● Quin: Technical Setup
How Quin
scans.
Install the CLI, point it at a repository, and get a structured, compliance-ready report — no code instrumentation, no agent-side changes.
Up and running in three steps.
Install via Pip
pip install quin-scanner
Configuration
cp .env.example .env cp scanner-config.yaml my-scanner-config.yaml
Run and Review
quin-scanner scan <target> --config my-scanner-config.yaml quin-scanner scan-org <org> --config my-scanner-config.yaml
What happens during a scan.
Repo → 13 scanners → vulnerability lookup → two LLM passes → report.
13 scanners (parallel)
Dependency, config, code-pattern, file-structure, framework, prompt-discovery, Dockerfile, Jupyter, IaC, CI, MCP, agent-instance, and tool-definition scanners run locally against your repo — no LLM call yet.
Vulnerability lookup
Once a framework and base version are identified (e.g. CrewAI 0.80.0), Quin queries OSV.dev — unauthenticated, framework name + version only — and optionally an LLM with web search for recent advisories.
Pass 1 — Classification
An LLM call classifies the system type (standard_ai, agentic_ai, mcp_enabled, multi_agent) and identifies relevant threats from a taxonomy sourced from OWASP LLM Top 10, OWASP Agentic Top 10, OWASP MCP Top 10, MAESTRO, and Databricks DASF.
Pass 2 — Synthesis
A second LLM call profiles each agent against the taxonomy, maps tool usage to service categories, and writes the narrative summary that lands in your report.
Scan time scales with repo size and your LLM provider's latency — there's no fixed duration. Use --no-llm to run scanners only and skip both LLM passes.
Where your code actually goes.
The question every security engineer asks first — answered plainly.
Your API key, your provider
Quin uses the LLM API key you configure (Anthropic, OpenAI, Google, or a local Ollama model). Extracted code and prompts go directly from your machine to that provider — never to Gaincontrol.
Fully local mode available
Run with --no-llm to skip both LLM passes entirely. Scanners still run and produce findings; the only network call in this mode is the unauthenticated OSV.dev lookup, unless you also pass --no-vuln-check.
Vulnerability lookup is minimal
The OSV.dev query sends only the detected framework name and version — not your source code. The optional web-search step for advisories reuses your existing provider API key.
Beta software. Reviewed findings, not blind trust.
Quin is currently at v0.1.0b2 — an early public release under active development. Like any static- and LLM-assisted analysis tool, it can produce false positives and false negatives. Every finding ships with a confidence score so you can triage accordingly, but findings should be independently reviewed before driving security, compliance, or architectural decisions.
Quin follows Semantic Versioning. Every change is tracked in the project changelog.
Structured reports, ready for your pipeline.
Every scan produces a JSON or YAML report with confidence scores, capability tags, agent intent summaries, and risk signals, ready for SIEM ingestion or manual review.
- Confidence-scored findings per file
- Capability tags (llm-api, rag, multi-agent, tool-use)
- Agent intent and risk signal summary
- Scan timestamp and repo metadata
{
"repo_path": "/path/to/repo",
"scan_timestamp": "2026-03-30T09:00:00Z",
"is_ai_application": true,
"confidence": 0.92,
"capability_tags": [
"llm-api", "rag", "multi-agent", "tool-use"
],
"agent_intents": [
{
"agent_name": "ResearcherAgent",
"goal": "Search and synthesize from web sources",
"capabilities": ["web-search", "summarization"],
"risk_signals": [
"has internet access",
"writes files"
]
}
]
}