Documentation

Everything you need to secure your vibe-coded projects

Integrations

CI/CD & IDE Integrations

Run BoringSec scans automatically in your CI pipeline, from your terminal, or let Claude Code check your code as you write it.

Deep scan entry points

The dashboard launcher handles live website scans and GitHub review. Integrations unlock the deeper code and project paths through /api/v1/scan/code and /api/v1/scan/project, plus rules generation and editor workflows.

GitHub Actions

Block merges on critical vulnerabilities

Add BoringSec to your CI pipeline. Every push and PR gets scanned automatically. The workflow fails if critical issues are found, preventing insecure code from reaching production.

# .github/workflows/boringsec.yml
name: Security Scan
on: [push, pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - name: Run BoringSec
        env:
          BORINGSEC_API_KEY: ${{ secrets.BORINGSEC_API_KEY }}
        run: |
          RESULT=$(curl -s -X POST https://boringsec.com/api/v1/scan \
            -H "Authorization: Bearer $BORINGSEC_API_KEY" \
            -H "Content-Type: application/json" \
            -d '{"url": "${{ vars.APP_URL }}"}')

          SCORE=$(echo "$RESULT" | jq '.scan.score')
          CRITICALS=$(echo "$RESULT" | jq '[.scan.issues[] | select(.severity=="CRITICAL")] | length')

          echo "Score: $SCORE | Criticals: $CRITICALS"

          if [ "$CRITICALS" -gt 0 ]; then
            echo "::error::Critical vulnerabilities found!"
            exit 1
          fi

Setup: Add BORINGSEC_API_KEY as a GitHub Secret. The workflow also reads the URL to scan from the APP_URL configuration variable (vars.APP_URL).

Tier: Business+ (CI/CD integration feature).

You can also generate this workflow from the VS Code extension or dashboard.

REST API (Any CI System)

GitLab CI, Azure DevOps, Jenkins, CircleCI

The REST API works with any CI system. Use curl to run the scan and jq to parse the results. Set the exit code based on the score or the critical count.

Scan a deployed URL

POST /api/v1/scan

Scan code files

POST /api/v1/scan/code

Scan GitHub repo

POST /api/v1/scan/github

Full project analysis

POST /api/v1/scan/project

Full endpoint details in the REST API Reference.

.cursorrules & AGENTS.md Generator

Prevention > Detection

Instead of just finding vulnerabilities after the fact, you can prevent them. Generate a .cursorrules or AGENTS.md file that instructs AI tools to follow security best practices specific to your stack.

Next.js + Supabase

Next.js + Firebase

Next.js + Clerk

Next.js + Stripe

How it works: The generated rules file covers secrets management, RLS policies, auth middleware, CORS, input validation, and more. Drop it in your project root and all AI-generated code will follow these security rules automatically.

POST /api/v1/generate-rules
{ "format": "both", "stack": "nextjs-supabase" }

Also available from the Integrations dashboard with a visual UI.