Documentation

210+ security rules. Three ways to scan. Everything you need to integrate XploitScan into your workflow.

New here? Start with an interactive guide

Step-by-step walkthroughs for the web scanner, CLI, GitHub Action, and API — written so a non-technical founder can follow along without a security background.

Open guides →

How does the scanner actually work?

Regex + AST dual-layer architecture, the taint tracker's source/sink coverage, the labeled fixture corpus, and the methodology used for fair comparison against Semgrep and Bearer. All open source, all reproducible locally.

Read methodology →

Quick Start

XploitScan can be used five ways:

Web App

Drag-and-drop files or paste a GitHub URL at xploitscan.com/scan

CLI

Run npx xploitscan scan . in your terminal

GitHub App

One-click install for auto-scans + inline PR comments. Setup guide

GitHub Action

Auto-scan every PR with SARIF output

MCP Server

Scan from Claude Desktop, Cursor, or Windsurf as you code. Setup guide

CLI Usage

No account required. Install nothing — just run with npx. Your code stays 100% local.

$ npx xploitscan scan .Scan the current directory
$ npx xploitscan scan ./srcScan a specific folder
$ npx xploitscan scan . --format jsonOutput results as JSON
$ npx xploitscan scan . --format sarifOutput SARIF for GitHub Security tab
$ npx xploitscan scan . --diff mainScan only files changed vs a base branch
$ npx xploitscan scan . --watchRe-scan automatically on file changes

Output Formats

terminal — Human-readable terminal output (default)
json — Machine-readable JSON with all findings
sarif — SARIF for GitHub Security tab integration
splunk-hec / elastic-ecs / datadog-logs — SIEM-ready event formats

Exit Codes (for CI gating)

0 — Scan completed; no critical or high-severity findings
1 — Critical or high-severity findings present (fails the CI step), or the scan was blocked by your plan's rate limit

Medium/low/info findings never fail the build — gate on what's exploitable, fix the rest at your own pace.

Connect Your Account (unlock all 210+ rules)

Anonymous CLI scans use the 30 free rules. Logging in connects your plan — paid plans scan with all 210+ rules, and your scans appear in your dashboard.

$ npx xploitscan auth loginOpens your browser, links the CLI to your account — no key copying
$ npx xploitscan auth whoamiCheck which account and plan the CLI is using
$ npx xploitscan auth logoutDisconnect this machine

CI & GitHub Action: use an API key

Headless environments can't open a browser — generate a key under Settings → API Keys and provide it as api-key (GitHub Action) or the XPLOITSCAN_API_KEY environment variable. Keys are shown once and stored hashed — treat them like passwords. (The MCP server needs no key — it scans entirely locally.)

After your first logged-in scan: results land in your dashboard with history and trends, and you can publish a Trust Page to show customers your security posture.

Pre-commit Hook

Scan your code automatically before every git commit. Catches security issues before they land in your repo.

$ npx xploitscan hook installInstall the hook in your git repo
$ npx xploitscan hook uninstallRemove the hook

How it works

• Runs xploitscan scan . --diff HEAD on every commit
• Only scans files that changed in the commit (fast)
• Blocks the commit if critical or high-severity issues are found
• Preserves any existing pre-commit hooks you already have
• To skip a scan for a single commit: git commit --no-verify

GitHub Action

Automatically scan every push and pull request. Findings appear in the GitHub Security tab.

.github/workflows/security.yml
name: Security Scan
on: [push, pull_request]

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run XploitScan
        uses: bgage72590/xploitscan-action@v1
        with:
          path: '.'
          fail-on: 'critical'

      - name: Upload SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: xploitscan-results.sarif

Action Inputs

path — Directory to scan (default: .)
fail-on — Fail if findings at this severity or above: critical, high, medium, low, none (default: none)
sarif-file — Path for SARIF output (default: xploitscan-results.sarif)
comment — Post a severity-table summary comment on pull requests (default: true)
api-key — XploitScan API key (xpls_...); paid plans scan with all 210+ rules, otherwise the 30 free rules run
anthropic-api-key — Optional; enables the AI false-positive filter on CI runs

Action Outputs

grade — Security grade (A+ to F)
score — Security score (0-100)
findings-count — Total number of findings
critical-count — Number of critical findings
high-count — Number of high findings
medium-count — Number of medium findings
low-count — Number of low findings
sarif-file — Path to the SARIF output file

Security Badge

Add a security grade badge to your README. Configure your badge in Settings.

Markdown[![XploitScan](https://xploitscan-api.vercel.app/api/badge/A)](https://xploitscan.com)
HTML<a href="https://xploitscan.com"><img src="https://xploitscan-api.vercel.app/api/badge/A" alt="XploitScan"></a>

Configuration

Add a .xploitscanrc file to your project root to customize scan behavior. All settings are optional: rules.disable skips rules by ID across the whole project, and ai set to false turns off the AI analysis pass (same as --no-ai).

.xploitscanrc
// .xploitscanrc (JSON, project root)
{
  "rules": {
    "disable": ["VC042", "VC017"]
  },
  "ai": false
}

SBOM Generation

Generate a Software Bill of Materials in CycloneDX 1.4 format. SBOMs catalog all dependencies and their versions for supply chain security.

Scan your project in the web scanner while signed in, then click Generate SBOM on the results.
Dependency manifests in your upload (package.json, requirements.txt, go.mod, Gemfile, Cargo.toml, and more) are cataloged and downloaded as sbom-cyclonedx.json.

Compliance Mapping

Every rule maps to industry standards so you can track compliance posture directly from scan results.

SOC 2

Trust Service Criteria mappings

ISO 27001

Annex A control mappings

OWASP Top 10

Web application risk coverage

CWE

Common Weakness Enumeration IDs

API Reference

The public scan API is available at xploitscan-api.vercel.app. No API key is required — anonymous requests run the 30 free rules under per-IP rate limits. See the API guide for a full walkthrough with request and response examples.

POST /api/scans/upload-json— Scan a JSON payload of files (5MB limit); returns grade, score, and findings
POST /api/scans/upload— Scan a ZIP upload (multipart form)
GET /api/badge/:grade— Security badge image (public)

Supported Languages & Files

Languages

JavaScript, TypeScript, Python, Ruby, Go, Rust, Java, PHP, Swift, Kotlin, C#, Dart, C/C++, and more.

Config & IaC

Dockerfile, docker-compose, Terraform, Kubernetes manifests, GitHub Actions workflows, .env files, package.json, and more.

Need Help?

Questions or feedback? We're here to help.

Contact Us
Documentation — XploitScan