projscan
Integrates with GitHub for code scanning via SARIF output and GitHub Actions workflow initialization.
Provides initialization of a GitHub Actions workflow that runs projscan checks and posts evidence comments for PR validation.
Allows auditing project dependencies via npm audit and generating SARIF output for security scanning.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@projscanrun a full project analysis"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
projscan
Local proof for AI-assisted engineering. projscan gives agents and engineers the repo context, risk checks, proof commands, and review gates they need before editing, handing off, or preparing a release candidate.
Install · Daily workflows · MCP Setup · Commands · Trust · Full Guide
Use It For
Use projscan when an agent asks one of these questions:
Which files should I read before changing this feature?
Which proof commands should I run before handoff?
Which risks need fixes, reviewer attention, or release sign-off?
Which risk should I fix first?
Did the agent stay inside the approved change boundary?
projscan runs core scans on your machine. It respects .gitignore, keeps .env values out of scans unless you opt in, and exposes the same evidence through a CLI and a 51-tool MCP server. The language layer uses 11 AST adapters covering 12 named languages.
Your agent / engineer
(Codex, Claude Code, Cursor, CI, your scripts)
| intent, diff, repo files, feedback, proof requests
v
+----------------------------------------------------------------+
| projscan (runs locally, source stays on this machine) |
| ------------------------------------------------------------ |
| Mission Control -> assess Cards -> simulate risk -> prove |
| | | | |
| | | +- allowed files
| | | +- forbidden files
| | | +- proof receipt
| | | +- change passport
| | | +- review gate
| | | +- live guard
| | +- bounded extraction |
| | +- regression test first |
| | +- leave unchanged |
| +- evidence strength |
| +- trust memory |
| +- AgentLoopKit handoff |
| |
| CLI + MCP tools, no account, telemetry off by default |
+----------------------------------------------------------------+
| next safe action, exact proof commands, handoff packet
v
Reviewer / CI / LLM provider
(only the evidence you choose to pass along)Related MCP server: codeweave-mcp
Install
npm install -g projscan
projscan startRun without a global install:
npx projscan startCheck the trust boundary first:
projscan privacy-check
projscan start --intent "what can projscan read?"
projscan start --intent "does projscan read .env values?"Daily workflows
Use these four workflows before scanning the full command catalog.
Before editing a feature
projscan start --intent "what files do I need to change for auth?"
projscan start --intent "what should we build next?" # Routes to a before-edit implementation workplan
projscan start --intent "is my agent allowed to change billing retry logic?"
projscan understand --view change --intent "add auth token refresh" --format json
projscan prove --intent "is my agent allowed to change billing retry logic?"
projscan preflight --mode before_edit --format jsonYou get a cited change map, read-first files, likely touched files, blocked inputs, an executable Proof Contract, and a before-edit proof gate. Agent-permission intents route to projscan prove, so start can hand the next agent a contract path instead of a broad checklist.
Success criteria: the agent can name the files to read first, the likely files to touch, the forbidden files to avoid, and the proof commands to run before editing.
Verified change workflow
projscan start --intent "is my agent allowed to change billing retry logic?"
projscan prove --intent "is my agent allowed to change billing retry logic?" --save-contract .projscan/proof-contract.json
# Make the bounded edit, then run the proof command.
projscan prove --run -- npm test -- tests/billing/retry.test.ts
projscan prove --changed --contract .projscan/proof-contract.json --format markdown
projscan passport --contract .projscan/proof-contract.json --format markdown
projscan proof-broker --contract .projscan/proof-contract.json --pr-comment
projscan review-gate --contract .projscan/proof-contract.json --pr-commentThe command path is start -> prove -> run -> changed. Make the bounded edit after the contract exists and before prove --run. start chooses the contract workflow. prove --intent writes .projscan/proof-contract.json only when --save-contract is present. prove --run -- <command...> executes a local proof command, records the exit code, captures a redacted log, and fingerprints the current changed files. prove --record-command remains available for imported CI or external evidence when projscan did not run the command. prove --changed checks the current working tree against the contract and local ledger.
