Skip to content

Documentation

Everything you need to secure your AI-built projects

Your Report

Getting Started

Understanding your report

A BoringSec report is built to be acted on, not admired: a score you can verify, findings with proof attached, and a fix path for every issue. This page walks through each section.

The score panel

The top of every report shows the Security Score (0–100, graded A++ to F) and, for AI-built apps, the Boring Score — the same data reweighted toward the failure modes of AI-generated code.

  • Any confirmed critical finding caps the Security Score at 30, regardless of everything else.
  • If scan coverage falls below 85%, the score is labeled provisional rather than presented as final.
  • The score-transparency panel shows the per-category breakdown and lists any categories that were withheld — nothing is silently dropped from the math.

Weights, caps and honesty rules are documented in full in How the Security Score works.

Findings

Every finding follows the same anatomy:

  • A severity level and a plain-language explanation of why it matters
  • Captured evidence — the exact URL, header, DNS record or response that proves the issue exists
  • The standard it cites: OWASP, CWE, RFC or MDN
  • Step-by-step remediation and an AI fix prompt for your tool

The evidence-first rule applies throughout: any critical or high finding without captured proof is downgraded to medium, with a disclosure in the finding text.

Severity levels

CRITICAL

Exploitable right now: exposed secrets, open databases, an expired certificate. Fix immediately — a single confirmed critical caps the score at 30.

HIGH

Serious weaknesses that need scheduling, not someday: missing HSTS on a sensitive site, a reflected origin with credentials allowed.

MEDIUM

Meaningful gaps: missing security headers, weak policies.

LOW

Hardening opportunities — worth doing, not worth paging anyone over.

INFO

Context for the humans reading the report: version disclosure notes and similar observations.

Passed checks

Reports also list what you got right. Passed checks are more than reassurance — they double as evidence for compliance questionnaires and audit conversations, showing which controls were verified and when.

AI fix prompts & autofix

Every finding ships with a fix path sized to the problem:

  • Per-finding fix prompts for Cursor, Lovable, Bolt, Claude Code, Replit, v0 and Windsurf — paste one into your assistant with the finding’s context already included
  • Deterministic autofix templates for mechanical fixes — the exact change, no generation
  • Workspace rules generation, so the class of bug stops reappearing in new code

See The AI Security Workflow for the full loop.

Compliance mapping

Findings map to OWASP Top 10 and CWE identifiers, plus framework contexts for GDPR, SOC 2 and PCI DSS — so when an auditor or enterprise customer asks, you answer in their vocabulary instead of translating on the spot. Details in Compliance Reports.

Retests & history

Fixed something? Rescan to verify — findings close only when the new scan captures evidence that the issue is gone. Paid plans keep scan history and diffs so you can show progression over time, and the Care plan re-scans automatically every week.

Sharing

Reports export to PDF, can be delivered by email, and back the public security badge you can embed on your site. See Security Badges for setup.