supership-scan
Predeploy security scanner for AI code. 80+ patterns. Runs locally. x402 attestation.
supership-scan
Predeploy security scanner for the agent economy. Built by Crest Deployment Systems.
Scans your code for 80+ vulnerability patterns across secrets, auth, injection, config, Supabase, and logging. Runs locally. Your code never leaves the machine.
Install
npm install -g supership-scan
Requires Node.js 18+.
Usage
CLI
supership-scan .
Scans the current directory and prints findings.
supership-scan ./my-project --attest
Scans and requests a witnessed attestation ($0.01 USDC on Base). Only the report envelope (hashes and findings) is transmitted. Never source code.
MCP Server
supership-mcp
Starts an MCP server for AI editors (Claude Code, Cursor, Windsurf). Exposes the scanner as tools that agents can call directly.
Example Output
supership v1.0.0
Scanning 42 files...
Score: 87/100
Grade: B
Findings:
HIGH AUTH-003 Missing auth middleware on /api/admin src/routes/admin.js:14
MEDIUM CFG-002 CORS wildcard in production src/server.js:8
LOW LOG-001 Error stack in response body src/middleware/error.js:22
Scan complete. Code never left this machine.
Rule Categories
| Category | Patterns | Examples |
|---|---|---|
| Secrets | 30+ | API keys, credentials, .env exposure, private keys |
| Auth | 12+ | Missing middleware, inverted logic, RLS gaps |
| Injection | 15+ | SQL interpolation, XSS, eval(), command injection |
| Config | 10+ | CORS wildcards, source maps, insecure cookies |
| Supabase | 8+ | RLS disabled, permissive policies, service_role misuse |
| Logging | 6+ | Sensitive data in logs, error stack exposure |
Scoring
Score starts at 100. Penalties: critical (-25), high (-10), medium (-5), low (-1).
Severity gates override the score:
- Any critical finding = grade F
- Any high finding = grade C max
| Grade | Score |
|---|---|
| A | 90+ |
| B | 75-89 |
| C | 60-74 |
| D | 40-59 |
| F | <40 or any critical |
Attestations
The scan is free. The attestation costs $0.01.
When you run --attest, supership sends a report envelope to the attestation server. The envelope contains hashes and findings only. The server signs it, anchors the hash to the chain, and returns a witnessed attestation.
The attestation proves a specific scan occurred at a specific time with specific results. It does not certify that code is secure.
What's transmitted: input hash, rule pack hash, engine version, findings, score, grade.
What's never transmitted: source code, file contents, environment variables.
Benchmark
npm test
Runs 20 deliberately vulnerable fixtures against the scanner. Expected: 90% true positive rate, 0 harmful false positives.
Privacy
- Scanning is entirely local. No network calls during a scan.
- Attestation transmits hashes and findings only. Never source code.
- No telemetry. No analytics. No tracking.
API
supership also runs as an x402-native API. Pay per scan with USDC on Base. No API keys, no subscriptions.
| Endpoint | Method | Price | Description |
|---|---|---|---|
/check | GET | Free | Trust check for any x402 service URL |
/scan/free | POST | Free | Score + grade, all 6 categories |
/scan/quick | POST | $1 | Secrets + config findings |
/scan/full | POST | $5 | All categories + fixes |
/scan/deep | POST | $15 | Full + LLM contextual review |
/attest | POST | $0.01 | Sign and witness a scan result |
API base: https://supership.crestsystems.ai
Discovery endpoints: agent.json | llms.txt | OpenAPI
Crest x402 Services
supership is part of the Crest Deployment Systems x402 service fleet. All services accept USDC payments on Base mainnet via the x402 protocol.
| Service | What it does | URL |
|---|---|---|
| supership | Predeploy security scanner + attestation | supership.crestsystems.ai |
| data | Crypto market data, token lookups, gas prices | data.crestsystems.ai |
| audit | Smart contract audit, code security, wallet risk | audit.crestsystems.ai |
Links
- supership API
- Documentation
- npm: supership-scan
- npm: @crestdeploymentsystems/supership-mcp
- Crest Deployment Systems -- deploying scalable intelligence
License
Apache 2.0. See LICENSE for details.
Rule engines (src/rules/) are Apache 2.0 with a relicense notice. See LICENSE for the full NOTICE.
Máy chủ liên quan
Alpha Vantage MCP Server
nhà tài trợAccess financial market data: realtime & historical stock, ETF, options, forex, crypto, commodities, fundamentals, technical indicators, & more
Instant Meshes MCP
A 3D model processing server for automatic retopology, simplification, and quality analysis of OBJ/GLB models.
Symbolic Algebra MCP Server
Perform symbolic mathematics and computer algebra using the SymPy library.
GraphQL Schema
Exposes GraphQL schema information to LLMs, allowing them to explore and understand the schema using specialized tools.
Remote MCP Server (Authless)
An example of a remote MCP server deployable on Cloudflare Workers without authentication.
llm-prices
Compare LLM API pricing across 22 providers (OpenAI, Anthropic, Google, Mistral, and more) — calculate costs, find cheapest models, 128 models covered.
PHP MCP Server
A server-side implementation of the Model Context Protocol (MCP) for PHP applications, allowing exposure of application parts as standardized MCP Tools, Resources, and Prompts.
Yellhorn MCP
An MCP server that integrates Gemini 2.5 Pro and OpenAI models for software development tasks, allowing the use of your entire codebase as context.
D2 MCP Server
Generate, render, and manipulate D2 diagrams with incremental editing capabilities.
Tenets
Offline MCP server that ranks & summarizes code using BM25, TF-IDF, embeddings & git signals; integrates with Cursor, Claude Desktop and Windsurf; privacy preserving.
ForgeCraft
MCP server that generates production-grade engineering standards (SOLID, testing, architecture, CI/CD) for AI coding assistants