Documentation

206 security rules. Three ways to scan. Everything you need to integrate XploitScan into your workflow.

New here? Start with an interactive guide

Step-by-step walkthroughs for the web scanner, CLI, GitHub Action, and API — written so a non-technical founder can follow along without a security background.

Open guides →

How does the scanner actually work?

Regex + AST dual-layer architecture, the taint tracker's source/sink coverage, the labeled fixture corpus, and the methodology used for fair comparison against Semgrep and Bearer. All open source, all reproducible locally.

Read methodology →

Quick Start

XploitScan can be used four ways:

Web App

Drag-and-drop files or paste a GitHub URL at xploitscan.com/scan

CLI

Run npx xploitscan scan . in your terminal

GitHub App

One-click install for auto-scans + inline PR comments. Setup guide

GitHub Action

Auto-scan every PR with SARIF output

CLI Usage

No account required. Install nothing — just run with npx. Your code stays 100% local.

$ npx xploitscan scan .Scan the current directory
$ npx xploitscan scan ./srcScan a specific folder
$ npx xploitscan scan . --format jsonOutput results as JSON
$ npx xploitscan scan . --format sarifOutput SARIF for GitHub Security tab
$ npx xploitscan scan . --sbomGenerate CycloneDX 1.4 SBOM

Output Formats

text — Human-readable terminal output (default)
json — Machine-readable JSON with all findings
sarif — SARIF for GitHub Security tab integration

Pre-commit Hook

Scan your code automatically before every git commit. Catches security issues before they land in your repo.

$ npx xploitscan hook installInstall the hook in your git repo
$ npx xploitscan hook uninstallRemove the hook

How it works

• Runs xploitscan scan . --diff HEAD on every commit
• Only scans files that changed in the commit (fast)
• Blocks the commit if critical or high-severity issues are found
• Preserves any existing pre-commit hooks you already have
• To skip a scan for a single commit: git commit --no-verify

GitHub Action

Automatically scan every push and pull request. Findings appear in the GitHub Security tab.

.github/workflows/security.yml
name: Security Scan
on: [push, pull_request]

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run XploitScan
        uses: bgage72590/xploitscan-action@v1
        with:
          path: '.'
          format: 'sarif'
          fail-on: 'critical'

      - name: Upload SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: xploitscan-results.sarif

Action Inputs

path — Directory to scan (default: .)
format — Output format: text, json, or sarif (default: sarif)
fail-on — Fail if findings at this severity or above: critical, high, medium, low, none (default: critical)
sarif-file — Path for SARIF output (default: xploitscan-results.sarif)

Action Outputs

grade — Security grade (A+ to F)
score — Security score (0-100)
findings-count — Total number of findings
critical-count — Number of critical findings
high-count — Number of high findings

Security Badge

Add a security grade badge to your README. Configure your badge in Settings.

Markdown[![XploitScan](https://xploitscan-api.vercel.app/api/badge/A)](https://xploitscan.com)
HTML<a href="https://xploitscan.com"><img src="https://xploitscan-api.vercel.app/api/badge/A" alt="XploitScan"></a>

Configuration

Add a .xploitscanrc file to your project root to customize scan behavior. All settings are optional.

.xploitscanrc
// .xploitscanrc
{
  "rules": {
    "include": ["VC001-VC131"],
    "exclude": ["VC042"]
  },
  "format": "json",
  "fail-on": "high",
  "ignore": ["node_modules", "dist", ".git"]
}

SBOM Generation

Generate a Software Bill of Materials in CycloneDX 1.4 format. SBOMs catalog all dependencies and their versions for supply chain security.

Run npx xploitscan scan . --sbom to generate a CycloneDX SBOM alongside your scan results.
Output is saved to xploitscan-sbom.json by default.

Compliance Mapping

Every rule maps to industry standards so you can track compliance posture directly from scan results.

SOC 2

Trust Service Criteria mappings

ISO 27001

Annex A control mappings

OWASP Top 10

Web application risk coverage

CWE

Common Weakness Enumeration IDs

API Reference

The XploitScan API is available at xploitscan-api.vercel.app. Authenticated endpoints require your API key in the Authorization header.

POST /api/scan— Submit files for scanning
GET /api/scans— List scan history
GET /api/scans/:id— Get scan results by ID
GET /api/badge/:grade— Security badge image (public)

Supported Languages & Files

Languages

JavaScript, TypeScript, Python, Ruby, Go, Rust, Java, PHP, Swift, Kotlin, C#, Dart, C/C++, and more.

Config & IaC

Dockerfile, docker-compose, Terraform, Kubernetes manifests, GitHub Actions workflows, .env files, package.json, and more.

Need Help?

Questions or feedback? We're here to help.

Contact Us
Documentation — XploitScan