VulnZap/Documentation
Get API Key
Complete Documentation

VulnZap Documentation

Comprehensive documentation for VulnZap Server API and CLI tools. Integrate vulnerability scanning into your development workflow with real-time security analysis.

Quick StartCLI Tools

Quick Start

Get up and running with VulnZap in under 5 minutes. Install CLI, connect to your IDE, and start scanning.

Start here

CLI Tools

Command-line interface with MCP protocol integration for real-time vulnerability scanning.

Explore CLI
Multi-Language
Support for 8+ Ecosystems
Real-time
Instant Vulnerability Detection
AI-Powered
Intelligent Security Analysis
MCP Ready
Model Context Protocol

Quick Start

Recommended

VulnZap provides security-first AI development with real-time vulnerability detection and automated security fixes.

Complete Onboarding (Recommended)

One Command

The fastest way to get started with VulnZap. This command handles authentication, API key setup, and IDE integration automatically.

Complete setup (recommended for new users)bash
npx vulnzap@latest init

What this does:

  • • Guides you through authentication setup
  • • Configures your API key
  • • Sets up IDE integration automatically
  • • Enables real-time vulnerability scanning

Manual Setup (Advanced)

Optional

If you prefer manual configuration, you can set up VulnZap step by step.

1. Configure API key:

Manual API key setupbash
vulnzap setup -k YOUR_API_KEY

2. Connect to your IDE:

IDE integrationbash
# For Cursor IDE
vulnzap connect --ide cursor

# For Windsurf IDE
vulnzap connect --ide windsurf

# For Cline (Claude Dev)
vulnzap connect --ide cline

Get your API key from the dashboard

Available Commands

Once configured, these commands are available for manual security scanning and management.

init

Complete VulnZap setup with authentication and IDE integration

setup

Configure VulnZap with your API key

connect

Connect VulnZap to your AI-powered IDE

check <package>

Check a package for vulnerabilities

batch-scan

Scan all packages in current directory

status

Check VulnZap server health

account

View account information

help

Display help information

Usage Examples

Complete setup (recommended):

Complete setupbash
vulnzap init

Check individual packages:

Package checkingbash
# Check a specific package
vulnzap check npm:express@4.17.1
vulnzap check pip:requests@2.25.1

# Alternative syntax  
vulnzap check express --ecosystem npm --version 4.17.1

Manual API key setup:

Manual setupbash
vulnzap setup -k your-api-key

Connect to IDE:

IDE integrationbash
vulnzap connect --ide cursor

Scan entire project:

Project scanningbash
# Batch scan current directory
vulnzap batch-scan

# Scan specific ecosystem  
vulnzap batch-scan --ecosystem npm

# Save results to file
vulnzap batch-scan --output security-report.json

Check status and account:

Status and accountbash
# Check server status
vulnzap status

# View account information
vulnzap account

Automatic Security Layer

AI-Powered

Once configured, VulnZap automatically protects your AI development workflow.

How it works:

  1. Your AI assistant suggests a package installation
  2. VulnZap automatically scans the package for vulnerabilities
  3. You receive security recommendations before installation
  4. Make informed decisions about package safety

Need Help?

Installation

VulnZap provides comprehensive vulnerability scanning across multiple ecosystems with native IDE integration.

System Requirements

Prerequisites

  • • Node.js 16+ or compatible runtime
  • • VulnZap API key
  • • Compatible IDE (optional but recommended)

Supported Operating Systems

  • • Windows 10/11
  • • macOS 10.15+
  • • Linux (Ubuntu, CentOS, etc.)

Installation Methods

VulnZap can be installed through your preferred package manager.

Using npm (recommended):

npm install -g vulnzap

Using yarn:

yarn global add vulnzap

Using pnpm:

pnpm add -g vulnzap

Ecosystem Support

Multi-language

VulnZap supports vulnerability scanning across multiple programming ecosystems.

npm

JavaScript/Node.js

package.json

pip

Python

requirements.txt

go

Go

go.mod

rust

Rust

Cargo.toml

maven

Java

pom.xml

gradle

Java/Kotlin

build.gradle

nuget

.NET

*.csproj

composer

PHP

composer.json

IDE Integration

MCP Protocol

VulnZap integrates with AI-powered IDEs using the Model Context Protocol (MCP) for seamless vulnerability scanning.

