trust-security

trust-security

Detect live website vulnerabilities and security flaws in GitHub repositories using automated DAST and SAST scanning. Safeguard applications by identifying exposed secrets, insecure dependencies, and common code patterns prone to exploitation. Receive structured fix plans with precise code remediation steps to resolve identified risks and improve security posture.

Category
访问服务器

README

Trust - AI-Native Security Scanner

Smithery

Scan websites and GitHub repositories for security vulnerabilities. AI analyzes root causes, generates fix code with before/after diffs, and creates one-click Fix PRs.

Live: https://www.trust-scan.me

Korean / 한국어 문서

Features

URL Security Scan

  • DAST vulnerability detection with 5,000+ Nuclei templates
  • Runtime checks for HTTP headers, SSL, CORS, cookie settings, and more
  • Scan completes in under 30 seconds

GitHub Repo Scan

  • SAST: Code-level vulnerability detection with Semgrep (XSS, SQL Injection, hardcoded secrets, etc.)
  • Secrets: API key, token, and password exposure detection with Gitleaks
  • SCA: Dependency CVE detection with npm audit
  • Weighted scoring system (A+ to F grade)

AI Analysis (Pro)

  • Root cause analysis for each vulnerability using Claude Sonnet
  • Before/After code: Actual fix code diff generation
  • Step-by-step remediation guide

Auto-Fix PR (Pro)

  • One-click GitHub PR creation from AI-analyzed vulnerabilities
  • Automatic branch creation + file modification + PR opening
  • package.json version update support

Fix with AI (Pro)

  • Fix prompt generation for all vulnerabilities
  • Directly applicable in Cursor, Claude Code, and other IDEs

Additional Features

  • Trust Badge: Security score-based README badge
  • Benchmark: Compare security scores with other sites
  • Shared Reports: Share scan result URLs (viewable without login)
  • MCP Server: In-IDE security scanning for Claude Code and Cursor (8 tools + 3 resources)
  • GitHub Action: Automated security scanning in CI/CD pipelines + PR comments
  • Scheduled Scans: Hourly / Daily / Weekly automatic security scans + email/Slack alerts
  • Weekly Digest: Weekly security report email (score trends, vulnerability summary)
  • Push Notifications: Web Push notifications on scan completion

Plans

Free Pro ($9.9/mo)
URL Scans 5/month Unlimited
Repo Scans 3/month Unlimited
AI Analysis 2 per scan Unlimited
Auto-Fix PR - Yes
Scheduled Scans - Yes
PDF/CSV Export - Yes

MCP Server (Model Context Protocol)

Install with a single command in Claude Code, Cursor IDE, and other MCP clients to get real-time security feedback while coding.

Install (Claude Code)

claude mcp add --transport http trust-security "https://trust-mcp-144011703035.asia-northeast3.run.app/mcp"

Install (Claude Desktop / Cursor)

Add to your config file:

{
  "mcpServers": {
    "trust-security": {
      "type": "http",
      "url": "https://trust-mcp-144011703035.asia-northeast3.run.app/mcp"
    }
  }
}

Available Tools (8 tools)

Tool Description Example
scan_and_wait Scan website + wait for results (recommended) "Scan https://my-app.com"
scan_url Start website scan (async) "Start a scan"
get_scan_result Get URL scan results "Show scan results"
scan_repo_and_wait Scan GitHub repo + wait for results (recommended) "Security scan this repo"
scan_repo Start repo scan (async) "Start repo scan"
get_repo_scan_result Get repo scan results "Show repo scan results"
analyze_code_security Analyze code vulnerabilities + secrets (37+ patterns) "Check this code for security issues"
check_secrets Detect API keys/passwords (20+ patterns) "Any exposed keys in this code?"

MCP Resources (3 resources)

Context resources automatically read by AI agents.

Resource URI Description
trust://scans/latest Most recent scan result (score, grade, vulnerability count)
trust://scans/history Last 10 scan history
trust://security/posture Security posture summary (average score, trends, grade distribution)

Tech Stack

Area Technology
Frontend Next.js 16, React 19, TailwindCSS 4, Framer Motion
Backend FastAPI, Python 3.11+, Nuclei, Semgrep, Gitleaks
Database Supabase (PostgreSQL + Auth + RLS)
AI Claude API (Anthropic) — Sonnet for analysis
Payment Paddle (Pro subscription)
Deployment Vercel (Frontend), Cloud Run (Backend + MCP)

