Scout is a free, open-source, local security scanner CLI for AI-generated code. Install with "uvx scout-security scan ." or "pip install scout-security". Scout finds vulnerabilities (leaked secrets, injection, missing security headers, dependency CVEs), hands fix prompts to the AI assistant you already use, and re-checks. The core scan is deterministic, offline, and zero-token. Links: GitHub github.com/Varpost/Scout, PyPI scout-security, MIT license.

v0.1.7 FREE · OPEN SOURCE · 100% LOCAL

Catch vulnerabilities before hackers do.

A free, local security scanner for the age of AI-generated code. Scout finds the problems, hands the fix to the AI you already use, and re-checks. No signup, no API key, zero tokens.

zero-install with uv or install permanently
02SEE IT IN ACTION

Watch Scout work.

Scan, hand the fix to the AI you already use, re-check. The whole loop, end to end.

03THE PROBLEM

AI writes code fast. Including the vulnerabilities.

AI assistants write code that works but isn't always safe: passwords and API keys left in the source (hardcoded secrets), database queries an attacker can rewrite (SQL injection), web apps missing basic protections (security headers). It all runs fine, so it ships.

At a company, a security review would catch this before release. On your own, there is no review. Scout is that check: it scans your project on your machine, flags the mistakes AI assistants are known to make, and explains every finding in plain English: what it is, why it matters, how to fix it. No security expertise needed.

04WHAT SCOUT FINDS

Four scanners, one pass.

secretsCRITICAL

The key you pasted in for a quick test and forgot about.

AWS & Google keys, GitHub/GitLab tokens, Anthropic & OpenAI keys, Slack, npm, PyPI & Stripe tokens, DB URLs, private keys, passwords.

injectionCRITICAL

Queries and shell commands built from user input.

SQL injection, command injection, eval(), XSS, including f-string and concat-built queries.

headersLOW–MEDIUM

The framework defaults you never hardened.

Missing security headers in Flask, Django, FastAPI & Express, plus wildcard CORS and missing CSRF.

depsHIGH

The vulnerability someone else shipped to you.

Known CVEs in your pip and npm dependencies, checked against OSV.dev.

Secrets are caught in every common source & config file · injection & header checks speak Python and JS/TS · dependency scans cover requirements.txt + package-lock.json

05OUTPUTS

One scan, three outputs.

A plain-English report for you, ready-to-paste fix prompts for your AI, machine-readable files for CI. Scout finds the problem & the AI you already use fixes it.

$ scout scan .
FOR HUMANS

Markdown report

security-report.md explains every finding in plain English, severity with context, exact fix instructions & a phased remediation plan.

$ scout scan ./my-app
FOR YOUR AI

AI-prompt handoff

Self-contained fix prompts to paste into Cursor, Claude or Copilot. Each one carries the finding, the fix & a sweep for the same class of issue.

$ scout scan . --format ai-prompt
FOR CI

JSON + SARIF

Machine-readable findings for pipelines and GitHub Code Scanning PR annotations. Pipe JSON into your own tooling or upload SARIF to code scanning.

$ scout scan . --format sarif -o scout.sarif
06HOW IT WORKS

Find → Fix → Verify.

Scout finds deterministically, your AI fixes, Scout re-checks. Same scan, same findings, zero tokens on every pass.

01FIND

Scout scans locally. Deterministic static analysis. No API key, no signup, zero tokens.

02FIX

Your AI applies the fix. Paste the prompt or let your agent call Scout over MCP. It already knows your codebase.

03VERIFY

The same scan runs again. Same findings, zero tokens. Repeat until it reports clean.

re-checking a fix never costs inference
07MCP

Connect your AI assistant.

Run Scout as an MCP tool your agent calls in a scan → fix → rescan loop. Scout finds it, your agent fixes it & Scout re-verifies. Deterministic and zero-token, so the loop never burns inference.

Claude Code

PLUGIN

Bundles the MCP server. Registers the scan_path tool & /scout-scan. Needs uv on your PATH.


ONE CLICK · CONFIG PRE-FILLED

Every other MCP host

SAME SERVER OBJECT

No uv? pip install "scout-security[mcp]" and use "command": "scout-mcp" with no args.


Cursor · Claude Desktop · Cline · Windsurf · VS Code (.vscode/mcp.json, under a "servers" key)

THEN TELL YOUR AGENT "Scan this project with Scout, fix every finding, then scan again. Repeat until it reports zero."
08WHY SCOUT

Quiet, honest defaults.

Free & local

No signup, no API keys, zero tokens. Your code never leaves your machine. Dependency checks query OSV.dev with package names only.

Built for AI-generated code

Catches the mistakes assistants actually make: leaked keys, string-built SQL, shell=True, missing headers. Then hands the fix straight back to your AI.

Deterministic

Same scan, same findings, every run. An optional AI confirmation pass can downgrade false positives. Off by default, it only ever sees the flagged snippet & it fails open.

09GET STARTED

Start scanning in one command.

v0.1.7 · PYPI scout-security · MIT · FREE FOREVER