You get a Proof Contract before edits and a Proof Receipt after edits. The contract names allowed files, forbidden files, risky contracts, likely tests, missing regression-test evidence, proof commands, safe change shape, rollback, confidence, reviewer guidance, and proofRequirements for each risk surface. The receipt checks the real working tree against that contract and classifies changed files as allowed production, expected tests, documentation, generated proof artifacts, config/security drift, forbidden touches, or unexpected production. The receipt reports proof replay status, Proof Sufficiency, risk delta, commit readiness, and a reviewer checklist.
Sibling Baseframe harness directories (.agentloop/, .agentflight/) are classified as harness evidence, not scope drift: AgentLoopKit and AgentFlight write session state, task status transitions, and verification reports there as part of their sanctioned workflows, so those writes stay informational in the receipt and never trip forbiddenTouched, block commit readiness, or stop the review gate. Auto-generated contracts no longer list them in forbiddenFiles, and receipts ignore those entries in contracts saved by older versions. To forbid production paths, keep using forbiddenFiles or Team Proof Recipes for non-harness locations.
Proof Replay records command, exit code, duration, changed-file fingerprint, redacted summary, log path, and source in .projscan/proof-ledger.jsonl. Executed proof logs stay under .projscan/proof-logs/. Ledger matching normalizes package-runner prefixes, so npx projscan assess --mode fix-first --format json, pnpm exec projscan ..., and node_modules/.bin/projscan ... all satisfy a required projscan assess --mode fix-first --format json. prove --changed marks proof as passed, missing, failed, partial, or stale. The receipt JSON includes proofReplay with a replay timeline, changedAfterProof, replay command, and local receipt fingerprint. If the agent edits new files after proof ran, the receipt says the proof is stale before a reviewer reads the diff.
Proof Sufficiency estimates whether the local ledger covers each changed surface. proofSufficiency marks rows as strong, adequate, weak, missing, stale, or failed, then lists the exact gaps reviewers need to resolve.
Team Proof Recipes let a repo encode required proof for sensitive paths in proofRecipes; when a matching recipe is configured, prove --intent adds that recipe's commands, reviewers, and forbidden files to the Proof Contract. prove --changed and projscan evidence-pack --pr-comment then show missing recipe proof, required reviewers, and recipe drift in the Proof Receipt. The recipe does not run proof commands by itself; use prove --run -- <command...> or prove --record-command to add evidence to the local ledger.
Saved contracts are the source of truth for prove --changed; update the contract when a team recipe changes.
Every prove report includes verifiedWorkflow, a compact JSON summary for agents and MCP clients. It names the phase, next action, next command, scope status, proof status, proof sufficiency status, risk delta direction, reviewer decision, and stale/missing/failed proof flags.
projscan passport turns the contract and receipt into one handoff artifact. It names allowed files, forbidden files, changed files, proof replay status, Proof Sufficiency, reviewer action, and next commands. Save it when a reviewer or another agent needs the whole change story in one JSON file:
projscan passport \
--intent "is my agent allowed to change billing retry logic?" \
--save-contract .projscan/proof-contract.json \
--output .projscan/passport.jsonUse projscan proof-broker to build a PR Passport from the same passport evidence. It names required proof rows, missing or stale proof commands, required reviewers from Team Proof Recipes, risky changed files, and the next commands a reviewer should ask for:
projscan proof-broker --intent "<change>" --bootstrap-contract
projscan proof-broker --contract .projscan/proof-contract.json --pr-comment--bootstrap-contract writes a new Proof Contract only when explicitly requested. It does not execute proof commands and does not silently widen scope.
Use projscan review-gate to produce a review decision from the PR Passport. It reports ready, needs-proof, drifted, or blocked, says whether review can proceed, itemizes proof debt, names the recontract command when scope moved, and can fail CI until the proof debt is gone:
projscan review-gate --intent "<change>" --bootstrap-contract
projscan review-gate --contract .projscan/proof-contract.json --pr-comment
projscan review-gate --contract .projscan/proof-contract.json --ci --fail-on-needs-proofprojscan guard checks the current working tree against a saved Proof Contract. Use it after an agent edits files, or run --watch during a session:
projscan guard --contract .projscan/proof-contract.json
projscan guard --contract .projscan/proof-contract.json --watchSuccess criteria: the reviewer sees scope, proof execution, proof freshness, sufficiency, and the exact proof debt blocking review for the changed risk surface.
