AI Supply Chain Security scanner — scan MCP servers, skill files, and agent configs for security risks

Project description

tanav

AI Supply Chain Security scanner. Scan MCP servers, skill files, Kiro specs, cursor rules, and agent configs for security risks — no account required, fully local.

29% of 2,500+ public MCP repos carry CRITICAL findings.

Install

# Run immediately with uvx (no install needed):
uvx tanav scan

# Or install permanently:
pip install tanav

Usage

# Scan all local AI client configs (Claude, Cursor, Windsurf)
uvx tanav scan

# Scan a specific GitHub repo
uvx tanav scan --repo https://github.com/Significant-Gravitas/AutoGPT

# Scan an npm package
uvx tanav scan --repo @upstash/context7-mcp

# JSON output for piping
uvx tanav scan --repo https://github.com/org/repo --json | jq .

# SARIF output for GitHub Security tab
uvx tanav scan --repo https://github.com/org/repo --sarif > results.sarif

# CI gate — exit 1 if CRITICAL found
uvx tanav scan --repo https://github.com/org/repo --fail-on-critical

What it scans

  • MCP server source code and dependencies
  • SKILL.md files and Claude skill configurations
  • Kiro steering files (.kiro/steering/)
  • Cursor rules (.cursorrules, .cursor/rules/)
  • Copilot instructions (.github/copilot-instructions.md)
  • Claude hooks, agent configs, plugin manifests
  • Local configs: ~/.claude/, ~/.cursor/, ~/.config/windsurf/

Risk levels

Verdict  | Score | Meaning
✗ BLOCK  | ≥ 80  | Critical findings — do not connect
⚠ REVIEW | 55–79 | High findings — investigate before use
✓ SAFE   | < 55  | No significant findings

Registry

2,500+ public MCP repos pre-scored at aiss.dev/registry

Download files

Source Distribution

tanav-0.1.2.tar.gz (175.7 kB view details)

Uploaded Source

Built Distribution

tanav-0.1.2-py3-none-any.whl (195.5 kB view details)

Uploaded Python 3

File details

Details for the file tanav-0.1.2.tar.gz.

File metadata

  • Download URL: tanav-0.1.2.tar.gz
  • Upload date:
  • Size: 175.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.14.4

File hashes

Hashes for tanav-0.1.2.tar.gz
Algorithm Hash digest
SHA256 71be89093ecb5ba57b43646ff45b090767d6da03f7fbe46d090e71c2f5b7730e
MD5 1ee2a0b0e88232eac3a7b6136b4895aa
BLAKE2b-256 2bcc299dc54adc108c6b6d56ffe814560a330a709214b508bf12c0b9946ca5d0

File details

Details for the file tanav-0.1.2-py3-none-any.whl.

File metadata

  • Download URL: tanav-0.1.2-py3-none-any.whl
  • Upload date:
  • Size: 195.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.14.4

File hashes

Hashes for tanav-0.1.2-py3-none-any.whl
Algorithm Hash digest
SHA256 cb482ae46ed4d0e045619657adf1160cb7706643e6b52f84605392186a3cc38c
MD5 6f1f6798938dec5c398ffcc48ece2f04
BLAKE2b-256 455cf928ef3ae57dfdcbcd33ffccc60312263782862dc1d0e9c8f0611c4a2dd2
