Catch vulnerabilities before hackers do.
A free, local security scanner for the age of AI-generated code. Scout finds the problems, hands the fix to the AI you already use, and re-checks. No signup, no API key, zero tokens.
Watch Scout work.
Scan, hand the fix to the AI you already use, re-check. The whole loop, end to end.
AI writes code fast. Including the vulnerabilities.
AI assistants write code that works but isn't always safe: passwords and API keys left in the source (hardcoded secrets), database queries an attacker can rewrite (SQL injection), web apps missing basic protections (security headers). It all runs fine, so it ships.
At a company, a security review would catch this before release. On your own, there is no review. Scout is that check: it scans your project on your machine, flags the mistakes AI assistants are known to make, and explains every finding in plain English: what it is, why it matters, how to fix it. No security expertise needed.
Four scanners, one pass.
The key you pasted in for a quick test and forgot about.
AWS & Google keys, GitHub/GitLab tokens, Anthropic & OpenAI keys, Slack, npm, PyPI & Stripe tokens, DB URLs, private keys, passwords.
Queries and shell commands built from user input.
SQL injection, command injection, eval(), XSS, including f-string and concat-built queries.
The framework defaults you never hardened.
Missing security headers in Flask, Django, FastAPI & Express, plus wildcard CORS and missing CSRF.
The vulnerability someone else shipped to you.
Known CVEs in your pip and npm dependencies, checked against OSV.dev.
Secrets are caught in every common source & config file · injection & header checks speak Python and JS/TS · dependency scans cover requirements.txt + package-lock.json
One scan, three outputs.
A plain-English report for you, ready-to-paste fix prompts for your AI, machine-readable files for CI. Scout finds the problem & the AI you already use fixes it.
Markdown report
security-report.md explains every finding in plain English, severity with context, exact fix instructions & a phased remediation plan.
$ scout scan ./my-appAI-prompt handoff
Self-contained fix prompts to paste into Cursor, Claude or Copilot. Each one carries the finding, the fix & a sweep for the same class of issue.
$ scout scan . --format ai-promptJSON + SARIF
Machine-readable findings for pipelines and GitHub Code Scanning PR annotations. Pipe JSON into your own tooling or upload SARIF to code scanning.
$ scout scan . --format sarif -o scout.sarifFind → Fix → Verify.
Scout finds deterministically, your AI fixes, Scout re-checks. Same scan, same findings, zero tokens on every pass.
Scout scans locally. Deterministic static analysis. No API key, no signup, zero tokens.
Your AI applies the fix. Paste the prompt or let your agent call Scout over MCP. It already knows your codebase.
The same scan runs again. Same findings, zero tokens. Repeat until it reports clean.
Connect your AI assistant.
Run Scout as an MCP tool your agent calls in a scan → fix → rescan loop. Scout finds it, your agent fixes it & Scout re-verifies. Deterministic and zero-token, so the loop never burns inference.
Claude Code
PLUGINBundles the MCP server. Registers the scan_path tool & /scout-scan. Needs uv on your PATH.
ONE CLICK · CONFIG PRE-FILLED
Every other MCP host
SAME SERVER OBJECTNo uv? pip install "scout-security[mcp]" and use "command": "scout-mcp" with no args.
Cursor · Claude Desktop · Cline · Windsurf · VS Code (.vscode/mcp.json, under a "servers" key)
Quiet, honest defaults.
Free & local
No signup, no API keys, zero tokens. Your code never leaves your machine. Dependency checks query OSV.dev with package names only.
Built for AI-generated code
Catches the mistakes assistants actually make: leaked keys, string-built SQL, shell=True, missing headers. Then hands the fix straight back to your AI.
Deterministic
Same scan, same findings, every run. An optional AI confirmation pass can downgrade false positives. Off by default, it only ever sees the flagged snippet & it fails open.