Cursor IDE

Popular

Native MCP integration with automatic configuration.

vulnzap setup -k YOUR_API_KEY --ide cursor

Windsurf IDE

AI-native

Seamless integration with Codeium's AI IDE.

vulnzap setup -k YOUR_API_KEY --ide windsurf

Cline (Claude Dev)

Full compatibility with Claude-based development tools.

vulnzap setup -k YOUR_API_KEY --ide cline

Generic MCP

Compatible with any MCP-enabled environment.

vulnzap secure --ide custom --port 3000

Installation Verification

Verify that VulnZap is correctly installed and configured:

Check installation:

vulnzap --version

Verify server connectivity:

vulnzap status

Test basic functionality:

vulnzap check npm:express@4.17.1

Success indicators:

  • • Version number displays correctly
  • • Server status shows "online"
  • • Test scan returns vulnerability data

Authentication

All API requests require authentication using VulnZap API keys. Learn how to obtain and use them securely.

Obtaining API Keys

Free tier available

API keys are automatically generated during account creation and can be managed from your dashboard.

Steps to get your API key:

  1. Sign up at vulnzap.com
  2. Navigate to API Keys in your dashboard
  3. Your default API key is automatically created
  4. Copy the key for use in your applications

API Key Format

VulnZap API keys follow a structured format for identification and security purposes.

API Key Structuretext
vz_12345678.abcdef123456789012345678

Prefix: vz_

Identifies the key as a VulnZap API key

Token: 24 characters

Cryptographically secure unique identifier

Using API Keys

Include your API key in the Authorization header of all HTTP requests using Bearer authentication.

HTTP Header Authentication

Request Headershttp
Authorization: Bearer vz_12345678.abcdef123456789012345678
Content-Type: application/json

cURL Example

Vulnerability Check Requestbash
curl -X GET "https://api.vulnzap.com/v1/scan" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"package": "express", "version": "4.17.1"}'

JavaScript/Node.js Example

JavaScript API Calljavascript
const response = await fetch('https://api.vulnzap.com/v1/scan', {
  method: 'POST',
  headers: {
    'Authorization': 'Bearer ' + process.env.VULNZAP_API_KEY,
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    package: 'express',
    version: '4.17.1'
  })
});

const data = await response.json();
console.log(data);

Python Example

Python API Callpython
import requests
import os

headers = {
    'Authorization': f'Bearer {os.getenv("VULNZAP_API_KEY")}',
    'Content-Type': 'application/json'
}

payload = {
    'package': 'express',
    'version': '4.17.1'
}

response = requests.post(
    'https://api.vulnzap.com/v1/scan',
    headers=headers,
    json=payload
)

print(response.json())

Security Best Practices

Use Environment Variables

Store API keys in environment variables, never hardcode them in source code.

export VULNZAP_API_KEY=vz_12345678.abcdef123456789012345678

Rotate Keys Regularly

Generate new API keys periodically and revoke unused keys.

Restrict Access

Only share API keys with authorized team members who require access.

Never Commit Keys

Add API keys to your .gitignore file and never commit them to version control.

Rate Limits

API usage is rate-limited by subscription tier to ensure service reliability and fair usage.

Free Tier

100

requests/hour

Core Tier

1,000

requests/hour

Pro Tier

10,000

requests/hour

Rate limit response headers:

X-RateLimit-Limit: 1000
X-RateLimit-Remaining: 999
X-RateLimit-Reset: 1640995200

VulnZap CLI Tools

Security-first CLI tool that integrates with AI-powered IDEs like Cursor, Cline, and Windsurf to provide real-time vulnerability scanning using the Model Context Protocol (MCP).

CLI Overview

VulnZap is a security-first CLI tool that integrates with AI-powered IDEs like Cursor, Cline, and Windsurf to provide real-time vulnerability scanning for packages before they are installed.

