SecuScan API

Embed SecuScan everywhere: SDK, REST, webhooks

OpenAPI 3.1, Bearer/JWT authentication, HMAC-signed webhooks, official Python and Go SDKs.

# Lancer un scan EASM sur un nouveau périmètre
curl -X POST https://api.secuaas.com/v1/secuscan/scans \
  -H "Authorization: Bearer $SECUSCAN_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "scope": ["example.com", "api.example.com"],
    "scan_type": "easm",
    "priority": "high"
  }'
# → { "scan_id": "scn_01HX...", "status": "queued", "eta_seconds": 180 }

bash

Authentication

Long-lived bearer tokens for backend integration, short-lived JWT for UI sessions. Automatic rotation.

Idempotency-Key

Tous les endpoints POST acceptent un header Idempotency-Key (UUID) pour éviter les doublons sur retry.

HMAC-signed webhooks

`X-Secuscan-Signature` header (SHA-256), immutable JSON payload. Replay protection via `X-Secuscan-Timestamp`.

OpenAPI 3.1

Full schema available: automatic client generation (openapi-generator, swagger-codegen), Postman collection.

Vérification webhook

Chaque webhook envoyé par SecuScan est signé. Vérifiez la signature côté serveur pour rejeter les payloads non authentiques.

webhook-verify.js

// Vérification HMAC-SHA256 d'un webhook SecuScan
import crypto from 'node:crypto';

function verify(signature, body, secret) {
  const expected = 'sha256=' + crypto
    .createHmac('sha256', secret)
    .update(body)
    .digest('hex');
  return crypto.timingSafeEqual(
    Buffer.from(signature),
    Buffer.from(expected),
  );
}

Endpoints principaux

POST /v1/scansLancer un scan
GET /v1/scans/{id}Récupérer le statut
GET /v1/scans/{id}/findingsPaginated vulnerability list, filterable by severity, CWE, target, status.
POST /v1/agentsProvisionner un agent endpoint
GET /v1/reports/{id}.pdfPDF/HTML/JSON download, HMAC signature for integrity.
POST /v1/webhooksRegister a signed webhook (scan.completed, finding.created, target.changed).