Before handoff or commit
projscan start --intent "is this safe to commit?"
projscan assess --mode fix-first --format markdown
projscan preflight --mode before_commit --format json
projscan evidence-pack --pr-commentYou get changed-file risk, one or two ranked next actions, manual review gates, owner routing, baseline trend memory, and exact proof commands for the reviewer. Use projscan bug-hunt --format json when you want the raw fix queue behind the assessment.
Success criteria: the reviewer sees the top fix, the remaining proof, and any manual sign-off gate without reading the full scan output.
Before release-candidate review
projscan release-train --format json
projscan preflight --mode before_merge --format json
projscan evidence-pack --pr-commentYou get read-only readiness evidence. projscan reports fixes and sign-off gates; it does not tag, publish, deploy, or bump versions from these commands.
Success criteria: release review separates concrete defects from human approval gates before anyone tags or publishes.
Weekly proof-first assessment
projscan assess --goal "make this repo safer to ship this week"
projscan assess --mode fix-first --format markdown
projscan simulate --plan "split bugHunt.ts into ranking, evidence, and output modules"You get Proof Cards: each recommendation carries local evidence, impact, a safe change shape, verification commands, feedback or suppression guidance, and a risk delta. Add --baseline previous-assess.json to compare the current risk delta against a prior run. assess composes existing quality, bug-hunt, and preflight evidence; it does not release, tag, publish, or deploy.
Proof Cards also show evidence strength, confidence reason, ranking reasons, trust memory, evidence gaps, and an AgentLoopKit handoff packet. Add --feedback .projscan-feedback.json when accepted recommendations, noisy findings, false positives, or suppressions should affect future ranking.
Use the risk delta simulator before a refactor or extraction. It predicts likely touched files, affected tests, contract surfaces, rollout steps, proof commands, and before/after risk from local evidence. It compares bounded extraction, test-first, and leave-unchanged alternatives, then names the recommended option. It is read-only: it does not edit files, run the plan, release, tag, publish, or deploy.
Success criteria: the team sees the one or two highest-value fixes, why they matter, how to prove them, and whether ship-readiness still needs caution or review.
Baseframe Suite assessment artifact
ProjScan finds the risk. AgentLoopKit controls the work. AgentFlight proves the result.
When a Baseframe Suite task needs a stable local artifact, run:
projscan assess \
--intent "Implement password reset" \
--task-id auth-password-reset-20260626-01 \
--emit-baseframeProjScan writes .baseframe/evidence/<task-id>/projscan-assessment.json and
updates .baseframe/agent-workflow.json without writing AgentLoopKit or
AgentFlight artifacts. See Baseframe Suite Integration v1.
Mission Control
projscan start --intent "<goal>" turns a plain-language goal into an execution plan:
current command
blocked inputs
follow-up commands
proof queue
done criteria
review gate
Save a mission when work may pass between agents:
projscan start --save-mission .projscan/mission --intent "is it safe to commit this change?"
projscan mission-proof --mission .projscan/mission --format markdown
projscan start --mission .projscan/missionMission bundles include a runbook, task card, handoff prompt, proof scripts, review gate JSON, reviewer replies, and proof logs. mission-proof summarizes passed proof, failed gates, reruns, reviewer decisions, and optional manual baseline data.
Regenerate README media:
npm run docs:screenshots
npm run docs:demos5.0.0 Notes
5.0.0 turns Proof Broker and Review Gate into explicit, restartable proof-first review loops:
projscan proof-broker --intent "<change>" --bootstrap-contractwrites the next scoped Proof Contract only when explicitly requested, then returns PR Passport output with bootstrap metadata and the post-bootstrap next commands.projscan review-gate --intent "<change>" --bootstrap-contractdoes the same on the reviewer gate surface and keeps the stop-and-recontract path explicit when the target worktree has drifted.projscan review-gate --contract .projscan/proof-contract.json --pr-commentprints PR-comment Markdown with status, allow-review decision, proof debt, recontract guidance, bootstrap status when present, required reviewers, next commands, and artifact paths.projscan review-gate --contract .projscan/proof-contract.json --ci --fail-on-needs-proofprints a compact CI summary and exits non-zero until the gate isready.Proof Broker and Review Gate JSON now keep console output and embedded Markdown aligned, including the Bootstrap section when a contract was minted from the review surface.
