CI/CD & IDE
Integrations
CI/CD & IDE integrations
Run BoringSec scans automatically in your CI pipeline, from your terminal, or let Claude Code check your code as you write it.
/api/v1/scan/code and /api/v1/scan/project, plus rules generation and editor workflows.GitHub Actions
Run BoringSec from your CI pipeline on every push and pull request. This example blocks a merge when the completed base report contains critical findings; the policy below explains how to wait for isolated deep scanners when your release gate requires them too.
# .github/workflows/boringsec.yml
name: Security Scan
on: [push, pull_request]
jobs:
scan:
runs-on: ubuntu-latest
steps:
- name: Run BoringSec
env:
BORINGSEC_API_KEY: ${{ secrets.BORINGSEC_API_KEY }}
run: |
JOB=$(curl -fsS -X POST https://www.boringsec.com/api/v1/scan \
-H "Authorization: Bearer $BORINGSEC_API_KEY" \
-H "Content-Type: application/json" \
-d '{"url": "${{ vars.APP_URL }}", "async": true}')
SCAN_ID=$(echo "$JOB" | jq -r '.scan.id')
STATUS=PENDING
POLL_DELAY=1
DEADLINE=$((SECONDS + 600))
while [ "$SECONDS" -lt "$DEADLINE" ]; do
REMAINING=$((DEADLINE - SECONDS))
WAIT_SECONDS=$POLL_DELAY
if [ "$WAIT_SECONDS" -gt "$REMAINING" ]; then WAIT_SECONDS=$REMAINING; fi
sleep "$WAIT_SECONDS"
STATUS_JSON=$(curl -fsS \
-H "Authorization: Bearer $BORINGSEC_API_KEY" \
"https://www.boringsec.com/api/v1/scans/$SCAN_ID/status")
STATUS=$(echo "$STATUS_JSON" | jq -r '.scan.status')
if [ "$STATUS" = "COMPLETED" ]; then break; fi
if [ "$STATUS" = "FAILED" ]; then
echo "$STATUS_JSON" | jq .
exit 1
fi
POLL_DELAY=$((POLL_DELAY * 2))
if [ "$POLL_DELAY" -gt 15 ]; then POLL_DELAY=15; fi
done
if [ "$STATUS" != "COMPLETED" ]; then
echo "::error::BoringSec scan did not finish before the CI deadline"
echo "Scan ID: $SCAN_ID"
echo "Resume: https://www.boringsec.com/api/v1/scans/$SCAN_ID/status"
echo "Result: https://www.boringsec.com/api/v1/scans/$SCAN_ID"
exit 1
fi
RESULT=$(curl -fsS \
-H "Authorization: Bearer $BORINGSEC_API_KEY" \
"https://www.boringsec.com/api/v1/scans/$SCAN_ID")
SCORE=$(echo "$RESULT" | jq '.scan.score')
SCORE_DISPLAY="$SCORE/100"
if [ "$SCORE" = "null" ]; then SCORE_DISPLAY="not assessable"; fi
CRITICALS=$(echo "$RESULT" | jq '[.scan.issues[] | select(.severity=="CRITICAL")] | length')
echo "Score: $SCORE_DISPLAY | Criticals: $CRITICALS"
if [ "$CRITICALS" -gt 0 ]; then
echo "::error::Critical vulnerabilities found!"
exit 1
fiBORINGSEC_API_KEY as a GitHub Secret. Tier: Business+ (CI/CD integration feature). You can also generate this workflow from the VS Code extension or dashboard. URL scan creation returns HTTP 202; this example polls the status endpoint before reading the base report.COMPLETED base scan can still have isolated Nuclei, ZAP, or Medusa jobs queued, running, or scheduled for retry. The workflow above deliberately proceeds as soon as the base report is ready. If your CI policy requires deep results, keep polling while deepScan.active is true, honor the Retry-After header, and inspect each job when deepScan.terminal becomes true.REST API — any CI system
The REST API works with GitLab CI, Azure DevOps, Jenkins, CircleCI, and everything else. Use curl to scan and jq to parse results. Set the exit code based on score or critical count.
Scan a deployed URL
POST /api/v1/scan
Scan code files
POST /api/v1/scan/code
Scan GitHub repo
POST /api/v1/scan/github
Full project analysis
POST /api/v1/scan/project
Full endpoint details in the REST API reference.
.cursorrules & AGENTS.md generator
Prevention beats detection. Instead of just finding vulnerabilities after the fact, you can prevent them. Generate a .cursorrules or AGENTS.md file that instructs AI tools to follow security best practices specific to your stack.
How it works: the generated rules file covers secrets management, RLS policies, auth middleware, CORS, input validation, and more. Drop it in your project root and every AI-generated change follows these security rules automatically.
POST /api/v1/generate-rules
{ "format": "both", "stack": "nextjs-supabase" }Also available from the Integrations dashboard with a visual UI.