
Documentation

Everything you need to secure your vibe-coded projects

Getting Started

Scanning

BoringSec offers 4 scan modes: URL, GitHub repo, code files, and full project payloads. Each mode runs the relevant security analyzers and feeds into reports, exports, and AI-ready remediation.

What changed in the deeper product

Fresh reports now surface richer technical details, explicit verification notes, developer handoff exports, and broader scanner coverage across website, GitHub, code, and project analysis paths.

Free+

URL Scan

Paste any URL — we scan the live site for headers, SSL, secrets in bundles, database exposure, and deeper web analysis.

75+ checks across web + deep scanners

Typical scan time: ~15 seconds

Pro+

GitHub Repo Scan

Paste a GitHub repo link — we review for committed secrets, vulnerable dependencies, auth flaws, unsafe code, and operational gaps.

Code patterns + review signals + dependency audit

Typical scan time: ~30 seconds

Pro+

Code Scan

Upload or paste code files — we detect hardcoded secrets, unsafe patterns, and configuration issues without needing a deployed URL.

30+ detection patterns

Typical scan time: ~5 seconds

Business+

Project Scan

Send a project payload through the API when you want multi-file or generated-code review without exposing a public URL.

Cross-file patterns + repo-level review metadata

Typical scan time: ~10 seconds

How Scoring Works

Every scan produces two scores:

Security Score (0-100)

Weighted average across all scanner categories. Headers, SSL, and injection have the highest weights. If a CRITICAL vulnerability is found, the score is capped at 30.

A+ (90-100): Excellent
A (80-89): Good
B (70-79): Fair
C (60-69): Needs work
D (40-59): Poor
F (0-39): Critical

Vibe Score (0-100)

Specifically weighted for AI-generated code vulnerabilities. Secrets and database security count for 65% of this score.

Secrets (bundle + hardcoded): 40%
Database (Supabase RLS, Firebase): 25%
Auth & Injection: 20%
Headers, SSL, CORS: 15%

What We Detect

Core scanners run in parallel, and newer report surfaces preserve richer coverage, trust semantics, and export paths. Each issue includes severity, detailed context, and a fix recommendation.

Secret Detection

Stripe, Supabase, OpenAI, Anthropic, AWS, GitHub tokens — 11 provider-specific patterns in source code and JS bundles

Supabase Security

Live RLS testing with anon key, service_role key exposure, overpermissive policies

Firebase Security

Open Firestore/RTDB rules, publicly writable storage buckets

Auth & Middleware

Clerk publicRoutes wildcard, missing middleware, JWT in localStorage, OAuth email linking

Security Headers

CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Server header

SSL/TLS

Certificate validity, weak protocols (TLS 1.0/1.1), cipher strength, expiry warnings

DNS Security

SPF, DKIM, DMARC records — protects against email spoofing

Injection & XSS

SQL injection, command injection, template injection, reflected and DOM-based XSS, SSRF

Exposed Files

.git, .env, backups, source maps, admin panels, debug endpoints — 40+ paths checked

Cookies

HttpOnly, Secure, SameSite attributes on session cookies

CORS

Wildcard origins, credentials with wildcard — cross-origin abuse vectors

Vulnerable Dependencies

20+ JS and 7 Python packages with known CVEs (lodash, jsonwebtoken, axios, etc.)

Stripe & Payments

Webhook signature verification, hardcoded keys, missing CSRF on payment flows

GDPR

Cookie consent, privacy policy presence, third-party trackers without consent

Platform Detection

Identifies Lovable, Bolt, v0, Vercel, Netlify, Firebase hosting — tailors checks accordingly

WAF Detection

Identifies web application firewalls (Cloudflare, Vercel, AWS WAF)

Severity Levels

CRITICAL: Immediate exploitation risk. Exposed secrets, open databases, active injection vectors. Fix before anything else.
HIGH: Significant vulnerability that should be fixed within days. Missing auth, weak crypto, XSS vectors.
MEDIUM: Security weakness that should be addressed. Missing headers, insecure cookie flags, deprecated dependencies.
LOW: Minor issue or best practice recommendation. Informational headers, outdated but not vulnerable deps.
INFO: Informational finding. Technology detection, configuration details, no action required.

How to Run a Scan

Option 1: Dashboard (no API key needed)

Go to New Scan, paste a URL or GitHub repo link, and click Scan. Results appear in ~15 seconds. Free tier: 3 scans/month. Pro: unlimited.

Option 2: REST API

Use the REST API to scan programmatically. Great for CI/CD pipelines, agent workflows, automated testing, and custom integrations.

curl -X POST https://boringsec.com/api/v1/scan \
  -H "Authorization: Bearer bsk_your_key" \
  -H "Content-Type: application/json" \
  -d '{"url": "https://your-app.com"}'

For deeper coding workflows, also use /api/v1/scan/code and /api/v1/scan/project.
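A CI/CD gate built on the scan endpoint above, as an added example (not BoringSec's own client code). It assumes the JSON reply carries "security_score" and a "findings" list whose items have a "severity" field using the severity levels documented on this page; the response schema is not documented here, so the sample reply is constructed.

```python
import json
import os
import sys
import urllib.request

SCAN_ENDPOINT = "https://boringsec.com/api/v1/scan"  # endpoint from the curl example
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "INFO": 0}
# Letter-grade bands as documented under "How Scoring Works".
GRADE_BANDS = [(90, "A+"), (80, "A"), (70, "B"), (60, "C"), (40, "D"), (0, "F")]

# Constructed sample reply; the real response schema is an assumption in this example.
SAMPLE_REPORT = {
    "security_score": 30,  # capped at 30 because a CRITICAL finding is present
    "vibe_score": 42,
    "findings": [
        {"severity": "CRITICAL", "category": "secrets", "title": "Stripe secret key in JS bundle"},
        {"severity": "MEDIUM", "category": "headers", "title": "Missing Content-Security-Policy"},
        {"severity": "INFO", "category": "platform", "title": "Hosted on Vercel"},
    ],
}


def grade(score: int) -> str:
    """Map a 0-100 score onto the documented letter grade."""
    for floor, letter in GRADE_BANDS:
        if score >= floor:
            return letter
    return "F"


def scan_url(url: str, api_key: str) -> dict:
    """Submit a URL scan the same way the curl example does and return the parsed JSON."""
    req = urllib.request.Request(
        SCAN_ENDPOINT, data=json.dumps({"url": url}).encode(), method="POST",
        headers={"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def blocking_findings(report: dict, min_severity: str = "HIGH") -> list:
    """Findings at or above min_severity, worst first; unknown severities count as INFO."""
    threshold = SEVERITY_RANK[min_severity]
    hits = [f for f in report.get("findings", [])
            if SEVERITY_RANK.get(str(f.get("severity", "INFO")).upper(), 0) >= threshold]
    return sorted(hits, key=lambda f: -SEVERITY_RANK[f["severity"].upper()])


def gate(report: dict, min_severity: str = "HIGH", min_score: int = 70) -> bool:
    """True when the pipeline may proceed: no blocking findings and the score meets the bar."""
    return not blocking_findings(report, min_severity) and report.get("security_score", 0) >= min_score


if __name__ == "__main__":
    report = scan_url(os.environ["TARGET_URL"], os.environ["BORINGSEC_API_KEY"])
    for f in blocking_findings(report):
        print(f"[{f['severity']}] {f['category']}: {f['title']}")
    print(f"security score {report['security_score']} ({grade(report['security_score'])})")
    sys.exit(0 if gate(report) else 1)
```

Run it with TARGET_URL and BORINGSEC_API_KEY set; a non-zero exit fails the pipeline step whenever a HIGH or CRITICAL finding is present or the security score falls below a B.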

Option 3: Claude Code MCP

Set up the BoringSec MCP plugin and ask Claude: "Scan https://myapp.com for security issues". Claude runs the scan and formats the results for you. The preferred setup now uses one-time device authorization rather than manually copying an API key.
