Metadata-Version: 2.4
Name: tanav
Version: 0.1.1
Summary: AI Supply Chain Security scanner — scan MCP servers, skill files, and agent configs for security risks
Project-URL: Homepage, https://aiss.dev
Project-URL: Repository, https://github.com/jagatce/AISS
Project-URL: Issues, https://github.com/jagatce/AISS/issues
License: MIT
Keywords: ai,claude,cursor,kiro,mcp,scanner,security,supply-chain
Classifier: Development Status :: 4 - Beta
Classifier: Environment :: Console
Classifier: Intended Audience :: Developers
Classifier: Intended Audience :: System Administrators
Classifier: License :: OSI Approved :: MIT License
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Topic :: Security
Classifier: Topic :: Software Development :: Quality Assurance
Requires-Python: >=3.11
Requires-Dist: gitpython>=3.1
Requires-Dist: httpx>=0.27
Requires-Dist: packaging>=24.0
Requires-Dist: tomli>=2.0; python_version < '3.11'
Provides-Extra: dev
Requires-Dist: pytest-asyncio>=0.23; extra == 'dev'
Requires-Dist: pytest>=8.0; extra == 'dev'
Description-Content-Type: text/markdown

# tanav

**AI Supply Chain Security scanner.** Scan MCP servers, skill files, Kiro specs,
cursor rules, and agent configs for security risks — no account required, fully local.

29% of 2,500+ public MCP repos carry CRITICAL findings.

## Install

```bash
# Run immediately with uvx (no install needed):
uvx tanav scan

# Or install permanently:
pip install tanav
```

## Usage

```bash
# Scan all local AI client configs (Claude, Cursor, Windsurf)
uvx tanav scan

# Scan a specific GitHub repo
uvx tanav scan --repo https://github.com/Significant-Gravitas/AutoGPT

# Scan an npm package
uvx tanav scan --repo @upstash/context7-mcp

# JSON output for piping
uvx tanav scan --repo https://github.com/org/repo --json | jq .

# SARIF output for GitHub Security tab
uvx tanav scan --repo https://github.com/org/repo --sarif > results.sarif

# CI gate — exit 1 if CRITICAL found
uvx tanav scan --repo https://github.com/org/repo --fail-on-critical
```
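
A wrapper around the `--fail-on-critical` gate for vetting several MCP sources in one run, added here as an example (it is not part of the tanav project). The function name `gate_mcp_sources` is hypothetical, and the script assumes that any exit status other than 0 or 1 means the scan itself failed, which it counts as a failure rather than a pass.

```shell
#!/usr/bin/env bash
# Added example: vet a list of MCP sources before adding them to an agent config.
# From the README: --fail-on-critical exits 1 when a CRITICAL finding exists.
# Assumption: any other non-zero status is a scanner failure (network, clone,
# parse error). Those fail closed so a broken scan is never read as a pass.

# gate_mcp_sources SOURCE...
# Prints one status line per source plus a summary on stdout.
# Returns 0 only if every source scanned cleanly.
gate_mcp_sources() {
    local src rc blocked=0 errored=0
    for src in "$@"; do
        # Scanner output goes to stderr so stdout carries only status lines.
        # The if/else form keeps `set -e` callers from aborting on a failed scan.
        if uvx tanav scan --repo "$src" --fail-on-critical >&2; then
            rc=0
        else
            rc=$?
        fi
        case "$rc" in
            0) echo "PASS  $src" ;;
            1) echo "BLOCK $src"; blocked=$((blocked + 1)) ;;
            *) echo "ERROR $src (exit $rc)"; errored=$((errored + 1)) ;;
        esac
    done
    echo "summary: $# scanned, $blocked blocked, $errored errored"
    [ "$blocked" -eq 0 ] && [ "$errored" -eq 0 ]
}

# Script usage: ./gate.sh https://github.com/org/repo @upstash/context7-mcp
if [ "$#" -gt 0 ]; then
    gate_mcp_sources "$@"
fi
```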

## What it scans

- MCP server source code and dependencies
- SKILL.md files and Claude skill configurations
- Kiro steering files (`.kiro/steering/`)
- Cursor rules (`.cursorrules`, `.cursor/rules/`)
- Copilot instructions (`.github/copilot-instructions.md`)
- Claude hooks, agent configs, plugin manifests
- Local configs: `~/.claude/`, `~/.cursor/`, `~/.config/windsurf/`

## Risk levels

| Verdict | Score | Meaning |
|---|---|---|
| ✗ BLOCK | ≥ 80 | Critical findings — do not connect |
| ⚠ REVIEW | 55–79 | High findings — investigate before use |
| ✓ SAFE | < 55 | No significant findings |

## Registry

2,500+ public MCP repos pre-scored at **aiss.dev/registry**

## Links

- Registry: https://aiss.dev/registry
- Docs: https://aiss.dev
- GitHub: https://github.com/jagatce/AISS
