API reference

Programmatic access to 5 subscanners (auto-detect within each domain), 27 specialized endpoints, and full stack. Upload a single config file or a .zip archive — nested paths inside the zip are scanned automatically. Get JSON findings (or add ?format=pdf for a report, ?format=sarif for GitHub/GitLab SAST). Every product scan includes intent_gaps where names or tags contradict settings. Use ?fail_on=critical,high to fail the request when findings exceed your severity threshold. Base path: /api/v1

GitHub Actions

Scan pull requests automatically

Add one GitHub Actions workflow file to your repo. On every pull request, GitHub runs it automatically — no server to host, no manual uploads.

GitHub triggers the workflow

When someone opens or updates a PR, Actions checks out the code.

Base and head are zipped

git archive builds a snapshot of the target branch and of the PR branch (whole repo tree, not a raw diff patch).

misconfigs compares attack paths

Starts an async scan job (async=1), polls until both zips are fully scanned (IaC, CI/CD, AI, network, identity), then surfaces new and fixed cross-domain kill chains. Expect ~10–12 minutes per run.

Comment + optional fail

Posts (or updates) a PR comment with the delta and minimum fix set. Use fail_on_new=critical,high to fail the check when the PR introduces new critical/high paths.

Copy workflow from Account

Subscanners auto-detect file types within a domain — same behavior as the upload forms on each scanner page. Use specialized endpoints when you want to target one engine.

Subscanners

subscanner POST /api/v1/ai

AI / MCP Scanner

Auto-detect MCP configs, agents, prompts, tool definitions, and RAG pipelines — same as the AI upload form.

View reference →

subscanner POST /api/v1/iac

IaC Scanner

Auto-detect Terraform, Kubernetes, Compose, CloudFormation, Helm, and Istio in an upload or zip.

View reference →

subscanner POST /api/v1/cicd

CI/CD Scanner

Auto-detect GitHub Actions, GitLab CI, Jenkins, Azure Pipelines, and CircleCI configs.

View reference →

subscanner POST /api/v1/network

Network Scanner

Auto-detect NGINX, Apache, HAProxy, Envoy, firewall rules, and load balancer configs.

View reference →

subscanner POST /api/v1/identity

Identity Scanner

Auto-detect IAM policies, AWS trust policies, Okta exports, and Azure Entra configs.

View reference →

Full stack

stack POST /api/v1/fullstack

Full Stack Scanner

Scan IaC, AI/MCP, CI/CD, network, and identity from one project .zip — includes cross-domain correlations and executive PDF

View reference →

Specialized scanners

Pin a specific engine when you already know the config type.

