trust-security
Detect live website vulnerabilities and security flaws in GitHub repositories using automated DAST and SAST scanning. Safeguard applications by identifying exposed secrets, insecure dependencies, and common code patterns prone to exploitation. Receive structured fix plans with precise code remediation steps to resolve identified risks and improve security posture.
README
Trust - AI-Native Security Scanner
Scan websites and GitHub repositories for security vulnerabilities. AI analyzes root causes, generates fix code with before/after diffs, and creates one-click Fix PRs.
Live: https://www.trust-scan.me
Features
URL Security Scan
- DAST vulnerability detection with 5,000+ Nuclei templates
- Runtime checks for HTTP headers, SSL, CORS, cookie settings, and more
- Scan completes in under 30 seconds
GitHub Repo Scan
- SAST: Code-level vulnerability detection with Semgrep (XSS, SQL Injection, hardcoded secrets, etc.)
- Secrets: API key, token, and password exposure detection with Gitleaks
- SCA: Dependency CVE detection with npm audit
- Weighted scoring system (A+ to F grade)
AI Analysis (Pro)
- Root cause analysis for each vulnerability using Claude Sonnet
- Before/After code: Actual fix code diff generation
- Step-by-step remediation guide
Auto-Fix PR (Pro)
- One-click GitHub PR creation from AI-analyzed vulnerabilities
- Automatic branch creation + file modification + PR opening
- package.json version update support
Fix with AI (Pro)
- Fix prompt generation for all vulnerabilities
- Directly applicable in Cursor, Claude Code, and other IDEs
Additional Features
- Trust Badge: Security score-based README badge
- Benchmark: Compare security scores with other sites
- Shared Reports: Share scan result URLs (viewable without login)
- MCP Server: In-IDE security scanning for Claude Code and Cursor (8 tools + 3 resources)
- GitHub Action: Automated security scanning in CI/CD pipelines + PR comments
- Scheduled Scans: Hourly / Daily / Weekly automatic security scans + email/Slack alerts
- Weekly Digest: Weekly security report email (score trends, vulnerability summary)
- Push Notifications: Web Push notifications on scan completion
Plans
| Free | Pro ($9.9/mo) | |
|---|---|---|
| URL Scans | 5/month | Unlimited |
| Repo Scans | 3/month | Unlimited |
| AI Analysis | 2 per scan | Unlimited |
| Auto-Fix PR | - | Yes |
| Scheduled Scans | - | Yes |
| PDF/CSV Export | - | Yes |
MCP Server (Model Context Protocol)
Install with a single command in Claude Code, Cursor IDE, and other MCP clients to get real-time security feedback while coding.
Install (Claude Code)
claude mcp add --transport http trust-security "https://trust-mcp-144011703035.asia-northeast3.run.app/mcp"
Install (Claude Desktop / Cursor)
Add to your config file:
{
"mcpServers": {
"trust-security": {
"type": "http",
"url": "https://trust-mcp-144011703035.asia-northeast3.run.app/mcp"
}
}
}
Available Tools (8 tools)
| Tool | Description | Example |
|---|---|---|
scan_and_wait |
Scan website + wait for results (recommended) | "Scan https://my-app.com" |
scan_url |
Start website scan (async) | "Start a scan" |
get_scan_result |
Get URL scan results | "Show scan results" |
scan_repo_and_wait |
Scan GitHub repo + wait for results (recommended) | "Security scan this repo" |
scan_repo |
Start repo scan (async) | "Start repo scan" |
get_repo_scan_result |
Get repo scan results | "Show repo scan results" |
analyze_code_security |
Analyze code vulnerabilities + secrets (37+ patterns) | "Check this code for security issues" |
check_secrets |
Detect API keys/passwords (20+ patterns) | "Any exposed keys in this code?" |
MCP Resources (3 resources)
Context resources automatically read by AI agents.
| Resource URI | Description |
|---|---|
trust://scans/latest |
Most recent scan result (score, grade, vulnerability count) |
trust://scans/history |
Last 10 scan history |
trust://security/posture |
Security posture summary (average score, trends, grade distribution) |
Tech Stack
| Area | Technology |
|---|---|
| Frontend | Next.js 16, React 19, TailwindCSS 4, Framer Motion |
| Backend | FastAPI, Python 3.11+, Nuclei, Semgrep, Gitleaks |
| Database | Supabase (PostgreSQL + Auth + RLS) |
| AI | Claude API (Anthropic) — Sonnet for analysis |
| Payment | Paddle (Pro subscription) |
| Deployment | Vercel (Frontend), Cloud Run (Backend + MCP) |
Project Structure
.
