Skip to content

Documentation

Everything you need to secure your AI-built projects

CI/CD & IDE

Integrations

CI/CD & IDE integrations

Run BoringSec scans automatically in your CI pipeline, from your terminal, or let Claude Code check your code as you write it.

Deep scan entry points
The dashboard launcher handles live website scans and GitHub review. Integrations unlock the deeper code and project paths through /api/v1/scan/code and /api/v1/scan/project, plus rules generation and editor workflows.

GitHub Actions

Run BoringSec from your CI pipeline on every push and pull request. This example blocks a merge when the completed base report contains critical findings; the policy below explains how to wait for isolated deep scanners when your release gate requires them too.

yaml
# .github/workflows/boringsec.yml
name: Security Scan
on: [push, pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - name: Run BoringSec
        env:
          BORINGSEC_API_KEY: ${{ secrets.BORINGSEC_API_KEY }}
        run: |
          JOB=$(curl -fsS -X POST https://www.boringsec.com/api/v1/scan \
            -H "Authorization: Bearer $BORINGSEC_API_KEY" \
            -H "Content-Type: application/json" \
            -d '{"url": "${{ vars.APP_URL }}", "async": true}')

          SCAN_ID=$(echo "$JOB" | jq -r '.scan.id')
          STATUS=PENDING
          POLL_DELAY=1
          DEADLINE=$((SECONDS + 600))
          while [ "$SECONDS" -lt "$DEADLINE" ]; do
            REMAINING=$((DEADLINE - SECONDS))
            WAIT_SECONDS=$POLL_DELAY
            if [ "$WAIT_SECONDS" -gt "$REMAINING" ]; then WAIT_SECONDS=$REMAINING; fi
            sleep "$WAIT_SECONDS"

            STATUS_JSON=$(curl -fsS \
              -H "Authorization: Bearer $BORINGSEC_API_KEY" \
              "https://www.boringsec.com/api/v1/scans/$SCAN_ID/status")
            STATUS=$(echo "$STATUS_JSON" | jq -r '.scan.status')
            if [ "$STATUS" = "COMPLETED" ]; then break; fi
            if [ "$STATUS" = "FAILED" ]; then
              echo "$STATUS_JSON" | jq .
              exit 1
            fi
            POLL_DELAY=$((POLL_DELAY * 2))
            if [ "$POLL_DELAY" -gt 15 ]; then POLL_DELAY=15; fi
          done

          if [ "$STATUS" != "COMPLETED" ]; then
            echo "::error::BoringSec scan did not finish before the CI deadline"
            echo "Scan ID: $SCAN_ID"
            echo "Resume: https://www.boringsec.com/api/v1/scans/$SCAN_ID/status"
            echo "Result: https://www.boringsec.com/api/v1/scans/$SCAN_ID"
            exit 1
          fi

          RESULT=$(curl -fsS \
            -H "Authorization: Bearer $BORINGSEC_API_KEY" \
            "https://www.boringsec.com/api/v1/scans/$SCAN_ID")
          SCORE=$(echo "$RESULT" | jq '.scan.score')
          SCORE_DISPLAY="$SCORE/100"
          if [ "$SCORE" = "null" ]; then SCORE_DISPLAY="not assessable"; fi
          CRITICALS=$(echo "$RESULT" | jq '[.scan.issues[] | select(.severity=="CRITICAL")] | length')

          echo "Score: $SCORE_DISPLAY | Criticals: $CRITICALS"

          if [ "$CRITICALS" -gt 0 ]; then
            echo "::error::Critical vulnerabilities found!"
            exit 1
          fi
Setup
Add BORINGSEC_API_KEY as a GitHub Secret. Tier: Business+ (CI/CD integration feature). You can also generate this workflow from the VS Code extension or dashboard. URL scan creation returns HTTP 202; this example polls the status endpoint before reading the base report.
Deep scanners do not block the base report
A COMPLETED base scan can still have isolated Nuclei, ZAP, or Medusa jobs queued, running, or scheduled for retry. The workflow above deliberately proceeds as soon as the base report is ready. If your CI policy requires deep results, keep polling while deepScan.active is true, honor the Retry-After header, and inspect each job when deepScan.terminal becomes true.

REST API — any CI system

The REST API works with GitLab CI, Azure DevOps, Jenkins, CircleCI, and everything else. Use curl to scan and jq to parse results. Set the exit code based on score or critical count.

Scan a deployed URL

POST /api/v1/scan

Scan code files

POST /api/v1/scan/code

Scan GitHub repo

POST /api/v1/scan/github

Full project analysis

POST /api/v1/scan/project

Full endpoint details in the REST API reference.

.cursorrules & AGENTS.md generator

Prevention beats detection. Instead of just finding vulnerabilities after the fact, you can prevent them. Generate a .cursorrules or AGENTS.md file that instructs AI tools to follow security best practices specific to your stack.

Next.js + SupabaseNext.js + FirebaseNext.js + ClerkNext.js + Stripe

How it works: the generated rules file covers secrets management, RLS policies, auth middleware, CORS, input validation, and more. Drop it in your project root and every AI-generated change follows these security rules automatically.

http
POST /api/v1/generate-rules
{ "format": "both", "stack": "nextjs-supabase" }

Also available from the Integrations dashboard with a visual UI.

Related references