Metadata-Version: 2.4
Name: tanav
Version: 0.1.2
Summary: AI Supply Chain Security scanner — scan MCP servers, skill files, and agent configs for security risks
License: MIT
Project-URL: Homepage, https://aiss.dev
Project-URL: Repository, https://github.com/jagatce/AISS
Project-URL: Issues, https://github.com/jagatce/AISS/issues
Keywords: mcp,security,ai,supply-chain,scanner,claude,cursor,kiro
Classifier: Development Status :: 4 - Beta
Classifier: Environment :: Console
Classifier: Intended Audience :: Developers
Classifier: Intended Audience :: System Administrators
Classifier: License :: OSI Approved :: MIT License
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Topic :: Security
Classifier: Topic :: Software Development :: Quality Assurance
Requires-Python: >=3.11
Description-Content-Type: text/markdown
Requires-Dist: httpx>=0.27
Requires-Dist: gitpython>=3.1
Requires-Dist: tomli>=2.0; python_version < "3.11"
Requires-Dist: packaging>=24.0

# tanav

**AI Supply Chain Security scanner.** Scan MCP servers, skill files, Kiro specs,
Cursor rules, and agent configs for security risks — no account required, fully local.

29% of 2,500+ public MCP repos carry CRITICAL findings.

## Install

```bash
# Run immediately with uvx (no install needed):
uvx tanav scan

# Or install permanently:
pip install tanav
```

## Usage

```bash
# Scan all local AI client configs (Claude, Cursor, Windsurf)
uvx tanav scan

# Scan a specific GitHub repo
uvx tanav scan --repo https://github.com/Significant-Gravitas/AutoGPT

# Scan an npm package
uvx tanav scan --repo @upstash/context7-mcp

# JSON output for piping
uvx tanav scan --repo https://github.com/org/repo --json | jq .

# SARIF output for GitHub Security tab
uvx tanav scan --repo https://github.com/org/repo --sarif > results.sarif

# CI gate — exit 1 if CRITICAL found
uvx tanav scan --repo https://github.com/org/repo --fail-on-critical
```

## What it scans

- MCP server source code and dependencies
- SKILL.md files and Claude skill configurations
- Kiro steering files (`.kiro/steering/`)
- Cursor rules (`.cursorrules`, `.cursor/rules/`)
- Copilot instructions (`.github/copilot-instructions.md`)
- Claude hooks, agent configs, plugin manifests
- Local configs: `~/.claude/`, `~/.cursor/`, `~/.config/windsurf/`

## Risk levels

| Verdict | Score | Meaning |
|---|---|---|
| ✗ BLOCK | ≥ 80 | Critical findings — do not connect |
| ⚠ REVIEW | 55–79 | High findings — investigate before use |
| ✓ SAFE | < 55 | No significant findings |

## Registry

2,500+ public MCP repos are pre-scored at **aiss.dev/registry**.

## Links

- Registry: https://aiss.dev/registry
- Docs: https://aiss.dev
- GitHub: https://github.com/jagatce/AISS
