supership-scan
Predeploy security scanner for AI code. 80+ patterns. Runs locally. x402 attestation.
supership-scan
Predeploy security scanner for the agent economy. Built by Crest Deployment Systems.
Scans your code for 80+ vulnerability patterns across secrets, auth, injection, config, Supabase, and logging. Runs locally. Your code never leaves the machine.
Install
npm install -g supership-scan
Requires Node.js 18+.
Usage
CLI
supership-scan .
Scans the current directory and prints findings.
supership-scan ./my-project --attest
Scans and requests a witnessed attestation ($0.01 USDC on Base). Only the report envelope (hashes and findings) is transmitted. Never source code.
MCP Server
supership-mcp
Starts an MCP server for AI editors (Claude Code, Cursor, Windsurf). Exposes the scanner as tools that agents can call directly.
Example Output
supership v1.0.0
Scanning 42 files...
Score: 87/100
Grade: B
Findings:
HIGH AUTH-003 Missing auth middleware on /api/admin src/routes/admin.js:14
MEDIUM CFG-002 CORS wildcard in production src/server.js:8
LOW LOG-001 Error stack in response body src/middleware/error.js:22
Scan complete. Code never left this machine.
Rule Categories
| Category | Patterns | Examples |
|---|---|---|
| Secrets | 30+ | API keys, credentials, .env exposure, private keys |
| Auth | 12+ | Missing middleware, inverted logic, RLS gaps |
| Injection | 15+ | SQL interpolation, XSS, eval(), command injection |
| Config | 10+ | CORS wildcards, source maps, insecure cookies |
| Supabase | 8+ | RLS disabled, permissive policies, service_role misuse |
| Logging | 6+ | Sensitive data in logs, error stack exposure |
Scoring
Score starts at 100. Penalties: critical (-25), high (-10), medium (-5), low (-1).
Severity gates override the score:
- Any critical finding = grade F
- Any high finding = grade C max
| Grade | Score |
|---|---|
| A | 90+ |
| B | 75-89 |
| C | 60-74 |
| D | 40-59 |
| F | <40 or any critical |
Attestations
The scan is free. The attestation costs $0.01.
When you run --attest, supership sends a report envelope to the attestation server. The envelope contains hashes and findings only. The server signs it, anchors the hash to the chain, and returns a witnessed attestation.
The attestation proves a specific scan occurred at a specific time with specific results. It does not certify that code is secure.
What's transmitted: input hash, rule pack hash, engine version, findings, score, grade.
What's never transmitted: source code, file contents, environment variables.
Benchmark
npm test
Runs 20 deliberately vulnerable fixtures against the scanner. Expected: 90% true positive rate, 0 harmful false positives.
Privacy
- Scanning is entirely local. No network calls during a scan.
- Attestation transmits hashes and findings only. Never source code.
- No telemetry. No analytics. No tracking.
API
supership also runs as an x402-native API. Pay per scan with USDC on Base. No API keys, no subscriptions.
| Endpoint | Method | Price | Description |
|---|---|---|---|
/check | GET | Free | Trust check for any x402 service URL |
/scan/free | POST | Free | Score + grade, all 6 categories |
/scan/quick | POST | $1 | Secrets + config findings |
/scan/full | POST | $5 | All categories + fixes |
/scan/deep | POST | $15 | Full + LLM contextual review |
/attest | POST | $0.01 | Sign and witness a scan result |
API base: https://supership.crestsystems.ai
Discovery endpoints: agent.json | llms.txt | OpenAPI
Crest x402 Services
supership is part of the Crest Deployment Systems x402 service fleet. All services accept USDC payments on Base mainnet via the x402 protocol.
| Service | What it does | URL |
|---|---|---|
| supership | Predeploy security scanner + attestation | supership.crestsystems.ai |
| data | Crypto market data, token lookups, gas prices | data.crestsystems.ai |
| audit | Smart contract audit, code security, wallet risk | audit.crestsystems.ai |
Links
- supership API
- Documentation
- npm: supership-scan
- npm: @crestdeploymentsystems/supership-mcp
- Crest Deployment Systems -- deploying scalable intelligence
License
Apache 2.0. See LICENSE for details.
Rule engines (src/rules/) are Apache 2.0 with a relicense notice. See LICENSE for the full NOTICE.
Serveurs connexes
Alpha Vantage MCP Server
sponsorAccess financial market data: realtime & historical stock, ETF, options, forex, crypto, commodities, fundamentals, technical indicators, & more
Pica MCP Server
Integrates with the Pica API platform to interact with various third-party services through a standardized interface.
Claude MCP Tools
An MCP server ecosystem for integrating with Anthropic's Claude Desktop and Claude Code CLI.
Homebrew MCP
Interact with Homebrew (the package manager for macOS and Linux) using natural language commands.
MCP Emulator Controller
Control emulators by opening/closing apps, capturing screenshots, and interacting with the screen.
Minecraft MCP Server
A Python MCP server to control a Minecraft server via RCON using FastMCP.
AnythingMCP
Self-hosted MCP gateway: convert REST/SOAP/GraphQL/SQL APIs into MCP tools with 29 pre-built adapters, OAuth2, RBAC and audit log.
Code Index MCP
A server for code indexing, searching, and analysis, enabling LLMs to interact with code repositories.
Pharo NeoConsole
Evaluate Pharo Smalltalk expressions and get system information via a local NeoConsole server.
rxjs-mcp-server
Execute, debug, and visualize RxJS streams directly from AI assistants like Claude.
paytoll-mcp
Access 20+ DeFi, crypto, and AI endpoints through micro-payments. Get Aave rates, build DeFi transactions, fetch crypto prices, resolve ENS names, search Twitter, and query LLMs - all paid per-call with USDC on Base. No API keys needed, payment is the auth