Integrations

What you can wire into NANOTESTING. Most are optional; configure the ones that match how your team works.

Alerts: Slack, Discord, generic webhook

Fire on every critical or high finding. Configure under Settings > Notifications. URLs are encrypted at rest with AES-256-GCM; only the worker decrypts them at send time.

  • Slack: paste an Incoming Webhook URL from your Slack workspace (https://hooks.slack.com/services/T.../B.../...).
  • Discord: paste a Discord webhook URL from channel settings.
  • Generic webhook: any URL we can POST JSON to. The payload schema is documented inline. Add an HMAC secret if you want to verify the signature on your side.
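The generic-webhook bullet leaves the receiver side to you. The following is an added example, not NANOTESTING's own code: a small receiver that checks the HMAC on an incoming alert before parsing it. The page does not document the signing scheme, so the example assumes HMAC-SHA256 over the raw request body sent as a hex digest in an X-Signature-256 header; the sample payload and secret are constructed. Adjust the header name and digest to whatever the inline payload schema in the dashboard specifies.

```python
"""Receiver-side check of a signed generic-webhook alert.

Added example, not NANOTESTING's own code. ASSUMED signing scheme:
HMAC-SHA256 over the raw request body, hex digest in X-Signature-256.
"""
import hashlib
import hmac
import json
from typing import Dict, Optional

SIGNATURE_HEADER = "X-Signature-256"  # assumed header name


def sign(secret: bytes, body: bytes) -> str:
    """Hex HMAC-SHA256 of the raw body (the assumed signing scheme)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def signed_headers(secret: bytes, body: bytes) -> Dict[str, str]:
    """Headers a sender would attach; used here to build sample requests."""
    return {"Content-Type": "application/json",
            SIGNATURE_HEADER: sign(secret, body)}


def verify(secret: bytes, headers: Dict[str, str], body: bytes) -> bool:
    """Constant-time comparison; a missing header is a failed check."""
    presented = headers.get(SIGNATURE_HEADER, "")
    # Compare as bytes so a non-ASCII header value cannot raise TypeError.
    return hmac.compare_digest(sign(secret, body).encode(), presented.encode())


def handle_alert(secret: bytes, headers: Dict[str, str],
                 body: bytes) -> Optional[dict]:
    """Return the parsed finding only when the signature is valid.

    Verify over the raw bytes BEFORE json.loads: re-serialising JSON is
    not byte-stable, and an unsigned body should never reach the parser.
    """
    if not verify(secret, headers, body):
        return None
    return json.loads(body)


# Constructed sample request (not a real NANOTESTING payload).
SAMPLE_SECRET = b"example-shared-secret"
SAMPLE_BODY = json.dumps({
    "severity": "high",
    "title": "Example finding",
    "target": "example.com",
}).encode()
SAMPLE_HEADERS = signed_headers(SAMPLE_SECRET, SAMPLE_BODY)


if __name__ == "__main__":
    print(handle_alert(SAMPLE_SECRET, SAMPLE_HEADERS, SAMPLE_BODY))
```

In a real handler, pass the framework's raw body bytes (not a re-encoded parsed object) and its header mapping; most frameworks expose headers case-insensitively, which the plain dict here does not. Keep the shared secret in the same secret store as the webhook URL, since either one alone lets a third party inject alerts into your channel.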

Cloud audit: AWS / Azure / GCP

Connect a read-only IAM credential to run scheduled CIS benchmark and best-practice audits. Configure under Settings > Cloud integrations. We do NOT request any write permissions.

Minimum permissions: AWS arn:aws:iam::aws:policy/SecurityAudit + read-only on a few additional services; Azure built-in Reader role at the subscription scope; GCP Viewer + Security Reviewer at the project scope. We document the exact set in the dashboard at credential-create time.

Kubernetes snapshot

Upload the output of kubectl get all -A -o yaml (capped at 10 MiB). We run a Kubernetes posture audit against the manifests; no outbound connection to your cluster ever happens. The snapshot is wiped after the scan completes.

Mobile binaries (APK / IPA)

Upload the shipped binary under Settings > Cloud integrations > Mobile binary. See the dedicated guide at Docs > Mobile app scan for the full flow, limits, and what the report contains.

GitHub repository scans

Add a GitHub PAT to the target (encrypted at rest). The worker does a shallow clone (depth 50, single branch), then runs the full repo deep-scan: dependency CVEs across every lockfile, secret scanning across the commit history, filesystem CVE + IaC misconfiguration + secret patterns, SAST patterns, mobile-source patterns when detected, and Kubernetes manifest posture when detected. The clone is wiped after the scan.

OpenAPI spec upload

Upload an OpenAPI 3.x JSON / YAML or Swagger 2.0 spec on a web / API target. Capped at 4 MiB. Once present, the worker runs:

  • OpenAPI contract fuzz - status code, response schema, content type, server-error conformance.
  • OWASP API1 BOLA - path-param endpoints reached with the primary AND alt bearer token.
  • OWASP API3 BOPLA - mass-assignment with canary fields (is_admin, role, plan, ...).
  • OWASP API5 BFLA - admin-tagged paths reached with a non-admin token.

IDOR pair credentials live separately at the target's Credentials tab. See Scan types reference for details.
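To see what the worker derives from an uploaded spec, here is an added example that is not NANOTESTING's code. It reads a small constructed OpenAPI 3 document and lists the operations each check above would target, using this example's own reading of those bullets rather than the worker's internal logic: a path template marks a BOLA candidate, an admin tag marks a BFLA candidate, and a JSON request schema without additionalProperties: false is flagged as BOPLA exposure because it accepts undeclared fields such as the canary names. A small contract check mirrors the status-code and server-error conformance rule. Reviewing your spec this way before upload tells you where the report's findings will cluster.

```python
"""Pre-flight review of an OpenAPI 3.x spec against the OWASP API checks.

Added example, not NANOTESTING code. The spec is constructed; the
classification rules are this example's reading of the documented checks.
"""
from typing import Any, Dict, Iterator, List, Tuple

HTTP_METHODS = ("get", "put", "post", "delete", "patch")
CANARY_FIELDS = ("is_admin", "role", "plan")  # canaries named on the page

# Constructed spec: one object endpoint, one admin endpoint, one closed schema.
SPEC: Dict[str, Any] = {
    "openapi": "3.0.3",
    "paths": {
        "/users/{id}": {
            "get": {"tags": ["users"], "responses": {"200": {}, "404": {}}},
            "patch": {
                "tags": ["users"],
                "requestBody": {"content": {"application/json": {"schema": {
                    "type": "object",
                    "properties": {"email": {"type": "string"}},
                }}}},
                "responses": {"200": {}},
            },
        },
        "/admin/users": {
            "get": {"tags": ["admin"], "responses": {"200": {}, "403": {}}},
        },
        "/me": {
            "put": {
                "tags": ["users"],
                "requestBody": {"content": {"application/json": {"schema": {
                    "type": "object",
                    "properties": {"name": {"type": "string"}},
                    "additionalProperties": False,
                }}}},
                "responses": {"200": {}},
            },
        },
    },
}


def operations(spec: Dict[str, Any]) -> Iterator[Tuple[str, str, Dict[str, Any]]]:
    """Yield (path, method, operation) in spec order."""
    for path, item in spec["paths"].items():
        for method in HTTP_METHODS:
            if method in item:
                yield path, method, item[method]


def bola_candidates(spec: Dict[str, Any]) -> List[str]:
    """Operations whose path carries an object identifier (API1 scope)."""
    return [f"{m.upper()} {p}" for p, m, _ in operations(spec) if "{" in p]


def bfla_candidates(spec: Dict[str, Any]) -> List[str]:
    """Operations tagged admin: reachable only with an admin token (API5 scope)."""
    return [f"{m.upper()} {p}" for p, m, op in operations(spec)
            if "admin" in [t.lower() for t in op.get("tags", [])]]


def bopla_exposed(spec: Dict[str, Any]) -> List[str]:
    """JSON request schemas that accept undeclared fields (API3 scope).

    Without additionalProperties: false, a body carrying a canary such as
    is_admin passes schema validation; whether it is then bound to the
    model is exactly what the mass-assignment check probes.
    """
    exposed = []
    for p, m, op in operations(spec):
        content = op.get("requestBody", {}).get("content", {})
        schema = content.get("application/json", {}).get("schema", {})
        if schema.get("type") == "object" and schema.get("additionalProperties") is not False:
            exposed.append(f"{m.upper()} {p}")
    return exposed


def response_conforms(spec: Dict[str, Any], path: str, method: str, status: int) -> bool:
    """Contract rule: status must be declared (or 'default') and never 5xx."""
    declared = spec["paths"][path][method].get("responses", {})
    if status >= 500:
        return False
    return str(status) in declared or "default" in declared


if __name__ == "__main__":
    print("BOLA candidates:", bola_candidates(SPEC))
    print("BFLA candidates:", bfla_candidates(SPEC))
    print("BOPLA exposure:", bopla_exposed(SPEC))
```

Closing request schemas with additionalProperties: false does not by itself stop mass assignment (that depends on how the server binds the body), but it makes the BOPLA result for that endpoint a clear server-side defect rather than a spec ambiguity.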

Cloudflare DNS (one-click verify)

If your DNS lives on Cloudflare, connect with a scoped API token in Settings > Integrations and we can write the verification TXT record for you. The token needs only Zone -> DNS -> Edit on the specific zone you're verifying.

Jira + Linear (ticket export)

On every finding you can click Export to Jira or Export to Linear to file a ticket pre-populated with title, severity, evidence, remediation, and the finding permalink. Configure the project + auth token once under Settings > Notifications. Growth+.

What we do NOT integrate with (yet)

  • SSO / SAML / SCIM - Enterprise plan only. Contact support.
  • PagerDuty / Opsgenie - use the generic webhook with a wrapper.
  • Datadog / Splunk / Sumo - the audit_logs table will be exportable via the upcoming API; raw export has not shipped yet.