Real-time Scanning

Automatically scans packages before installation

Multi-Ecosystem

npm, pip, go, rust, maven, gradle, composer, nuget

MCP Integration

Native Model Context Protocol support

Installation

Global Installation

npm install -g vulnzap

From Source

git clone https://github.com/vulnzap/vulnzap.git\ncd vulnzap\nnpm install\nnpm run build\nnpm link

Key Commands

vulnzap init

Complete onboarding and configuration with interactive prompts.

vulnzap init

vulnzap check

Analyze a specific package for security vulnerabilities.

vulnzap check npm:express@4.17.1\nvulnzap check pip:requests@2.25.1

vulnzap batch-scan

Scan all packages in the current directory.

vulnzap batch-scan

Resources

Dashboard
Manage your account
API Keys
Get your API key

Examples

Production-ready examples demonstrating VulnZap integration across different platforms and workflows.

Production Ready

GitHub Actions CI/CD

Automation

Integrate VulnZap into your GitHub Actions workflow for automated security scanning on pull requests and deployments. Full CI/CD integration available now!

.github/workflows/security-scan.ymlyaml
name: Security Scan

on:
  push:
    branches: [ main, develop ]
  pull_request:
    branches: [ main ]

jobs:
  security-scan:
    runs-on: ubuntu-latest
    
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '18'
      
      - name: Run VulnZap Security Scan
        run: |
          npx vulnzap@latest init
          npx vulnzap@latest batch-scan --format json --output security-report.json
        env:
          VULNZAP_API_KEY: ${{ secrets.VULNZAP_API_KEY }}
      
      - name: Upload Security Report
        uses: actions/upload-artifact@v4
        with:
          name: security-report
          path: security-report.json
      
      - name: Comment PR with Results
        if: github.event_name == 'pull_request'
        uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            const report = JSON.parse(fs.readFileSync('security-report.json', 'utf8'));
            
            const vulnerabilities = report.data.vulnerabilities || [];
            const totalVulns = vulnerabilities.length;
            
            let comment = `## Security Scan Results\n\n`;
            
            if (totalVulns === 0) {
              comment += `**Status**: No vulnerabilities detected\n`;
            } else {
              comment += `**Status**: ${totalVulns} vulnerabilities found\n\n`;
              
              vulnerabilities.forEach(vuln => {
                comment += `- **${vuln.severity.toUpperCase()}**: ${vuln.title}\n`;
                comment += `  - Package: ${vuln.package}@${vuln.version}\n`;
                comment += `  - CVE: ${vuln.cve || 'N/A'}\n\n`;
              });
            }
            
            github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: comment
            });

Node.js Application Integration

Runtime

Implement a comprehensive security monitoring service for automated dependency scanning and reporting.

security-monitor.jsjavascript
const VulnZapClient = require('./vulnzapent');

class SecurityMonitor {
  constructor(apiKey) {
    this.client = new VulnZapClient(apiKey);
    this.vulnerabilities = new Map();
  }

  async scanPackageJson(packageJsonPath = './package.json') {
    const packageJson = require(packageJsonPath);
    const dependencies = {
      ...packageJson.dependencies,
      ...packageJson.devDependencies
    };

    const packages = Object.entries(dependencies).map(([name, version]) => ({
      name,
      version: version.replace(/^[^\d]*/, '') // Remove ^ ~ etc.
    }));

    try {
      const results = await this.client.batchScan(packages);
      return this.processResults(results);
    } catch (error) {
      console.error('Security scan failed:', error.message);
      throw error;
    }
  }

  processResults(results) {
    const vulnerabilities = [];
    const summary = {
      totalPackages: results.data.summary.total_packages,
      vulnerablePackages: results.data.summary.vulnerable_packages,
      totalVulnerabilities: results.data.summary.total_vulnerabilities,
      riskScore: results.data.summary.average_risk_score
    };

    results.data.results.forEach(result => {
      if (result.status === 'vulnerable') {
        vulnerabilities.push({
          package: result.package,
          version: result.version,
          vulnerabilityCount: result.vulnerabilities,
          riskScore: result.risk_score
        });
      }
    });