ProjScan writes Review Gate artifacts to
.projscan/review-gate.jsonor.projscan/review-gates/<name>.json; it rejects traversal, symlink targets, and unrelated overwrite targets.MCP still includes
projscan_review_gateandprojscan_proof_broker, keeping the MCP surface at 51 tools and returning evidence without running proof commands.The package exports
computeReviewGate()andcomputeProofBroker()with the refreshed report types, including the additive bootstrap metadata.Repo-local agent workflow guidance now runs on
agentloopkit@0.47.1, with the newer task, verification, handoff, ship, and maintainer-check idioms used as the operating release loop.
4.17.0 Notes
4.17.0 ships the Agent Change Passport and Live Guard:
projscan passport --intent "<task>" --save-contract .projscan/proof-contract.jsoncreates a Proof Contract, checks the current working tree, and returns one local passport with boundary, receipt, proof replay, Proof Sufficiency, reviewer action, and next commands.projscan passport --contract .projscan/proof-contract.json --output .projscan/passport.jsonwrites a JSON handoff artifact. ProjScan writes to.projscan/passport.jsonor.projscan/passports/<name>.json, rejects traversal, checks symlink paths, and refuses to overwrite unrelated files.projscan guard --contract .projscan/proof-contract.jsonreports whether the current diff stayed inside the approved boundary.--watchpolls during an agent session, and--fail-on-driftexits non-zero when the guard sees drift.MCP now includes
projscan_passport, bringing the MCP surface to 49 tools. The tool returns passport evidence for agents without adding proof-command execution to MCP.Passport can attach Baseframe assessment evidence with
--task-id <id> --emit-baseframe, while ProjScan limits ownership to its assessment artifact and shared manifest update.
4.16.0 Notes
4.16.0 ships Baseframe Suite assessment export:
projscan assess --intent "<task>" --task-id <id> --emit-baseframewrites.baseframe/evidence/<task-id>/projscan-assessment.json.ProjScan updates
.baseframe/agent-workflow.jsonwith its own status while preserving AgentLoopKit, AgentFlight, and unknown manifest fields.The package exports
createBaseframeAssessment()plus Baseframe v1 assessment and workflow manifest types.Artifact writes are local, atomic, task-ID validated, and protected against traversal and symlink output paths.
4.15.0 Notes
4.15.0 strengthens the proof-first change loop:
projscan prove --intent "<change>"creates a local Proof Contract before editing. It names allowed files, forbidden files, risky contracts, likely tests, missing regression-test evidence, proof commands, rollback, confidence, Trust Memory signals, evidence gaps, reviewer guidance, andproofRequirementsfor each risk surface.projscan start --intent "is my agent allowed to change billing retry logic?"routes directly toprojscan prove, so agent-permission prompts start with a bounded contract instead of a broad checklist.projscan prove --run -- <command...>executes an explicit local proof command with shell execution disabled, writes a redacted log under.projscan/proof-logs/, appends aprove-runledger row, and letsprove --changedreplay executed proof instead of self-reported evidence.projscan prove --changedvalidates the current working tree against a saved contract and emits a Proof Receipt for PRs, agents, and CI. Its changed-file classes separate allowed production edits, expected tests, documentation, generated proof artifacts, config/security drift, forbidden touches, and unexpected production changes before giving a copyable reviewer decision. The receipt also includesproofReplaywith replay status, timeline events,changedAfterProof, replay command, and receipt fingerprint. Proof Sufficiency shows whether eachproofRequirementsrow has strong, adequate, weak, missing, stale, or failed proof.Team Proof Recipes let a repo add path-matched
proofRecipesto.projscanrc.json. Matching recipes add required commands, reviewers, and forbidden drift to the Proof Contract and Proof Receipt.projscan prove --record-command "<command>" --exit-code <code>appends a local Proof Ledger row with command, duration, changed-file fingerprint, redacted output summary, and optional log path when importing proof from CI or another runner.Every
proveJSON report includesverifiedWorkflow, so agents can read the next action, next command, scope status, proof status,proofSufficiencystatus, reviewer decision, and stale/missing/failed proof flags without parsing Markdown.Saved Mission Control bundles append Proof Ledger rows while
mission.shruns the existing proof queue. The script still writes proof logs and status JSONL for humans.projscan evidence-pack --pr-commentincludes the latest Proof Receipt summary when a contract and ledger are available, so PR comments show proof status, proof replay, reviewer decision, scope, stale proof, failed proof, proof sufficiency, recipe gaps, required reviewers, changed-after-proof files, receipt fingerprint, and the replay command.Proof artifacts are harder to spoof: Proof Contract and Proof Ledger reads reject symlink escapes, proof logs redact more standalone token/key shapes, and generated mission scripts reject shell control syntax before running.
