Ahmed Moussa

Posted on • Originally published at api.aaido.dev

Free Security Audit API: Scan Your Code in 30 Seconds

Most developers know they should scan their code for vulnerabilities. Few actually do it consistently. The friction is real: install a tool, configure rules, wait for a slow scan, parse noisy output.

What if you could scan any code snippet with a single curl command and get structured JSON back in under 30 seconds?

The Problem With Security Scanning Today

Static analysis tools are powerful but heavy. Setting up Semgrep, CodeQL, or Snyk in a CI pipeline takes hours. For a quick check on a code snippet, you need something lighter.

I wanted an API where I could POST code and GET findings. No CLI installation, no configuration files, no 200MB Docker images.

SecureScope: Security Audit as an API

SecureScope is a REST API that scans source code for security vulnerabilities. Send code in, get findings out. Each finding includes severity, description, affected line, and remediation steps.

Getting Your API Key

Free tier gives you 10 scans per month. No credit card.

curl -X POST https://api.aaido.dev/signup \
  -H "Content-Type: application/json" \
  -d '{"email": "you@example.com"}'

Response:

{
  "api_key": "ak_abc123...",
  "tier": "free",
  "monthly_limit": 100
}

Save that key. It will not be shown again.

Your First Scan

Here is a Python snippet with an obvious vulnerability:

import pickle
data = pickle.loads(user_input)

Scan it:

curl -X POST https://api.aaido.dev/v1/products/securescope/scan \
  -H "X-API-Key: ak_your_key" \
  -H "Content-Type: application/json" \
  -d '{
    "code": "import pickle\ndata = pickle.loads(user_input)",
    "language": "python"
  }'

Response:

{
  "findings": [
    {
      "severity": "HIGH",
      "rule": "unsafe-deserialization",
      "line": 2,
      "message": "pickle.loads with untrusted input enables arbitrary code execution",
      "remediation": "Use json.loads() or validate input before deserialization"
    }
  ],
  "scan_id": "sc_a1b2c3",
  "risk_score": 8.5
}

Each finding tells you exactly what is wrong, where, and how to fix it.

A More Realistic Example

Let me scan a Flask route that has multiple issues:

from flask import Flask, request
import subprocess
import sqlite3

app = Flask(__name__)

@app.route('/search')
def search():
    query = request.args.get('q')
    conn = sqlite3.connect('app.db')
    results = conn.execute(f"SELECT * FROM items WHERE name LIKE '%{query}%'")
    return str(results.fetchall())

@app.route('/run')
def run_cmd():
    cmd = request.args.get('cmd')
    output = subprocess.check_output(cmd, shell=True)
    return output

The scan picks up:

  • SQL Injection (HIGH) on line 11 -- f-string in SQL query
  • Command Injection (CRITICAL) on line 16 -- unsanitized user input in shell command
  • No CSRF Protection (MEDIUM) -- Flask app without CSRF tokens

Each comes with a remediation: use parameterized queries, call subprocess.run with a whitelist of allowed commands instead of shell=True, and add flask-wtf for CSRF protection.
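The remediations the scanner recommends for the /search and /run routes above, written out as an added example (this is not the post's or SecureScope's code). The route bodies are plain functions so they run without Flask; in the app you would call them with the request.args values. The items table, its rows and the command allowlist are constructed for the demo.

```python
import sqlite3
import subprocess
import sys

# Constructed allowlist for the /run route (assumption: the real application
# decides which fixed argv vectors are legitimate). The user supplies a *name*;
# the argv that runs is never assembled from user text.
ALLOWED_COMMANDS = {
    "python-version": [sys.executable, "--version"],
    "hello": [sys.executable, "-c", "print('hello')"],
}


def escape_like(value):
    """Escape LIKE metacharacters so user input matches literally."""
    return value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_items(conn, query):
    """Hardened /search body: the value is bound as a parameter, never
    interpolated into the SQL text, so quotes in `query` cannot alter the
    statement. The wildcards are added to the bound value, not the SQL."""
    pattern = f"%{escape_like(query)}%"
    rows = conn.execute(
        "SELECT name FROM items WHERE name LIKE ? ESCAPE '\\' ORDER BY name",
        (pattern,),
    ).fetchall()
    return [name for (name,) in rows]


def run_allowed_command(name):
    """Hardened /run body: look the name up in the allowlist and run the fixed
    argv with shell=False, so shell metacharacters are never interpreted."""
    argv = ALLOWED_COMMANDS.get(name)
    if argv is None:
        raise ValueError(f"command not allowed: {name!r}")
    completed = subprocess.run(argv, capture_output=True, text=True, check=True, timeout=10)
    return completed.stdout.strip()


def demo_db():
    """Constructed in-memory table standing in for app.db."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?)",
                     [("apple",), ("apple_pie",), ("100% juice",), ("secret",)])
    return conn
```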

Integrating Into CI/CD

A simple GitHub Actions step:

- name: Security scan
  run: |
    # jq builds the request body so newlines and quotes in the source file
    # are JSON-escaped correctly (-R reads raw text, -s slurps the whole file).
    BODY=$(jq -Rs '{code: ., language: "python"}' src/main.py)

    RESULT=$(curl -sS --fail -X POST https://api.aaido.dev/v1/products/securescope/scan \
      -H "X-API-Key: ${{ secrets.SECURESCOPE_KEY }}" \
      -H "Content-Type: application/json" \
      -d "$BODY")

    HIGH_COUNT=$(echo "$RESULT" | jq '[.findings[] | select(.severity == "HIGH" or .severity == "CRITICAL")] | length')

    if [ "$HIGH_COUNT" -gt 0 ]; then
      echo "Found $HIGH_COUNT high/critical vulnerabilities"
      echo "$RESULT" | jq '.findings[] | select(.severity == "HIGH" or .severity == "CRITICAL")'
      exit 1
    fi

This blocks PRs with high-severity findings. Free tier covers most small teams at 10 scans per month.

Supported Languages

Python, JavaScript, TypeScript, Go, Rust, Java, Solidity, Ruby, PHP. The scanner combines pattern matching with AI analysis, so it catches both known vulnerability patterns and context-specific issues.

Why an API Instead of a CLI Tool?

Three reasons:

  1. Zero installation -- works from any environment with curl
  2. Always updated -- new rules deploy server-side without client updates
  3. Composable -- pipe output to Slack, Jira, or your own dashboard

The API returns structured JSON, not messy terminal output. Parse it, filter it, route it wherever you need.

Pricing

The free tier (10 scans/month) covers casual use. Pro at $49/month gives 50 scans with deeper analysis. Enterprise at $199/month adds multi-model consensus scanning.

Product page: api.aaido.dev/products/securescope
