Skip to content
Documentation

Integrations

Integrations

Everything NANOTESTING connects to. Most are optional; wire up the ones that match how your team works. This page lists only what actually ships today.

Alerts: Slack, Discord, generic webhook

Fire whenever a scan produces a critical or high finding. Configure under Settings > Notifications (owner / admin only). URLs are encrypted at rest with AES-256-GCM; only the worker decrypts them at send time.

  • Slack: paste an Incoming Webhook URL from your Slack workspace (must start with https://hooks.slack.com/).
  • Discord: paste a channel webhook URL (a discord.com/api/webhooks/ endpoint).
  • Generic webhook: any https URL we can POST a plain JSON body to. The finding-summary event is scan.completed.with_findings.

Risk-rating-drop webhook

The same connected webhooks also fire a scan.risk_rating.droppedevent when a target's letter grade gets strictly worse than the previous scan (e.g. B → C). The payload carries the previous and new grade and score, so you can route a regression straight into your own on-call or chat flow. No separate setup - it rides on the webhooks you connect under Settings > Notifications.

Cloud audit: AWS / Azure / GCP

Connect a read-only credential to run Prowler-based CIS benchmark and best-practice audits. Configure under Settings > Cloud integrations. We never request write permissions; the scan runs read-only. Credentials are encrypted at rest with AES-256-GCM and only decrypted by the worker for the lifetime of one Prowler run.

  • AWS: a dedicated IAM user with the managed SecurityAudit policy, then paste the access-key pair.
  • Azure: register an App in Azure AD, assign the built-in Reader role on the subscriptions you want audited, then paste tenant id, client id and a client secret.
  • GCP: a service account with roles/viewer and roles/iam.securityReviewer on the target projects, then upload the downloaded JSON key.

Kubernetes snapshot

Upload a YAML snapshot captured with kubectl get all -A -o yaml under Settings > Cloud integrations > Kubernetes. The worker scans the manifests with Kubescape's NSA framework. No outbound connection to your cluster ever happens; the snapshot is wiped after the scan completes.

Mobile binaries (APK / IPA)

Upload your release artifact under Settings > Cloud integrations > Mobile app. The worker decompiles APK files via apktool, unzips IPA files, then runs mobsfscan with the MASVS / OWASP Mobile Top 10 rule pack. See the dedicated guide at Docs > Mobile app scan for the full flow, limits, and what the report contains.

GitHub repository scans

Create a GitHub-type target and click Connect GitHubin the repo picker. This is a GitHub OAuth App flow - you authorize NANOTESTING (public repos by default, or include private repos), pick a repository, and the OAuth token is stored encrypted at rest. For a private repo you can alternatively paste a read-only Personal Access Token on the target's Credentials tab.

Once connected, the worker does a shallow clone (depth 50, single branch) and runs the full repo deep-scan: dependency CVEs across every lockfile, secret scanning across the commit history, filesystem CVE + IaC misconfiguration + secret patterns, SAST patterns, mobile-source patterns when detected, and Kubernetes manifest posture when detected. The clone is wiped after the scan.

OpenAPI spec upload

Upload an OpenAPI 3.x JSON / YAML or Swagger 2.0 spec on a web / API target. Once present, the worker runs:

  • OpenAPI contract fuzz - status code, response schema, content type, server-error conformance.
  • OWASP API1 BOLA - path-param endpoints reached with the primary AND alt bearer token.
  • OWASP API3 BOPLA - mass-assignment with canary fields (is_admin, role, plan, ...).
  • OWASP API5 BFLA - admin-tagged paths reached with a non-admin token.

IDOR / BOLA pair credentials are configured separately on the target's Credentials tab under Authenticated access testing (IDOR / BOLA). See Scan types reference for details.

Cloudflare DNS (one-click verify)

If your DNS lives on Cloudflare, connect a scoped API token under Settings > Integrations and we can write the target-verification TXT record for you. The token needs only Zone > DNS > Editon the zone you're verifying. The token is encrypted at rest; you can also pass a one-shot token at verify time instead of storing one.

README risk badge + JSON rating API

Every target exposes an embeddable risk-rating badge and a machine-readable rating endpoint. Open a target and use the Embed risk rating in your README card to copy ready-made snippets:

  • SVG badge at /badge/target/<id>.svg - shields-style grade + score, re-fetched every few minutes so it stays current. Markdown and HTML embeds are provided.
  • JSON rating API at /badge/target/<id>/rating.json - returns overall score, letter grade, methodology version, and scan id. It surfaces only the rating, never per-finding detail.
  • GitHub Actions CI gate - a copy-paste workflow that curls the JSON endpoint and fails the build when the rating drops below your threshold.

These endpoints are public by URL - the target UUID is the secret. If you don't want a rating shared, simply don't paste the URL anywhere public.

Export: CSV / JSON / PDF

  • Findings export (CSV / JSON): the Export button on a scan, a target, or the whole workspace streams the finding set. Growth plan and up.
  • Compliance packs (CSV / JSON / PDF): per-framework evidence packs export to all three formats.
  • Reports (PDF / ZIP): download the executive / developer / compliance / trend PDFs individually or as a single ZIP from a completed scan.

Brand monitoring

Tell the worker which brand keywords to watch under Settings > Brand monitoring. We watch public certificate-transparency logs for newly-issued certificates whose subjects match your keywords and surface anything not on your approved list. Read-only - we never actively probe a domain you don't own.

Blog RSS feed

Subscribe to product and security write-ups at /blog/rss.xml (RSS 2.0). This is a content feed, not a feed of your scan findings.

What we do NOT integrate with (yet)

  • Jira / Linear / ServiceNow ticketing - no one-click ticket export yet. Use the generic webhook to file tickets from your own automation.
  • PagerDuty / Opsgenie - use the generic webhook (or the scan.risk_rating.dropped event) with a thin wrapper.
  • Datadog / Splunk / Sumo Logic - no raw log/SIEM export shipped yet; the finding CSV / JSON export is the supported path today.
  • SSO / SAML / SCIM - Enterprise plan only. Contact support.