Project Structure

.
├── app/                        # Next.js App Router
│   ├── page.tsx                # Landing (URL / Repo scan)
│   ├── report/[scanId]/        # Scan report page
│   ├── history/                # Scan history
│   ├── pricing/                # Pricing
│   ├── why-trust/              # Why Trust marketing
│   ├── auth/                   # OAuth callbacks (Supabase, GitHub)
│   ├── mcp/                    # MCP setup guide
│   ├── error.tsx               # Error boundary
│   └── not-found.tsx           # 404 page
├── components/
│   ├── trust/                  # Main view components
│   │   ├── client-app.tsx      # Main app state management
│   │   ├── dashboard-view.tsx  # Scan result dashboard
│   │   ├── landing-view.tsx    # Landing view
│   │   ├── scanning-view.tsx   # Scan progress view
│   │   ├── UpgradeModal.tsx    # Go Pro modal
│   │   ├── NotificationToggle.tsx  # Push notification toggle
│   │   ├── OnboardingTour.tsx  # Onboarding tour
│   │   └── dashboard/
│   │       ├── CreateFixPRModal.tsx   # Fix PR modal
│   │       ├── FixPromptModal.tsx     # Fix Prompt modal
│   │       ├── ScheduleSection.tsx    # Scheduled scan management
│   │       ├── DigestSection.tsx      # Weekly digest settings
│   │       ├── BadgeSection.tsx       # Trust Badge
│   │       ├── VulnerabilityList.tsx  # Vulnerability list
│   │       └── ExportPanel.tsx        # PDF/CSV export
│   └── ui/                     # Shared UI (shadcn/ui)
├── lib/
│   ├── api.ts                  # Backend API client
│   ├── types.ts                # TypeScript type definitions
│   ├── supabase.ts             # Supabase client
│   └── subscription.ts         # Pro subscription state management
│
├── backend/                    # FastAPI Backend
│   ├── app/
│   │   ├── main.py             # FastAPI entrypoint
│   │   ├── config.py           # Configuration
│   │   ├── limiter.py          # Rate limiting
│   │   ├── api/routes/
│   │   │   ├── scan.py              # URL scan API
│   │   │   ├── repo_scan.py         # GitHub repo scan API
│   │   │   ├── analyze.py           # AI analysis API
│   │   │   ├── github.py            # GitHub integration + Fix PR API
│   │   │   ├── github_webhook.py    # GitHub webhook handler
│   │   │   ├── badge.py             # Trust Badge API
│   │   │   ├── billing_webhook.py   # Paddle billing webhook
│   │   │   ├── notifications.py     # Notification settings API
│   │   │   └── scheduled_scans.py   # Scheduled scan API
│   │   └── services/
│   │       ├── nuclei_scanner.py
│   │       ├── semgrep_scanner.py
│   │       ├── gitleaks_scanner.py
│   │       ├── repo_scanner.py       # Unified repo scanner
│   │       ├── claude_analyzer.py    # AI analysis (Claude)
│   │       ├── github_service.py     # GitHub API service
│   │       ├── supabase_client.py    # DB service
│   │       ├── scheduler.py          # Scheduled scan scheduler
│   │       └── notifier.py           # Email/Slack/digest notifications
│   ├── Dockerfile
│   └── requirements.txt
│
├── mcp-server/                 # MCP Server (standalone service)
│   ├── server.py
│   ├── Dockerfile
│   └── requirements.txt
│
├── public/
│   └── sw.js                   # Push Notification Service Worker
│
└── docs/                       # Documentation
    ├── README.ko.md            # Korean documentation
    ├── ROADMAP.md
    ├── HANDOVER_CONTEXT_AWARE_FIX.md
    └── REQUIREMENTS_UNIVERSAL_AUTO_FIX.md

API Endpoints

URL Scan

Method Endpoint Description
POST /api/scan Start URL scan
GET /api/scan/{scan_id} Get scan status/results
GET /api/scan/{scan_id}/export Export PDF/CSV

Repo Scan

Method Endpoint Description
POST /api/repo-scan Start GitHub repo scan
GET /api/repo-scan/{scan_id} Get repo scan status/results
POST /api/repo-scan/{scan_id}/analyze Run AI analysis
POST /api/repo-scan/{scan_id}/fix-prompt Generate fix prompt

GitHub Integration

Method Endpoint Description
GET /api/github/connection Check GitHub connection status
POST /api/github/connect Connect GitHub OAuth
POST /api/github/create-fix-pr Create fix PR
POST /api/github/fix-feedback Submit fix quality feedback
DELETE /api/github/connection Disconnect GitHub