    return { vulnerabilities, summary };
  }

  async generateReport(format = 'json') {
    const scanResults = await this.scanPackageJson();
    
    if (format === 'json') {
      return JSON.stringify(scanResults, null, 2);
    }
    
    if (format === 'markdown') {
      return this.generateMarkdownReport(scanResults);
    }

    throw new Error(`Unsupported format: ${format}`);
  }

  generateMarkdownReport({ vulnerabilities, summary }) {
    let report = `# Security Scan Report\n\n`;
    report += `**Scan Date:** ${new Date().toISOString()}\n\n`;
    report += `## Summary\n\n`;
    report += `- **Total Packages:** ${summary.totalPackages}\n`;
    report += `- **Vulnerable Packages:** ${summary.vulnerablePackages}\n`;
    report += `- **Total Vulnerabilities:** ${summary.totalVulnerabilities}\n`;
    report += `- **Average Risk Score:** ${summary.riskScore.toFixed(2)}\n\n`;

    if (vulnerabilities.length > 0) {
      report += `## Vulnerabilities Found\n\n`;
      vulnerabilities.forEach(vuln => {
        report += `### ${vuln.package}@${vuln.version}\n`;
        report += `- **Vulnerabilities:** ${vuln.vulnerabilityCount}\n`;
        report += `- **Risk Score:** ${vuln.riskScore}\n\n`;
      });
    } else {
      report += `## No Vulnerabilities Detected\n\nAll dependencies are secure.\n`;
    }

    return report;
  }
}

module.exports = SecurityMonitor;
vulnzapent.jsjavascript
class VulnZapClient {
  constructor(apiKey) {
    this.apiKey = apiKey;
    this.baseUrl = 'https://api.vulnzap.com/v1';
  }

  async makeRequest(endpoint, options = {}) {
    const url = `${this.baseUrl}${endpoint}`;
    const headers = {
      'Authorization': `Bearer ${this.apiKey}`,
      'Content-Type': 'application/json',
      ...options.headers
    };

    const response = await fetch(url, {
      ...options,
      headers
    });

    if (!response.ok) {
      const error = await response.json();
      throw new Error(`API Error: ${error.message}`);
    }

    return response.json();
  }

  async scanPackage(packageName, version) {
    const endpoint = `/scan?package=${packageName}&version=${version}`;
    return this.makeRequest(endpoint);
  }

  async batchScan(packages) {
    const endpoint = '/scan/batch';
    return this.makeRequest(endpoint, {
      method: 'POST',
      body: JSON.stringify({ packages })
    });
  }
}

module.exports = VulnZapClient;
scan.jsjavascript
const SecurityMonitor = require('./security-monitor');

async function main() {
  const monitor = new SecurityMonitor(process.env.VULNZAP_API_KEY);

  try {
    console.log('Starting security scan...');
    
    const report = await monitor.generateReport('markdown');
    console.log(report);

    // Save report to file
    const fs = require('fs');
    fs.writeFileSync('security-report.md', report);
    
    console.log('Security report saved to security-report.md');
  } catch (error) {
    console.error('Security scan failed:', error.message);
    process.exit(1);
  }
}

if (require.main === module) {
  main();
}

Docker Integration

Container

Integrate security scanning into your Docker build process to fail builds on critical vulnerabilities.

Dockerfiledockerfile
FROM node:18-alpine

WORKDIR /app

# Copy package files
COPY package*.json ./

# Install dependencies
RUN npm ci --only=production

# Security scan step
ARG VULNZAP_API_KEY
ENV VULNZAP_API_KEY=${VULNZAP_API_KEY}

# Run security scan and fail build if vulnerabilities found
RUN npx vulnzap@latest init && \
    npx vulnzap@latest batch-scan --fail-on=high --format=json || \
    (echo "High severity vulnerabilities detected. Build failed." && exit 1)