The codebase behind the proof workflow is smaller and easier to review: source hotspots in Mission Control, bug-hunt, quality-scorecard, workplan, adoption, start-mode routing, and intent routing were split into focused helpers with architecture tests.
MCP now includes
projscan_prove, bringing the MCP surface to 48 tools.
4.14.0 Notes
4.14.0 ships the Verified Change Workflow and Executed Proof Runner:
projscan prove --intent "<change>"creates a local Proof Contract before editing.projscan prove --run -- <command...>executes an explicit local proof command with shell execution disabled and writes a redacted Proof Ledger row.projscan prove --changedemits a Proof Receipt for PRs, agents, and CI.projscan evidence-pack --pr-commentincludes the latest Proof Receipt summary when a contract and ledger are available.MCP includes
projscan_prove, bringing the MCP surface to 48 tools.
4.12.1 Notes
4.12.1 is the simulator precision patch for the Proof Cards V2 release:
projscan simulate --planno longer treats one-letter filenames such ass.tsas matches for broad plan text.Simulator term-overlap evidence now filters generated agent/cache paths and weak planning terms, so logs or proof artifacts do not become likely files when the plan names no concrete repo target.
4.12.0 Notes
4.12.0 is the Proof Cards V2 daily trust loop release:
Proof Cards now show evidence strength, confidence reason, evidence gaps, ranking reasons, Trust Memory context, and AgentLoopKit handoff packets.
projscan assess --feedback <path>applies local reviewer feedback to ranking and confidence.projscan start --intent "is this safe to commit?"now starts withprojscan assess --mode fix-firstand keeps preflight as proof.projscan simulate --plan "<change plan>"compares bounded extraction, regression test first, and leave unchanged alternatives before recommending the safest option.
4.11.1 Notes
4.11.1 is a public README media refresh for the proof-first release:
Added a dedicated Proof Cards screenshot for
projscan assessandprojscan simulate.Regenerated README screenshots so public media showed the 47-tool MCP surface.
Updated website handoff guidance to use immutable
v4.11.1media URLs.
4.11.0 Notes
4.11.0 is the proof-first engineering command center release:
projscan assessturns quality, bug-hunt, and preflight evidence into Proof Cards with fix-first guidance and risk delta.projscan simulate --plan "<change plan>"predicts likely files, tests, contracts, rollout, proof commands, and before/after risk before editing.MCP now exposes 47 tools, including
projscan_assessandprojscan_simulate.
MCP Setup
Use MCP when an agent should call projscan during a coding session.
