📚 Documentation

Everything you need to ship secure

Get started in 60 seconds, integrate with your CI, or dig into the API.

Quick start

Codifie Scan runs a full passive scan in 90 seconds. No signup is required to test a site — paste a URL and you're scanning.

  1. Go to the homepage and paste your URL into the scan bar.
  2. Wait ~90 seconds while we run 15 security modules.
  3. Review the findings — each ships with a paste-ready AI fix prompt.
  4. Paste the prompt into Cursor, Lovable, Bolt, v0, or Replit and ship the fix.

Active testing

Active testing sends real attack probes (SQLi, XSS, auth bypass, API fuzzing) against a domain you own. Findings are CONFIRMED exploitable, never speculative.

Prerequisites

  • Verify ownership of the target domain (DNS TXT record or HTML meta tag).
  • 3 credits per active test (~$0). Replaces a $5,000 manual pentest.
  • Probes are rate-limited and run from a fixed IP block so you can allowlist them.

How long does it take?

~8 minutes on average for a 5-page site. Larger surfaces scale linearly.

POST /api/v1/active-test
{
  "domain": "yoursite.com",
  "tests": ["sqli", "xss", "auth"],
  "scope": "owned-only"
}

API reference

Every dashboard action is available over the REST API. Authenticate with a bearer token from your dashboard.

Endpoints

POST/api/v1/scansStart a passive scan
GET/api/v1/scans/:idGet scan status & findings
GET/api/v1/scans/:id/findingsPaginated findings list
POST/api/v1/active-testStart an active DAST scan
GET/api/v1/active-test/:id/progressSSE stream of progress
POST/api/v1/verifyVerify a DNS TXT or meta tag

Webhooks

Subscribe to scan lifecycle events. We retry failed deliveries with exponential backoff up to 8 times.

Event types

  • scan.startedfired when a scan begins
  • scan.completedfired when a scan finishes
  • scan.failedfired if the scan errors
  • finding.criticalfired the moment a critical finding is detected

Payload

{
  "event": "scan.completed",
  "scan_id": "scn_8f3c…",
  "url": "https://yoursite.com",
  "grade": "B",
  "critical": 0,
  "high": 2,
  "report_url": "https://vibesafe.app/report/scn_8f3c…",
  "signature": "v1,t=1731,…"
}

CI/CD integration

Block merges on regressions. The Codifie Scan CLI exits non-zero if your grade drops or new critical findings appear vs. the last main-branch scan.

GitHub Actions

# .github/workflows/security.yml
- uses: vibesafe/scan-action@v1
  with:
    url: ${{ vars.PREVIEW_URL }}
    token: ${{ secrets.VIBESAFE_TOKEN }}
    fail-on: critical

GitLab / CircleCI / others

npx @vibesafe/cli scan --url $PREVIEW_URL --fail-on critical

Fix prompts

Every finding ships with a paste-ready prompt tuned for your AI assistant. Prompts are versioned and include the surrounding code context.

Supported assistants

  • Cursor — drops into ⌘K with the file already open
  • Lovable — pasted into the chat panel
  • Bolt.new — pasted into the project chat
  • v0 — pasted into a new generation
  • Replit Agent — pasted into the Agent chat

FAQ

Do you store the scanned site's content?

We store findings, a screenshot, and request/response samples for findings — never the full site. All data is encrypted at rest (AES-256) and deleted after 90 days on free, 365 days on paid.

Is this legal for sites I don't own?

Passive scans are legal anywhere — they only access publicly available data. Active scans require domain ownership verification (CFAA compliance).

Can I self-host?

Self-host is on the Enterprise tier — contact sales for details.

What about false positives?

Every active-test finding is CONFIRMED exploitable (we capture a proof-of-exploit payload). Passive findings have a confidence score; high-confidence findings have a false-positive rate below 0.5%.

Codifie Support
Hi! Send us a message and we'll get back to you. 👋