Installation

npx vulnzap init

Setup

1. Authenticate

Set your API key as an environment variable:
export VULNZAP_API_KEY=your_api_key_here
Get your API key from vulnzap.com/dashboard
Your API key should be stored as an environment variable and never committed to your repository.

2. Connect Your Repository

Navigate to your project directory:
cd /path/to/your/project
Ensure your VULNZAP_API_KEY environment variable is set

3. Run Your First Scan

Option A: Scan Entire Repository

vulnzap scan
This performs a deep sweep of your entire codebase, ranking findings by exploitability.

Option B: Scan Specific Files

vulnzap scan src/auth.js src/db/queries.ts

Option C: Watch Mode (Inline Scanning)

vulnzap watch
Automatically scans files as you save them during development.

View Results

In the Terminal

Scan results appear immediately in your terminal:
╔══════════════════════════════════════════════════════════╗
║ VulnZap Scan Results                                     ║
╠══════════════════════════════════════════════════════════╣
║ Risk Score: 67 (Medium)                                  ║
║ Total Findings: 8                                        ║
║ Critical: 2                                              ║
║ High: 3                                                  ║
║ Medium: 2                                                ║
║ Low: 1                                                   ║
╚══════════════════════════════════════════════════════════╝

┌─────────────────────────────────────────────────────────┐
│ CRITICAL: SQL Injection                                 │
├─────────────────────────────────────────────────────────┤
│ File: src/db/queries.ts:45                              │
│ Issue: Unsanitized user input in SQL query              │
│ Fix Available: Yes                                      │
└─────────────────────────────────────────────────────────┘

In the Dashboard

Visit vulnzap.com/dashboard to see:
  • Visual risk scoring and trends
  • Detailed vulnerability breakdowns
  • One-click patch application
  • Historical scan data

Apply Fixes

Automatic Patching

Apply all recommended fixes at once:
vulnzap fix --all

Selective Patching

Review and apply specific fixes:
vulnzap fix --interactive
This opens an interactive prompt where you can:
  • Review each vulnerability
  • See the proposed patch
  • Accept, reject, or modify fixes

Manual Review

Export patches for manual review:
vulnzap fix --export patches/
Always review patches before applying them to production code. While VulnZap patches are deterministic and context-aware, understanding the changes ensures they align with your application logic.

IDE Integration

For real-time scanning as you code, integrate VulnZap with your IDE (see the IDE Integration guide; the MCP configuration file locations are listed under Troubleshooting below).
Once configured, VulnZap automatically scans AI-generated code and highlights vulnerabilities inline.

CI/CD Integration

GitHub Actions

Add VulnZap to your GitHub Actions workflow:
.github/workflows/vulnzap.yml
name: VulnZap Security Scan

on:
  pull_request:
    branches: [main, develop]
  push:
    branches: [main]

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      
      - name: Run VulnZap Scan
        uses: VulnZap/vulnzap-cicd@v1
        with:
          api-key: ${{ secrets.VULNZAP_API_KEY }}
          fail-on: high # Block PRs with high/critical findings
          
      - name: Upload Results
        if: always()
        uses: actions/upload-artifact@v3
        with:
          name: vulnzap-results
          path: vulnzap-report.json
Get your API key from vulnzap.com/dashboard and add it to GitHub Secrets at Settings → Secrets and variables → Actions.

GitLab CI

.gitlab-ci.yml
stages:
  - security # a custom stage must be declared before a job can use it

vulnzap:
  stage: security
  image: node:18
  before_script:
    - npm install -g vulnzap
  script:
    - vulnzap scan --format json > vulnzap-report.json
  artifacts:
    when: always # keep the report even when the scan fails the job
    paths:
      - vulnzap-report.json # artifacts:reports has no vulnzap type, so store the JSON as a plain artifact
  only:
    - merge_requests
    - main

Troubleshooting

If authentication fails:
  1. Ensure you’re connected to the internet
  2. Check that your API key is valid at vulnzap.com/dashboard → Settings → API Keys
  3. Verify your VULNZAP_API_KEY environment variable is set correctly
If scans return no results:
  • Verify your language is supported (JS, TS, Python)
  • Check that files aren’t ignored in .vulnzapignore
  • Run with --verbose flag for detailed logging
For IDE integration issues:
  1. Verify your MCP configuration file exists (.cursor/mcp.json or .codeium/windsurf/mcp_config.json)
  2. Check that VULNZAP_API_KEY is set in the configuration
  3. Restart your IDE after configuration changes
  4. See IDE Integration for detailed setup