Trust - AI-Native Security Scanner

Scan websites and GitHub repositories for security vulnerabilities. AI analyzes root causes, generates fix code with before/after diffs, and creates one-click Fix PRs.

Live: https://www.trust-scan.me

Korean / 한국어 문서

Features

URL Security Scan

DAST vulnerability detection with 5,000+ Nuclei templates
Runtime checks for HTTP headers, SSL, CORS, cookie settings, and more
Scan completes in under 30 seconds

GitHub Repo Scan

SAST: Code-level vulnerability detection with Semgrep (XSS, SQL Injection, hardcoded secrets, etc.)
Secrets: API key, token, and password exposure detection with Gitleaks
SCA: Dependency CVE detection with npm audit
Weighted scoring system (A+ to F grade)

AI Analysis (Pro)

Root cause analysis for each vulnerability using Claude Sonnet
Before/After code: Actual fix code diff generation
Step-by-step remediation guide

Auto-Fix PR (Pro)

One-click GitHub PR creation from AI-analyzed vulnerabilities
Automatic branch creation + file modification + PR opening
package.json version update support

Fix with AI (Pro)

Fix prompt generation for all vulnerabilities
Directly applicable in Cursor, Claude Code, and other IDEs

Additional Features

Trust Badge: Security score-based README badge
Benchmark: Compare security scores with other sites
Shared Reports: Share scan result URLs (viewable without login)
MCP Server: In-IDE security scanning for Claude Code and Cursor (8 tools + 3 resources)
GitHub Action: Automated security scanning in CI/CD pipelines + PR comments
Scheduled Scans: Hourly / Daily / Weekly automatic security scans + email/Slack alerts
Weekly Digest: Weekly security report email (score trends, vulnerability summary)
Push Notifications: Web Push notifications on scan completion

Plans

	Free	Pro ($9.9/mo)
URL Scans	5/month	Unlimited
Repo Scans	3/month	Unlimited
AI Analysis	2 per scan	Unlimited
Auto-Fix PR	-	Yes
Scheduled Scans	-	Yes
PDF/CSV Export	-	Yes

MCP Server (Model Context Protocol)

Install with a single command in Claude Code, Cursor IDE, and other MCP clients to get real-time security feedback while coding.

Install (Claude Code)

claude mcp add --transport http trust-security "https://trust-mcp-144011703035.asia-northeast3.run.app/mcp"

Install (Claude Desktop / Cursor)

Add to your config file:

{
  "mcpServers": {
    "trust-security": {
      "type": "http",
      "url": "https://trust-mcp-144011703035.asia-northeast3.run.app/mcp"
    }
  }
}

Available Tools (8 tools)

Tool	Description	Example
`scan_and_wait`	Scan website + wait for results (recommended)	"Scan https://my-app.com"
`scan_url`	Start website scan (async)	"Start a scan"
`get_scan_result`	Get URL scan results	"Show scan results"
`scan_repo_and_wait`	Scan GitHub repo + wait for results (recommended)	"Security scan this repo"
`scan_repo`	Start repo scan (async)	"Start repo scan"
`get_repo_scan_result`	Get repo scan results	"Show repo scan results"
`analyze_code_security`	Analyze code vulnerabilities + secrets (37+ patterns)	"Check this code for security issues"
`check_secrets`	Detect API keys/passwords (20+ patterns)	"Any exposed keys in this code?"

MCP Resources (3 resources)

Context resources automatically read by AI agents.

Resource URI	Description
`trust://scans/latest`	Most recent scan result (score, grade, vulnerability count)
`trust://scans/history`	Last 10 scan history
`trust://security/posture`	Security posture summary (average score, trends, grade distribution)

Tech Stack

Area	Technology
Frontend	Next.js 16, React 19, TailwindCSS 4, Framer Motion
Backend	FastAPI, Python 3.11+, Nuclei, Semgrep, Gitleaks
Database	Supabase (PostgreSQL + Auth + RLS)
AI	Claude API (Anthropic) — Sonnet for analysis
Payment	Paddle (Pro subscription)
Deployment	Vercel (Frontend), Cloud Run (Backend + MCP)

