Scan API
Security scanning in one HTTP call.
POST a URL or GitHub repo. Get back structured findings — security headers, hardcoded secrets, injection vectors, misconfigurations. Free tier: 100 scans/month. No setup beyond an API key.
What you can scan
Two scan types. One endpoint.
URL scan
"target": "https://example.com"
HTTPS · HSTS · CSP · X-Frame-Options · X-Content-Type-Options · Referrer-Policy · Permissions-Policy · X-Powered-By · Server banner · Cookie flags (HttpOnly, Secure, SameSite)
GitHub repo scan
"target": "owner/repo"
17 CI/CD workflow checks (script injection, unpinned actions, secrets in run:, pull_request_target) + 60+ code SAST checks (SQL injection, hardcoded secrets, XSS, command injection, SSRF…)
Pricing
Free to start.
Free
$0
100 scans / month per key
- ✓ URL security scans
- ✓ GitHub repo scans
- ✓ JSON response
- ✓ callback_url webhook
Unlimited
Included with GitHub Action plan
Unlimited scans
- ✓ Everything in Free
- ✓ Unlimited scans
- ✓ Priority rate limits
- ✓ Saved to dashboard history
Examples
Integrate in minutes.
Scan a website (URL)
```bash
curl -X POST https://vu1nz.com/api/v1/scan \
  -H "Authorization: Bearer vk_live_YOUR_KEY" \
  -H "Content-Type: application/json" \
  -d '{"target": "https://example.com"}'
```
Scan a GitHub repo
```bash
curl -X POST https://vu1nz.com/api/v1/scan \
  -H "Authorization: Bearer vk_live_YOUR_KEY" \
  -H "Content-Type: application/json" \
  -d '{"target": "owner/repo"}'
```
Async with callback URL
Results are POSTed to your endpoint when the scan finishes — ideal for integrations.
```bash
curl -X POST https://vu1nz.com/api/v1/scan \
  -H "Authorization: Bearer vk_live_YOUR_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "target": "https://your-users-site.com",
    "callback_url": "https://yourplatform.com/webhooks/vu1nz"
  }'
```
Response shape
```json
{
  "ok": true,
  "scan_id": "3f8a1c2d-...",
  "target_type": "url",
  "findings": [
    {
      "type": "web",
      "severity": "high",
      "title": "Missing Content Security Policy (CSP)",
      "description": "No CSP header. XSS attacks can load scripts from any origin.",
      "recommendation": "Add Content-Security-Policy: default-src 'self'",
      "cwe": "CWE-79",
      "location": "https://example.com"
    }
  ],
  "counts": { "critical": 0, "high": 2, "medium": 3, "low": 1, "info": 1 },
  "total": 7,
  "duration_ms": 380
}
```
JavaScript
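```javascript
// Node.js / browser
// Note: a key embedded in browser-side code is readable by anyone who loads the page.
const res = await fetch('https://vu1nz.com/api/v1/scan', {
  method: 'POST',
  headers: {
    'Authorization': 'Bearer vk_live_YOUR_KEY',
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({ target: 'https://example.com' }),
});
// Surface HTTP errors instead of destructuring an error body.
if (!res.ok) throw new Error(`Scan request failed: HTTP ${res.status}`);
const { findings, counts } = await res.json();
```
Python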
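```python
import requests

resp = requests.post(
    'https://vu1nz.com/api/v1/scan',
    headers={'Authorization': 'Bearer vk_live_YOUR_KEY'},
    json={'target': 'https://example.com'},
    timeout=60,  # requests has no default timeout; don't hang the caller
)
resp.raise_for_status()  # surface HTTP errors instead of parsing an error body
data = resp.json()
print(f"{data['counts']['high']} high-severity issues")
```
Reference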
Endpoint
| Field | Type | Description |
|---|---|---|
| target | string required | URL (https://...) or GitHub repo (owner/repo) |
| checks | string[] optional | Subset of ['cicd','code','web']. Defaults to all applicable. |
| callback_url | string optional | Receive results as a POST webhook when done. |
| Authorization header | Bearer vk_live_... | API key from dashboard. Without it: anonymous free tier (rate limited). |
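
A CI gate over the response shape documented above, as an added example that is not part of the original page or vu1nz's own code. The severity ordering is an assumption taken from the keys of `counts`, and `gate`, `SEVERITIES` and `SAMPLE` are hypothetical names; the sample is constructed from the page's response and, like it, lists one high finding while `counts` reports two.

```python
# Added example: severity gate for a scan response (not vendor code).
SEVERITIES = ["info", "low", "medium", "high", "critical"]  # assumed ordering

def gate(scan, fail_at="high"):
    """Return (passed, reasons). Fails closed on errors and unknown severities."""
    if scan.get("ok") is not True:
        return False, ["scan did not succeed: 'ok' is not true"]
    threshold = SEVERITIES.index(fail_at)
    findings = scan.get("findings") or []
    reasons = []
    for f in findings:
        sev = f.get("severity")
        # An unrecognised severity string blocks the build rather than passing silently.
        rank = SEVERITIES.index(sev) if sev in SEVERITIES else len(SEVERITIES)
        if rank >= threshold:
            reasons.append(f"[{sev}] {f.get('title')} ({f.get('cwe')}) at {f.get('location')}")
    # Cross-check the summary: if "counts" reports more blocking findings than
    # the list carries, the list is incomplete and must not be trusted alone.
    counts = scan.get("counts") or {}
    for sev in SEVERITIES[threshold:]:
        listed = sum(1 for f in findings if f.get("severity") == sev)
        if counts.get(sev, 0) > listed:
            reasons.append(f"counts reports {counts[sev]} {sev}, only {listed} listed")
    return not reasons, reasons

# Constructed sample, trimmed from the response shape shown on this page.
SAMPLE = {
    "ok": True,
    "target_type": "url",
    "findings": [{
        "type": "web", "severity": "high",
        "title": "Missing Content Security Policy (CSP)",
        "cwe": "CWE-79", "location": "https://example.com",
    }],
    "counts": {"critical": 0, "high": 2, "medium": 3, "low": 1, "info": 1},
    "total": 7,
}

if __name__ == "__main__":
    passed, reasons = gate(SAMPLE, fail_at="high")
    print("PASS" if passed else "FAIL")
    print("\n".join(reasons))
```

In a pipeline, pass the parsed JSON from the scan call to `gate` and exit non-zero when it returns `False`.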