├── app/ # Next.js App Router
│ ├── page.tsx # Landing (URL / Repo scan)
│ ├── report/[scanId]/ # Scan report page
│ ├── history/ # Scan history
│ ├── pricing/ # Pricing
│ ├── why-trust/ # Why Trust marketing
│ ├── auth/ # OAuth callbacks (Supabase, GitHub)
│ ├── mcp/ # MCP setup guide
│ ├── error.tsx # Error boundary
│ └── not-found.tsx # 404 page
├── components/
│ ├── trust/ # Main view components
│ │ ├── client-app.tsx # Main app state management
│ │ ├── dashboard-view.tsx # Scan result dashboard
│ │ ├── landing-view.tsx # Landing view
│ │ ├── scanning-view.tsx # Scan progress view
│ │ ├── UpgradeModal.tsx # Go Pro modal
│ │ ├── NotificationToggle.tsx # Push notification toggle
│ │ ├── OnboardingTour.tsx # Onboarding tour
│ │ └── dashboard/
│ │ ├── CreateFixPRModal.tsx # Fix PR modal
│ │ ├── FixPromptModal.tsx # Fix Prompt modal
│ │ ├── ScheduleSection.tsx # Scheduled scan management
│ │ ├── DigestSection.tsx # Weekly digest settings
│ │ ├── BadgeSection.tsx # Trust Badge
│ │ ├── VulnerabilityList.tsx # Vulnerability list
│ │ └── ExportPanel.tsx # PDF/CSV export
│ └── ui/ # Shared UI (shadcn/ui)
├── lib/
│ ├── api.ts # Backend API client
│ ├── types.ts # TypeScript type definitions
│ ├── supabase.ts # Supabase client
│ └── subscription.ts # Pro subscription state management
│
├── backend/ # FastAPI Backend
│ ├── app/
│ │ ├── main.py # FastAPI entrypoint
│ │ ├── config.py # Configuration
│ │ ├── limiter.py # Rate limiting
│ │ ├── api/routes/
│ │ │ ├── scan.py # URL scan API
│ │ │ ├── repo_scan.py # GitHub repo scan API
│ │ │ ├── analyze.py # AI analysis API
│ │ │ ├── github.py # GitHub integration + Fix PR API
│ │ │ ├── github_webhook.py # GitHub webhook handler
│ │ │ ├── badge.py # Trust Badge API
│ │ │ ├── billing_webhook.py # Paddle billing webhook
│ │ │ ├── notifications.py # Notification settings API
│ │ │ └── scheduled_scans.py # Scheduled scan API
│ │ └── services/
│ │ ├── nuclei_scanner.py
│ │ ├── semgrep_scanner.py
│ │ ├── gitleaks_scanner.py
│ │ ├── repo_scanner.py # Unified repo scanner
│ │ ├── claude_analyzer.py # AI analysis (Claude)
│ │ ├── github_service.py # GitHub API service
│ │ ├── supabase_client.py # DB service
│ │ ├── scheduler.py # Scheduled scan scheduler
│ │ └── notifier.py # Email/Slack/digest notifications
│ ├── Dockerfile
│ └── requirements.txt
│
├── mcp-server/ # MCP Server (standalone service)
│ ├── server.py
│ ├── Dockerfile
│ └── requirements.txt
│
├── public/
│ └── sw.js # Push Notification Service Worker
│
└── docs/ # Documentation
├── README.ko.md # Korean documentation
├── ROADMAP.md
├── HANDOVER_CONTEXT_AWARE_FIX.md
└── REQUIREMENTS_UNIVERSAL_AUTO_FIX.md
API Endpoints
URL Scan
| Method | Endpoint | Description |
|---|---|---|
POST |
/api/scan |
Start URL scan |
GET |
/api/scan/{scan_id} |
Get scan status/results |
GET |
/api/scan/{scan_id}/export |
Export PDF/CSV |
Repo Scan
| Method | Endpoint | Description |
|---|---|---|
POST |
/api/repo-scan |
Start GitHub repo scan |
GET |
/api/repo-scan/{scan_id} |
Get repo scan status/results |
POST |
/api/repo-scan/{scan_id}/analyze |
Run AI analysis |
POST |
/api/repo-scan/{scan_id}/fix-prompt |
Generate fix prompt |
GitHub Integration
| Method | Endpoint | Description |
