Documentation
Everything you need to integrate Securisky into your workflow.
Quick start
The fastest way to check your app's security posture:
- Go to /scan and paste your live app URL — no account required.
- Results appear in ~60 seconds with a security grade (A–F) and severity-ranked findings.
- Create a free account to save scan history (5 URL scans/month).
- Upgrade to Indie for repo scans, AI fix prompts, and API access.
URL scanning
Securisky fetches your deployed page and analyzes HTML, JavaScript, response headers, and TLS configuration for security vulnerabilities.
What gets checked
- Hardcoded secrets and API keys in page content and bundles
- SQL, NoSQL, and command injection patterns
- Missing authentication on exposed endpoints
- CORS, CSP, HSTS, and other security header misconfigurations
- TLS certificate expiry (checking for <14 days)
- DNS posture: SPF, DMARC, DKIM, and MX records
Rate limits
- Unauthenticated: 5 URL scans per day per IP
- Free plan: 5 URL scans per month
- Indie: 30 URL scans per month
- Pro: 150 URL scans per month
- Team: 500 URL scans per month
Repository scanning
Paste a public GitHub URL or use the GitHub Action to scan on every push. Securisky clones the repository (shallow, depth=1) and analyzes all source files.
Supported file types
.py .js .jsx .ts .tsx .json .yml .yaml .env .toml .sh .rb .php .java .go .rs .vue .svelte .prisma .sql .html .css .scss .cfg .conf .ini
Plus: .env, .env.local, .env.production, and Dockerfile
Excluded directories
.git node_modules vendor .venv __pycache__ .next .nuxt dist build .vercel .cache
API reference
All API endpoints are available at https://securisky.dev/api/v1. Responses are JSON. Authentication is via Firebase ID token or API key.
POST /api/v1/auth/verify
Verify a Firebase ID token and bootstrap the organization record. Called automatically on sign-in.
// Request (Authorization: Bearer <firebase-id-token>)
// Response 200
{
"uid": "firebase-uid",
"email": "user@example.com",
"org_id": "uuid",
"plan": "free",
"created": false // true if org was just created
}POST /api/v1/scans/url
Trigger a URL security scan (authenticated).
// Request
POST /api/v1/scans/url
Authorization: Bearer <token>
{
"url": "https://your-app.com"
}
// Response 201
{
"id": "scan-uuid",
"status": "pending"
}POST /api/v1/scans/repo
Trigger a repository scan (authenticated, Indie+ plan).
// Request
POST /api/v1/scans/repo
Authorization: Bearer <token>
{
"repo_url": "https://github.com/org/repo"
}GET /api/v1/scans/{scan_id}
Get scan status and summary.
// Response 200
{
"id": "scan-uuid",
"status": "completed", // pending | running | completed | failed
"score": 42,
"grade": "D",
"findings_count": 7,
"critical_count": 1,
"high_count": 2,
"medium_count": 1,
"low_count": 3,
"duration_ms": 58300,
"target_url": "https://your-app.com",
"share_token": "unguessable-token",
"created_at": "2026-07-01T12:00:00Z",
"completed_at": "2026-07-01T12:01:00Z"
}GET /api/v1/scans/{scan_id}/findings
Get all findings for a scan, with optional filters.
// Query params: ?severity=critical&category=secret&limit=50&offset=0
// Response 200
[
{
"id": "finding-uuid",
"rule_id": "SEC-001",
"severity": "critical",
"category": "secret",
"title": "Hardcoded database credential",
"description": "A database connection string...",
"fix_prompt": "Move the connection string to an environment variable...",
"cwe_id": "CWE-798",
"owasp_category": "A03:2021",
"file_path": "src/lib/db.ts",
"line_number": 14,
"evidence": "postgres://admin:password@..."
}
]}GET /api/v1/scans/{scan_id}/pdf
Download a PDF report of the scan results.
GET /api/v1/scans/{scan_id}/findings/export
Export findings as CSV (Indie+ plan).
POST /api/v1/public/scan-url
Public URL scan — no authentication required (rate-limited per IP).
// Request
POST /api/v1/public/scan-url
{
"url": "https://your-app.com"
}
// Response 201 — same as authenticated scanGET /api/v1/public/scan/{scan_id}
Get public scan status and results.
GET /api/v1/report/{share_token}
Access a shared scan report via unguessable share token.
Authentication
Securisky supports two authentication methods:
Firebase ID tokens (user-facing)
Pass the Firebase ID token in the Authorization: Bearer <token> header. Tokens are obtained via Firebase Authentication SDK on the frontend.
