Metadata-Version: 2.4
Name: tanav
Version: 0.1.0
Summary: AI Supply Chain Security scanner — scan MCP servers, skill files, and agent configs for security risks
Project-URL: Homepage, https://aiss.dev
Project-URL: Repository, https://github.com/jagatce/AISS
Project-URL: Issues, https://github.com/jagatce/AISS/issues
License: MIT
Keywords: ai,claude,cursor,kiro,mcp,scanner,security,supply-chain
Classifier: Development Status :: 4 - Beta
Classifier: Environment :: Console
Classifier: Intended Audience :: Developers
Classifier: Intended Audience :: System Administrators
Classifier: License :: OSI Approved :: MIT License
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Topic :: Security
Classifier: Topic :: Software Development :: Quality Assurance
Requires-Python: >=3.11
Requires-Dist: gitpython>=3.1
Requires-Dist: httpx>=0.27
Requires-Dist: packaging>=24.0
Requires-Dist: tomli>=2.0; python_version < '3.11'
Provides-Extra: dev
Requires-Dist: pytest-asyncio>=0.23; extra == 'dev'
Requires-Dist: pytest>=8.0; extra == 'dev'
Description-Content-Type: text/markdown

# aiss-scan

**AI Supply Chain Security scanner.** Scan your local AI client configs and GitHub repos for security risks — no account required.

```
27% of 1,100+ public MCP repos carry CRITICAL findings.
```

## Install

```bash
# Run immediately with uvx (no install needed):
uvx aiss-scan

# Or install permanently:
pip install aiss-scan
```

## Usage

### Scan your local AI configs (default)

Automatically finds and scans every MCP server configured in Claude Desktop, Cursor, Windsurf, and other AI clients on your machine.

```bash
uvx aiss-scan
```

```
AISS Local Config Scan
Configs found: 2
  ~/.claude/settings.json
  ~/.cursor/mcp.json

Servers scanned: 4
  1 BLOCK  — do not use
  1 REVIEW — investigate before use
  2 SAFE   — no findings

=== AISS Scan: @upstash/context7-mcp ===
Risk Score:  82/100  ✗ BLOCK

CRITICAL (1)
  [CHK-115] docs/troubleshooting.md:34
    confirmed · Credential access pattern in skill content

=== AISS Scan: @modelcontextprotocol/server-github ===
Risk Score:  0/100  ✓ SAFE

No findings.
```

### Scan a specific config file

```bash
uvx aiss-scan --config ~/.cursor/mcp.json
uvx aiss-scan --config ~/Library/Application\ Support/Claude/claude_desktop_config.json
```

### Scan a GitHub repo or npm package

```bash
uvx aiss-scan --repo https://github.com/Significant-Gravitas/AutoGPT
uvx aiss-scan --repo @upstash/context7-mcp
uvx aiss-scan --repo @azure/mcp
```

## Output formats

```bash
# NDJSON — one JSON record per finding (Splunk / Elastic / SIEM)
uvx aiss-scan --json

# SARIF 2.1.0 — GitHub Security tab
uvx aiss-scan --sarif > results.sarif

# CI gate — exit code 1 on any CRITICAL finding
uvx aiss-scan --fail-on-critical

# Send results to aiss.dev for org dashboard
uvx aiss-scan --upload
```

## GitHub Actions

```yaml
- name: AISS MCP Security Scan
  run: uvx aiss-scan --sarif > aiss-results.sarif

- name: Upload to GitHub Security
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: aiss-results.sarif
```

For a pre-built Action, see [`.github/workflows/aiss-scan.yml`](https://github.com/jagatce/AISS/blob/main/.github/workflows/aiss-scan.yml).

## What gets checked

All checkers are deterministic, rule-based, and hand-written (no ML, no false-positive-prone heuristics).

| Checker | What it finds |
|---------|--------------|
| CHK-115 | Credential access patterns in skill files |
| CHK-116 | Prompt injection in cursor rules |
| CHK-117 | Credential access in cursor rules |
| CHK-118 | Data exfiltration instructions in cursor rules |
| CHK-119 | Kiro steering file injection |
| CHK-120 | Kiro spec dangerous permissions + auto-execute |
| CHK-121 | Copilot instructions injection |
| CHK-122 | Credential access in Copilot instructions |
| CHK-123 | Exfiltration in Copilot instructions |
| CHK-124 | Rug pull — tool description changed since last scan |
| CHK-125 | Excessive agency without scope constraint |
| + 110 more | CVEs, secrets, auth gaps, shadow tools, typosquats |

## Verdicts

| Verdict | Meaning |
|---------|---------|
| ✓ SAFE | No findings. Connect with confidence. |
| ⚠ REVIEW | Medium/High findings. Investigate before use. |
| ✗ BLOCK | CRITICAL findings or score ≥ 80. Do not connect. |
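As an added example (not aiss-scan's own code), the Python block below implements the verdict table above together with the `--json`, `--sarif` and `--fail-on-critical` behaviours listed under Output formats. The finding-record field names and the severity-to-SARIF-level mapping are this example's assumptions, not the project's schema.

```python
"""Verdict, NDJSON and SARIF 2.1.0 output for a list of scan findings."""
import json

# Constructed findings mirroring the README's sample output; the field names
# on these records are this example's own assumption, not aiss-scan's schema.
SAMPLE_FINDINGS = [
    {"id": "CHK-115", "severity": "CRITICAL", "path": "docs/troubleshooting.md",
     "line": 34, "message": "Credential access pattern in skill content"},
    {"id": "CHK-125", "severity": "MEDIUM", "path": "SKILL.md",
     "line": 1, "message": "Excessive agency without scope constraint"},
]
# SARIF's own result levels; HIGH is folded into "error" (assumption).
_SARIF_LEVEL = {"CRITICAL": "error", "HIGH": "error", "MEDIUM": "warning", "LOW": "note"}

def verdict(findings: list[dict], score: int) -> str:
    """Apply the README's verdict table: BLOCK beats REVIEW beats SAFE."""
    severities = {f["severity"] for f in findings}
    if "CRITICAL" in severities or score >= 80:
        return "BLOCK"
    if severities:  # Medium/High per the table; LOW is grouped here too (assumption)
        return "REVIEW"
    return "SAFE"

def exit_code(findings: list[dict], fail_on_critical: bool) -> int:
    """CI gate: exit 1 only when asked to and a CRITICAL finding exists."""
    critical = any(f["severity"] == "CRITICAL" for f in findings)
    return 1 if fail_on_critical and critical else 0

def to_ndjson(findings: list[dict]) -> str:
    """One JSON object per line, the shape a SIEM ingests directly."""
    return "\n".join(json.dumps(f, sort_keys=True) for f in findings)

def to_sarif(findings: list[dict], tool: str = "aiss-scan") -> dict:
    """Minimal SARIF 2.1.0 log: one rule per checker id, one result per finding."""
    rules = sorted({f["id"] for f in findings})
    results = [{
        "ruleId": f["id"],
        "level": _SARIF_LEVEL.get(f["severity"], "warning"),
        "message": {"text": f["message"]},
        "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": f["path"]},
            "region": {"startLine": f["line"]}}}],
    } for f in findings]
    return {"version": "2.1.0",
            "runs": [{"tool": {"driver": {"name": tool,
                                          "rules": [{"id": r} for r in rules]}},
                      "results": results}]}
```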

## Privacy

- No data leaves your machine unless you pass `--upload`
- No API keys required
- Config files are read locally; only server identifiers (npm package names, GitHub URLs) are used for scanning
- Environment variable *values* are never read or logged — only key names
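As an added example (not aiss-scan's own code), this Python block shows how the local-config scan described under Usage can pull server identifiers out of a Cursor / Claude Desktop `mcpServers` config while honouring the privacy rule above: only npm package names, GitHub URLs and env key names leave the parser, never env values. The `mcpServers` layout is the real one those clients use; the config contents, launcher list and helper names are constructed for this example.

```python
"""Extract scan targets from an MCP client config without touching secrets."""
import json
import re

# Constructed sample in the "mcpServers" layout used by Cursor's mcp.json and
# Claude Desktop's claude_desktop_config.json. Every value here is made up.
SAMPLE_CONFIG = json.dumps({"mcpServers": {
    "context7": {"command": "npx", "args": ["-y", "@upstash/context7-mcp"],
                 "env": {"CONTEXT7_API_KEY": "sk-example-not-real"}},
    "github": {"command": "npx",
               "args": ["-y", "@modelcontextprotocol/server-github@1.2.3"],
               "env": {"GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_example_not_real"}},
    "git-src": {"command": "uvx", "args": [
        "--from", "git+https://github.com/modelcontextprotocol/servers", "mcp-server-git"]},
    "local": {"command": "/opt/tools/my-mcp", "args": ["--port", "8080"]},
}})

_NPM_LAUNCHERS = {"npx", "bunx", "pnpx"}  # launchers whose first non-flag arg is a package
_NPM_SPEC = re.compile(r"^(@[\w.-]+/)?[\w.-]+(@\S+)?$")
_GITHUB_URL = re.compile(r"https://github\.com/[\w.-]+/[\w.-]+")

def package_name(spec: str) -> str:
    """Drop a version pin from an npm spec while keeping the scope."""
    scoped = spec.startswith("@")
    name = (spec[1:] if scoped else spec).split("@", 1)[0]
    return "@" + name if scoped else name

def extract_targets(config_text: str) -> list[dict]:
    """One record per configured server: identifier plus env key names only."""
    targets = []
    for name, spec in json.loads(config_text).get("mcpServers", {}).items():
        command, args = spec.get("command", ""), spec.get("args", [])
        kind, target = "local", command
        for token in [command, *args]:
            if m := _GITHUB_URL.search(token):
                kind, target = "github", m.group(0)
                break
        if kind == "local" and command in _NPM_LAUNCHERS:
            for arg in args:
                if not arg.startswith("-") and _NPM_SPEC.match(arg):
                    kind, target = "npm", package_name(arg)
                    break
        # Privacy rule from the README: env key names are kept, values never are.
        targets.append({"server": name, "kind": kind, "target": target,
                        "env_keys": sorted(spec.get("env", {}))})
    return targets
```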

## Public registry

Check any MCP server before installing:

```
https://aiss.dev/registry/Significant-Gravitas/AutoGPT
https://aiss.dev/registry/modelcontextprotocol/server-git
```

1,100+ repos pre-scored. Updated continuously.

## Real findings (from our corpus)

- **AutoGPT 184k★** — CHK-115: credential access in 3 SKILL.md files (AI confirmed)
- **garrytan/gstack 71k★** — `--dangerously-skip-permissions` + .env credential access
- **screenpipe/screenpipe 19k★** — Telegram data exfiltration in SKILL.md
- **modelcontextprotocol/server-git 85k★** — CVE-2025-68143 CVSS 8.8 path traversal
- **@upstash/context7-mcp 1M dl/wk** — credentials in troubleshooting docs

## Links

- [Public registry](https://aiss.dev/registry) — 1,100+ pre-scored repos
- [Dashboard](https://aiss.dev) — org-wide scanning + SBOM + SIEM
- [GitHub](https://github.com/jagatce/AISS)
- [Report a false positive](https://github.com/jagatce/AISS/issues)