# Copy application code
COPY . .

# Create non-root user
RUN addgroup -g 1001 -S nodejs && \
    adduser -S nextjs -u 1001

USER nextjs

EXPOSE 3000

CMD ["npm", "start"]
docker-compose.ymlyaml
version: '3.8'

services:
  app:
    build:
      context: .
      args:
        VULNZAP_API_KEY: ${VULNZAP_API_KEY}
    environment:
      - NODE_ENV=production
    ports:
      - "3000:3000"
    restart: unless-stopped

  security-scanner:
    image: node:18-alpine
    volumes:
      - ./:/app
    working_dir: /app
    environment:
      - VULNZAP_API_KEY=${VULNZAP_API_KEY}
    command: >
      sh -c "
        npm install &&
        npx vulnzap@latest init &&
        npx vulnzap@latest batch-scan --format=json --output=/app/security-report.json
      "
    profiles:
      - security

Python Integration

Multi-language

Integrate VulnZap API into Python applications for programmatic security scanning and automation.

vulnzap_scanner.pypython
import requests
import json
import os
from typing import List, Dict, Optional

class VulnZapClient:
    def __init__(self, api_key: str):
        self.api_key = api_key
        self.base_url = "https://api.vulnzap.com/v1"
        self.session = requests.Session()
        self.session.headers.update({
            "Authorization": f"Bearer {api_key}",
            "Content-Type": "application/json"
        })

    def scan_package(self, package: str, version: Optional[str] = None) -> Dict:
        """Scan a single package for vulnerabilities."""
        params = {"package": package}
        if version:
            params["version"] = version
            
        response = self.session.get(f"{self.base_url}/scan", params=params)
        response.raise_for_status()
        return response.json()

    def batch_scan(self, packages: List[Dict[str, str]]) -> Dict:
        """Scan multiple packages at once."""
        payload = {"packages": packages}
        response = self.session.post(
            f"{self.base_url}/scan/batch", 
            json=payload
        )
        response.raise_for_status()
        return response.json()

    def scan_requirements_file(self, file_path: str = "requirements.txt") -> Dict:
        """Scan packages from a requirements.txt file."""
        packages = []
        
        with open(file_path, 'r') as f:
            for line in f:
                line = line.strip()
                if line and not line.startswith('#'):
                    if '==' in line:
                        name, version = line.split('==')
                        packages.append({"name": name.strip(), "version": version.strip()})
                    else:
                        packages.append({"name": line.strip()})
        
        return self.batch_scan(packages)

def main():
    api_key = os.getenv("VULNZAP_API_KEY")
    if not api_key:
        raise ValueError("VULNZAP_API_KEY environment variable is required")
    
    client = VulnZapClient(api_key)
    
    try:
        print("Scanning requirements.txt...")
        results = client.scan_requirements_file()
        
        summary = results["data"]["summary"]
        print(f"\nScan Summary:")
        print(f"  Total packages: {summary['total_packages']}")
        print(f"  Vulnerable packages: {summary['vulnerable_packages']}")
        print(f"  Total vulnerabilities: {summary['total_vulnerabilities']}")
        print(f"  Average risk score: {summary['average_risk_score']:.2f}")
        
        if summary["vulnerable_packages"] > 0:
            print("\nVulnerable packages:")
            for result in results["data"]["results"]:
                if result["status"] == "vulnerable":
                    print(f"  {result['package']}@{result['version']} "
                          f"({result['vulnerabilities']} vulnerabilities, "
                          f"risk score: {result['risk_score']})")
        else:
            print("\nNo vulnerabilities detected.")
            
    except requests.RequestException as e:
        print(f"API request failed: {e}")
    except Exception as e:
        print(f"Error: {e}")

if __name__ == "__main__":
    main()

IDE Integrations

MCP Protocol

VulnZap integrates with AI-powered IDEs using the Model Context Protocol (MCP) for seamless vulnerability scanning.

Cursor IDE

Native MCP integration with automatic configuration.

Setup Guide

Windsurf IDE

Seamless integration with Codeium's AI IDE.

Setup Guide

Cline

MCP integration with the popular VS Code AI coding extension.

GitHub Repository

Ready to get started?

Install VulnZap in under 5 minutes and start protecting your applications from vulnerabilities.

Get API KeyDashboard