AI / MCP Scanner

ai POST /api/v1/ai/mcp

MCP Scanner

Dangerous tools, prompt leakage, permission escalation, tool chaining

ai POST /api/v1/ai/agent

Agent Config Scanner

Excessive permissions, unsafe tool access, autonomous execution

ai POST /api/v1/ai/prompt

Prompt Security Scanner

Hidden secrets, system prompt leakage, prompt injection

ai POST /api/v1/ai/tools

Tool Definition Scanner

Shell access, SSRF, file deletion, arbitrary code execution

ai POST /api/v1/ai/rag

RAG Security Scanner

Sensitive documents indexed, PII exposure, access control gaps

IaC Scanner

iac POST /api/v1/iac/terraform

Terraform Scanner

Trivy static analysis for Terraform/HCL

iac POST /api/v1/iac/kubernetes

Kubernetes Manifest Scanner

Privileged pods, HostPath, missing limits, root containers, cluster-admin

iac POST /api/v1/iac/docker_compose

Docker Compose Scanner

Host mounts, privileged mode, admin ports, hardcoded secrets

iac POST /api/v1/iac/cloudformation

CloudFormation Scanner

AWS misconfigurations in CFN templates

iac POST /api/v1/iac/helm

Helm Chart Scanner

Insecure defaults, privileged pods, secret exposure

iac POST /api/v1/iac/istio

Istio Scanner

mTLS mode, permissive authz, wildcard hosts, insecure gateways

CI/CD Scanner

cicd POST /api/v1/cicd/github_actions

GitHub Actions Scanner

Secrets, unpinned actions, dangerous triggers, privilege escalation

cicd POST /api/v1/cicd/gitlab_ci

GitLab CI Scanner

Runner abuse, secret leakage, privileged jobs

cicd POST /api/v1/cicd/jenkins

Jenkins Scanner

Anonymous access, script console, dangerous plugins

cicd POST /api/v1/cicd/azure_pipelines

Azure Pipelines Scanner

Container pinning, secret leakage, pipeline hygiene (Checkov + ci-doctor)

cicd POST /api/v1/cicd/circleci

CircleCI Scanner

Orb pinning, resource abuse, shell risks (Checkov + ci-doctor)

Network Scanner

network POST /api/v1/network/firewall

Firewall Rule Scanner

Any-any rules, exposed management ports, shadowed rules

network POST /api/v1/network/nginx

NGINX Scanner

Missing TLS, internal exposure, dangerous rewrites

network POST /api/v1/network/apache

Apache Scanner

Directory listing, weak TLS, missing security headers

network POST /api/v1/network/haproxy

HAProxy Scanner

Insecure frontends, exposed admin interfaces

network POST /api/v1/network/load_balancer

Load Balancer Scanner

Weak ciphers, open admin endpoints

network POST /api/v1/network/reverse_proxy

Reverse Proxy Scanner

Internal app exposure, TLS issues

network POST /api/v1/network/envoy

Envoy Scanner

Admin exposure, missing TLS, insecure CORS, XFF trust

Identity Scanner

identity POST /api/v1/identity/iam_policy

IAM Policy Scanner

Admin permissions, wildcards, privilege escalation

identity POST /api/v1/identity/aws_trust

AWS Trust Policy Scanner

Dangerous AssumeRole trust, cross-account risks

identity POST /api/v1/identity/okta

Okta Scanner

Weak MFA, excessive admin roles

identity POST /api/v1/identity/azure_entra

Azure Entra ID Scanner

Global admin sprawl, weak conditional access

Subscanners

subscanner Open AI / MCP Scanner →

AI / MCP Scanner

Auto-detect MCP configs, agents, prompts, tool definitions, and RAG pipelines — same as the AI upload form.

Endpoint: POST /api/v1/ai
Behavior: Auto-detects which specialized scanners to run from file names and content — same as the ai upload form.
Query params: format=json (default), format=pdf, or format=sarif
CI policy: fail_on=critical,high — returns HTTP 422 and X-Misconfigs-Exit-Code: 1 when matched
Upload: Single file or .zip archive (max 10 MB). Zip contents are extracted and scanned recursively.
File types: .json, .md, .prompt, .txt, .yaml, .yml, .zip
Auth: X-API-Key header or signed-in session cookie

curl -X POST "http://api.misconfigs.com/api/v1/ai" \
  -H "X-API-Key: mc_your_key" \
  -F "file=@project.json"

subscanner Open IaC Scanner →

IaC Scanner

Auto-detect Terraform, Kubernetes, Compose, CloudFormation, Helm, and Istio in an upload or zip.

Endpoint: POST /api/v1/iac
Behavior: Auto-detects which specialized scanners to run from file names and content — same as the iac upload form.
Query params: format=json (default), format=pdf, or format=sarif
CI policy: fail_on=critical,high — returns HTTP 422 and X-Misconfigs-Exit-Code: 1 when matched
Upload: Single file or .zip archive (max 10 MB). Zip contents are extracted and scanned recursively.
File types: .hcl, .json, .tf, .tfvars, .yaml, .yml, .zip
Auth: X-API-Key header or signed-in session cookie

curl -X POST "http://api.misconfigs.com/api/v1/iac" \
  -H "X-API-Key: mc_your_key" \
  -F "file=@project.hcl"

subscanner Open CI/CD Scanner →

CI/CD Scanner

Auto-detect GitHub Actions, GitLab CI, Jenkins, Azure Pipelines, and CircleCI configs.