|---|---|---|
GET |
/api/github/connection |
Check GitHub connection status |
POST |
/api/github/connect |
Connect GitHub OAuth |
POST |
/api/github/create-fix-pr |
Create fix PR |
POST |
/api/github/fix-feedback |
Submit fix quality feedback |
DELETE |
/api/github/connection |
Disconnect GitHub |
AI Analysis
| Method | Endpoint | Description |
|---|---|---|
POST |
/api/analyze/{scan_id} |
Start AI analysis |
GET |
/api/analyze/{vuln_id} |
Get analysis results |
Badge
| Method | Endpoint | Description |
|---|---|---|
POST |
/api/badge/{scan_id} |
Issue badge |
GET |
/api/badge/{badge_id} |
Get badge SVG |
Scheduled Scans
| Method | Endpoint | Description |
|---|---|---|
POST |
/api/scheduled-scans |
Create scheduled scan |
GET |
/api/scheduled-scans |
List scheduled scans |
DELETE |
/api/scheduled-scans/{id} |
Delete scheduled scan |
POST |
/api/cron/run-schedules |
Execute schedules (Cloud Scheduler) |
History / Notifications
| Method | Endpoint | Description |
|---|---|---|
GET |
/api/scans/history |
Get scan history |
GET |
/api/notifications/settings |
Get notification settings |
PUT |
/api/notifications/settings |
Update notification settings |
Webhooks
| Method | Endpoint | Description |
|---|---|---|
POST |
/api/billing/webhook |
Paddle billing webhook |
POST |
/webhooks/github |
GitHub PR event webhook |
Getting Started
Prerequisites
- Node.js 20+
- Python 3.11+
- Nuclei, Semgrep, Gitleaks (security scanners)
- Supabase account
- Anthropic API key
1. Clone Repository
git clone --recurse-submodules https://github.com/Jaden-JJH/trust-security-scanner.git
cd trust-security-scanner
2. Frontend Setup
npm install
cp .env.example .env.local
npm run dev
Environment Variables (.env.local)
NEXT_PUBLIC_SUPABASE_URL=https://your-project.supabase.co
NEXT_PUBLIC_SUPABASE_ANON_KEY=your-anon-key
NEXT_PUBLIC_API_URL=http://localhost:8000
NEXT_PUBLIC_GITHUB_APP_CLIENT_ID=your-github-app-client-id
3. Backend Setup
cd backend
python -m venv venv
source venv/bin/activate
pip install -r requirements.txt
cp .env.example .env
uvicorn app.main:app --reload --port 8000
Deployment
Frontend (Vercel)
Auto-deploys on push to main branch via GitHub integration.
Backend (Cloud Run)
cd backend
gcloud builds submit --tag gcr.io/[PROJECT_ID]/trust-backend
gcloud run deploy trust-backend \
--image gcr.io/[PROJECT_ID]/trust-backend \
--platform managed --region asia-northeast3 \
--allow-unauthenticated
License
MIT License
Recommended Servers
playwright-mcp
A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.
Magic Component Platform (MCP)
An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.
Audiense Insights MCP Server
Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.
VeyraX MCP
Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.
graphlit-mcp-server
The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.
Kagi MCP Server
An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.
E2B
Using MCP to run code via e2b.
Neon Database
MCP server for interacting with Neon Management API and databases
Exa Search
A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.
Qdrant Server
This repository is an example of how to create a MCP server for Qdrant, a vector search engine.