AI-Native Security Scanner for websites and GitHub repositories
Trust - AI-Native Security Scanner
Scan websites and GitHub repositories for security vulnerabilities. AI analyzes root causes, generates fix code with before/after diffs, and creates one-click Fix PRs.
Live: https://www.trust-scan.me
Features
URL Security Scan
- DAST vulnerability detection with 5,000+ Nuclei templates
- Runtime checks for HTTP headers, SSL, CORS, cookie settings, and more
- Scan completes in under 30 seconds
GitHub Repo Scan
- SAST: Code-level vulnerability detection with Semgrep (XSS, SQL Injection, hardcoded secrets, etc.)
- Secrets: API key, token, and password exposure detection with Gitleaks
- SCA: Dependency CVE detection with npm audit
- Weighted scoring system (A+ to F grade)
AI Analysis (Pro)
- Root cause analysis for each vulnerability using Claude Sonnet
- Before/After code: Actual fix code diff generation
- Step-by-step remediation guide
Auto-Fix PR (Pro)
- One-click GitHub PR creation from AI-analyzed vulnerabilities
- Automatic branch creation + file modification + PR opening
- package.json version update support
Fix with AI (Pro)
- Fix prompt generation for all vulnerabilities
- Directly applicable in Cursor, Claude Code, and other IDEs
Additional Features
- Trust Badge: Security score-based README badge
- Benchmark: Compare security scores with other sites
- Shared Reports: Share scan result URLs (viewable without login)
- MCP Server: In-IDE security scanning for Claude Code and Cursor (8 tools + 3 resources)
- GitHub Action: Automated security scanning in CI/CD pipelines + PR comments
- Scheduled Scans: Hourly / Daily / Weekly automatic security scans + email/Slack alerts
- Weekly Digest: Weekly security report email (score trends, vulnerability summary)
- Push Notifications: Web Push notifications on scan completion
Plans
| | Free | Pro ($9.9/mo) |
|---|---|---|
| URL Scans | 5/month | Unlimited |
| Repo Scans | 3/month | Unlimited |
| AI Analysis | 2 per scan | Unlimited |
| Auto-Fix PR | - | Yes |
| Scheduled Scans | - | Yes |
| PDF/CSV Export | - | Yes |
MCP Server (Model Context Protocol)
Install with a single command in Claude Code, Cursor IDE, and other MCP clients to get real-time security feedback while coding.
Install (Claude Code)
```bash
claude mcp add --transport http trust-security "https://trust-mcp-144011703035.asia-northeast3.run.app/mcp"
```
Install (Claude Desktop / Cursor)
Add to your config file:
```json
{
  "mcpServers": {
    "trust-security": {
      "type": "http",
      "url": "https://trust-mcp-144011703035.asia-northeast3.run.app/mcp"
    }
  }
}
```
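Registering an MCP server is a trust decision: whatever code or URLs the assistant hands to the server leave your machine, so the entry name and endpoint should be pinned and not silently repointed. The following is an added example (not part of the Trust project) that merges the `trust-security` entry above into an existing `mcpServers` config, refuses to overwrite a same-named entry that points elsewhere, and rejects non-HTTPS HTTP-transport endpoints; the function names and the file-merge helper are this example's own.

```python
import json
from pathlib import Path

# Server entry exactly as given in the config snippet above (HTTP transport).
TRUST_SERVER_NAME = "trust-security"
TRUST_SERVER_URL = "https://trust-mcp-144011703035.asia-northeast3.run.app/mcp"


def trust_server_entry() -> dict:
    """The mcpServers entry for Trust, as shown in the page's config snippet."""
    return {"type": "http", "url": TRUST_SERVER_URL}


def merge_mcp_server(config: dict, name: str, entry: dict) -> dict:
    """Return a copy of `config` with `entry` registered under mcpServers[name].

    Raises ValueError if an HTTP-transport entry is not served over HTTPS, or
    if `name` is already registered with a different definition (so a config
    cannot be quietly repointed at another endpoint under the same name).
    Re-applying an identical entry is a no-op.
    """
    if entry.get("type") == "http" and not str(entry.get("url", "")).startswith("https://"):
        raise ValueError(f"refusing non-HTTPS MCP endpoint: {entry.get('url')!r}")
    merged = json.loads(json.dumps(config))  # deep copy; leave caller's dict untouched
    servers = merged.setdefault("mcpServers", {})
    existing = servers.get(name)
    if existing is not None and existing != entry:
        raise ValueError(f"mcpServers[{name!r}] already exists with a different definition")
    servers[name] = entry
    return merged


def install_into_file(path: Path) -> dict:
    """Merge the Trust entry into the JSON config at `path` (created if absent)."""
    config = json.loads(path.read_text()) if path.exists() else {}
    merged = merge_mcp_server(config, TRUST_SERVER_NAME, trust_server_entry())
    path.write_text(json.dumps(merged, indent=2) + "\n")
    return merged


if __name__ == "__main__":
    # Constructed demo: merge into a fresh temporary config and show the result.
    import tempfile
    demo_path = Path(tempfile.mkdtemp()) / "mcp.json"
    print(json.dumps(install_into_file(demo_path), indent=2))
```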
Available Tools (8 tools)
| Tool | Description | Example |
|---|---|---|
| scan_and_wait | Scan website + wait for results (recommended) | "Scan https://my-app.com" |
| scan_url | Start website scan (async) | "Start a scan" |
| get_scan_result | Get URL scan results | "Show scan results" |
| scan_repo_and_wait | Scan GitHub repo + wait for results (recommended) | "Security scan this repo" |
| scan_repo | Start repo scan (async) | "Start repo scan" |
| get_repo_scan_result | Get repo scan results | "Show repo scan results" |
| analyze_code_security | Analyze code vulnerabilities + secrets (37+ patterns) | "Check this code for security issues" |
| check_secrets | Detect API keys/passwords (20+ patterns) | "Any exposed keys in this code?" |
MCP Resources (3 resources)
Context resources automatically read by AI agents.
| Resource URI | Description |
|---|---|
| trust://scans/latest | Most recent scan result (score, grade, vulnerability count) |
| trust://scans/history | Last 10 scan history |
| trust://security/posture | Security posture summary (average score, trends, grade distribution) |
Tech Stack
| Area | Technology |
|---|---|
| Frontend | Next.js 16, React 19, TailwindCSS 4, Framer Motion |
| Backend | FastAPI, Python 3.11+, Nuclei, Semgrep, Gitleaks |
| Database | Supabase (PostgreSQL + Auth + RLS) |
| AI | Claude API (Anthropic) — Sonnet for analysis |
| Payment | Paddle (Pro subscription) |
| Deployment | Vercel (Frontend), Cloud Run (Backend + MCP) |
Project Structure
```text
.
├── app/                      # Next.js App Router
│   ├── page.tsx              # Landing (URL / Repo scan)
│   ├── report/[scanId]/      # Scan report page
│   ├── history/              # Scan history
│   ├── pricing/              # Pricing
│   ├── why-trust/            # Why Trust marketing
│   ├── auth/                 # OAuth callbacks (Supabase, GitHub)
│   ├── mcp/                  # MCP setup guide
│   ├── error.tsx             # Error boundary
│   └── not-found.tsx
```