New here? Start with an interactive guide
Step-by-step walkthroughs for the web scanner, CLI, GitHub Action, and API — written so a non-technical founder can follow along without a security background.
How does the scanner actually work?
Regex + AST dual-layer architecture, the taint tracker's source/sink coverage, the labeled fixture corpus, and the methodology used for fair comparison against Semgrep and Bearer. All open source, all reproducible locally.
Quick Start
XploitScan can be used five ways:
Drag-and-drop files or paste a GitHub URL at xploitscan.com/scan
Run npx xploitscan scan . in your terminal
One-click install for auto-scans + inline PR comments. Setup guide
Auto-scan every PR with SARIF output
Scan from Claude Desktop, Cursor, or Windsurf as you code. Setup guide
CLI Usage
No account required. Install nothing — just run with npx. Your code stays 100% local.
$ npx xploitscan scan .Scan the current directory$ npx xploitscan scan ./srcScan a specific folder$ npx xploitscan scan . --format jsonOutput results as JSON$ npx xploitscan scan . --format sarifOutput SARIF for GitHub Security tab$ npx xploitscan scan . --diff mainScan only files changed vs a base branch$ npx xploitscan scan . --watchRe-scan automatically on file changesOutput Formats
terminal — Human-readable terminal output (default)json — Machine-readable JSON with all findingssarif — SARIF for GitHub Security tab integrationsplunk-hec / elastic-ecs / datadog-logs — SIEM-ready event formatsExit Codes (for CI gating)
0 — Scan completed; no critical or high-severity findings1 — Critical or high-severity findings present (fails the CI step), or the scan was blocked by your plan's rate limitMedium/low/info findings never fail the build — gate on what's exploitable, fix the rest at your own pace.
Connect Your Account (unlock all 210+ rules)
Anonymous CLI scans use the 30 free rules. Logging in connects your plan — paid plans scan with all 210+ rules, and your scans appear in your dashboard.
$ npx xploitscan auth loginOpens your browser, links the CLI to your account — no key copying$ npx xploitscan auth whoamiCheck which account and plan the CLI is using$ npx xploitscan auth logoutDisconnect this machineCI & GitHub Action: use an API key
Headless environments can't open a browser — generate a key under Settings → API Keys and provide it as api-key (GitHub Action) or the XPLOITSCAN_API_KEY environment variable. Keys are shown once and stored hashed — treat them like passwords. (The MCP server needs no key — it scans entirely locally.)
After your first logged-in scan: results land in your dashboard with history and trends, and you can publish a Trust Page to show customers your security posture.
Pre-commit Hook
Scan your code automatically before every git commit. Catches security issues before they land in your repo.
$ npx xploitscan hook installInstall the hook in your git repo$ npx xploitscan hook uninstallRemove the hookHow it works
xploitscan scan . --diff HEAD on every commitgit commit --no-verifyGitHub Action
Automatically scan every push and pull request. Findings appear in the GitHub Security tab.
name: Security Scan
on: [push, pull_request]
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run XploitScan
uses: bgage72590/xploitscan-action@v1
with:
path: '.'
fail-on: 'critical'
- name: Upload SARIF
if: always()
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: xploitscan-results.sarifAction Inputs
path — Directory to scan (default: .)fail-on — Fail if findings at this severity or above: critical, high, medium, low, none (default: none)sarif-file — Path for SARIF output (default: xploitscan-results.sarif)comment — Post a severity-table summary comment on pull requests (default: true)api-key — XploitScan API key (xpls_...); paid plans scan with all 210+ rules, otherwise the 30 free rules runanthropic-api-key — Optional; enables the AI false-positive filter on CI runsAction Outputs
grade — Security grade (A+ to F)score — Security score (0-100)findings-count — Total number of findingscritical-count — Number of critical findingshigh-count — Number of high findingsmedium-count — Number of medium findingslow-count — Number of low findingssarif-file — Path to the SARIF output fileSecurity Badge
Add a security grade badge to your README. Configure your badge in Settings.
[](https://xploitscan.com)<a href="https://xploitscan.com"><img src="https://xploitscan-api.vercel.app/api/badge/A" alt="XploitScan"></a>Configuration
Add a .xploitscanrc file to your project root to customize scan behavior. All settings are optional: rules.disable skips rules by ID across the whole project, and ai set to false turns off the AI analysis pass (same as --no-ai).
// .xploitscanrc (JSON, project root)
{
"rules": {
"disable": ["VC042", "VC017"]
},
"ai": false
}SBOM Generation
Generate a Software Bill of Materials in CycloneDX 1.4 format. SBOMs catalog all dependencies and their versions for supply chain security.
Generate SBOM on the results.package.json, requirements.txt, go.mod, Gemfile, Cargo.toml, and more) are cataloged and downloaded as sbom-cyclonedx.json.Compliance Mapping
Every rule maps to industry standards so you can track compliance posture directly from scan results.
Trust Service Criteria mappings
Annex A control mappings
Web application risk coverage
Common Weakness Enumeration IDs
API Reference
The public scan API is available at xploitscan-api.vercel.app. No API key is required — anonymous requests run the 30 free rules under per-IP rate limits. See the API guide for a full walkthrough with request and response examples.
POST /api/scans/upload-json— Scan a JSON payload of files (5MB limit); returns grade, score, and findingsPOST /api/scans/upload— Scan a ZIP upload (multipart form)GET /api/badge/:grade— Security badge image (public)Supported Languages & Files
Languages
JavaScript, TypeScript, Python, Ruby, Go, Rust, Java, PHP, Swift, Kotlin, C#, Dart, C/C++, and more.
Config & IaC
Dockerfile, docker-compose, Terraform, Kubernetes manifests, GitHub Actions workflows, .env files, package.json, and more.
Need Help?
Questions or feedback? We're here to help.
Contact Us