Endpoint: POST /api/v1/cicd
Behavior: Auto-detects which specialized scanners to run from file names and content — same as the cicd upload form.
Query params: format=json (default), format=pdf, or format=sarif
CI policy: fail_on=critical,high — returns HTTP 422 and X-Misconfigs-Exit-Code: 1 when matched
Upload: Single file or .zip archive (max 10 MB). Zip contents are extracted and scanned recursively.
File types: , .groovy, .xml, .yaml, .yml, .zip
Auth: X-API-Key header or signed-in session cookie

curl -X POST "http://api.misconfigs.com/api/v1/cicd" \
  -H "X-API-Key: mc_your_key" \
  -F "file=@project.groovy"

subscanner Open Network Scanner →

Network Scanner

Auto-detect NGINX, Apache, HAProxy, Envoy, firewall rules, and load balancer configs.

Endpoint: POST /api/v1/network
Behavior: Auto-detects which specialized scanners to run from file names and content — same as the network upload form.
Query params: format=json (default), format=pdf, or format=sarif
CI policy: fail_on=critical,high — returns HTTP 422 and X-Misconfigs-Exit-Code: 1 when matched
Upload: Single file or .zip archive (max 10 MB). Zip contents are extracted and scanned recursively.
File types: .cfg, .conf, .json, .rules, .xml, .yaml, .yml, .zip
Auth: X-API-Key header or signed-in session cookie

curl -X POST "http://api.misconfigs.com/api/v1/network" \
  -H "X-API-Key: mc_your_key" \
  -F "file=@project.cfg"

subscanner Open Identity Scanner →

Identity Scanner

Auto-detect IAM policies, AWS trust policies, Okta exports, and Azure Entra configs.

Endpoint: POST /api/v1/identity
Behavior: Auto-detects which specialized scanners to run from file names and content — same as the identity upload form.
Query params: format=json (default), format=pdf, or format=sarif
CI policy: fail_on=critical,high — returns HTTP 422 and X-Misconfigs-Exit-Code: 1 when matched
Upload: Single file or .zip archive (max 10 MB). Zip contents are extracted and scanned recursively.
File types: .json, .yaml, .yml, .zip
Auth: X-API-Key header or signed-in session cookie

curl -X POST "http://api.misconfigs.com/api/v1/identity" \
  -H "X-API-Key: mc_your_key" \
  -F "file=@project.json"

Specialized scanners

AI / MCP Scanner

MCP Scanner

Dangerous tools, prompt leakage, permission escalation, tool chaining

Endpoint: POST /api/v1/ai/mcp
Query params: format=json (default), format=pdf, or format=sarif
CI policy: fail_on=critical,high — returns HTTP 422 and X-Misconfigs-Exit-Code: 1 when matched
Upload: Single file or .zip archive (max 10 MB). Zip contents are extracted and scanned recursively.
File types: .json, .yaml, .yml, .zip
Auth: X-API-Key header or signed-in session cookie

curl -X POST "http://api.misconfigs.com/api/v1/ai/mcp" \
  -H "X-API-Key: mc_your_key" \
  -F "file=@project.json"

Agent Config Scanner

Excessive permissions, unsafe tool access, autonomous execution

Endpoint: POST /api/v1/ai/agent
Query params: format=json (default), format=pdf, or format=sarif
CI policy: fail_on=critical,high — returns HTTP 422 and X-Misconfigs-Exit-Code: 1 when matched
Upload: Single file or .zip archive (max 10 MB). Zip contents are extracted and scanned recursively.
File types: .json, .yaml, .yml, .zip
Auth: X-API-Key header or signed-in session cookie

curl -X POST "http://api.misconfigs.com/api/v1/ai/agent" \
  -H "X-API-Key: mc_your_key" \
  -F "file=@project.json"

