RepoPreflight
Roadmap

A trust layer for code, agents and supply chains.

ScanGit started as a preflight check for a single repo. The long-term goal is to become the default trust layer developers consult before interacting with any code, tool, agent or MCP server they do not control.

Shipped

  • Preflight scanner

    shipped

    Public API + UI that scores any GitHub repo on safety dimensions before you clone, install, or attach an AI agent.

    • Trust score, safe-to-open / clone / install / for-AI dimensions
    • Workspace execution, AI-agent and MCP heuristics
    • Web reputation lookup
    • Per-commit cache + IP-based daily quota
    • Cursor & Claude Code skill bundle

Next

  • Repository timeline

    shipped

    Track trust score across commits so users can see when a repo deteriorates.

    • Score trendline per repo
    • Findings-category drift
    • Alerting on drops (later)
  • Browser extension

    next

    Show the trust badge directly on github.com — no need to open ScanGit.

    • Inline badge on repo header
    • Hover for top findings
    • Later: GitLab + Bitbucket
  • Git clone wrapper

    next

    `rp clone <url>` — a CLI that gates `git clone` on the preflight result.

  • VS Code & Cursor extensions

    next

    Preflight before opening a workspace. Optional Safe Mode disables tasks, launchers, devcontainers and lifecycle scripts.

Later

  • Community reputation network

    later

    VirusTotal-style: users report repos, vote trustworthiness, attach evidence. Verified reporter tier for security researchers.

  • MCP security directory

    later

    Reputation database for MCP servers — permissions, owners, incidents, trust score.

  • Repository DNA

    later

    Auto-classify repos: developer tool, AI tooling, MCP-heavy, automation, infra, high-agent-exposure, etc.

  • AI agent simulation

    later

    Replay what an agent would actually do when handed the repo — read AGENTS.md, run setup.sh, call MCP tools, touch the filesystem. Show the execution path.

  • Supply-chain watch

    later

    Follow repos, MCP servers, dependencies, orgs. Get alerts when trust drops or risky surfaces appear.

  • Dependency reputation

    later

    Score npm / pip / cargo / go packages independently from their repos: maturity, maintenance, supply-chain, AI-ecosystem trust.

  • Security feed

    later

    Public intelligence feed of suspicious repos, AI-agent attacks, MCP incidents and supply-chain events.

  • Slack integration

    later

    `/repo-preflight <url>` returns trust score and top findings inside the team channel.

Enterprise vision

  • Policy engine

    vision

    Block repos by rules: younger than N days, safe-for-agents below threshold, MCP risk above threshold, unknown maintainers. Compliance reports.

  • Team dashboard

    vision

    Org-wide visibility: scanned repos, high-risk findings, MCP usage, agent exposure, trust trends.

  • Trust-ranked search

    vision

    Find a Postgres backup tool ranked by trust + maintenance + agent safety + supply-chain — not just stars.

  • Safe-For scores

    vision

    Dedicated dimensions: Safe For Cursor, Claude Code, Copilot, MCP, Enterprise, Production.
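A sketch of how the policy engine rules above (minimum age, safe-for-agents floor, MCP risk ceiling, unknown maintainers) could be evaluated against a scan result and reported in full for a compliance report. This is an added example, not ScanGit's own code; the `ScanResult` fields, the `Policy` thresholds and the `evaluate` function are assumptions, and the sample repos and scores are constructed.

```python
from dataclasses import dataclass
from datetime import date

# Hypothetical shape of a preflight scan result; the real schema is not on the page.
@dataclass(frozen=True)
class ScanResult:
    repo: str
    created: date
    safe_for_agents: int        # 0-100, higher is safer (assumed scale)
    mcp_risk: int               # 0-100, higher is riskier (assumed scale)
    maintainers: tuple[str, ...]

@dataclass(frozen=True)
class Policy:
    min_age_days: int           # block repos younger than N days
    min_safe_for_agents: int    # block when safe-for-agents is below this
    max_mcp_risk: int           # block when MCP risk is above this
    known_maintainers: frozenset[str]  # anyone else counts as unknown

def evaluate(result: ScanResult, policy: Policy, today: date) -> tuple[str, list[str]]:
    """Return ("allow" | "block", reasons). Every violated rule is reported,
    so a compliance report lists all of them rather than only the first hit."""
    reasons: list[str] = []
    age_days = (today - result.created).days
    if age_days < policy.min_age_days:
        reasons.append(f"repo is {age_days} days old (minimum {policy.min_age_days})")
    if result.safe_for_agents < policy.min_safe_for_agents:
        reasons.append(f"safe-for-agents {result.safe_for_agents} below {policy.min_safe_for_agents}")
    if result.mcp_risk > policy.max_mcp_risk:
        reasons.append(f"MCP risk {result.mcp_risk} above {policy.max_mcp_risk}")
    unknown = sorted(set(result.maintainers) - policy.known_maintainers)
    if unknown:
        reasons.append("unknown maintainers: " + ", ".join(unknown))
    return ("block" if reasons else "allow", reasons)

# Constructed sample data: not real repos, maintainers or scores.
DEFAULT_POLICY = Policy(min_age_days=30, min_safe_for_agents=70,
                        max_mcp_risk=40, known_maintainers=frozenset({"alice", "bob"}))
SAMPLE_TODAY = date(2025, 3, 1)
RISKY_RESULT = ScanResult("example-org/new-mcp-tool", date(2025, 2, 20),
                          safe_for_agents=55, mcp_risk=65, maintainers=("alice", "mallory"))
CLEAN_RESULT = ScanResult("example-org/backup-cli", date(2023, 6, 1),
                          safe_for_agents=88, mcp_risk=10, maintainers=("bob",))

if __name__ == "__main__":
    for r in (RISKY_RESULT, CLEAN_RESULT):
        decision, reasons = evaluate(r, DEFAULT_POLICY, SAMPLE_TODAY)
        print(f"{r.repo}: {decision}", *reasons, sep="\n  ")
```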

Long-term

Think Cloudflare + VirusTotal + Snyk, but for the AI-coding era. Repositories, MCP servers, dependencies and agent instructions all routed through a single reputation layer that developers, teams and CI systems can query before trusting anything.