vscan
v0.0.9
Published
Secure your large codebases with AI. One command from vulnerability to solutions.
Readme
VScan
Secure your large codebases with AI. One command from vulnerability to solutions.
npx vscanFind vulnerabilities in your code and dependencies, then stream AI-generated solutions directly to your codebase using Vaktex models.
Optionally, pass mcp init to scan incrementally as your agents write code.
Features
- AI security models that outperform Snyk and GPT-5.5
- Detects vulnerabilities in code and dependencies
- AI-generated solutions applied directly to your codebase
- Zero-install CLI (
npx vscan) - MCP support for Claude, Cursor, and Codex
- Interactive terminal and JSONL streaming
- Runs on macOS, Linux, and Windows
Install
Run without installing (recommended):
npx vscanOr install globally:
npm install -g vscan
vscanRequires Node.js 18+ and a Vaktex account. Prebuilt binaries are available for macOS, Linux, and Windows (x64 and arm64).
Quick start
# Authenticate
vscan auth
# Scan the current directory
vscan .
# Scan another project
vscan ./repo
# Stream JSONL output
vscan ./repo --format jsonl > report.jsonl
# Auto-apply suggested solutions
vscan ./repo --format jsonl --yes > report.jsonl
# Start the MCP server
vscan mcp
# Configure Claude, Cursor, or Codex
vscan mcp initTwo modes
- Interactive (default, no
--format): a guided wizard to browse findings and apply solutions one at a time. - Streaming (
--format jsonl): the only non-interactive format. It emits one JSON object per finding to stdout, ideal for agents, CI, and pipelines. Add--yes/-yto auto-apply solutions.
JSONL shape
One line per finding:
{ "file": "src/db.py", "vulnerabilities": ["CWE-89"], "vulnerability_name": "SQL Injection", "solution": "cursor.execute(\"SELECT * FROM users WHERE id = %s\", (uid,))" }solution is omitted if the model has no resolution capabilities.
Commands
| Command | What it does |
| --- | --- |
| vscan auth | Authenticate client |
| vscan model [<id>] | Set scanning model |
| vscan about | Account, features, and dependencies |
| vscan agent [<dir>] | Interactive security agent: scans, fixes, verifies |
| vscan isolated <path> | Scan inside a local air-gapped container |
| vscan usage | View your usage |
| vscan mcp | Local MCP server over stdio |
| vscan mcp init | Install MCP config for Claude, Codex, or Cursor |
| vscan help | Show help message |
Flags: --format jsonl, --yes / -y, --version / -v, --help / -h.
MCP
vscan mcp starts a local stdio MCP server exposing tools to coding agents. Compatible agents can use it to scan files inside the current project and apply suggested resolutions.
Run vscan mcp init to install config into a supported local MCP host. The installer asks which package manager to use (npm, bun, pnpm, or yarn) and which host to configure (Claude, Codex, or Cursor).
Agent mode
vscan agent [dir] opens an interactive agent session. It reads your recent
git changes first (or plans a full scan without git), decides what to scan
using the same VScan scanner, applies fixes it judges correct — asking only
before destructive edits — and verifies every fix (syntax parse + re-scan)
before it finishes.