Prompt Security Scanner

Hidden secrets, system prompt leakage, prompt injection

Endpoint: POST /api/v1/ai/prompt
Query params: format=json (default), format=pdf, or format=sarif
CI policy: fail_on=critical,high — returns HTTP 422 and X-Misconfigs-Exit-Code: 1 when matched
Upload: Single file or .zip archive (max 10 MB). Zip contents are extracted and scanned recursively.
File types: .json, .md, .prompt, .txt, .yaml, .yml, .zip
Auth: X-API-Key header or signed-in session cookie

curl -X POST "http://api.misconfigs.com/api/v1/ai/prompt" \
  -H "X-API-Key: mc_your_key" \
  -F "file=@project.json"

Tool Definition Scanner

Shell access, SSRF, file deletion, arbitrary code execution

Endpoint: POST /api/v1/ai/tools
Query params: format=json (default), format=pdf, or format=sarif
CI policy: fail_on=critical,high — returns HTTP 422 and X-Misconfigs-Exit-Code: 1 when matched
Upload: Single file or .zip archive (max 10 MB). Zip contents are extracted and scanned recursively.
File types: .json, .yaml, .yml, .zip
Auth: X-API-Key header or signed-in session cookie

curl -X POST "http://api.misconfigs.com/api/v1/ai/tools" \
  -H "X-API-Key: mc_your_key" \
  -F "file=@project.json"

RAG Security Scanner

Sensitive documents indexed, PII exposure, access control gaps

Endpoint: POST /api/v1/ai/rag
Query params: format=json (default), format=pdf, or format=sarif
CI policy: fail_on=critical,high — returns HTTP 422 and X-Misconfigs-Exit-Code: 1 when matched
Upload: Single file or .zip archive (max 10 MB). Zip contents are extracted and scanned recursively.
File types: .json, .yaml, .yml, .zip
Auth: X-API-Key header or signed-in session cookie

curl -X POST "http://api.misconfigs.com/api/v1/ai/rag" \
  -H "X-API-Key: mc_your_key" \
  -F "file=@project.json"

IaC Scanner

iac

Terraform Scanner

Trivy static analysis for Terraform/HCL

Endpoint: POST /api/v1/iac/terraform
Query params: format=json (default), format=pdf, or format=sarif
CI policy: fail_on=critical,high — returns HTTP 422 and X-Misconfigs-Exit-Code: 1 when matched
Upload: Single file or .zip archive (max 10 MB). Zip contents are extracted and scanned recursively.
File types: .hcl, .tf, .tfvars, .zip
Auth: X-API-Key header or signed-in session cookie

curl -X POST "http://api.misconfigs.com/api/v1/iac/terraform" \
  -H "X-API-Key: mc_your_key" \
  -F "file=@project.hcl"

iac

Kubernetes Manifest Scanner

Privileged pods, HostPath, missing limits, root containers, cluster-admin

Endpoint: POST /api/v1/iac/kubernetes
Query params: format=json (default), format=pdf, or format=sarif
CI policy: fail_on=critical,high — returns HTTP 422 and X-Misconfigs-Exit-Code: 1 when matched
Upload: Single file or .zip archive (max 10 MB). Zip contents are extracted and scanned recursively.
File types: .yaml, .yml, .zip
Auth: X-API-Key header or signed-in session cookie

curl -X POST "http://api.misconfigs.com/api/v1/iac/kubernetes" \
  -H "X-API-Key: mc_your_key" \
  -F "file=@project.yaml"

iac

Docker Compose Scanner

Host mounts, privileged mode, admin ports, hardcoded secrets

Endpoint: POST /api/v1/iac/docker_compose
Query params: format=json (default), format=pdf, or format=sarif
CI policy: fail_on=critical,high — returns HTTP 422 and X-Misconfigs-Exit-Code: 1 when matched
Upload: Single file or .zip archive (max 10 MB). Zip contents are extracted and scanned recursively.
File types: .yaml, .yml, .zip
Auth: X-API-Key header or signed-in session cookie