Claude Code:
claude mcp add projscan -- npx -y projscan mcpCodex CLI:
[mcp_servers.projscan]
command = "npx"
args = ["-y", "projscan", "mcp"]Cursor, Windsurf, Cline, Continue, Zed, and other MCP clients can launch the same command:
npx -y projscan mcpAdd --watch if the client supports notifications/file_changed:
npx -y projscan mcp --watchAgent Questions
Agent question | CLI or MCP route |
Which files implement auth? |
|
Who imports this file? |
|
What breaks if I rename this symbol? |
|
What should I fix first? |
|
What is risky and worth fixing this week? |
|
Is this refactor worth doing? |
|
Is my agent allowed to make this change? |
|
Did the change stay inside scope? |
|
Can a reviewer trust this agent handoff? |
|
Which proof belongs in the PR? |
|
Is this PR ready for review? |
|
Is the agent drifting from the contract? |
|
Which files have high risk and low coverage? |
|
What should my agent do next? |
|
Which proof belongs in this PR? |
|
Is this branch ready to merge? |
|
Command Map
Command | Use it when you need |
| first-60-seconds orientation, routing, and Mission Control |
| cited repo map, runtime flows, public contracts, and change readiness |
| proceed, caution, or block gate for edit, commit, or merge |
| proof-first assessment with Proof Cards, risk delta, and fix-first guidance |
| risk delta simulator for a proposed change plan before editing |
| executable Proof Contracts, Verified Workflow JSON, and Proof Receipts |
| local change passport with boundary, receipt, proof, and reviewer action |
| PR Passport with required proof, proof gaps, reviewers, and next commands |
| reviewer-readiness gate with proof debt, recontract guidance, and CI exits |
| current working tree check against a saved Proof Contract |
| review evidence with risks, owners, proof receipts, and next commands |
| ranked fix queue from health, hotspots, session, and preflight evidence |
| ordered agent tasks with proof and handoff text |
| project health, tooling gaps, dead code, and supply-chain signals |
| one-call PR review from structural diff, risk, cycles, functions, and deps |
| blast radius for a file or symbol before rename, delete, or upgrade |
| imports, exports, importers, symbol definitions, and package importers |
| framework-aware source-to-sink risks |
| churn, complexity, ownership, and coverage risk ranking |
| high-risk files with weak test coverage |
| dependency inventory, license summary, and risk notes |
| offline upgrade impact from changelog and importer evidence |
| normalized |
| collisions, claims, and merge-risk across worktrees |
| local analyzer and reporter plugin workflow |
| local scan boundary, telemetry, ignore rules, and network-capable paths |
| MCP server over stdio |
Run the generated command help when you need flags:
projscan help
projscan <command> --helpOutput Formats
Commands support console, json, markdown, sarif, and html where those formats fit the command.
projscan analyze --format json
projscan doctor --format markdown
projscan ci --format sarif > projscan.sarif
projscan evidence-pack --pr-comment
projscan mission-proof --write reports/mission-proof.mdUse scoped and redacted reports when evidence leaves the repo:
projscan analyze --report-scope src/api --redact-paths --format json
projscan analyze --report-scope "src/api,packages/backend" --redact-paths --format json
projscan doctor --report-policy apiEvidence --format markdownConfiguration
Create a .projscanrc.json when repo defaults should live in source control:
{
"minScore": 80,
"failOn": "warning",
"baseRef": "origin/main",
"ignore": ["**/fixtures/**", "**/generated/**"],
"scan": {
"includeIgnored": false,
"scanEnvValues": false,
"offline": false
},
"disableRules": ["large-*"],
"suppress": {
"hardcoded-secret": ["src/firebase.ts"]
},
"severityOverrides": {
"missing-prettier": "info"
},
"proofRecipes": [
{
"id": "billing-critical",
"matches": ["src/billing/**"],
"requiredCommands": ["npm test -- tests/billing/retry.test.ts"],
"requiredReviewers": ["@platform"],
"forbiddenFiles": ["src/auth/**"]
}
],
"reportPolicies": {
"apiEvidence": {
"reportScope": ["src/api", "packages/backend"],
"redactPaths": true
}
}
}Use suppress for a known false positive in a specific path without disabling
the rule everywhere. For one line, add an inline directive next to the value:
const firebaseKey = 'AIza...'; // projscan-ignore-line hardcoded-secret -- Firebase web keys are public identifiersUse proofRecipes when a path needs team-specific proof; when a matching recipe
is configured, projscan prove adds its proof commands, reviewers, and forbidden
files to the contract and receipt. It does not run proof commands by itself.
Recipes without requiredCommands are skipped, and duplicate recipe IDs keep the
first valid recipe.
