supership-scan
Scans Supabase projects for security vulnerabilities including RLS gaps, permissive policies, and service_role misuse.
Predeploy security scanner for the agent economy. Built by Crest Deployment Systems.
Scans your code for 80+ vulnerability patterns across secrets, auth, injection, config, Supabase, and logging. Runs locally. Your code never leaves the machine.
Install
npm install -g supership-scan
Requires Node.js 18+.
Usage
CLI
supership-scan .
Scans the current directory and prints findings.
supership-scan ./my-project --attest
Scans and requests a witnessed attestation ($0.01 USDC on Base). Only the report envelope (hashes and findings) is transmitted, never source code.
MCP Server
supership-mcp
Starts an MCP server for AI editors (Claude Code, Cursor, Windsurf). Exposes the scanner as tools that agents can call directly.
Example Output
supership v1.0.0
Scanning 42 files...
Score: 87/100
Grade: B
Findings:
HIGH AUTH-003 Missing auth middleware on /api/admin src/routes/admin.js:14
MEDIUM CFG-002 CORS wildcard in production src/server.js:8
LOW LOG-001 Error stack in response body src/middleware/error.js:22
Scan complete. Code never left this machine.
Rule Categories
| Category | Patterns | Examples |
| --- | --- | --- |
| Secrets | 30+ | API keys, credentials, .env exposure, private keys |
| Auth | 12+ | Missing middleware, inverted logic, RLS gaps |
| Injection | 15+ | SQL interpolation, XSS, eval(), command injection |
| Config | 10+ | CORS wildcards, source maps, insecure cookies |
| Supabase | 8+ | RLS disabled, permissive policies, service_role misuse |
| Logging | 6+ | Sensitive data in logs, error stack exposure |
Scoring
Score starts at 100. Penalties: critical (-25), high (-10), medium (-5), low (-1).
Severity gates override the score:
Any critical finding = grade F
Any high finding = grade C max
| Grade | Score |
| --- | --- |
| A | 90+ |
| B | 75-89 |
| C | 60-74 |
| D | 40-59 |
| F | <40 or any critical |
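The scoring rules above, written out as an added example (this is not supership's own implementation): penalties are summed and clamped at zero, the grade band is looked up, and then the two severity gates are applied on top. Finding objects with a `severity` field are an assumed input shape; the README does not specify one.

```javascript
// Added example, not supership's own code: the README's scoring rules
// (per-severity penalties, grade bands, severity gates) as one function.
const PENALTY = { critical: 25, high: 10, medium: 5, low: 1 };
const GRADE_ORDER = ['A', 'B', 'C', 'D', 'F']; // best to worst

// Sum penalties and clamp at 0. Unknown severities are rejected rather than
// silently skipped, so a malformed finding cannot quietly inflate the score.
function scoreFindings(findings) {
  let score = 100;
  for (const f of findings) {
    if (!(f.severity in PENALTY)) throw new Error(`unknown severity: ${f.severity}`);
    score -= PENALTY[f.severity];
  }
  return Math.max(0, score);
}

// Grade bands from the table above.
function gradeFromScore(score) {
  if (score >= 90) return 'A';
  if (score >= 75) return 'B';
  if (score >= 60) return 'C';
  if (score >= 40) return 'D';
  return 'F';
}

// Never let a grade be better than `cap` (e.g. B capped to C).
function capGrade(grade, cap) {
  return GRADE_ORDER.indexOf(grade) < GRADE_ORDER.indexOf(cap) ? cap : grade;
}

// Score, then apply the gates: any critical => F, any high => at most C.
// `gated` tells the caller that a gate, not the score, decided the grade.
function gradeFindings(findings) {
  const score = scoreFindings(findings);
  const banded = gradeFromScore(score);
  const severities = new Set(findings.map((f) => f.severity));
  let grade = banded;
  if (severities.has('critical')) grade = 'F';
  else if (severities.has('high')) grade = capGrade(banded, 'C');
  return { score, grade, gated: grade !== banded };
}

// Constructed findings (assumed shape) mirroring the three in the Example Output.
const SAMPLE_FINDINGS = [
  { severity: 'high', rule: 'AUTH-003', file: 'src/routes/admin.js', line: 14 },
  { severity: 'medium', rule: 'CFG-002', file: 'src/server.js', line: 8 },
  { severity: 'low', rule: 'LOG-001', file: 'src/middleware/error.js', line: 22 },
];

console.log(gradeFindings(SAMPLE_FINDINGS)); // { score: 84, grade: 'C', gated: true }
```

Applied to the three findings shown in the Example Output, the stated rules give 84 and the high-severity gate caps the grade at C, which is what the block prints. When wiring a CI gate to this tool, key the build decision on the grade rather than the raw score, because the gates can move the grade without touching the number.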
Attestations
The scan is free. The attestation costs $0.01.
When you run --attest, supership sends a report envelope to the attestation server. The envelope contains hashes and findings only. The server signs it, anchors the hash to the chain, and returns a witnessed attestation.
The attestation proves a specific scan occurred at a specific time with specific results. It does not certify that code is secure.
What's transmitted: input hash, rule pack hash, engine version, findings, score, grade.
What's never transmitted: source code, file contents, environment variables.
Benchmark
npm test
Runs 20 deliberately vulnerable fixtures against the scanner. Expected: 90% true positive rate, 0 harmful false positives.
Privacy
Scanning is entirely local. No network calls during a scan.
Attestation transmits hashes and findings only. Never source code.
No telemetry. No analytics. No tracking.
API
supership also runs as an x402-native API. Pay per scan with USDC on Base. No API keys, no subscriptions.
| Endpoint | Method | Price | Description |
| --- | --- | --- | --- |
| | GET | Free | Trust check for any x402 service URL |
| | POST | Free | Score + grade, all 6 categories |
| | POST | $1 | Secrets + config findings |
| | POST | $5 | All categories + fixes |
| | POST | $15 | Full + LLM contextual review |
| | POST | $0.01 | Sign and witness a scan result |
API base: https://supership.crestsystems.ai
Discovery endpoints: agent.json | llms.txt | OpenAPI
Crest x402 Services
supership is part of the Crest Deployment Systems x402 service fleet. All services accept USDC payments on Base mainnet via the x402 protocol.
| Service | What it does | URL |
| --- | --- | --- |
| supership | Predeploy security scanner + attestation | |
| data | Crypto market data, token lookups, gas prices | |
| audit | Smart contract audit, code security, wallet risk | |
Links
Crest Deployment Systems -- deploying scalable intelligence
License
Apache 2.0. See LICENSE for details.
Rule engines (src/rules/) are Apache 2.0 with a relicense notice. See LICENSE for the full NOTICE.