API tokens (programmatic)
Create API tokens in Dashboard → API Keys (Indie+ plan). Tokens start with sk_ and are passed in the same header format. Maximum 10 tokens per organization.
Authorization: Bearer sk_<your-api-token>
# Example with curl
curl -X POST https://securisky.dev/api/v1/scans/url \
-H "Authorization: Bearer sk_abc123..." \
-H "Content-Type: application/json" \
-d '{"url": "https://your-app.com"}'GitHub Action
Integrate Securisky into your CI/CD pipeline with the GitHub Action template. The action scans your repository on every push and comments findings on PRs.
Find the template at github-action-template/ in the repository, or use:
# .github/workflows/securisky-scan.yml
name: Securisky Security Scan
on: [push, pull_request]
jobs:
security-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run Securisky scan
run: |
curl -X POST https://securisky.dev/api/v1/scans/repo \
-H "Authorization: Bearer ${{ secrets.SECURISKY_API_KEY }}" \
-H "Content-Type: application/json" \
-d '{"repo_url": "https://github.com/${{ github.repository }}"}'
env:
SECURISKY_API_KEY: ${{ secrets.SECURISKY_API_KEY }}Chrome extension
The Securisky Chrome extension lets you scan the current tab with one click. Load the unpacked extension from chrome-extension/ or install from the Chrome Web Store.
- Open Chrome → Extensions → Manage extensions
- Enable “Developer mode”
- Click “Load unpacked” and select the
chrome-extension/folder - Sign in with your Securisky account
- Click the extension icon on any page to scan
Webhooks
Securisky can deliver scan events to your own endpoints via outgoing webhooks. Configure webhooks in Dashboard → Integrations → Webhooks (Pro+ plan).
Available events
scan_complete— a scan finished (success or failure)critical_finding— a critical-severity finding was detectedscore_drop— scan score dropped significantlymonitoring_regression— a monitored URL regressed in score
Payload format
// POST to your webhook URL
// Headers: X-Securisky-Signature: HMAC-SHA256(secret, body)
{
"event": "scan_complete",
"org_id": "uuid",
"scan_id": "uuid",
"score": 85,
"grade": "B",
"findings_count": 3,
"target_url": "https://your-app.com",
"completed_at": "2026-07-01T12:01:00Z"
}Integrations
Slack
Connect your Slack workspace to receive scan alerts in a channel of your choice (Pro+ plan). Configure in Dashboard → Integrations → Slack.
Jira Cloud
Create Jira issues directly from scan findings (Team plan). Configure your Jira site URL, project key, and API token in Dashboard → Integrations → Jira.
REST API
Full programmatic access via API tokens. See the API reference above.
Plans & limits
| Feature | Free | Indie ($9/mo) | Pro ($29/mo) | Team ($99/mo) |
|---|---|---|---|---|
| URL scans/mo | 5 | 30 | 150 | 500 |
| Repo scans/mo | 0 | 10 | 50 | 200 |
| Detection patterns | 25 | 39 | 63 | 82 |
| Categories | Secrets, Injection | +Auth, Crypto | +Config, Access Ctrl | +Exposure, Dependency |
| AI fix prompts | — | ✓ | ✓ | ✓ |
| PDF reports | ✓ | ✓ | ✓ | ✓ |
| API access | — | ✓ | ✓ | ✓ |
| Team members | — | — | 3 seats | 10 seats |
| Slack integration | — | — | ✓ | ✓ |
| Jira integration | — | — | — | ✓ |
| Webhooks | — | — | 3 hooks | 10 hooks |
| Recurring monitoring | — | — | ✓ | ✓ |
| Priority support | — | — | — | ✓ |
Annual billing available at 20% discount.
Troubleshooting
Scan fails with “Target unreachable”
Ensure the URL is publicly accessible. Securisky cannot scan localhost, private IPs, or internal services. If your app is behind authentication, consider scanning a staging deployment.
Repo scan returns no findings
Repo scanning uses shallow clones (depth 1). Ensure the repository is public. Private repos require a GitHub access token. Some file types are excluded (see supported file types above).
API returns 402 Payment Required
You've hit your plan's scan quota. Upgrade to a higher plan or wait for the monthly reset (1st of each month).
API returns 429 Too Many Requests
Rate limit exceeded. Public endpoints are limited to 5 scans per day per IP. Authenticated endpoints have higher limits. Wait and retry.
How do I delete my account?
Go to Dashboard → Settings → Danger Zone. Type DELETE to confirm. All scans and data are permanently removed within 30 days.
How do I rotate a shared report link?
Org editors can rotate share tokens via the scan detail API. Revoked links stop working immediately.
Need help? Contact support@securisky.dev.