Security Scanning
Detect vulnerabilities, misconfigurations, and exposed secrets across your attack surface with automated scanning.
Overview
SecPortal provides three types of security scanning, each targeting a different layer of your infrastructure:
- External scans: Domain-level reconnaissance covering SSL/TLS, HTTP security headers, DNS, open ports, technology fingerprinting, subdomains, exposed paths, and more.
- Authenticated scans: Tests run from behind a login page, covering SQLi, XSS, IDOR, SSRF, broken access control, CSRF, and 11 more vulnerability classes.
- Code scans: Static analysis (SAST) and dependency auditing (SCA) on connected GitHub, GitLab, or Bitbucket repositories.
External Scans
External scans run against verified domains using a two-phase architecture:
Phase 1 — Instant Results
Six fast modules run synchronously and return results within seconds:
Phase 2 — Deep Analysis
Ten deep modules run asynchronously via the background worker:
Authenticated Scans
Authenticated scans test web applications from behind a login, using stored credentials. They run all external scan modules plus 17 specialised security tests:
Credential Types
- Cookie — Paste a session cookie from your browser
- Bearer Token — API token or JWT for stateless authentication
- Basic Auth — Username and password sent via HTTP Basic
- Form Login — Scanner fills in a login form automatically, capturing the session
Code Scans (SAST & SCA)
Code scanning analyses your source code for vulnerabilities and insecure dependencies:
- SAST: Uses Semgrep to detect security issues in your source code, such as injection flaws, hardcoded secrets, and insecure patterns.
- SCA: Analyses package manifests with npm audit, pip-audit, and govulncheck, and flags dependencies in your dependency tree that carry known vulnerabilities (CVEs).
Supported Providers
- GitHub — Connect via OAuth, scan public and private repos
- GitLab — Connect via OAuth, supports self-hosted instances
- Bitbucket — Connect via OAuth
Domain Verification
Before scanning a domain, you must prove ownership by verifying it. This prevents unauthorised scanning of domains you don't control.
Verification Methods
- DNS TXT Record — Add a TXT record to your domain's DNS. Available on all plans.
- Meta Tag — Add a meta tag to your homepage HTML. Pro and Team only.
- File Upload — Host a verification file at a known path. Pro and Team only.
Verified domains expire after 90 days and must be re-verified. Domains you do not own require an attestation confirming that you are authorised to test them.
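The check a verifier runs for each of the three methods, as an added example (this is not SecPortal's own code). It assumes a TXT record of the form `secportal-verification=<token>`, a `<meta name="secportal-verification">` tag, and a file whose body is the token; SecPortal's real record names, tag name and file path are not documented on this page. The plan gating and the 90-day expiry are taken from the text above. The DNS records and HTML it checks are constructed inline, not fetched.

```python
import hmac
from datetime import datetime, timedelta
from html.parser import HTMLParser

# Assumed names; SecPortal's real TXT prefix, meta tag name and file path are not on this page.
TXT_PREFIX = "secportal-verification="
META_NAME = "secportal-verification"
VERIFICATION_TTL = timedelta(days=90)          # documented: re-verify after 90 days
# Documented plan gating: DNS on every plan, meta tag and file upload on Pro and Team only.
METHOD_PLANS = {
    "dns_txt": {"starter", "pro", "team"},
    "meta_tag": {"pro", "team"},
    "file_upload": {"pro", "team"},
}


class _MetaCollector(HTMLParser):
    """Collect the content= value of every <meta name=META_NAME> tag in the homepage HTML."""

    def __init__(self):
        super().__init__()
        self.values = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("name", "").lower() == META_NAME:
            self.values.append(a.get("content", ""))


def _token_present(expected, candidates):
    # Constant-time compare, so the verifier never leaks how much of a token matched.
    want = expected.encode()
    return any(hmac.compare_digest(want, c.strip().encode()) for c in candidates)


def verify_domain(method, plan, token, evidence):
    """Check evidence fetched for a domain against the token issued for it.

    evidence is a list of TXT record strings for dns_txt, the homepage HTML for
    meta_tag, or the body served at the known path for file_upload.
    Returns (verified, reason).
    """
    if method not in METHOD_PLANS:
        return False, "unknown verification method"
    if plan not in METHOD_PLANS[method]:
        return False, f"{method} is not available on the {plan} plan"
    if method == "dns_txt":
        # TXT values often arrive quoted, and the zone usually also carries SPF/DKIM records.
        values = [r.strip().strip('"') for r in evidence]
        ok = _token_present(TXT_PREFIX + token, values)
    elif method == "meta_tag":
        collector = _MetaCollector()
        collector.feed(evidence)
        ok = _token_present(token, collector.values)
    else:
        ok = _token_present(token, [evidence])
    return ok, "verified" if ok else "token not found"


def needs_reverification(verified_at, now):
    """True once a verification is 90 days old. Accepts datetimes or ISO 8601 strings."""
    if isinstance(verified_at, str):
        verified_at = datetime.fromisoformat(verified_at)
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    return now - verified_at >= VERIFICATION_TTL


# Constructed evidence for a demo run (not real DNS answers or HTTP responses).
DEMO_TXT = ['"v=spf1 include:_spf.example.net -all"', '"secportal-verification=tok_9f2a"']
DEMO_HTML = ('<html><head><meta charset="utf-8">'
             '<meta name="secportal-verification" content="tok_9f2a"></head></html>')

if __name__ == "__main__":
    print(verify_domain("dns_txt", "starter", "tok_9f2a", DEMO_TXT))
    print(verify_domain("meta_tag", "starter", "tok_9f2a", DEMO_HTML))   # blocked by plan
    print(verify_domain("meta_tag", "pro", "tok_9f2a", DEMO_HTML))
    print(needs_reverification("2024-03-01T00:00:00+00:00", "2024-06-01T00:00:00+00:00"))
```

The HTML is walked with a real parser rather than a regex, so attribute order, quoting and case do not matter, and `hmac.compare_digest` is used for the token comparison out of habit: a verifier that short-circuits on the first mismatching byte leaks nothing useful here, but it is the right default for any secret comparison.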
Scan Scheduling
Create recurring scan schedules for any scan type — external, authenticated, or code. Available frequencies:
- Daily — Runs every day at midnight UTC
- Weekly — Runs every Monday at midnight UTC
- Biweekly — Runs on the 1st and 15th of each month
- Monthly — Runs on the 1st of each month
Scheduled runs count against your plan's monthly scan quota. If the quota is exhausted when a run is due, the schedule skips that run and advances to the next interval. Schedules are disabled automatically if your plan is downgraded below the tier that allows them.
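The due-time and quota rules above, worked through in code as an added example (not SecPortal's scheduler). The frequencies, the midnight-UTC rule, the skip-on-exhausted-quota behaviour and the Team-only gating are taken from this page; the assumption that the monthly quota resets on the 1st of each month is the example's own, as are the function names.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
FREQUENCIES = ("daily", "weekly", "biweekly", "monthly")
SCHEDULE_PLANS = {"team"}          # plan table: scheduled scans are Team-only


def _as_utc(dt):
    """Accept a datetime or ISO 8601 string; refuse naive values, everything here is UTC."""
    if isinstance(dt, str):
        dt = datetime.fromisoformat(dt)
    if dt.tzinfo is None:
        raise ValueError("schedule times must be timezone-aware")
    return dt.astimezone(UTC)


def next_run(frequency, after):
    """First due time strictly after `after`, at 00:00 UTC, per the documented rules."""
    after = _as_utc(after)
    day = after.replace(hour=0, minute=0, second=0, microsecond=0)
    if frequency == "daily":
        return day + timedelta(days=1)
    if frequency == "weekly":                       # Monday is weekday() == 0
        return day + timedelta(days=(7 - day.weekday()) % 7 or 7)
    if frequency in ("biweekly", "monthly"):
        days = (1, 15) if frequency == "biweekly" else (1,)
        candidates = []
        for months_ahead in (0, 1):                 # this month and next cover every case
            carry, month0 = divmod(day.month - 1 + months_ahead, 12)
            for dom in days:
                candidates.append(datetime(day.year + carry, month0 + 1, dom, tzinfo=UTC))
        return min(c for c in candidates if c > after)
    raise ValueError(f"unknown frequency {frequency!r}")


def simulate(frequency, plan, start, end, monthly_quota):
    """Walk a schedule from start to end and record what happens at each due time.

    Documented: a due run is skipped (and the schedule advances) when the monthly
    quota is exhausted; the schedule is disabled if the plan no longer allows it.
    Assumed: the quota resets on the 1st of each month.
    """
    start, end = _as_utc(start), _as_utc(end)
    if plan not in SCHEDULE_PLANS:
        return [("disabled", start)]
    events, remaining = [], monthly_quota
    month = (start.year, start.month)
    due = next_run(frequency, start)
    while due <= end:
        if (due.year, due.month) != month:
            month, remaining = (due.year, due.month), monthly_quota
        if remaining > 0:
            remaining -= 1
            events.append(("run", due))
        else:
            events.append(("skipped", due))
        due = next_run(frequency, due)
    return events


def actions(events):
    """Just the action names, e.g. ['run', 'run', 'skipped']."""
    return [a for a, _ in events]


if __name__ == "__main__":
    # Constructed scenario: a daily schedule with a hypothetical quota of 2 scans a month.
    for action, due in simulate("daily", "team", "2024-01-28T12:00:00+00:00",
                                "2024-02-03T00:00:00+00:00", 2):
        print(due.date(), action)
```

Two details worth noticing: a schedule created at 00:30 local time in a UTC+1 zone is still measured against midnight UTC, so its first run is only half an hour away, and a daily schedule on a small quota spends most of the month being skipped, which is the expected outcome rather than a failure.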
Scoring & Grades
Every scan produces a score from 0 to 100. Each finding removes points according to its severity, on a logarithmic curve: the first finding of a given severity costs its full base penalty, and each additional finding of the same severity costs less. The example column shows the score for a scan whose only findings are the stated number of that severity:
| Severity | Base penalty | Example scores |
|---|---|---|
| Critical | 25 pts | 1 critical = 75, 3 = 47 |
| High | 15 pts | 1 high = 85, 5 = 61 |
| Medium | 8 pts | 1 medium = 92, 22 = 67 |
| Low | 3 pts | 1 low = 97, 10 = 90 |
| Info | 0 pts | No impact on score |
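A scorer that reproduces the table, as an added example rather than SecPortal's implementation. The page gives the base penalties and the example scores but not the curve; the form used here, base × (1 + ln n) for n findings of one severity, is an assumption chosen because it lands within a point of every example (the exact curve and rounding SecPortal applies are not documented). The function names and the clamp at 0 are the example's own.

```python
import math
from collections import Counter

# Base penalties from the table above.
BASE_PENALTY = {"critical": 25, "high": 15, "medium": 8, "low": 3, "info": 0}
MAX_SCORE = 100


def severity_penalty(severity, count):
    """Points removed for `count` findings of one severity.

    Assumed curve: base * (1 + ln(count)). The first finding costs the full base,
    later ones progressively less, which is the documented diminishing-returns shape.
    """
    base = BASE_PENALTY[severity]
    if count <= 0 or base == 0:
        return 0.0
    return base * (1.0 + math.log(count))


def score(severities):
    """Score for a scan, given one severity string per finding."""
    counts = Counter(s.lower() for s in severities)
    unknown = set(counts) - set(BASE_PENALTY)
    if unknown:
        raise ValueError(f"unknown severities: {sorted(unknown)}")
    total = sum(severity_penalty(s, n) for s, n in counts.items())
    return max(0, round(MAX_SCORE - total))   # clamp: enough criticals floor the score at 0


def marginal_penalties(severity, up_to):
    """Cost of the 1st, 2nd, ... nth finding of one severity, to show the diminishing returns."""
    return [round(severity_penalty(severity, n) - severity_penalty(severity, n - 1), 2)
            for n in range(1, up_to + 1)]


if __name__ == "__main__":
    for sev, n in (("critical", 3), ("high", 5), ("medium", 22), ("low", 10)):
        print(f"{n} x {sev}: {score([sev] * n)}")
    print("marginal cost of each extra critical:", marginal_penalties("critical", 5))
```

The practical consequence of the curve is that a score is a poor triage signal on its own: the third critical costs about 10 points where the first cost 25, so a scan with one critical and a scan with five both sit in the same band and the finding list, not the number, is what needs reading.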
Grade Scale
Plan Limits
| Feature | Starter | Pro | Team |
|---|---|---|---|
| Verified domains | 1 | 5 | 10 |
| External scans/month | 2 | 50 | 100 |
| Scan cooldown | 24h | None | None |
| Verification methods | DNS | All | All |
| Subdomain scanning | ✗ | ✓ | ✓ |
| Attack surface discovery | ✗ | ✓ | ✓ |
| Authenticated scanning | ✗ | ✓ | ✓ |
| Code scans/month | ✗ | 20 | 100 |
| Connected repos | ✗ | 5 | 25 |
| Scheduled scans | ✗ | ✗ | ✓ |