Scan my entire /src directory for PCI-DSS compliance"
AI: [Uses batch_scan on all project files]
[Generates compliance report]
AI: "Scanned 47 files. Summary:
42 files compliant
5 files with violations (18 total violations)
Critical issues:
- payment.js: Unencrypted card data storage
- api.js: Missing input validation
[detailed breakdown...]"
Best for: Project-wide compliance audits
Understanding Scan Results
Violation Severity Levels
AIVory Guard classifies violations by severity:
Scan Result Format (JSON)
{
"status": "completed",
"violations": [
{
"severity": "high",
"standard": "OWASP",
"rule": "A02:2021 - Cryptographic Failures",
"message": "Weak password hashing algorithm detected",
"line": 23,
"column": 12,
"suggestion": "Use bcrypt, Argon2, or PBKDF2 for password hashing"
}
],
"summary": {
"total_violations": 1,
"critical": 0,
"high": 1,
"medium": 0,
"low": 0
}
}
Best Practices
Follow these recommendations to maximize your compliance scanning effectiveness.
Best Practice Examples
Scan Early and Often
Good:
You: "Create a user registration function"
AI: [Generates and immediately scans]
Not Ideal:
You: "Create a user registration function"
[Later...] "Now scan the entire codebase"
Be Specific About Standards
Good:
You: "Create a patient records API that meets HIPAA requirements"
AI: [Focuses on HIPAA-specific violations]
Less Effective:
You: "Create a patient records API"
AI: [Checks all standards, may miss HIPAA-specific issues]
Let AI Fix Violations Automatically
Good:
You: "Generate a login function and fix any violations found"
AI: [Generates, scans, fixes, re-scans automatically]
More Work:
You: "Generate a login function"
"What violations did you find?"
"Now fix them"
"Scan again"
Use Batch Scanning for Projects
Efficient:
You: "Scan all files in /api for compliance"
AI: [Uses batch_scan for all files at once]
Slow:
You: "Scan auth.py"
"Scan users.py"
"Scan config.py"
[etc...]
Example Conversations
See AIVory Guard in action with these real-world conversation examples.
Example 1: Secure API Endpoint
You: Create a REST API endpoint for credit card processing that
meets PCI-DSS requirements
AI: I'll create a secure credit card processing endpoint.
[Generates code with:
- TLS/SSL enforcement
- Card data encryption at rest
- Tokenization
- Audit logging
- Input validation]
Let me scan this for PCI-DSS compliance...
Scan complete: 0 violations found
The endpoint meets all PCI-DSS requirements:
- Card data is encrypted (AES-256)
- Uses tokenization to avoid storing raw card numbers
- TLS 1.2+ enforced for all connections
- Comprehensive audit logging
- Strong input validation
Example 2: HIPAA-Compliant Database
You: Design a patient database schema that's HIPAA compliant
AI: I'll create a HIPAA-compliant patient database schema.
[Generates schema with:
- Field-level encryption for PHI
- Access control tables
- Audit trail tables
- Data retention policies]
Scanning for HIPAA compliance...
Found 1 medium severity issue:
- Missing automatic encryption for email field
Let me fix that...
Fixed: Added encryption to email field
Re-scan: 0 violations
The schema now fully meets HIPAA requirements for
Protected Health Information (PHI) storage.
Example 3: Security Audit
You: Audit my authentication module for security issues
AI: I'll scan your authentication module for security vulnerabilities.
Scanning auth.py...
Found 3 violations:
HIGH - Line 45: Weak password hashing
Using MD5 for passwords
Recommendation: Migrate to bcrypt or Argon2
MEDIUM - Line 67: No rate limiting
Login endpoint vulnerable to brute force
Recommendation: Add rate limiting (5 attempts per minute)
LOW - Line 89: Verbose error messages
Error messages reveal user existence
Recommendation: Use generic error messages
Would you like me to fix these issues?
Tips for Effective Use
Quick tips to get the most out of AIVory Guard in your development workflow.
Limitations
Understanding what AIVory Guard can and cannot do helps set appropriate expectations.
What AIVory Guard Can't Do
</div>
<div class="docs-card-desc">Only scans static code, not runtime behavior.</div>
</div>
<div class="docs-card-desc">Cannot validate business-specific security requirements.</div>
</div>
<div class="docs-card-desc">Does not check server or network configuration.</div>
</div>
<div class="docs-card-desc">Does not scan third-party libraries (coming soon).</div>
Recommended Complementary Tools
For comprehensive security coverage, complement AIVory Guard with these tools:
| Tool Type | Examples | Purpose |
|---|---|---|
| SAST Tools | SonarQube, Checkmarx | Deeper static analysis |
| DAST Tools | OWASP ZAP, Burp Suite | Runtime testing |
| Dependency Scanners | Dependabot, Snyk | Library vulnerabilities |
| Manual Review | Security team | Critical system oversight |
Next Steps
Continue your AIVory Guard journey with these resources.