DevSecOps pipeline integration
Run Vulny's DAST scanner straight from your CI/CD pipeline. Start a scan on a deploy target, wait for it to finish, and fail the build when critical or high vulnerabilities are found — so insecure code never ships. Available on the Pro and Corporate plans (and during your free trial).
How it works
Three simple REST calls — your pipeline stays in control:
- Start a scan: POST /api/v1/scans with a target → returns a scan id.
- Poll the status: GET /api/v1/scans/{id} until done: true (ports → CVE matching → web/DAST checks).
- Gate: read summary (counts per severity) and findings, then pass or fail the job.
Generate an API key in Settings → API and store it as a CI secret named VULNY_API_KEY. Full reference: API documentation · openapi.json.
GitLab CI
The pipeline waits for the scan and fails on critical/high findings:
# .gitlab-ci.yml — add VULNY_API_KEY as a masked CI/CD variable (Settings > CI/CD > Variables)
security_scan:
  stage: test
  image: alpine:3
  variables:
    TARGET: "example.com"
  before_script:
    - apk add --no-cache curl jq
  script:
    - |
      set -e
      set -o pipefail   # a failed curl inside the "curl | jq" pipelines must fail the job, not yield id "null"
      BASE="https://vulny.app/api/v1"
      AUTH="Authorization: Bearer $VULNY_API_KEY"
      # 1) Start a scan and capture its id (-f: treat an HTTP error as a failure)
      ID=$(curl -sf -X POST "$BASE/scans" -H "$AUTH" -H "Content-Type: application/json" \
        -d "{\"target\":\"$TARGET\"}" | jq -r .id)
      echo "Started Vulny scan $ID for $TARGET"
      # 2) Poll until the scan is done
      while true; do
        RES=$(curl -sf "$BASE/scans/$ID" -H "$AUTH")
        [ "$(echo "$RES" | jq -r .done)" = "true" ] && break
        echo "scanning... $(echo "$RES" | jq -r .progress)%"
        sleep 15
      done
      # 3) Show the summary; fail the build on any critical/high finding
      echo "$RES" | jq .summary
      GATE=$(echo "$RES" | jq ".summary.critical + .summary.high")
      if [ "$GATE" -gt 0 ]; then
        echo "Security gate FAILED: $GATE critical/high finding(s)"
        echo "$RES" | jq -r ".findings[] | \"[\(.severity)] \(.title) \(.port // \"\")\""
        exit 1
      fi
      echo "Security gate passed"
GitHub Actions
# .github/workflows/vulny.yml — add VULNY_API_KEY as a repository secret
name: Vulny DAST
on: [push]
jobs:
  security_scan:
    runs-on: ubuntu-latest
    env:
      VULNY_API_KEY: ${{ secrets.VULNY_API_KEY }}
      TARGET: example.com
    steps:
      - name: Run Vulny scan and gate the build
        run: |
          set -e
          set -o pipefail   # a failed curl inside the "curl | jq" pipelines must fail the job, not yield id "null"
          BASE="https://vulny.app/api/v1"
          AUTH="Authorization: Bearer $VULNY_API_KEY"
          # 1) Start a scan and capture its id (-f: treat an HTTP error as a failure)
          ID=$(curl -sf -X POST "$BASE/scans" -H "$AUTH" -H "Content-Type: application/json" \
            -d "{\"target\":\"$TARGET\"}" | jq -r .id)
          echo "Started Vulny scan $ID for $TARGET"
          # 2) Poll until the scan is done
          while true; do
            RES=$(curl -sf "$BASE/scans/$ID" -H "$AUTH")
            [ "$(echo "$RES" | jq -r .done)" = "true" ] && break
            echo "scanning... $(echo "$RES" | jq -r .progress)%"
            sleep 15
          done
          # 3) Show the summary; fail the build on any critical/high finding
          echo "$RES" | jq .summary
          GATE=$(echo "$RES" | jq ".summary.critical + .summary.high")
          if [ "$GATE" -gt 0 ]; then
            echo "Security gate FAILED: $GATE critical/high finding(s)"
            echo "$RES" | jq -r ".findings[] | \"[\(.severity)] \(.title) \(.port // \"\")\""
            exit 1
          fi
          echo "Security gate passed"
What gets reported
When done is true, the status response includes a severity summary and the list of active findings (known CVEs matched from the NVD plus web/DAST issues), each with severity, title, CVE id, CVSS, source and port. Tune your gate to taste — for example, fail only on critical, or on critical + high as shown above.
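The three-call flow above (start, poll, gate) as a small Python helper a CI job could run in place of the inline jq; this is an added example, not Vulny's own client code. It adds what the shell snippets leave out: an HTTP error raises instead of being parsed as a scan, polling has a deadline so a stuck scan fails the job rather than hanging it, and the severities that block the build are a parameter, as the gate-tuning note above suggests. Only the endpoints and JSON fields named on this page are relied on; the sample status response and the FAIL_ON-style choice of severities are constructed.

```python
"""Vulny CI gate helper (added example, not Vulny's own client). It relies only on what the page
documents: POST /scans -> {"id"}; GET /scans/{id} -> {"done", "progress", "summary": {severity: count},
"findings": [{"severity", "title", "port", ...}]}. Anything beyond that is an assumption."""
import json
import os
import time
import urllib.request

BASE = "https://vulny.app/api/v1"
SAMPLE_STATUS = {  # constructed sample of a finished status response, not real scanner output
    "done": True, "progress": 100,
    "summary": {"critical": 0, "high": 1, "medium": 2, "low": 0},
    "findings": [{"severity": "high", "title": "Outdated SSH server", "port": 22},
                 {"severity": "medium", "title": "Missing CSP header", "port": 443},
                 {"severity": "medium", "title": "Directory listing enabled", "port": 443}],
}

def api(method, path, body=None):
    """One authenticated call; a 4xx/5xx raises instead of being parsed as a scan result."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(BASE + path, data=data, method=method, headers={
        "Authorization": "Bearer " + os.environ["VULNY_API_KEY"], "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def wait_for_scan(fetch_status, deadline_s, interval_s=15, clock=time.monotonic, sleep=time.sleep):
    """Poll until done; raise TimeoutError so a stuck scan fails the job instead of hanging it."""
    start = clock()
    while (status := fetch_status()).get("done") is not True:
        if clock() - start >= deadline_s:
            raise TimeoutError("scan at %s%% after %ss" % (status.get("progress"), deadline_s))
        sleep(interval_s)
    return status

def gate(status, fail_on=("critical", "high")):
    """Return (passed, blocking findings); the summary counts decide, as in the page's jq gate."""
    summary = status.get("summary", {})
    passed = sum(int(summary.get(sev, 0)) for sev in fail_on) == 0
    return passed, [f for f in status.get("findings", []) if f.get("severity") in fail_on]

if __name__ == "__main__":
    if "VULNY_API_KEY" in os.environ:
        scan = api("POST", "/scans", {"target": os.environ.get("TARGET", "example.com")})
        final = wait_for_scan(lambda: api("GET", "/scans/%s" % scan["id"]), deadline_s=1800)
    else:
        final = SAMPLE_STATUS  # dry run on the constructed sample when no key is set
    passed, blocking = gate(final, fail_on=("critical", "high"))  # e.g. ("critical",) for a looser gate
    for f in blocking:
        print("[%s] %s %s" % (f["severity"], f["title"], f.get("port", "")))
    raise SystemExit(0 if passed else 1)
```

Run without VULNY_API_KEY set to see the gate evaluated against the constructed sample (exit code 1, one high finding listed); with the key set it performs the real start/poll/gate sequence.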
Ship secure code, automatically
Start a free 14-day trial — generate an API key and wire up your first pipeline in minutes.