
Documentation

Everything you need to secure your vibe-coded projects

REST API Reference

All endpoints require Authorization: Bearer bsk_your_key

Scanning

POST /api/v1/scan (Pro+)

Run a synchronous security scan on a URL. Returns full results with score, grade, and issues.

Request Body

{ "url": "https://example.com" }

Response

{
  "scan": {
    "id": "cln...",
    "url": "https://example.com",
    "score": 85,
    "grade": "A",
    "duration": 12340,
    "issues": [
      {
        "scanner": "headers",
        "code": "missing_csp",
        "title": "Missing Content-Security-Policy",
        "severity": "HIGH",
        "remediation": "Add CSP header..."
      }
    ]
  }
}

POST /api/v1/scan/code (Pro+)

Scan code files for hardcoded secrets, unsafe patterns, and misconfigurations. Supports 30+ detection patterns.

Request Body

{
  "files": [
    {
      "filename": "src/app.ts",
      "content": "const apiKey = 'sk_live_abc123';"
    }
  ]
}

Response

{
  "summary": {
    "totalFiles": 1,
    "totalFindings": 1,
    "critical": 1
  },
  "findings": [
    {
      "file": "src/app.ts",
      "line": 1,
      "patternId": "stripe-key-in-code",
      "severity": "critical",
      "title": "Stripe Secret Key in Code",
      "recommendation": "Rotate and store server-side only."
    }
  ]
}
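The two scan endpoints above return the shapes shown in the reference, but the page does not say how a caller should act on them. The following is an added example (not BoringSec's own client or SDK): a small Python helper that builds the bearer header, sends a JSON POST, and turns the replies into decisions a CI job can act on, a pass/fail gate for URL scans and a severity filter for code-scan findings. The API host (BASE_URL), the sample replies and the injectable transport used to run it offline are assumptions; the field names are the ones on the page.

```python
import json
import urllib.request
from typing import Callable, Optional

# Assumption: the reference does not state the API host; replace with the real one.
BASE_URL = "https://api.boringsec.invalid"

# Severity labels as they appear on the page (URL scans use upper case, code
# scans lower case), ranked so callers can set a threshold.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


def auth_headers(api_key: str) -> dict:
    """Build the headers every endpoint needs; keys carry the bsk_ prefix."""
    if not api_key.startswith("bsk_"):
        raise ValueError("API key must start with bsk_")
    return {"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"}


def post_json(path: str, payload: dict, api_key: str,
              transport: Optional[Callable[[str, bytes, dict], bytes]] = None) -> dict:
    """POST a JSON body to `path` and decode the JSON reply.

    `transport(path, body, headers) -> bytes` lets tests inject a fake HTTP
    layer; the default sends the request with urllib.
    """
    body = json.dumps(payload).encode("utf-8")
    headers = auth_headers(api_key)
    if transport is not None:
        raw = transport(path, body, headers)
    else:
        req = urllib.request.Request(BASE_URL + path, data=body,
                                     headers=headers, method="POST")
        with urllib.request.urlopen(req, timeout=120) as resp:
            raw = resp.read()
    return json.loads(raw)


def code_scan_payload(files: dict) -> dict:
    """Turn {filename: content} into the /api/v1/scan/code request body."""
    return {"files": [{"filename": name, "content": content}
                      for name, content in sorted(files.items())]}


def findings_at_or_above(response: dict, min_severity: str) -> list:
    """List code-scan findings at or above a severity as 'file:line [sev] title'."""
    threshold = SEVERITY_RANK[min_severity.lower()]
    hits = []
    for f in response.get("findings", []):
        if SEVERITY_RANK.get(str(f.get("severity", "")).lower(), 0) >= threshold:
            hits.append(f"{f['file']}:{f['line']} [{f['severity']}] {f['title']}")
    return hits


def url_scan_gate(response: dict, min_score: int = 80, block_on: str = "HIGH") -> tuple:
    """CI gate over a /api/v1/scan response: (passed, list of reasons)."""
    scan = response["scan"]
    reasons = []
    if scan["score"] < min_score:
        reasons.append(f"score {scan['score']} is below {min_score}")
    threshold = SEVERITY_RANK[block_on.lower()]
    for issue in scan.get("issues", []):
        if SEVERITY_RANK.get(issue["severity"].lower(), 0) >= threshold:
            reasons.append(f"{issue['scanner']}/{issue['code']}: {issue['title']}")
    return (not reasons, reasons)


# Constructed sample replies that mirror the response shapes in the reference.
SAMPLE_URL_SCAN = {"scan": {"id": "cln_sample", "url": "https://example.com",
                            "score": 85, "grade": "A", "duration": 12340,
                            "issues": [{"scanner": "headers", "code": "missing_csp",
                                        "title": "Missing Content-Security-Policy",
                                        "severity": "HIGH",
                                        "remediation": "Add CSP header"}]}}
SAMPLE_CODE_SCAN = {"summary": {"totalFiles": 1, "totalFindings": 1, "critical": 1},
                    "findings": [{"file": "src/app.ts", "line": 1,
                                  "patternId": "stripe-key-in-code",
                                  "severity": "critical",
                                  "title": "Stripe Secret Key in Code",
                                  "recommendation": "Rotate and store server-side only."}]}


def fake_transport(path: str, body: bytes, headers: dict) -> bytes:
    """Offline stand-in for HTTP: checks the auth header, returns a sample reply."""
    assert headers["Authorization"].startswith("Bearer bsk_")
    reply = SAMPLE_URL_SCAN if path == "/api/v1/scan" else SAMPLE_CODE_SCAN
    return json.dumps(reply).encode("utf-8")


if __name__ == "__main__":
    key = "bsk_example_key"  # constructed placeholder; read the real key from the environment
    scan = post_json("/api/v1/scan", {"url": "https://example.com"}, key, fake_transport)
    print(url_scan_gate(scan))
    code = post_json("/api/v1/scan/code",
                     code_scan_payload({"src/app.ts": "const apiKey = 'sk_live_abc123';"}),
                     key, fake_transport)
    print(findings_at_or_above(code, "high"))
```

With the sample reply the gate fails on the single HIGH issue even though the score clears 80; raising `block_on` to CRITICAL lets it pass. Drop `fake_transport` to send real requests.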
POST /api/v1/scan/project (Business+)

Scan a full project structure: dependencies, .env files, sensitive file detection.

Request Body

{
  "files": [{ "path": ".env" }, { "path": "src/index.ts" }],
  "packageJson": { "dependencies": { "lodash": "4.17.0" } },
  "envExample": "API_KEY=sk_live_real_key"
}

POST /api/v1/scan/github (Pro+)

Scan a GitHub repository for committed secrets, vulnerable dependencies, and auth misconfigurations.

Request Body

{ "repository": "owner/repo" }

Scan Results

GET /api/v1/scans/{id} (Pro+)

Get full scan results by ID.

GET /api/v1/scans/{id}/status (Business+)

Poll scan status for async scans.
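Polling is easy to get wrong: a tight loop burns the api-call quota that GET /api/v1/usage reports, and a loop without a bound hangs when a scan never finishes. The following is an added example, not code from the reference: a bounded poller with exponential backoff for the status endpoint. The reference does not show the status response body, so the top-level "status" field and the terminal values COMPLETED and FAILED are assumptions, as are the API host and the constructed status source used to run it offline.

```python
import json
import time
import urllib.request
from typing import Callable

# Assumption: the reference does not show the status response body. This
# example assumes a JSON object with a top-level "status" string and treats the
# hypothetical values below as terminal; adjust to the real field names.
TERMINAL_STATES = {"COMPLETED", "FAILED"}
BASE_URL = "https://api.boringsec.invalid"  # assumption: host not given on the page


def fetch_status_http(scan_id: str, api_key: str) -> dict:
    """GET /api/v1/scans/{id}/status with the bearer key (real transport)."""
    req = urllib.request.Request(f"{BASE_URL}/api/v1/scans/{scan_id}/status",
                                 headers={"Authorization": f"Bearer {api_key}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


def poll_scan(scan_id: str, fetch_status: Callable[[str], dict],
              max_attempts: int = 10, initial_delay: float = 1.0,
              max_delay: float = 30.0,
              sleep: Callable[[float], None] = time.sleep) -> dict:
    """Poll until the scan reaches a terminal state or attempts run out.

    The delay doubles after each non-terminal reply up to max_delay, so a slow
    scan costs a handful of calls rather than hundreds; `sleep` is injectable
    so tests run instantly. A TIMEOUT result means the caller should give up
    or re-check later, not that the scan failed.
    """
    delay = initial_delay
    for attempt in range(1, max_attempts + 1):
        state = fetch_status(scan_id).get("status")
        if state in TERMINAL_STATES:
            return {"scan_id": scan_id, "status": state, "attempts": attempt}
        if attempt < max_attempts:
            sleep(delay)
            delay = min(delay * 2, max_delay)
    return {"scan_id": scan_id, "status": "TIMEOUT", "attempts": max_attempts}


def make_fake_status(sequence: list) -> Callable[[str], dict]:
    """Constructed status source that replays `sequence`, then repeats its last value."""
    calls = {"n": 0}

    def fetch(scan_id: str) -> dict:
        idx = min(calls["n"], len(sequence) - 1)
        calls["n"] += 1
        return {"id": scan_id, "status": sequence[idx]}

    return fetch


def run_demo() -> tuple:
    """Drive the poller offline: PENDING, RUNNING, then COMPLETED."""
    slept = []
    result = poll_scan("cln_demo", make_fake_status(["PENDING", "RUNNING", "COMPLETED"]),
                       sleep=slept.append)
    return result, slept


if __name__ == "__main__":
    print(run_demo())
```

For real use pass `lambda sid: fetch_status_http(sid, api_key)` as `fetch_status`; the poller itself never touches the network.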

GET /api/v1/scans/{id}/compliance/{framework} (Business+)

Get compliance report. Frameworks: PCI_DSS_4, GDPR, SOC2, HIPAA, ISO27001.

Developer Tools

GET /api/v1/usage (Pro+)

Get current usage stats, remaining quota, subscription tier, and available features.

Response

{
  "tier": "PRO",
  "scans": { "used": 42, "limit": null, "unlimited": true },
  "apiCalls": { "remaining": 87, "limit": 100 },
  "features": { "githubScanning": true, "compliance": false }
}

GET /api/v1/fix-suggestions/{issueCode} (Pro+)

Get fix prompts optimized for AI coding tools (Cursor, Lovable, Bolt, Claude Code, v0, Windsurf, Replit).

Response

{
  "issueCode": "supabase-rls",
  "builtin": [{ "title": "Enable RLS", "prompts": { "cursor": "..." } }],
  "community": [{ "title": "...", "upvotes": 12 }]
}

POST /api/v1/generate-rules (Pro+)

Generate .cursorrules or AGENTS.md files to make AI coding sessions security-aware.

Request Body

{
  "format": "both",
  "stack": "nextjs-supabase",
  "scanId": "cln..."
}

Response

{
  "cursorrules": "# BoringSec Security Rules\n...",
  "agentsMd": "# BoringSec Security Context\n..."
}

Domains

GET /api/v1/domains (Pro+)

List all domains.

POST /api/v1/domains (Pro+)

Add a new domain.

Request Body

{ "url": "https://example.com" }

GET /api/v1/domains/{id}/history (Business+)

Scan history for a domain.

Webhooks

GET /api/v1/webhooks (Business+)

List webhook endpoints.

POST /api/v1/webhooks (Business+)

Create a webhook. Events: SCAN_COMPLETED, SCORE_CHANGED, ISSUE_NEW_CRITICAL, SSL_EXPIRING.

Request Body

{
  "url": "https://your-app.com/webhook",
  "events": ["SCAN_COMPLETED", "ISSUE_NEW_CRITICAL"]
}
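The reference lists the event names a webhook can subscribe to but does not document the delivery payload or any signing scheme, so the endpoint that receives these deliveries has to treat the body as untrusted input. The following is an added example, not BoringSec's own code: a receiver that bounds the body size, accepts only the four documented event names, and then re-reads the scan through GET /api/v1/scans/{id} rather than acting on whatever the delivery contains, so a forged or replayed body can at most trigger a lookup. The "event" and "scanId" fields, the constructed scan record and the fake fetch function are assumptions.

```python
import json
from typing import Callable

# Event names exactly as listed in the reference.
KNOWN_EVENTS = {"SCAN_COMPLETED", "SCORE_CHANGED", "ISSUE_NEW_CRITICAL", "SSL_EXPIRING"}
MAX_BODY_BYTES = 64 * 1024


def parse_webhook_event(raw: bytes) -> dict:
    """Validate an inbound delivery body and extract the fields we act on.

    Assumption: the page does not document the delivery payload; this assumes a
    JSON object with hypothetical "event" and "scanId" fields.
    """
    if len(raw) > MAX_BODY_BYTES:
        raise ValueError("body too large")
    try:
        payload = json.loads(raw)
    except ValueError:
        raise ValueError("body is not valid JSON")
    if not isinstance(payload, dict):
        raise ValueError("body is not a JSON object")
    event = payload.get("event")
    if event not in KNOWN_EVENTS:
        raise ValueError(f"unknown event {event!r}")
    scan_id = payload.get("scanId")
    if not isinstance(scan_id, str) or not scan_id:
        raise ValueError("missing scanId")
    return {"event": event, "scan_id": scan_id}


def handle_webhook(raw: bytes, fetch_scan: Callable[[str], dict],
                   notify: Callable[[str], None]) -> dict:
    """Process one delivery; returns an HTTP-style result dict.

    The delivery is only a hint: the authoritative record is re-read through
    fetch_scan (wrapping GET /api/v1/scans/{id}), so nothing in the body, other
    than the event name and scan id, reaches the alert text.
    """
    try:
        evt = parse_webhook_event(raw)
    except ValueError as exc:
        return {"status": 400, "error": str(exc)}
    scan = fetch_scan(evt["scan_id"]).get("scan", {})
    alerts = 0
    if evt["event"] == "ISSUE_NEW_CRITICAL":
        for issue in scan.get("issues", []):
            if str(issue.get("severity", "")).upper() == "CRITICAL":
                notify(f"{scan.get('url')}: {issue.get('title')}")
                alerts += 1
    elif evt["event"] in ("SCAN_COMPLETED", "SCORE_CHANGED"):
        notify(f"{scan.get('url')} scored {scan.get('score')} ({scan.get('grade')})")
        alerts += 1
    else:  # SSL_EXPIRING
        notify(f"{scan.get('url')}: TLS certificate expiring")
        alerts += 1
    return {"status": 200, "event": evt["event"], "alerts": alerts}


# Constructed scan record (issue codes and titles are made up for the demo)
# in the shape the /api/v1/scan response uses.
SAMPLE_SCAN = {"scan": {"id": "cln_sample", "url": "https://example.com",
                        "score": 40, "grade": "F",
                        "issues": [{"code": "sample_critical", "severity": "CRITICAL",
                                    "title": "Sample critical finding"},
                                   {"code": "missing_csp", "severity": "HIGH",
                                    "title": "Missing Content-Security-Policy"}]}}


def fake_fetch_scan(scan_id: str) -> dict:
    """Offline stand-in for GET /api/v1/scans/{id}."""
    return SAMPLE_SCAN


def run_demo() -> list:
    """Feed one valid and one malformed delivery through the handler."""
    sent = []
    good = handle_webhook(b'{"event": "ISSUE_NEW_CRITICAL", "scanId": "cln_sample"}',
                          fake_fetch_scan, sent.append)
    bad = handle_webhook(b'{"event": "NOT_AN_EVENT", "scanId": "cln_sample"}',
                         fake_fetch_scan, sent.append)
    return [good, bad, sent]


if __name__ == "__main__":
    print(run_demo())
```

Wire `handle_webhook` behind the HTTPS URL registered with POST /api/v1/webhooks and pass a real `fetch_scan` that calls the API with the bearer key; only the HIGH issue is left out of the alert because the event asks specifically for criticals.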

Authentication

All requests require an API key in the Authorization header:

Authorization: Bearer bsk_your_api_key_here

API keys use the bsk_ prefix. Manage keys at /api-keys. Keys are stored as SHA-256 hashes and scoped to specific permissions.