Is Supership Scan free?

Yes, Supership Scan is free to use.

How do I install Supership Scan?

Supership Scan is a local plugin. Install it using npm package: supership-scan and add the generated configuration snippet to your AI app's MCP config file. Then restart your AI app.

What credentials does Supership Scan need?

Supership Scan requires the following credentials or environment variables: SUPERSHIP_URL. You can find setup instructions on the server detail page.

What AI apps work with Supership Scan?

Supership Scan uses the Model Context Protocol (MCP) and works with any MCP-compatible AI app, including Claude, ChatGPT / Codex, Gemini, Copilot, Cursor, and more.

Back to Browse

Supership Scan MCP Server

by Andysalvo

Developer ToolsUse Caution4.8MCP RegistryLocal

Free

Server data from the Official MCP Registry

Predeploy security scanner. 80+ patterns. Runs locally. Optional x402 attestation.

About

Predeploy security scanner. 80+ patterns. Runs locally. Optional x402 attestation.

Security Report

4.8

Use Caution4.8High Risk

A well-designed security scanner MCP server with proper architecture and minimal security concerns. The server scans local code for vulnerabilities and sends analysis requests to a remote service, which is appropriate for its purpose. Code quality is good with proper input validation, safe file I/O, and clear separation of concerns. The remote service endpoint is configurable via environment variable, and no credentials are embedded in the code. Supply chain analysis found 3 known vulnerabilities in dependencies (0 critical, 3 high severity). Package verification found 1 issue.

7 files analyzed · 9 issues found

Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.

Permissions Required

This plugin requests these system permissions. Most are normal for its category.

File System Read

Reads files on your machine. Normal for tools that analyze or process local data.

file_list

Check that this permission is expected for this type of plugin.

HTTP Network Access

Connects to external APIs or services over the internet.

env_vars

Check that this permission is expected for this type of plugin.

What You'll Need

Set these up before or after installing:

URL of the supership attestation server (optional, defaults to supership.crestsystems.ai)Optional

Environment variable: SUPERSHIP_URL

How to Install

Add this to your MCP configuration file:

{
  "mcpServers": {
    "io-github-andysalvo-supership-scan": {
      "env": {
        "SUPERSHIP_URL": "your-supership-url-here"
      },
      "args": [
        "-y",
        "supership-scan"
      ],
      "command": "npx"
    }
  }
}

Documentation

View on GitHub

From the project's GitHub README.

supership-scan

Predeploy security scanner for the agent economy. Built by Crest Deployment Systems.

Scans your code for 80+ vulnerability patterns across secrets, auth, injection, config, Supabase, and logging. Runs locally. Your code never leaves the machine.

Install

npm install -g supership-scan

Requires Node.js 18+.

Usage

CLI

supership-scan .

Scans the current directory and prints findings.

supership-scan ./my-project --attest

Scans and requests a witnessed attestation ($0.01 USDC on Base). Only the report envelope (hashes and findings) is transmitted. Never source code.

MCP Server

supership-mcp

Starts an MCP server for AI editors (Claude Code, Cursor, Windsurf). Exposes the scanner as tools that agents can call directly.

Example Output

supership v1.0.0

Scanning 42 files...

Score: 87/100
Grade: B

Findings:
  HIGH   AUTH-003  Missing auth middleware on /api/admin   src/routes/admin.js:14
  MEDIUM CFG-002   CORS wildcard in production             src/server.js:8
  LOW    LOG-001   Error stack in response body            src/middleware/error.js:22

Scan complete. Code never left this machine.

Rule Categories

Category	Patterns	Examples
Secrets	30+	API keys, credentials, .env exposure, private keys
Auth	12+	Missing middleware, inverted logic, RLS gaps
Injection	15+	SQL interpolation, XSS, eval(), command injection
Config	10+	CORS wildcards, source maps, insecure cookies
Supabase	8+	RLS disabled, permissive policies, service_role misuse
Logging	6+	Sensitive data in logs, error stack exposure

Scoring

Score starts at 100. Penalties: critical (-25), high (-10), medium (-5), low (-1).

Severity gates override the score:

Any critical finding = grade F
Any high finding = grade C max

Grade	Score
A	90+
B	75-89
C	60-74
D	40-59
F	<40 or any critical

Attestations

The scan is free. The attestation costs $0.01.

When you run --attest, supership sends a report envelope to the attestation server. The envelope contains hashes and findings only. The server signs it, anchors the hash to the chain, and returns a witnessed attestation.

The attestation proves a specific scan occurred at a specific time with specific results. It does not certify that code is secure.

What's transmitted: input hash, rule pack hash, engine version, findings, score, grade.

What's never transmitted: source code, file contents, environment variables.

Benchmark

npm test

Runs 20 deliberately vulnerable fixtures against the scanner. Expected: 90% true positive rate, 0 harmful false positives.

Privacy

Scanning is entirely local. No network calls during a scan.
Attestation transmits hashes and findings only. Never source code.
No telemetry. No analytics. No tracking.

API

supership also runs as an x402-native API. Pay per scan with USDC on Base. No API keys, no subscriptions.

Endpoint	Method	Price	Description
`/check`	GET	Free	Trust check for any x402 service URL
`/scan/free`	POST	Free	Score + grade, all 6 categories
`/scan/quick`	POST	$1	Secrets + config findings
`/scan/full`	POST	$5	All categories + fixes
`/scan/deep`	POST	$15	Full + LLM contextual review
`/attest`	POST	$0.01	Sign and witness a scan result

API base: https://supership.crestsystems.ai

Discovery endpoints: agent.json | llms.txt | OpenAPI

Crest x402 Services

supership is part of the Crest Deployment Systems x402 service fleet. All services accept USDC payments on Base mainnet via the x402 protocol.

Service	What it does	URL
supership	Predeploy security scanner + attestation	supership.crestsystems.ai
data	Crypto market data, token lookups, gas prices	data.crestsystems.ai
audit	Smart contract audit, code security, wallet risk	audit.crestsystems.ai

License

Apache 2.0. See LICENSE for details.

Rule engines (src/rules/) are Apache 2.0 with a relicense notice. See LICENSE for the full NOTICE.

Reviews

No reviews yet

Be the first to review this server!

More Developer Tools MCP Servers

Fetch

Free

by Modelcontextprotocol · Developer Tools

Web content fetching and conversion for efficient LLM usage

Git

Free

by Modelcontextprotocol · Developer Tools

Read, search, and manipulate Git repositories programmatically

Toleno

Free

by Toleno · Developer Tools

Toleno Network MCP Server — Manage your Toleno mining account with Claude AI using natural language.

Supership Scan MCP Server

About

Security Report

Findings (9)Action required

Permissions Required

What You'll Need

How to Install

Documentation

supership-scan

Install

Usage

CLI

MCP Server

Example Output

Rule Categories

Scoring

Attestations

Benchmark

Privacy

API

Crest x402 Services

Links

License

Reviews

No reviews yet

More Developer Tools MCP Servers

Fetch

Git

Toleno

mcp-creator-python

MarkItDown

mcp-creator-typescript