hegner123/scanner
# scanner

Post-incident investigation tool for macOS. Inspects every running process — checking executable paths, code signing status, and network connections — then flags suspicious indicators with severity-ranked explanations. Works as both a standalone CLI and an MCP server for Claude Code.

## What it detects

| Flag | Meaning |
|---|---|
| `unsigned` | Binary has no Apple code signature |
| `invalid-signature` | Signature present but fails verification (possible tampering) |
| `hidden-executable` | Binary path contains a dotfile directory |
| `temp-location` | Running from `/tmp` or `/var/tmp` |
| `non-standard-port` | ESTABLISHED connection on a port outside the standard set |
| `deleted-binary` | Executable no longer exists on disk |
| `no-executable-path` | No path available (typically kernel threads) |

Flags are combined into severity levels (HIGH / MEDIUM / LOW) with plain-language explanations of why each process was flagged.
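The flag table and the severity sentence above describe outcomes, not how the checks are made. The following is an added example, written for this page and not the scanner project's own code, that re-implements the path, port and code-signing heuristics as plain Go functions and runs them over constructed sample paths. The severity mapping, the "standard" port set, and the codesign stderr text it matches on are assumptions; the project does not publish them. `SignatureFlag` shells out to Apple's `codesign --verify --strict`, so it only does real work on macOS and returns nothing where the binary is absent.

```go
// Added example, not the scanner project's own code; the assumptions are marked below.
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"slices"
	"strings"
)

const ( // flag names as listed in the README
	FlagUnsigned   = "unsigned"
	FlagInvalidSig = "invalid-signature"
	FlagHidden     = "hidden-executable"
	FlagTemp       = "temp-location"
	FlagNonStdPort = "non-standard-port"
	FlagDeleted    = "deleted-binary"
	FlagNoPath     = "no-executable-path"
)

// Assumed "standard" remote ports; the project's real set is not documented here.
var standardPorts = map[int]bool{22: true, 53: true, 80: true, 443: true, 993: true, 5223: true}
// PathFlags runs the path-based checks. exists is injected so the deleted-binary check
// can be stubbed off-macOS. /tmp and /var/tmp are symlinks into /private on macOS, so a
// resolved executable path may carry either spelling.
func PathFlags(path string, exists func(string) bool) []string {
	if path == "" {
		return []string{FlagNoPath}
	}
	var flags []string
	clean := filepath.Clean(path)
	for _, dir := range strings.Split(filepath.Dir(clean), "/") {
		if len(dir) > 1 && dir[0] == '.' && dir != ".." { // dotfile directory anywhere in the path
			flags = append(flags, FlagHidden)
			break
		}
	}
	if strings.HasPrefix(clean, "/tmp/") || strings.HasPrefix(clean, "/var/tmp/") ||
		strings.HasPrefix(clean, "/private/tmp/") || strings.HasPrefix(clean, "/private/var/tmp/") {
		flags = append(flags, FlagTemp)
	}
	if !exists(clean) {
		flags = append(flags, FlagDeleted)
	}
	return flags
}

// PortFlag reports only ESTABLISHED connections, so idle listeners on odd ports are not flagged.
func PortFlag(state string, remotePort int) []string {
	if state == "ESTABLISHED" && !standardPorts[remotePort] {
		return []string{FlagNonStdPort}
	}
	return nil
}

// SignatureFlag shells out to codesign (macOS only; nil where codesign is absent). codesign
// writes its verdict to stderr; "not signed at all" separates unsigned from failed verification.
func SignatureFlag(path string) []string {
	out, err := exec.Command("codesign", "--verify", "--strict", path).CombinedOutput()
	switch {
	case err == nil || errors.Is(err, exec.ErrNotFound):
		return nil
	case strings.Contains(string(out), "not signed at all"):
		return []string{FlagUnsigned}
	}
	return []string{FlagInvalidSig}
}

// Severity is an assumed ranking: the README says flags combine into HIGH/MEDIUM/LOW
// but does not publish the mapping. An empty level means "not flagged".
func Severity(flags []string) (level, why string) {
	has := func(f string) bool { return slices.Contains(flags, f) }
	switch {
	case has(FlagInvalidSig) || has(FlagDeleted):
		return "HIGH", "signature fails verification or binary removed after launch (tampering or anti-forensics)"
	case has(FlagUnsigned) && (has(FlagTemp) || has(FlagHidden)):
		return "HIGH", "unsigned code running from a temp or hidden directory"
	case has(FlagUnsigned) || has(FlagTemp) || has(FlagHidden) || has(FlagNonStdPort):
		return "MEDIUM", "single indicator, common for dev tooling; confirm the binary's origin"
	case has(FlagNoPath):
		return "LOW", "no executable path, typically a kernel thread"
	}
	return "", ""
}

func main() {
	exists := func(p string) bool { _, err := os.Stat(p); return err == nil }
	for _, path := range []string{"/tmp/.cache/updater", "/usr/bin/ssh", ""} { // constructed sample paths
		flags := PathFlags(path, exists)
		if path != "" && exists(path) { // a signature is only checkable while the file is on disk
			flags = append(flags, SignatureFlag(path)...)
		}
		level, why := Severity(flags)
		fmt.Printf("%-22q %-6s %v %s\n", path, level, flags, why)
	}
	fmt.Println(PortFlag("ESTABLISHED", 4444), PortFlag("LISTEN", 4444))
}
```

Two details carry over to any real triage: a deleted binary cannot have its signature checked, so `deleted-binary` is ranked on its own rather than combined with `unsigned`; and `/tmp` paths must be matched in both their symlink and `/private` forms, or a process whose path was resolved by the kernel slips past the `temp-location` check.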

## Installation

```sh
just install
```

Requires Go 1.25+ and just.

## CLI Usage

```sh
# Full security scan (flagged processes only by default)
scanner scan

# Show only suspicious processes, exit 1 if any found
scanner scan --suspicious

# JSON output for scripting
scanner scan --json

# List running processes with path analysis
scanner ps

# Show network connections with external IP highlighting
scanner net

# Manage the allowlist (suppress unsigned flags for known binaries)
scanner allow add /usr/local/bin/mytool
scanner allow list
scanner allow remove /usr/local/bin/mytool
```

All commands support --json for machine-readable output and --verbose for diagnostic detail on stderr.

## MCP Server

Scanner exposes its full capability set as an MCP server over stdio, compatible with Claude Code and other MCP clients.

```sh
# Register with Claude Code
just mcp-add

# Or manually
scanner mcp
```

### Available tools

| Tool | Description |
|---|---|
| `scan_full` | Full security analysis with severity ranking and explanations |
| `scan_processes` | Process listing with summary or detailed JSON |
| `scan_network` | Network connections with external IP highlighting |
| `scan_kill` | Kill a process by PID (SIGTERM or SIGKILL) |
| `scan_allow_add` | Add a binary to the allowlist |
| `scan_allow_list` | List allowlisted binaries |
| `scan_allow_remove` | Remove a binary from the allowlist |

## Development

```sh
just test      # run tests
just lint      # vet and staticcheck
just fmt       # format code
just check     # full check: fmt, lint, test, build
```

## License

MIT