AI Analysis

Method Endpoint Description
POST /api/analyze/{scan_id} Start AI analysis
GET /api/analyze/{vuln_id} Get analysis results

Badge

Method Endpoint Description
POST /api/badge/{scan_id} Issue badge
GET /api/badge/{badge_id} Get badge SVG

Scheduled Scans

Method Endpoint Description
POST /api/scheduled-scans Create scheduled scan
GET /api/scheduled-scans List scheduled scans
DELETE /api/scheduled-scans/{id} Delete scheduled scan
POST /api/cron/run-schedules Execute schedules (Cloud Scheduler)

History / Notifications

Method Endpoint Description
GET /api/scans/history Get scan history
GET /api/notifications/settings Get notification settings
PUT /api/notifications/settings Update notification settings

Webhooks

Method Endpoint Description
POST /api/billing/webhook Paddle billing webhook
POST /webhooks/github GitHub PR event webhook

Getting Started

Prerequisites

  • Node.js 20+
  • Python 3.11+
  • Nuclei, Semgrep, Gitleaks (security scanners)
  • Supabase account
  • Anthropic API key

1. Clone Repository

git clone --recurse-submodules https://github.com/Jaden-JJH/trust-security-scanner.git
cd trust-security-scanner

2. Frontend Setup

npm install
cp .env.example .env.local
npm run dev

Environment Variables (.env.local)

NEXT_PUBLIC_SUPABASE_URL=https://your-project.supabase.co
NEXT_PUBLIC_SUPABASE_ANON_KEY=your-anon-key
NEXT_PUBLIC_API_URL=http://localhost:8000
NEXT_PUBLIC_GITHUB_APP_CLIENT_ID=your-github-app-client-id

3. Backend Setup

cd backend
python -m venv venv
source venv/bin/activate
pip install -r requirements.txt
cp .env.example .env
uvicorn app.main:app --reload --port 8000

Deployment

Frontend (Vercel)

Auto-deploys on push to main branch via GitHub integration.

Backend (Cloud Run)

cd backend
gcloud builds submit --tag gcr.io/[PROJECT_ID]/trust-backend
gcloud run deploy trust-backend \
  --image gcr.io/[PROJECT_ID]/trust-backend \
  --platform managed --region asia-northeast3 \
  --allow-unauthenticated

License

MIT License

推荐服务器

Baidu Map

Baidu Map

百度地图核心API现已全面兼容MCP协议,是国内首家兼容MCP协议的地图服务商。

官方
精选
JavaScript
Playwright MCP Server

Playwright MCP Server

一个模型上下文协议服务器,它使大型语言模型能够通过结构化的可访问性快照与网页进行交互,而无需视觉模型或屏幕截图。

官方
精选
TypeScript
Magic Component Platform (MCP)

Magic Component Platform (MCP)

一个由人工智能驱动的工具,可以从自然语言描述生成现代化的用户界面组件,并与流行的集成开发环境(IDE)集成,从而简化用户界面开发流程。

官方
精选
本地
TypeScript
Audiense Insights MCP Server

Audiense Insights MCP Server

通过模型上下文协议启用与 Audiense Insights 账户的交互,从而促进营销洞察和受众数据的提取和分析,包括人口统计信息、行为和影响者互动。

官方
精选
本地
TypeScript
VeyraX

VeyraX

一个单一的 MCP 工具,连接你所有喜爱的工具:Gmail、日历以及其他 40 多个工具。

官方
精选
本地
graphlit-mcp-server

graphlit-mcp-server

模型上下文协议 (MCP) 服务器实现了 MCP 客户端与 Graphlit 服务之间的集成。 除了网络爬取之外,还可以将任何内容(从 Slack 到 Gmail 再到播客订阅源)导入到 Graphlit 项目中,然后从 MCP 客户端检索相关内容。

官方
精选
TypeScript
Kagi MCP Server

Kagi MCP Server

一个 MCP 服务器,集成了 Kagi 搜索功能和 Claude AI,使 Claude 能够在回答需要最新信息的问题时执行实时网络搜索。

官方
精选
Python
e2b-mcp-server

e2b-mcp-server

使用 MCP 通过 e2b 运行代码。

官方
精选
Neon MCP Server

Neon MCP Server

用于与 Neon 管理 API 和数据库交互的 MCP 服务器

官方
精选
Exa MCP Server

Exa MCP Server

模型上下文协议(MCP)服务器允许像 Claude 这样的 AI 助手使用 Exa AI 搜索 API 进行网络搜索。这种设置允许 AI 模型以安全和受控的方式获取实时的网络信息。

官方
精选