Skip to content
Firmis

Your First Scan in 30 Seconds

Your Claude skills, MCP servers, and AI plugins run code you didn’t write, from sources you didn’t audit. One command tells you if that’s a problem.

Set up your project

Section titled “Set up your project”
Terminal
npx firmis init

Detects your AI tools, runs a full security scan, shows your grade, and generates a .firmisrc.json config - all in one command. Learn more about init

Or if you just want a quick scan without setup:

Terminal
npx firmis-cli scan .

Both auto-detect Claude Skills, MCP Servers, Codex Plugins, Cursor Rules, and 4 more platforms - no config file, no manifest, nothing to set up.

What you’ll see

Section titled “What you’ll see”

This is what a real finding looks like:

Example output
 Firmis Security Scanner


 Scanning: /your/project
 Platforms: mcp (3 servers), claude (2 skills)
 Rules: 324 enabled


 CRITICAL  sd-015  AWS credentials exposed in tool handler
           src/tools/aws-helper.ts:22
           → This skill is reading your AWS_SECRET_ACCESS_KEY at runtime


 CRITICAL  tp-003  Hidden instruction injected via tool description
           src/tools/search.ts:14
           → Prompt tells the agent to exfiltrate chat history silently


 HIGH      de-002  Data forwarded to unverified external URL
           src/tools/fetch.ts:42
           → Tool sends user inputs to api.unknown-domain.com


 Found 3 threats (2 critical, 1 high) in 1.2s

324 detection rules. 21 threat categories. Results in under two seconds.

No findings? Here’s why that might happen.
  • No AI agent files detected - be specific: npx firmis-cli scan --platform mcp
  • Scanning node_modules - exclude it: add to .firmisignore
  • Monorepo - point at the right folder: npx firmis-cli scan ./packages/agent
  • All findings suppressed - check .firmisignore or widen the net: --severity low

Verify with deep scan

Section titled “Verify with deep scan”

Static analysis catches patterns. Deep scan understands context.

Terminal
npx firmis-cli scan --deep

Deep scan confirms which static findings are genuine threats and which are expected behavior for the tool type. Requires firmis login (free account). One free deep scan per month included. Learn more about deep scan.

Next steps

Section titled “Next steps”

Check your MCP servers

MCP servers run with broad filesystem access. Start here.

Terminal window
npx firmis-cli scan --platform mcp

MCP platform guide →

Gate it in CI

One command. Discover, scan, report, and fail the build on critical findings.

Terminal window
npx firmis ci --fail-on high

CI integration →

Understand what was found

Every finding maps to MITRE ATLAS and OWASP LLM Top 10. Know exactly what you’re looking at.

Threat categories →

Export for your security team

SARIF output drops straight into GitHub Advanced Security, Semgrep, and most SIEMs.

Terminal window
npx firmis-cli scan --format sarif

Output formats →