Quick start
Codifie Scan runs a full passive scan in 90 seconds. No signup is required to test a site — paste a URL and you're scanning.
- Go to the homepage and paste your URL into the scan bar.
- Wait ~90 seconds while we run 15 security modules.
- Review the findings — each ships with a paste-ready AI fix prompt.
- Paste the prompt into Cursor, Lovable, Bolt, v0, or Replit and ship the fix.
Active testing
Active testing sends real attack probes (SQLi, XSS, auth bypass, API fuzzing) against a domain you own. Findings are CONFIRMED exploitable, never speculative.
Prerequisites
- Verify ownership of the target domain (DNS TXT record or HTML meta tag).
- 3 credits per active test (~$0). Replaces a $5,000 manual pentest.
- Probes are rate-limited and run from a fixed IP block so you can allowlist them.
How long does it take?
~8 minutes on average for a 5-page site. Larger surfaces scale linearly.
POST /api/v1/active-test
{
"domain": "yoursite.com",
"tests": ["sqli", "xss", "auth"],
"scope": "owned-only"
}API reference
Every dashboard action is available over the REST API. Authenticate with a bearer token from your dashboard.
Endpoints
/api/v1/scansStart a passive scan/api/v1/scans/:idGet scan status & findings/api/v1/scans/:id/findingsPaginated findings list/api/v1/active-testStart an active DAST scan/api/v1/active-test/:id/progressSSE stream of progress/api/v1/verifyVerify a DNS TXT or meta tagWebhooks
Subscribe to scan lifecycle events. We retry failed deliveries with exponential backoff up to 8 times.
Event types
scan.started— fired when a scan beginsscan.completed— fired when a scan finishesscan.failed— fired if the scan errorsfinding.critical— fired the moment a critical finding is detected
Payload
{
"event": "scan.completed",
"scan_id": "scn_8f3c…",
"url": "https://yoursite.com",
"grade": "B",
"critical": 0,
"high": 2,
"report_url": "https://vibesafe.app/report/scn_8f3c…",
"signature": "v1,t=1731,…"
}CI/CD integration
Block merges on regressions. The Codifie Scan CLI exits non-zero if your grade drops or new critical findings appear vs. the last main-branch scan.
GitHub Actions
# .github/workflows/security.yml
- uses: vibesafe/scan-action@v1
with:
url: ${{ vars.PREVIEW_URL }}
token: ${{ secrets.VIBESAFE_TOKEN }}
fail-on: criticalGitLab / CircleCI / others
npx @vibesafe/cli scan --url $PREVIEW_URL --fail-on criticalFix prompts
Every finding ships with a paste-ready prompt tuned for your AI assistant. Prompts are versioned and include the surrounding code context.
Supported assistants
- Cursor — drops into ⌘K with the file already open
- Lovable — pasted into the chat panel
- Bolt.new — pasted into the project chat
- v0 — pasted into a new generation
- Replit Agent — pasted into the Agent chat
FAQ
Do you store the scanned site's content?
We store findings, a screenshot, and request/response samples for findings — never the full site. All data is encrypted at rest (AES-256) and deleted after 90 days on free, 365 days on paid.
Is this legal for sites I don't own?
Passive scans are legal anywhere — they only access publicly available data. Active scans require domain ownership verification (CFAA compliance).
Can I self-host?
Self-host is on the Enterprise tier — contact sales for details.
What about false positives?
Every active-test finding is CONFIRMED exploitable (we capture a proof-of-exploit payload). Passive findings have a confidence score; high-confidence findings have a false-positive rate below 0.5%.