Free Security Audit API: Scan Your Code in 30 Seconds
Source: Dev.to
The Problem With Security Scanning Today
Static analysis tools are powerful but heavyweight. Setting up Semgrep, CodeQL, or Snyk in a CI pipeline can take hours. For a quick check on a code snippet, you need something lighter—an API that accepts code and returns findings without any CLI installation or large Docker images.
SecureScope: Security Audit as an API
SecureScope is a REST API that scans source code for security vulnerabilities. Send code in, get findings out. Each finding includes severity, description, affected line, and remediation steps.
Getting Your API Key
Free tier gives you 10 scans per month. No credit card required.
curl -X POST https://api.aaido.dev/signup \
-H "Content-Type: application/json" \
-d '{"email": "you@example.com"}'
Response
{
"api_key": "ak_abc123...",
"tier": "free",
"monthly_limit": 100
}
Save that key; it will not be shown again.
Your First Scan
Here is a Python snippet with an obvious vulnerability:
import pickle
data = pickle.loads(user_input)
Scan it
curl -X POST https://api.aaido.dev/v1/products/securescope/scan \
-H "X-API-Key: ak_your_key" \
-H "Content-Type: application/json" \
-d '{
"code": "import pickle\ndata = pickle.loads(user_input)",
"language": "python"
}'
Response
{
"findings": [
{
"severity": "HIGH",
"rule": "unsafe-deserialization",
"line": 2,
"message": "pickle.loads with untrusted input enables arbitrary code execution",
"remediation": "Use json.loads() or validate input before deserialization"
}
],
"scan_id": "sc_a1b2c3",
"risk_score": 8.5
}
Each finding tells you what is wrong, where, and a suggested fix. Read the remediation text critically, though: for this finding, "validate input before deserialization" is not a workable fix, because a pickle stream from an untrusted source can execute code the moment it is loaded, before any content check runs. The only safe remediation is to never unpickle untrusted data: use json or another data-only format, or authenticate the bytes (for example with an HMAC) before loading them.
A More Realistic Example
Scanning a Flask route that has multiple issues:
from flask import Flask, request
import subprocess
import sqlite3

app = Flask(__name__)

@app.route('/search')
def search():
    query = request.args.get('q')
    conn = sqlite3.connect('app.db')
    results = conn.execute(f"SELECT * FROM items WHERE name LIKE '%{query}%'")
    return str(results.fetchall())

@app.route('/run')
def run_cmd():
    cmd = request.args.get('cmd')
    output = subprocess.check_output(cmd, shell=True)
    return output
The scan picks up:
- SQL Injection (HIGH) on line 11 – f‑string in SQL query
- Command Injection (CRITICAL) on line 16 – unsanitized user input in shell command
- No CSRF Protection (MEDIUM) – Flask app without CSRF tokens
Remediation suggestions: use parameterized queries; drop shell=True and pass subprocess.run an argument list selected from an allowlist of permitted commands, never a string built from the request; add flask-wtf (CSRFProtect) for CSRF protection. Note that CSRF protection matters for state-changing routes; both routes here are GET handlers, and the real fix for /run is to stop exposing arbitrary commands at all.
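The hardened versions of the two handlers, placed beside the original patterns so the scanner's findings can be reproduced offline. This is an added example, not code from the original post: it uses an in-memory sqlite3 table constructed here instead of app.db, leaves Flask out so it runs anywhere, and the keys in ALLOWED_COMMANDS are hypothetical.

```python
"""Vulnerable vs. hardened forms of the /search and /run logic (added example)."""
import sqlite3
import subprocess


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for app.db, with a column an attacker would want."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO items (name, secret) VALUES (?, ?)",
        [("apple", "s1"), ("banana", "s2"), ("cherry", "s3")],
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, query: str) -> list:
    # Same f-string pattern as the /search route: the input becomes SQL text,
    # so a quote followed by UNION or a comment rewrites the query.
    return conn.execute(
        f"SELECT name FROM items WHERE name LIKE '%{query}%'"
    ).fetchall()


def escape_like(value: str) -> str:
    """Neutralize LIKE wildcards so a caller cannot widen the match with % or _."""
    return value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_safe(conn: sqlite3.Connection, query: str) -> list:
    # Parameterized: the value travels separately from the SQL text, and the
    # wildcards are escaped, so the input can only ever act as a search term.
    pattern = f"%{escape_like(query)}%"
    return conn.execute(
        "SELECT name FROM items WHERE name LIKE ? ESCAPE '\\'", (pattern,)
    ).fetchall()


# Allowlist for the /run route (hypothetical keys): the client chooses a key,
# never a command string, and each key maps to a fixed argv.
ALLOWED_COMMANDS = {
    "echo-ok": ["echo", "ok"],
    "disk-free": ["df", "-h", "/"],
}


def run_allowed(name: str) -> str:
    """Run a pre-defined argv without a shell; metacharacters in `name` never reach /bin/sh."""
    if name not in ALLOWED_COMMANDS:
        raise ValueError(f"command not permitted: {name!r}")
    proc = subprocess.run(
        ALLOWED_COMMANDS[name], capture_output=True, text=True, check=True
    )
    return proc.stdout


if __name__ == "__main__":
    db = make_db()
    payload = "' UNION SELECT secret FROM items --"  # constructed attack input
    print("vulnerable:", search_vulnerable(db, payload))  # names plus secrets
    print("safe:      ", search_safe(db, payload))        # nothing matches
    print(run_allowed("echo-ok").strip())
    try:
        run_allowed("echo-ok; id")
    except ValueError as exc:
        print("blocked:", exc)
```

Run it and the vulnerable search returns the secret column alongside the names, while the parameterized search returns nothing for the same input; the allowlisted runner rejects anything that is not a known key, so there is no string for shell metacharacters to land in.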
Integrating Into CI/CD
A simple GitHub Actions step:
- name: Security scan
  run: |
    RESULT=$(jq -Rs '{code: ., language: "python"}' src/main.py \
      | curl -sf -X POST https://api.aaido.dev/v1/products/securescope/scan \
          -H "X-API-Key: ${{ secrets.SECURESCOPE_KEY }}" \
          -H "Content-Type: application/json" \
          --data-binary @-)
    HIGH_COUNT=$(echo "$RESULT" | jq '[.findings[] | select(.severity == "HIGH" or .severity == "CRITICAL")] | length')
    if [ "$HIGH_COUNT" -gt 0 ]; then
      echo "Found $HIGH_COUNT high/critical vulnerabilities"
      echo "$RESULT" | jq '.findings[] | select(.severity == "HIGH" or .severity == "CRITICAL")'
      exit 1
    fi
This fails the job when a high or critical finding is present. Build the request body with jq rather than by hand (a JSON-encoded file pasted inside another pair of quotes is not valid JSON), and use curl -f so an auth error or an exhausted quota fails the step instead of passing silently with an empty findings list. Every scan call counts against the quota: at 10 scans per month the free tier cannot gate every push on a busy repository, so run the step on pull requests only, or only when selected paths change, and move to a paid tier for heavier use.
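The gate logic from the step above, pulled out of the shell one-liner so it can be unit-tested and so each blocking finding is surfaced as an inline pull-request annotation. This is an added example, not code from the original post: SAMPLE_RESULT is a constructed response in the schema the post shows, and the severity ranking and the configurable threshold are assumptions (the post itself gates only on HIGH and CRITICAL).

```python
"""CI gate for a SecureScope scan response (added example)."""
import json
import sys

# Assumed ranking; the post names these four levels but does not order them.
SEVERITY_ORDER = ["LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample in the response shape shown earlier in the post.
SAMPLE_RESULT = {
    "findings": [
        {"severity": "HIGH", "rule": "sql-injection", "line": 11,
         "message": "f-string in SQL query"},
        {"severity": "MEDIUM", "rule": "no-csrf-protection", "line": 1,
         "message": "Flask app without CSRF tokens"},
        {"severity": "CRITICAL", "rule": "command-injection", "line": 16,
         "message": "unsanitized user input in shell command"},
        {"severity": "UNRATED", "rule": "unknown-rule", "line": 3,
         "message": "severity value not in the known set"},
    ],
    "scan_id": "sc_sample",
    "risk_score": 9.0,
}


def blocking_findings(result: dict, min_severity: str = "HIGH") -> list:
    """Findings at or above min_severity. A severity string the gate does not
    recognise is kept (fail closed) rather than silently waved through."""
    floor = SEVERITY_ORDER.index(min_severity)
    blocking = []
    for finding in result.get("findings", []):
        sev = str(finding.get("severity", "")).upper()
        rank = SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else len(SEVERITY_ORDER)
        if rank >= floor:
            blocking.append(finding)
    return blocking


def annotation(finding: dict, path: str) -> str:
    """GitHub Actions workflow command; printed to stdout it renders as a PR annotation.
    Newlines in the message are percent-encoded, as the command format requires."""
    line = finding.get("line", 1)
    title = finding.get("rule", "finding")
    message = str(finding.get("message", "")).replace("\n", "%0A")
    return f"::error file={path},line={line},title={title}::{message}"


def gate(result: dict, path: str, min_severity: str = "HIGH") -> int:
    """Print one annotation per blocking finding; return the exit status for the job."""
    blocking = blocking_findings(result, min_severity)
    for finding in blocking:
        print(annotation(finding, path))
    return 1 if blocking else 0


if __name__ == "__main__":
    # Usage: curl ... | python gate.py src/main.py [MIN_SEVERITY]
    scanned_path = sys.argv[1] if len(sys.argv) > 1 else "src/main.py"
    threshold = sys.argv[2] if len(sys.argv) > 2 else "HIGH"
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_RESULT
    sys.exit(gate(data, scanned_path, threshold))
```

Pipe the curl response into the script in place of the jq filtering; the exit status drives the job result, and the `::error` lines show up on the changed lines in the pull request. The threshold is a single argument, so a repository can start by blocking on HIGH and tighten to MEDIUM later without touching the workflow logic.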
Supported Languages
Python, JavaScript, TypeScript, Go, Rust, Java, Solidity, Ruby, PHP. The scanner combines pattern matching with AI analysis, catching both known vulnerability patterns and context‑specific issues. Treat the AI-derived findings and remediation text as leads to verify rather than verdicts; model-generated analysis can both miss real issues and report ones that are not there.
Why an API Instead of a CLI Tool?
- Zero installation – works from any environment with curl
- Always updated – new rules deploy server‑side without client updates
- Composable – pipe output to Slack, Jira, or your own dashboard
The API returns structured JSON, not messy terminal output. Parse it, filter it, and route it wherever you need.
Pricing
- Free tier: 10 scans/month (covers casual use)
- Pro: $49/month for 50 scans with deeper analysis
- Enterprise: $199/month adds multi‑model consensus scanning
Product page: