Alerts: Slack, Discord, generic webhook
Fire whenever a scan produces a critical or high finding. Configure under Settings > Notifications (owner / admin only). URLs are encrypted at rest with AES-256-GCM; only the worker decrypts them at send time.
- Slack: paste an Incoming Webhook URL from your Slack workspace (must start with
https://hooks.slack.com/). - Discord: paste a channel webhook URL (a
discord.com/api/webhooks/endpoint). - Generic webhook: any https URL we can POST a plain JSON body to. The finding-summary event is
scan.completed.with_findings.
Risk-rating-drop webhook
The same connected webhooks also fire a scan.risk_rating.droppedevent when a target's letter grade gets strictly worse than the previous scan (e.g. B → C). The payload carries the previous and new grade and score, so you can route a regression straight into your own on-call or chat flow. No separate setup - it rides on the webhooks you connect under Settings > Notifications.
Cloud audit: AWS / Azure / GCP
Connect a read-only credential to run Prowler-based CIS benchmark and best-practice audits. Configure under Settings > Cloud integrations. We never request write permissions; the scan runs read-only. Credentials are encrypted at rest with AES-256-GCM and only decrypted by the worker for the lifetime of one Prowler run.
- AWS: a dedicated IAM user with the managed
SecurityAuditpolicy, then paste the access-key pair. - Azure: register an App in Azure AD, assign the built-in Reader role on the subscriptions you want audited, then paste tenant id, client id and a client secret.
- GCP: a service account with
roles/viewerandroles/iam.securityRevieweron the target projects, then upload the downloaded JSON key.
Kubernetes snapshot
Upload a YAML snapshot captured with kubectl get all -A -o yaml under Settings > Cloud integrations > Kubernetes. The worker scans the manifests with Kubescape's NSA framework. No outbound connection to your cluster ever happens; the snapshot is wiped after the scan completes.
Mobile binaries (APK / IPA)
Upload your release artifact under Settings > Cloud integrations > Mobile app. The worker decompiles APK files via apktool, unzips IPA files, then runs mobsfscan with the MASVS / OWASP Mobile Top 10 rule pack. See the dedicated guide at Docs > Mobile app scan for the full flow, limits, and what the report contains.
GitHub repository scans
Create a GitHub-type target and click Connect GitHubin the repo picker. This is a GitHub OAuth App flow - you authorize NANOTESTING (public repos by default, or include private repos), pick a repository, and the OAuth token is stored encrypted at rest. For a private repo you can alternatively paste a read-only Personal Access Token on the target's Credentials tab.
Once connected, the worker does a shallow clone (depth 50, single branch) and runs the full repo deep-scan: dependency CVEs across every lockfile, secret scanning across the commit history, filesystem CVE + IaC misconfiguration + secret patterns, SAST patterns, mobile-source patterns when detected, and Kubernetes manifest posture when detected. The clone is wiped after the scan.
OpenAPI spec upload
Upload an OpenAPI 3.x JSON / YAML or Swagger 2.0 spec on a web / API target. Once present, the worker runs:
- OpenAPI contract fuzz - status code, response schema, content type, server-error conformance.
- OWASP API1 BOLA - path-param endpoints reached with the primary AND alt bearer token.
- OWASP API3 BOPLA - mass-assignment with canary fields (is_admin, role, plan, ...).
- OWASP API5 BFLA - admin-tagged paths reached with a non-admin token.
IDOR / BOLA pair credentials are configured separately on the target's Credentials tab under Authenticated access testing (IDOR / BOLA). See Scan types reference for details.
Cloudflare DNS (one-click verify)
If your DNS lives on Cloudflare, connect a scoped API token under Settings > Integrations and we can write the target-verification TXT record for you. The token needs only Zone > DNS > Editon the zone you're verifying. The token is encrypted at rest; you can also pass a one-shot token at verify time instead of storing one.
README risk badge + JSON rating API
Every target exposes an embeddable risk-rating badge and a machine-readable rating endpoint. Open a target and use the Embed risk rating in your README card to copy ready-made snippets:
- SVG badge at
/badge/target/<id>.svg- shields-style grade + score, re-fetched every few minutes so it stays current. Markdown and HTML embeds are provided. - JSON rating API at
/badge/target/<id>/rating.json- returns overall score, letter grade, methodology version, and scan id. It surfaces only the rating, never per-finding detail. - GitHub Actions CI gate - a copy-paste workflow that curls the JSON endpoint and fails the build when the rating drops below your threshold.
These endpoints are public by URL - the target UUID is the secret. If you don't want a rating shared, simply don't paste the URL anywhere public.
Export: CSV / JSON / PDF
- Findings export (CSV / JSON): the Export button on a scan, a target, or the whole workspace streams the finding set. Growth plan and up.
- Compliance packs (CSV / JSON / PDF): per-framework evidence packs export to all three formats.
- Reports (PDF / ZIP): download the executive / developer / compliance / trend PDFs individually or as a single ZIP from a completed scan.
Brand monitoring
Tell the worker which brand keywords to watch under Settings > Brand monitoring. We watch public certificate-transparency logs for newly-issued certificates whose subjects match your keywords and surface anything not on your approved list. Read-only - we never actively probe a domain you don't own.
Blog RSS feed
Subscribe to product and security write-ups at /blog/rss.xml (RSS 2.0). This is a content feed, not a feed of your scan findings.
What we do NOT integrate with (yet)
- Jira / Linear / ServiceNow ticketing - no one-click ticket export yet. Use the generic webhook to file tickets from your own automation.
- PagerDuty / Opsgenie - use the generic webhook (or the
scan.risk_rating.droppedevent) with a thin wrapper. - Datadog / Splunk / Sumo Logic - no raw log/SIEM export shipped yet; the finding CSV / JSON export is the supported path today.
- SSO / SAML / SCIM - Enterprise plan only. Contact support.