Project Structure

.
├── app/                        # Next.js App Router
│   ├── page.tsx                # Landing (URL / Repo scan)
│   ├── report/[scanId]/        # Scan report page
│   ├── history/                # Scan history
│   ├── pricing/                # Pricing
│   ├── why-trust/              # Why Trust marketing
│   ├── auth/                   # OAuth callbacks (Supabase, GitHub)
│   ├── mcp/                    # MCP setup guide
│   ├── error.tsx               # Error boundary
│   └── not-found.tsx           # 404 page
├── components/
│   ├── trust/                  # Main view components
│   │   ├── client-app.tsx      # Main app state management
│   │   ├── dashboard-view.tsx  # Scan result dashboard
│   │   ├── landing-view.tsx    # Landing view
│   │   ├── scanning-view.tsx   # Scan progress view
│   │   ├── UpgradeModal.tsx    # Go Pro modal
│   │   ├── NotificationToggle.tsx  # Push notification toggle
│   │   ├── OnboardingTour.tsx  # Onboarding tour
│   │   └── dashboard/
│   │       ├── CreateFixPRModal.tsx   # Fix PR modal
│   │       ├── FixPromptModal.tsx     # Fix Prompt modal
│   │       ├── ScheduleSection.tsx    # Scheduled scan management
│   │       ├── DigestSection.tsx      # Weekly digest settings
│   │       ├── BadgeSection.tsx       # Trust Badge
│   │       ├── VulnerabilityList.tsx  # Vulnerability list
│   │       └── ExportPanel.tsx        # PDF/CSV export
│   └── ui/                     # Shared UI (shadcn/ui)
├── lib/
│   ├── api.ts                  # Backend API client
│   ├── types.ts                # TypeScript type definitions
│   ├── supabase.ts             # Supabase client
│   └── subscription.ts         # Pro subscription state management
│
├── backend/                    # FastAPI Backend
│   ├── app/
│   │   ├── main.py             # FastAPI entrypoint
│   │   ├── config.py           # Configuration
│   │   ├── limiter.py          # Rate limiting
│   │   ├── api/routes/
│   │   │   ├── scan.py              # URL scan API
│   │   │   ├── repo_scan.py         # GitHub repo scan API
│   │   │   ├── analyze.py           # AI analysis API
│   │   │   ├── github.py            # GitHub integration + Fix PR API
│   │   │   ├── github_webhook.py    # GitHub webhook handler
│   │   │   ├── badge.py             # Trust Badge API
│   │   │   ├── billing_webhook.py   # Paddle billing webhook
│   │   │   ├── notifications.py     # Notification settings API
│   │   │   └── scheduled_scans.py   # Scheduled scan API
│   │   └── services/
│   │       ├── nuclei_scanner.py
│   │       ├── semgrep_scanner.py
│   │       ├── gitleaks_scanner.py
│   │       ├── repo_scanner.py       # Unified repo scanner
│   │       ├── claude_analyzer.py    # AI analysis (Claude)
│   │       ├── github_service.py     # GitHub API service
│   │       ├── supabase_client.py    # DB service
│   │       ├── scheduler.py          # Scheduled scan scheduler
│   │       └── notifier.py           # Email/Slack/digest notifications
│   ├── Dockerfile
│   └── requirements.txt
│
├── mcp-server/                 # MCP Server (standalone service)
│   ├── server.py
│   ├── Dockerfile
│   └── requirements.txt
│
├── public/
│   └── sw.js                   # Push Notification Service Worker
│
└── docs/                       # Documentation
    ├── README.ko.md            # Korean documentation
    ├── ROADMAP.md
    ├── HANDOVER_CONTEXT_AWARE_FIX.md
    └── REQUIREMENTS_UNIVERSAL_AUTO_FIX.md

API Endpoints

URL Scan

Method	Endpoint	Description
`POST`	`/api/scan`	Start URL scan
`GET`	`/api/scan/{scan_id}`	Get scan status/results
`GET`	`/api/scan/{scan_id}/export`	Export PDF/CSV

Repo Scan

Method	Endpoint	Description
`POST`	`/api/repo-scan`	Start GitHub repo scan
`GET`	`/api/repo-scan/{scan_id}`	Get repo scan status/results
`POST`	`/api/repo-scan/{scan_id}/analyze`	Run AI analysis
`POST`	`/api/repo-scan/{scan_id}/fix-prompt`	Generate fix prompt

GitHub Integration

Method	Endpoint	Description
`GET`	`/api/github/connection`	Check GitHub connection status
`POST`	`/api/github/connect`	Connect GitHub OAuth
`POST`	`/api/github/create-fix-pr`	Create fix PR
`POST`	`/api/github/fix-feedback`	Submit fix quality feedback
`DELETE`	`/api/github/connection`	Disconnect GitHub

AI Analysis

Method	Endpoint	Description
`POST`	`/api/analyze/{scan_id}`	Start AI analysis
`GET`	`/api/analyze/{vuln_id}`	Get analysis results

Badge

Method	Endpoint	Description
`POST`	`/api/badge/{scan_id}`	Issue badge
`GET`	`/api/badge/{badge_id}`	Get badge SVG

Scheduled Scans

Method	Endpoint	Description
`POST`	`/api/scheduled-scans`	Create scheduled scan
`GET`	`/api/scheduled-scans`	List scheduled scans
`DELETE`	`/api/scheduled-scans/{id}`	Delete scheduled scan
`POST`	`/api/cron/run-schedules`	Execute schedules (Cloud Scheduler)

History / Notifications

Method	Endpoint	Description
`GET`	`/api/scans/history`	Get scan history
`GET`	`/api/notifications/settings`	Get notification settings
`PUT`	`/api/notifications/settings`	Update notification settings

Webhooks

Method	Endpoint	Description
`POST`	`/api/billing/webhook`	Paddle billing webhook
`POST`	`/webhooks/github`	GitHub PR event webhook

Getting Started

Prerequisites

Node.js 20+
Python 3.11+
Nuclei, Semgrep, Gitleaks (security scanners)
Supabase account
Anthropic API key

1. Clone Repository

git clone --recurse-submodules https://github.com/Jaden-JJH/trust-security-scanner.git
cd trust-security-scanner

2. Frontend Setup

npm install
cp .env.example .env.local
npm run dev

Environment Variables (.env.local)

NEXT_PUBLIC_SUPABASE_URL=https://your-project.supabase.co
NEXT_PUBLIC_SUPABASE_ANON_KEY=your-anon-key
NEXT_PUBLIC_API_URL=http://localhost:8000
NEXT_PUBLIC_GITHUB_APP_CLIENT_ID=your-github-app-client-id

3. Backend Setup

cd backend
python -m venv venv
source venv/bin/activate
pip install -r requirements.txt
cp .env.example .env
uvicorn app.main:app --reload --port 8000

Deployment

Frontend (Vercel)

Auto-deploys on push to main branch via GitHub integration.

Backend (Cloud Run)

cd backend
gcloud builds submit --tag gcr.io/[PROJECT_ID]/trust-backend
gcloud run deploy trust-backend \
  --image gcr.io/[PROJECT_ID]/trust-backend \
  --platform managed --region asia-northeast3 \
  --allow-unauthenticated

License

MIT License

trust-security