Config docs live in docs/GUIDE.md.
CI
Use projscan ci to gate pull requests:
projscan ci --min-score 80
projscan ci --changed-only
projscan ci --format json
projscan ci --format sarif > projscan.sarifci --format json keeps ci.issues[] annotation-ready: each issue includes
ruleId, severity, message, location, locations, and remediation
when projscan has that data.
doctor --format json and ci --format json also include scoreBreakdown,
which shows the base score, severity weights, category penalties, total penalty,
final score, and grade.
By default, ci only fails a below-threshold score when there is a warning or
error. Set "failOn": "info" for legacy strictness or "failOn": "error" for
error-only blocking.
GitHub Actions example:
name: ProjScan
on:
pull_request:
branches: [main]
permissions:
contents: read
security-events: write
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with: { fetch-depth: 0 }
- uses: actions/setup-node@v4
with: { node-version: 24 }
- uses: abhiyoheswaran1/projscan@v1
with:
min-score: '80'
changed-only: 'true'Plugins
Local plugins let teams add project-specific analyzer rules and custom human reports without changing projscan core.
Load local plugins
projscan plugin list
projscan plugin validate .projscan-plugins/team-radar.projscan-plugin.json
projscan plugin test .projscan-plugins/team-radar.projscan-plugin.json
PROJSCAN_PLUGINS_PREVIEW=1 projscan doctor --reporter team-radarRun projscan help for the generated command-by-command support matrix.
Plugin docs:
Supported Repos
projscan reads TypeScript, JavaScript, Python, Go, Java, Ruby, Rust, PHP, C#, Kotlin, Swift, and C++ with AST-aware adapters where available. It also detects file-level signals for C, Shell, CSS, HTML, SQL, Dart, Lua, Scala, R, and related project files.
Framework signals cover React, Next.js, Vue, Nuxt, Svelte, Angular, Express, Fastify, NestJS, Vite, Tailwind CSS, Prisma, Remix, SvelteKit, Astro, Hono, Koa, and common monorepo layouts.
JavaScript and TypeScript use @babel/parser. Non-JS languages use packaged tree-sitter WASM grammars. The published package has 7 direct runtime dependencies; optional semantic search uses the peer dependency @xenova/transformers.
Trust Model
Area | projscan behavior |
Source code | Core scans read local files and keep results on your machine. |
| Ignored files stay out of scans unless you pass |
| projscan reports paths by default. It reads values after |
Network |
|
Telemetry | Off until you run |
Plugins | Local plugin code runs after |
Repo writes | Source writes require explicit fix commands. Caches, saved missions, Proof Contracts, Proof Ledger rows, and proof logs stay under |
Audit helpers:
projscan privacy-check
projscan telemetry status
projscan telemetry explain
projscan doctor --offlineSupply-chain scanners may flag package strings or APIs used by git, npm audit, web-tree-sitter, optional plugins, and optional semantic search. The runtime paths above describe when those capabilities run.
Install Notes
projscan@5.0.0 has seven direct runtime dependencies:
@babel/parser@babel/typeschalkcommanderfast-globoraweb-tree-sitter
If npm prints allow-scripts warnings during a global install, check which package names it lists. projscan core does not need node-gyp grammar builds at runtime in 5.0.0. Open an issue with the warning text if npm reports install scripts from projscan@latest, or run projscan feedback intake --text "<warning text>" --format json to turn it into a focused setup-trust task.
The grammar packages are build-time sources, not global-install dependencies. Published grammar assets include tree-sitter-python.wasm and tree-sitter-c_sharp.wasm.
Deeper Docs
Contributing
Read CONTRIBUTING.md before opening a PR. Contributions use the MIT License and the DCO 1.1 certification described there.
Legal
License: MIT
Disclaimer: DISCLAIMER.md
Security policy: SECURITY.md
Privacy notice: PRIVACY.md
Telemetry policy: TELEMETRY.md
Trademark and brand policy: TRADEMARKS.md
Third-party notices: THIRD-PARTY-NOTICES.md
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/abhiyoheswaran1/projscan'
If you have feedback or need assistance with the MCP directory API, please join our Discord server