Developer documentation
Vuldoo provides a REST API for automation: trigger vulnerability scans from CI/CD pipelines, scripts, or other tools. Access is controlled by API keys that you create in the Vuldoo app (Project Settings → API Access Control).
This documentation covers API keys, how to get the Domain ID, and how to trigger scans from pipelines (GitHub Actions, GitLab CI, Bitbucket Pipelines, Jenkins, AWS CodePipeline). More API capabilities may be added over time.
Quick reference (automation)
- Base URL: https://api.vuldoo.com/v1. All API requests use this base URL.
- Auth: Header x-api-key: <api-key-value>. API key from Project Settings → API Access Control.
- Domain ID: From Vuldoo app: Domains → domain card → ⋮ menu → Domain Info → copy Domain ID.
- GET /cicd/ping: Health check; validates API key.
- POST /cicd/scan: Body {"domainId":"<id>"} or {"domainId":"<id>","subdomain":"<hostname>"}. Triggers scan.
API keys
Each project can have one API key. Create it in Project Settings → API Access Control. The key value (secret) is shown only once at creation—copy it immediately and store it in your pipeline or environment as a secret.
You can copy the key value later from the same page (Copy button) and revoke the key at any time. Revoking invalidates the key immediately.
Base URL: Use Vuldoo’s API base URL for all requests:
https://api.vuldoo.com/v1
You do not need to deploy or host anything; this endpoint is provided by Vuldoo.
Test your API key: Call the ping endpoint to verify your key works:
curl -X GET -H "X-Api-Key: <API-KEY>" https://api.vuldoo.com/v1/cicd/ping
Where to get the Domain ID
The domainId is required when calling POST /cicd/scan. You can get it from the Vuldoo app:
- Open your project in the Vuldoo app and go to Domains.
- Find the domain card for the domain you want to scan.
- Click the ⋮ (more options) button on that card.
- Choose Domain Info. A modal opens with the domain details.
- Copy the Domain ID using the copy button next to it. Use this value as domainId in your API requests.
The domain must be validated for the project before you can trigger a scan via the API.
CI/CD integration
Trigger Vuldoo scans from your pipelines by calling the REST API with your API key in the x-api-key header. Below are setup notes for popular pipeline engines.
Prerequisites
- A Vuldoo project with at least one validated domain.
- An API key (Project Settings → API Access Control) and the Domain ID (Domains → ⋮ → Domain Info).
Endpoints
| Endpoint | Method | Purpose |
|---|---|---|
| /cicd/ping | GET | Health check; confirms the API key is valid. |
| /cicd/scan | POST | Trigger a scan. Body: {"domainId": "<id>"} or {"domainId": "<id>", "subdomain": "<hostname>"}. |
Authentication
Send the API key in the header:
x-api-key: <your-api-key-value>
Example: trigger a full domain scan
curl -X POST "https://api.vuldoo.com/v1/cicd/scan" \
  -H "Content-Type: application/json" \
  -H "x-api-key: $API_KEY" \
  -d '{"domainId":"your-domain-id"}'
Example: trigger a subdomain-only scan
curl -X POST "https://api.vuldoo.com/v1/cicd/scan" \
  -H "Content-Type: application/json" \
  -H "x-api-key: $API_KEY" \
  -d '{"domainId":"your-domain-id","subdomain":"staging.example.com"}'
GitHub Actions
Store VULDOO_API_KEY and VULDOO_DOMAIN_ID as repository or organization secrets. The API base URL is always https://api.vuldoo.com/v1. Example:
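# .github/workflows/vuldoo-scan.yml (example)
- name: Trigger Vuldoo scan
  # Pass secrets through env so they are not expanded into the script text.
  env:
    VULDOO_API_KEY: ${{ secrets.VULDOO_API_KEY }}
    VULDOO_DOMAIN_ID: ${{ secrets.VULDOO_DOMAIN_ID }}
  run: |
    curl -sS -X POST "https://api.vuldoo.com/v1/cicd/scan" \
      -H "Content-Type: application/json" \
      -H "x-api-key: $VULDOO_API_KEY" \
      -d "{\"domainId\":\"$VULDOO_DOMAIN_ID\"}"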
GitLab CI
Add VULDOO_API_KEY and VULDOO_DOMAIN_ID as CI/CD variables (masked). Base URL is https://api.vuldoo.com/v1. Example:
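# .gitlab-ci.yml (example)
vuldoo-scan:
  script:
    # Block scalar: the ": " inside the header strings would otherwise be read as YAML mapping syntax.
    - |
      curl -sS -X POST "https://api.vuldoo.com/v1/cicd/scan" \
        -H "Content-Type: application/json" \
        -H "x-api-key: $VULDOO_API_KEY" \
        -d "{\"domainId\":\"$VULDOO_DOMAIN_ID\"}"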
Bitbucket Pipelines
Define repository variables (secured) for the API key and domain ID. Use base URL https://api.vuldoo.com/v1. Example:
# bitbucket-pipelines.yml (example)
pipelines:
  default:
    - step:
        name: Vuldoo scan
        script:
          # Block scalar: the ": " inside the header strings would otherwise be read as YAML mapping syntax.
          - |
            curl -sS -X POST "https://api.vuldoo.com/v1/cicd/scan" \
              -H "Content-Type: application/json" \
              -H "x-api-key: $VULDOO_API_KEY" \
              -d "{\"domainId\":\"$VULDOO_DOMAIN_ID\"}"
Jenkins
Store the API key in Jenkins credentials or as an environment variable. Base URL is https://api.vuldoo.com/v1. In a pipeline or freestyle step, run: curl -X POST "https://api.vuldoo.com/v1/cicd/scan" -H "x-api-key: $API_KEY" -H "Content-Type: application/json" -d '{"domainId":"<id>"}'. You can pass the domain ID as a build parameter or from a config file.
AWS CodePipeline
Use a CodeBuild project or Lambda in the pipeline to trigger the scan. Store the API key in Secrets Manager or SSM Parameter Store and the domain ID as an environment variable or parameter. Base URL is https://api.vuldoo.com/v1. From the build or Lambda, send an HTTPS POST to https://api.vuldoo.com/v1/cicd/scan with x-api-key and the JSON body.
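A hardened wrapper for the ping and scan calls used in the pipeline sections above, usable from any of those engines (an added example, not Vuldoo's own code). It keeps the API key out of the process list, refuses inputs that could alter the JSON body or the header, and fails the job when the key is rejected. Assumptions: the function names are hypothetical, Domain IDs contain only letters, digits and `. _ : -`, the API answers a rejected key with an HTTP error status, and curl is 7.55.0 or newer.

```shell
#!/usr/bin/env bash
# Added example (not Vuldoo's code): trigger a scan without exposing the key.
# Usage: VULDOO_API_KEY=<key> ./vuldoo-scan.sh <domain-id> [subdomain]
set -u
VULDOO_BASE_URL="https://api.vuldoo.com/v1"   # base URL from the documentation

# Build the JSON body for POST /cicd/scan. Assumption: Domain IDs use only
# letters, digits and . _ : - ; anything else is refused, not interpolated.
build_scan_body() {
  local domain_id="${1:-}" subdomain="${2:-}"
  case "$domain_id" in
    ''|*[!A-Za-z0-9._:-]*) echo "invalid domain ID" >&2; return 1 ;;
  esac
  if [ -z "$subdomain" ]; then
    printf '{"domainId":"%s"}\n' "$domain_id"; return 0
  fi
  case "$subdomain" in
    *[!A-Za-z0-9.-]*|.*|-*) echo "invalid subdomain" >&2; return 1 ;;
  esac
  printf '{"domainId":"%s","subdomain":"%s"}\n' "$domain_id" "$subdomain"
}

# Emit the auth header; refuse an empty key or one with whitespace/control
# characters, which could smuggle extra header lines into the request.
auth_header() {
  case "${VULDOO_API_KEY:-}" in
    ''|*[[:cntrl:][:space:]]*) echo "VULDOO_API_KEY missing or malformed" >&2; return 1 ;;
  esac
  printf 'x-api-key: %s\n' "$VULDOO_API_KEY"
}

# curl reads the header from stdin (-H @-, curl >= 7.55.0), keeping the key
# out of the process list. --fail makes HTTP >= 400 a non-zero exit.
vuldoo_call() {
  local method="$1" path="$2" hdr; shift 2
  hdr=$(auth_header) || return 1
  printf '%s\n' "$hdr" | curl -sS --fail -X "$method" -H @- "$@" "$VULDOO_BASE_URL$path"
}

trigger_scan() {
  local body
  body=$(build_scan_body "$@") || return 1
  # Check the key with /cicd/ping first so a revoked key fails the job clearly.
  vuldoo_call GET /cicd/ping >/dev/null || { echo "ping failed: key rejected or API unreachable" >&2; return 1; }
  vuldoo_call POST /cicd/scan -H "Content-Type: application/json" -d "$body"
}

if [ "$#" -gt 0 ]; then trigger_scan "$@"; fi
```

Run without arguments, the script only defines the functions, so it can also be sourced from a pipeline step.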
Videos
Step-by-step video guides will be added here. For now, use the written documentation above.