Skip to content

    ● Quin: Technical Setup

    How Quin
    scans.

    Install the CLI, point it at a repository, and get a structured, compliance-ready report — no code instrumentation, no agent-side changes.

    Up and running in three steps.

    01

    Install via Pip

    pip install quin-scanner
    02

    Configuration

    cp .env.example .env
    cp scanner-config.yaml my-scanner-config.yaml
    03

    Run and Review

    quin-scanner scan <target> --config my-scanner-config.yaml
    quin-scanner scan-org <org> --config my-scanner-config.yaml

    What happens during a scan.

    Repo → 13 scanners → vulnerability lookup → two LLM passes → report.

    01

    13 scanners (parallel)

    Dependency, config, code-pattern, file-structure, framework, prompt-discovery, Dockerfile, Jupyter, IaC, CI, MCP, agent-instance, and tool-definition scanners run locally against your repo — no LLM call yet.

    02

    Vulnerability lookup

    Once a framework and base version are identified (e.g. CrewAI 0.80.0), Quin queries OSV.dev — unauthenticated, framework name + version only — and optionally an LLM with web search for recent advisories.

    03

    Pass 1 — Classification

    An LLM call classifies the system type (standard_ai, agentic_ai, mcp_enabled, multi_agent) and identifies relevant threats from a taxonomy sourced from OWASP LLM Top 10, OWASP Agentic Top 10, OWASP MCP Top 10, MAESTRO, and Databricks DASF.

    04

    Pass 2 — Synthesis

    A second LLM call profiles each agent against the taxonomy, maps tool usage to service categories, and writes the narrative summary that lands in your report.

    Scan time scales with repo size and your LLM provider's latency — there's no fixed duration. Use --no-llm to run scanners only and skip both LLM passes.

    Where your code actually goes.

    The question every security engineer asks first — answered plainly.

    Your API key, your provider

    Quin uses the LLM API key you configure (Anthropic, OpenAI, Google, or a local Ollama model). Extracted code and prompts go directly from your machine to that provider — never to Gaincontrol.

    Fully local mode available

    Run with --no-llm to skip both LLM passes entirely. Scanners still run and produce findings; the only network call in this mode is the unauthenticated OSV.dev lookup, unless you also pass --no-vuln-check.

    Vulnerability lookup is minimal

    The OSV.dev query sends only the detected framework name and version — not your source code. The optional web-search step for advisories reuses your existing provider API key.

    Beta software. Reviewed findings, not blind trust.

    Quin is currently at v0.1.0b2 — an early public release under active development. Like any static- and LLM-assisted analysis tool, it can produce false positives and false negatives. Every finding ships with a confidence score so you can triage accordingly, but findings should be independently reviewed before driving security, compliance, or architectural decisions.

    Quin follows Semantic Versioning. Every change is tracked in the project changelog.

    Structured reports, ready for your pipeline.

    Every scan produces a JSON or YAML report with confidence scores, capability tags, agent intent summaries, and risk signals, ready for SIEM ingestion or manual review.

    • Confidence-scored findings per file
    • Capability tags (llm-api, rag, multi-agent, tool-use)
    • Agent intent and risk signal summary
    • Scan timestamp and repo metadata
    scan-report.json
    {
      "repo_path": "/path/to/repo",
      "scan_timestamp": "2026-03-30T09:00:00Z",
      "is_ai_application": true,
      "confidence": 0.92,
      "capability_tags": [
        "llm-api", "rag", "multi-agent", "tool-use"
      ],
      "agent_intents": [
        {
          "agent_name": "ResearcherAgent",
          "goal": "Search and synthesize from web sources",
          "capabilities": ["web-search", "summarization"],
          "risk_signals": [
            "has internet access",
            "writes files"
          ]
        }
      ]
    }

    Free to run today. Enterprise-ready when you need it.

    The core scanner is MIT-licensed and self-hosted. The enterprise edition adds remote GitHub org scanning, SIEM integration, and SSO.