supership-scan
Predeploy security scanner for AI code. 80+ patterns. Runs locally. x402 attestation.
supership-scan
Predeploy security scanner for the agent economy. Built by Crest Deployment Systems.
Scans your code for 80+ vulnerability patterns across secrets, auth, injection, config, Supabase, and logging. Runs locally. Your code never leaves the machine.
Install
npm install -g supership-scan
Requires Node.js 18+.
Usage
CLI
supership-scan .
Scans the current directory and prints findings.
supership-scan ./my-project --attest
Scans and requests a witnessed attestation ($0.01 USDC on Base). Only the report envelope (hashes and findings) is transmitted. Never source code.
MCP Server
supership-mcp
Starts an MCP server for AI editors (Claude Code, Cursor, Windsurf). Exposes the scanner as tools that agents can call directly.
Example Output
supership v1.0.0
Scanning 42 files...
Score: 87/100
Grade: B
Findings:
HIGH AUTH-003 Missing auth middleware on /api/admin src/routes/admin.js:14
MEDIUM CFG-002 CORS wildcard in production src/server.js:8
LOW LOG-001 Error stack in response body src/middleware/error.js:22
Scan complete. Code never left this machine.
Rule Categories
| Category | Patterns | Examples |
|---|---|---|
| Secrets | 30+ | API keys, credentials, .env exposure, private keys |
| Auth | 12+ | Missing middleware, inverted logic, RLS gaps |
| Injection | 15+ | SQL interpolation, XSS, eval(), command injection |
| Config | 10+ | CORS wildcards, source maps, insecure cookies |
| Supabase | 8+ | RLS disabled, permissive policies, service_role misuse |
| Logging | 6+ | Sensitive data in logs, error stack exposure |
Scoring
Score starts at 100. Penalties: critical (-25), high (-10), medium (-5), low (-1).
Severity gates override the score:
- Any critical finding = grade F
- Any high finding = grade C max
| Grade | Score |
|---|---|
| A | 90+ |
| B | 75-89 |
| C | 60-74 |
| D | 40-59 |
| F | <40 or any critical |
Attestations
The scan is free. The attestation costs $0.01.
When you run --attest, supership sends a report envelope to the attestation server. The envelope contains hashes and findings only. The server signs it, anchors the hash to the chain, and returns a witnessed attestation.
The attestation proves a specific scan occurred at a specific time with specific results. It does not certify that code is secure.
What's transmitted: input hash, rule pack hash, engine version, findings, score, grade.
What's never transmitted: source code, file contents, environment variables.
Benchmark
npm test
Runs 20 deliberately vulnerable fixtures against the scanner. Expected: 90% true positive rate, 0 harmful false positives.
Privacy
- Scanning is entirely local. No network calls during a scan.
- Attestation transmits hashes and findings only. Never source code.
- No telemetry. No analytics. No tracking.
API
supership also runs as an x402-native API. Pay per scan with USDC on Base. No API keys, no subscriptions.
| Endpoint | Method | Price | Description |
|---|---|---|---|
/check | GET | Free | Trust check for any x402 service URL |
/scan/free | POST | Free | Score + grade, all 6 categories |
/scan/quick | POST | $1 | Secrets + config findings |
/scan/full | POST | $5 | All categories + fixes |
/scan/deep | POST | $15 | Full + LLM contextual review |
/attest | POST | $0.01 | Sign and witness a scan result |
API base: https://supership.crestsystems.ai
Discovery endpoints: agent.json | llms.txt | OpenAPI
Crest x402 Services
supership is part of the Crest Deployment Systems x402 service fleet. All services accept USDC payments on Base mainnet via the x402 protocol.
| Service | What it does | URL |
|---|---|---|
| supership | Predeploy security scanner + attestation | supership.crestsystems.ai |
| data | Crypto market data, token lookups, gas prices | data.crestsystems.ai |
| audit | Smart contract audit, code security, wallet risk | audit.crestsystems.ai |
Links
- supership API
- Documentation
- npm: supership-scan
- npm: @crestdeploymentsystems/supership-mcp
- Crest Deployment Systems -- deploying scalable intelligence
License
Apache 2.0. See LICENSE for details.
Rule engines (src/rules/) are Apache 2.0 with a relicense notice. See LICENSE for the full NOTICE.
Servidores relacionados
Alpha Vantage MCP Server
patrocinadorAccess financial market data: realtime & historical stock, ETF, options, forex, crypto, commodities, fundamentals, technical indicators, & more
Langfuse Prompt Management
Open-source tool for collaborative editing, versioning, evaluating, and releasing prompts.
Node.js API Docs
An MCP server for accessing and searching Node.js API documentation.
Rails Active MCP
A Ruby gem providing secure Rails console access through MCP for AI agents and development tools.
Shell Command MCP Server
Execute pre-configured and secure shell commands via a Go-based MCP server.
Markdown Sidecar MCP Server
Serve and access markdown documentation for locally installed NPM, Go, or PyPi packages.
Vibe Coder
An advanced MCP server for semantic routing, code generation, workflows, and AI-assisted development.
Mastra/mcp
Client implementation for Mastra, providing seamless integration with MCP-compatible AI models and tools.
Supra Code Generator MCP
Generates Supra Move contracts and TypeScript SDK code.
Trading Simulator
An MCP server for interacting with the Trading Simulator API to simulate trading activities.
ContextForge
Persistent memory MCP server for Claude — store decisions, code, and knowledge across sessions.