API & CI/CD Integration
Shift security left. Integrate vulnerability scanning directly into your development workflow with our developer-friendly REST API.
Two Ways to Authenticate
Choose the authentication method that fits your use case. Bearer tokens are short-lived and suited to interactive and development use, while API keys are long-lived credentials for automated pipelines. Both methods support the full API surface; there are no feature restrictions based on auth type.
Bearer Tokens
Bearer tokens are issued when you authenticate with your email and password. They expire after one hour and are best suited for interactive sessions, short-lived scripts, and development environments where you want tight control over session lifetime.
- 1-hour expiration for security
- Issued via /auth/login endpoint
- Ideal for development and testing
API Keys
API keys use the ss_ prefix and never expire, making them the right choice for CI/CD pipelines, automated workflows, and server-to-server integrations. Because they never expire, treat them like passwords: keep them only in your CI provider's secret store, use one key per integration, and revoke any key that is exposed. You can create multiple keys with descriptive names and rotate them independently without affecting other integrations.
- ss_ prefix, never expire
- Create multiple named keys
- Rotate independently per integration
Start Scanning in Minutes
Our API is designed to get you from zero to scanning with minimal friction. A single cURL command triggers a full scan. A few lines of YAML integrate security into your GitHub Actions workflow.
Trigger a Scan via cURL
Replace the API key and target URL, and you have a working scan command you can run from any terminal or script (read the key from an environment variable rather than pasting it into a script you commit). The response includes a scan ID you can poll for results.
curl -X POST https://api.vuln0x.com/v1/scans \
  -H "Authorization: Bearer ss_your_api_key" \
  -H "Content-Type: application/json" \
  -d '{
    "target": "https://your-app.vercel.app",
    "scanners": ["headers", "ssl", "cors",
                 "cookies", "nextjs"],
    "profile": "ci-check"
  }'
Response includes scan_id, status, and estimated_duration
GitHub Actions Workflow
Add this workflow (or its two steps to an existing one) to scan on every push and pull request targeting main. The SARIF output uploads directly to GitHub code scanning so findings appear in your Security tab and as pull request annotations. The upload step needs the security-events: write permission on the job's token, and because GitHub does not expose repository secrets to pull_request workflows from forks, the scan step will not have an API key on fork pull requests.
name: Security Scan
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
permissions:
  contents: read
  security-events: write   # required by upload-sarif
  actions: read            # only needed for private repositories
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - name: Run Vuln0x Scan
        env:
          VULN0X_API_KEY: ${{ secrets.VULN0X_KEY }}
          TARGET_URL: ${{ github.event.repository.homepage }}
        run: |
          # Build the request body with jq so the target URL is JSON-encoded
          # instead of being interpolated into the shell script
          SCAN=$(curl -sf -X POST \
            https://api.vuln0x.com/v1/scans \
            -H "Authorization: Bearer $VULN0X_API_KEY" \
            -H "Content-Type: application/json" \
            -d "$(jq -n --arg t "$TARGET_URL" '{target: $t}')")
          SCAN_ID=$(echo "$SCAN" | jq -r '.scan_id')
          # Poll for completion, giving up after 10 minutes
          STATUS=""
          for attempt in $(seq 1 60); do
            STATUS=$(curl -sf \
              "https://api.vuln0x.com/v1/scans/$SCAN_ID" \
              -H "Authorization: Bearer $VULN0X_API_KEY" \
              | jq -r '.status')
            [ "$STATUS" = "completed" ] && break
            sleep 10
          done
          if [ "$STATUS" != "completed" ]; then
            echo "Scan $SCAN_ID did not complete (last status: $STATUS)"
            exit 1
          fi
          # Download SARIF report
          curl -sf \
            "https://api.vuln0x.com/v1/scans/$SCAN_ID/report?format=sarif" \
            -H "Authorization: Bearer $VULN0X_API_KEY" \
            -o results.sarif
      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
Built for Developer Workflows
Security scanning should be a seamless part of your development process, not a separate chore. Our API covers the full scan lifecycle — trigger, poll, retrieve results, manage findings — so you can automate everything from a single integration point.
RESTful Endpoints
Clean, predictable REST endpoints for scans, findings, projects, reports, and webhooks. JSON request and response bodies throughout. Every endpoint is documented with request examples, response schemas, and error codes.
Webhook Integration
Register webhook endpoints programmatically via the API. Configure event types, manage delivery history, and test endpoints — all without touching the dashboard. HMAC-SHA256 signed payloads ensure authenticity.
API Key Rotation
Rotate keys without downtime. Create a new key, update your pipeline configuration, then revoke the old one. Key metadata includes creation date, last used timestamp, and a custom label for easy identification.
JSON Reports for CI/CD
JSON reports are structured for machine parsing. Use them to build quality gates: fail the pipeline if the risk score drops below a threshold, if critical findings are detected, or if specific scanners report issues.
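The following is an added example of such a quality gate, written for this page and not part of the Vuln0x API or its documentation. The page publishes no JSON report schema, so the ScanReport, Finding and GatePolicy shapes, the field names, the sample report and the 0-100 risk score scale are all assumptions; map them onto the real report fields when you wire this into a pipeline. It goes beyond the three checks named above by letting the policy ignore findings below a chosen confidence level.

```typescript
// Added example, not Vuln0x code. The report and policy shapes below are an
// ASSUMPTION for illustration: the page says JSON reports carry a risk score
// and findings with severity, CWE and confidence, but publishes no schema.
type Severity = "critical" | "high" | "medium" | "low" | "info";
type Confidence = "high" | "medium" | "low";

interface Finding {
  id: string;
  scanner: string;       // e.g. "headers", "ssl", "cors", "cookies", "nextjs"
  severity: Severity;
  confidence: Confidence;
  cwe?: string;
  title: string;
}

interface ScanReport {
  scan_id: string;
  target: string;
  risk_score: number;    // assumed 0-100, higher is better
  findings: Finding[];
}

interface GatePolicy {
  minRiskScore: number;          // fail if the score is below this
  failOnSeverities: Severity[];  // any finding at these severities fails
  failOnScanners: string[];      // any finding from these scanners fails
  minConfidence: Confidence;     // findings below this confidence are ignored
}

interface GateResult {
  pass: boolean;
  reasons: string[];
}

const CONFIDENCE_RANK: Record<Confidence, number> = { low: 0, medium: 1, high: 2 };

/** Apply the policy to a parsed report; every violated rule becomes a reason. */
function evaluateGate(report: ScanReport, policy: GatePolicy): GateResult {
  const reasons: string[] = [];
  if (report.risk_score < policy.minRiskScore) {
    reasons.push(`risk score ${report.risk_score} is below threshold ${policy.minRiskScore}`);
  }
  // Drop low-confidence noise before applying the severity and scanner rules
  const considered = report.findings.filter(
    (f) => CONFIDENCE_RANK[f.confidence] >= CONFIDENCE_RANK[policy.minConfidence]
  );
  for (const f of considered) {
    if (policy.failOnSeverities.includes(f.severity)) {
      reasons.push(`${f.severity} finding ${f.id} from ${f.scanner}: ${f.title}`);
    } else if (policy.failOnScanners.includes(f.scanner)) {
      reasons.push(`blocked scanner ${f.scanner} reported ${f.id}: ${f.title}`);
    }
  }
  return { pass: reasons.length === 0, reasons };
}

/** CI entry point: parse the downloaded JSON report and return the exit code. */
function runGate(reportJson: string, policy: GatePolicy): number {
  const result = evaluateGate(JSON.parse(reportJson) as ScanReport, policy);
  for (const reason of result.reasons) console.error(`GATE FAIL: ${reason}`);
  return result.pass ? 0 : 1;
}

const DEFAULT_POLICY: GatePolicy = {
  minRiskScore: 70,
  failOnSeverities: ["critical", "high"],
  failOnScanners: ["cors"],
  minConfidence: "medium",
};

// Constructed sample report, not real scanner output.
const SAMPLE_REPORT: ScanReport = {
  scan_id: "scn_example",
  target: "https://your-app.vercel.app",
  risk_score: 82,
  findings: [
    { id: "F1", scanner: "headers", severity: "medium", confidence: "high",
      cwe: "CWE-693", title: "Content-Security-Policy header missing" },
    { id: "F2", scanner: "cors", severity: "medium", confidence: "high",
      cwe: "CWE-942", title: "Access-Control-Allow-Origin reflects request Origin" },
    { id: "F3", scanner: "cookies", severity: "high", confidence: "low",
      cwe: "CWE-614", title: "Session cookie set without Secure flag" },
    { id: "F4", scanner: "ssl", severity: "critical", confidence: "high",
      cwe: "CWE-295", title: "Certificate chain does not validate" },
  ],
};
```

Against the sample report and default policy the gate fails for two reasons, the critical ssl finding and the cors finding from a blocked scanner, while the high-severity cookie finding is ignored because its confidence is low. In a pipeline, read the downloaded report and call `process.exit(runGate(fs.readFileSync("report.json", "utf8"), DEFAULT_POLICY))` as the last step.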
SARIF Reports in Your Security Tab
The Static Analysis Results Interchange Format (SARIF) is the standard that GitHub uses for its Security tab. When you upload Vuln0x SARIF reports through GitHub Actions, vulnerabilities appear directly in your repository's Security overview and as inline annotations on pull requests.
This means developers see security findings in the same place they review code — no context switching, no separate dashboards to check. Each finding includes severity, CWE mapping, confidence level, and a remediation recommendation so the developer can fix the issue immediately.
- Findings appear as code annotations on pull requests
- Security tab shows trend data across all Vuln0x scans
- Compatible with GitHub Advanced Security and Dependabot alerts
- Works with GitHub Enterprise and GitHub.com
Webhook HMAC Verification
Every webhook payload includes an X-Vuln0x-Signature header. Verify it server-side, over the raw request body exactly as received and before parsing the JSON, to ensure the payload is genuine and untampered.
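Before the page's own verifyWebhook snippet, here is an added end-to-end example written for this page and not taken from Vuln0x. It assumes what that snippet implies: the header carries the hex HMAC-SHA256 of the raw body under the webhook secret, with no prefix. The signPayload helper stands in for the sender and is an assumption about how Vuln0x computes the header; the secret, the event JSON and the field names are constructed for the demo. It shows two failure modes the basic check does not: a malformed or wrong-length header (which would make timingSafeEqual throw) and a body that was parsed and re-serialized before verification.

```typescript
import { createHmac, timingSafeEqual } from "crypto";

// Added example, not Vuln0x code. ASSUMPTIONS: the signature is the hex
// HMAC-SHA256 of the raw request body under the webhook secret and is sent
// in X-Vuln0x-Signature with no prefix, as the page's verifier implies.

/** How the sender computes the header value (assumed; mirrors the verifier). */
function signPayload(rawBody: Buffer, secret: string): string {
  return createHmac("sha256", secret).update(rawBody).digest("hex");
}

/** Constant-time check that also rejects missing, malformed or truncated headers. */
function signatureIsValid(rawBody: Buffer, header: string | undefined, secret: string): boolean {
  // A SHA-256 hex digest is exactly 64 hex characters; reject anything else before
  // comparing, because timingSafeEqual throws on buffers of unequal length.
  if (!header || !/^[0-9a-f]{64}$/i.test(header)) return false;
  const expected = Buffer.from(signPayload(rawBody, secret), "hex");
  const provided = Buffer.from(header, "hex");
  return timingSafeEqual(provided, expected);
}

interface WebhookEvent {
  event: string;
  scan_id: string;
  [key: string]: unknown;
}

/**
 * Receiver entry point: verify over the raw bytes first, then parse.
 * Returns the parsed event on success and null on any signature failure.
 */
function handleWebhook(rawBody: Buffer, header: string | undefined, secret: string): WebhookEvent | null {
  if (!signatureIsValid(rawBody, header, secret)) return null;
  return JSON.parse(rawBody.toString("utf8")) as WebhookEvent;
}

// --- Constructed demo data, not a real Vuln0x delivery ---
const SECRET = "whsec_example_do_not_use";
// The sender's bytes include a space and a newline that JSON.stringify would
// not reproduce, so verifying a re-serialized body cannot succeed.
const RAW = Buffer.from('{"event": "scan.completed",\n "scan_id": "scn_123"}', "utf8");
const SIG = signPayload(RAW, SECRET);

/** Runs each scenario and reports whether the delivery was accepted. */
function demo(): Record<string, boolean> {
  const tampered = Buffer.from(RAW.toString("utf8").replace("scn_123", "scn_999"), "utf8");
  const reserialized = Buffer.from(JSON.stringify(JSON.parse(RAW.toString("utf8"))), "utf8");
  return {
    genuine: handleWebhook(RAW, SIG, SECRET) !== null,
    tampered: handleWebhook(tampered, SIG, SECRET) !== null,
    wrongSecret: handleWebhook(RAW, SIG, "some-other-secret") !== null,
    missingHeader: handleWebhook(RAW, undefined, SECRET) !== null,
    truncatedHeader: handleWebhook(RAW, SIG.slice(0, 20), SECRET) !== null,
    reserialized: handleWebhook(reserialized, SIG, SECRET) !== null,
  };
}
```

Only the genuine delivery is accepted. The reserialized case is the one that bites in practice: web frameworks that parse JSON bodies before your handler runs leave you with an object, not the bytes that were signed, so capture the raw body (for example with a raw-body middleware) and verify that.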
import crypto from "crypto";

// payload must be the raw request body exactly as received, not re-serialized JSON
function verifyWebhook(
  payload: string,
  signature: string,
  secret: string
): boolean {
  const expected = crypto
    .createHmac("sha256", secret)
    .update(payload)
    .digest("hex");
  // timingSafeEqual throws when the buffers differ in length, so reject
  // a wrong-length signature before comparing
  if (signature.length !== expected.length) return false;
  return crypto.timingSafeEqual(
    Buffer.from(signature),
    Buffer.from(expected)
  );
}
Start securing your vibe-coded projects today
20 free credits on signup. No credit card required.