curl -X POST "http://api.misconfigs.com/api/v1/iac/docker_compose" \
  -H "X-API-Key: mc_your_key" \
  -F "file=@project.yaml"

iac

CloudFormation Scanner

AWS misconfigurations in CFN templates

Endpoint: POST /api/v1/iac/cloudformation
Query params: format=json (default), format=pdf, or format=sarif
CI policy: fail_on=critical,high — returns HTTP 422 and X-Misconfigs-Exit-Code: 1 when matched
Upload: Single file or .zip archive (max 10 MB). Zip contents are extracted and scanned recursively.
File types: .json, .yaml, .yml, .zip
Auth: X-API-Key header or signed-in session cookie

curl -X POST "http://api.misconfigs.com/api/v1/iac/cloudformation" \
  -H "X-API-Key: mc_your_key" \
  -F "file=@project.json"

iac

Helm Chart Scanner

Insecure defaults, privileged pods, secret exposure

Endpoint: POST /api/v1/iac/helm
Query params: format=json (default), format=pdf, or format=sarif
CI policy: fail_on=critical,high — returns HTTP 422 and X-Misconfigs-Exit-Code: 1 when matched
Upload: Single file or .zip archive (max 10 MB). Zip contents are extracted and scanned recursively.
File types: .yaml, .yml, .zip
Auth: X-API-Key header or signed-in session cookie

curl -X POST "http://api.misconfigs.com/api/v1/iac/helm" \
  -H "X-API-Key: mc_your_key" \
  -F "file=@project.yaml"

iac

Istio Scanner

mTLS mode, permissive authz, wildcard hosts, insecure gateways

Endpoint: POST /api/v1/iac/istio
Query params: format=json (default), format=pdf, or format=sarif
CI policy: fail_on=critical,high — returns HTTP 422 and X-Misconfigs-Exit-Code: 1 when matched
Upload: Single file or .zip archive (max 10 MB). Zip contents are extracted and scanned recursively.
File types: .yaml, .yml, .zip
Auth: X-API-Key header or signed-in session cookie

curl -X POST "http://api.misconfigs.com/api/v1/iac/istio" \
  -H "X-API-Key: mc_your_key" \
  -F "file=@project.yaml"

CI/CD Scanner

cicd

GitHub Actions Scanner

Secrets, unpinned actions, dangerous triggers, privilege escalation

Endpoint: POST /api/v1/cicd/github_actions
Query params: format=json (default), format=pdf, or format=sarif
CI policy: fail_on=critical,high — returns HTTP 422 and X-Misconfigs-Exit-Code: 1 when matched
Upload: Single file or .zip archive (max 10 MB). Zip contents are extracted and scanned recursively.
File types: .yaml, .yml, .zip
Auth: X-API-Key header or signed-in session cookie

curl -X POST "http://api.misconfigs.com/api/v1/cicd/github_actions" \
  -H "X-API-Key: mc_your_key" \
  -F "file=@project.yaml"

cicd

GitLab CI Scanner

Runner abuse, secret leakage, privileged jobs

Endpoint: POST /api/v1/cicd/gitlab_ci
Query params: format=json (default), format=pdf, or format=sarif
CI policy: fail_on=critical,high — returns HTTP 422 and X-Misconfigs-Exit-Code: 1 when matched
Upload: Single file or .zip archive (max 10 MB). Zip contents are extracted and scanned recursively.
File types: .yaml, .yml, .zip
Auth: X-API-Key header or signed-in session cookie

curl -X POST "http://api.misconfigs.com/api/v1/cicd/gitlab_ci" \
  -H "X-API-Key: mc_your_key" \
  -F "file=@project.yaml"

cicd

Jenkins Scanner

Anonymous access, script console, dangerous plugins

Endpoint: POST /api/v1/cicd/jenkins
Query params: format=json (default), format=pdf, or format=sarif
CI policy: fail_on=critical,high — returns HTTP 422 and X-Misconfigs-Exit-Code: 1 when matched
Upload: Single file or .zip archive (max 10 MB). Zip contents are extracted and scanned recursively.
File types: , .groovy, .xml, .yaml, .yml, .zip
Auth: X-API-Key header or signed-in session cookie

curl -X POST "http://api.misconfigs.com/api/v1/cicd/jenkins" \
  -H "X-API-Key: mc_your_key" \
  -F "file=@project.groovy"

cicd

Azure Pipelines Scanner

Container pinning, secret leakage, pipeline hygiene (Checkov + ci-doctor)

