SecureScan
Self-hosted security-scanning orchestrator: 14 scanners across code, dependencies, IaC, containers, secrets, DAST, and network targets, normalized into a single deterministic finding stream — fronted by a CLI, a GitHub Action, and a web dashboard.
This is the operator + developer reference for SecureScan v0.11.0. If you have not used SecureScan before, Quick start: your first scan is the place to begin.
What you can do with SecureScan
- Run diff-aware scans on every PR. The `Metbcy/securescan@v1` GitHub Action wraps `securescan diff`, posts a single upserted PR comment of NEW findings, and uploads SARIF to GitHub's Security tab. See GitHub Action.
- Triage findings across rescans. Each finding has a stable fingerprint, so verdicts (`false_positive`, `accepted_risk`, `fixed`, …) and per-finding comments survive `DELETE /scans/{id}` and reappear on every later scan of the same target. See Triage workflow.
- Watch scans in real time. The dashboard's scan-detail page streams live per-scanner progress over Server-Sent Events. See Real-time scan progress.
- Fan out events to your tools. Outbound webhooks deliver HMAC-signed `scan.complete` / `scan.failed` / `scanner.failed` events to Slack, Discord, or any HTTP receiver, with a durable retry queue. See Webhooks.
- Issue scoped, hashed API keys. v0.8.0 replaces the single shared env-var key with DB-backed keys carrying explicit `read` / `write` / `admin` scopes per route. See API keys.
Audience
This documentation is written for three kinds of reader, in roughly this order of priority:
| Reader | What they need | Start here |
|---|---|---|
| Operator | Install, configure, harden, deploy, and maintain SecureScan in their org. Health probes, env vars, signed artifacts. | Install → Production checklist |
| Developer | Talk to the API. Ship a PR scan. Verify webhook signatures. | API overview → Webhook payloads |
| Security team | Understand what SecureScan covers, what it deliberately does not, and how findings are scored / suppressed / triaged. | Scan types → Supported scanners |
What this is not
SecureScan is intentionally not a SaaS, not an SBOM database, and not a vulnerability database in its own right. It orchestrates the open-source scanners you already trust (Semgrep, Bandit, Trivy, Checkov, ZAP, nmap, …), normalizes their output into a single shape, and adds diff-awareness, signed artifacts, and a deterministic serialization contract on top. See Architecture overview for the full picture.
How does this compare?
If you're evaluating SecureScan against tools you already use or are also considering, the Compare section has factual side-by-side write-ups:
- vs DefectDojo — different problem (vuln management hub vs PR-loop scanner); many teams use both.
- vs Trivy — SecureScan wraps Trivy and adds 13 more scanners plus a diff-aware PR loop.
- vs Snyk — OSS, self-hosted, deterministic vs SaaS with reachability analysis.
Project links
- Source: github.com/Metbcy/securescan
- Container image: `ghcr.io/metbcy/securescan`
- Wheel + sdist + sigstore bundles: attached to every GitHub Release
- Changelog: reference/changelog
- Release process: reference/release-process
This site documents the stable public API surface and the operational behavior. For the full request/response schema of every endpoint, including the schemas you will not find here, point your browser at the running server's `/docs` (FastAPI Swagger UI) or `/redoc`. See API endpoints for the entry point.