Endpoint: POST /api/v1/cicd/azure_pipelines
Query params: format=json (default), format=pdf, or format=sarif
CI policy: fail_on=critical,high — returns HTTP 422 and X-Misconfigs-Exit-Code: 1 when matched
Upload: Single file or .zip archive (max 10 MB). Zip contents are extracted and scanned recursively.
File types: .yaml, .yml, .zip
Auth: X-API-Key header or signed-in session cookie

curl -X POST "http://api.misconfigs.com/api/v1/cicd/azure_pipelines" \
  -H "X-API-Key: mc_your_key" \
  -F "file=@project.yaml"

cicd

CircleCI Scanner

Orb pinning, resource abuse, shell risks (Checkov + ci-doctor)

Endpoint: POST /api/v1/cicd/circleci
Query params: format=json (default), format=pdf, or format=sarif
CI policy: fail_on=critical,high — returns HTTP 422 and X-Misconfigs-Exit-Code: 1 when matched
Upload: Single file or .zip archive (max 10 MB). Zip contents are extracted and scanned recursively.
File types: .yaml, .yml, .zip
Auth: X-API-Key header or signed-in session cookie

curl -X POST "http://api.misconfigs.com/api/v1/cicd/circleci" \
  -H "X-API-Key: mc_your_key" \
  -F "file=@project.yaml"

Network Scanner

network

Firewall Rule Scanner

Any-any rules, exposed management ports, shadowed rules

Endpoint: POST /api/v1/network/firewall
Query params: format=json (default), format=pdf, or format=sarif
CI policy: fail_on=critical,high — returns HTTP 422 and X-Misconfigs-Exit-Code: 1 when matched
Upload: Single file or .zip archive (max 10 MB). Zip contents are extracted and scanned recursively.
File types: .conf, .json, .rules, .yaml, .yml, .zip
Auth: X-API-Key header or signed-in session cookie

curl -X POST "http://api.misconfigs.com/api/v1/network/firewall" \
  -H "X-API-Key: mc_your_key" \
  -F "file=@project.conf"

network

NGINX Scanner

Missing TLS, internal exposure, dangerous rewrites

Endpoint: POST /api/v1/network/nginx
Query params: format=json (default), format=pdf, or format=sarif
CI policy: fail_on=critical,high — returns HTTP 422 and X-Misconfigs-Exit-Code: 1 when matched
Upload: Single file or .zip archive (max 10 MB). Zip contents are extracted and scanned recursively.
File types: .cfg, .conf, .zip
Auth: X-API-Key header or signed-in session cookie

curl -X POST "http://api.misconfigs.com/api/v1/network/nginx" \
  -H "X-API-Key: mc_your_key" \
  -F "file=@project.cfg"

network

Apache Scanner

Directory listing, weak TLS, missing security headers

Endpoint: POST /api/v1/network/apache
Query params: format=json (default), format=pdf, or format=sarif
CI policy: fail_on=critical,high — returns HTTP 422 and X-Misconfigs-Exit-Code: 1 when matched
Upload: Single file or .zip archive (max 10 MB). Zip contents are extracted and scanned recursively.
File types: .cfg, .conf, .htaccess, .zip
Auth: X-API-Key header or signed-in session cookie

curl -X POST "http://api.misconfigs.com/api/v1/network/apache" \
  -H "X-API-Key: mc_your_key" \
  -F "file=@project.cfg"

network

HAProxy Scanner

Insecure frontends, exposed admin interfaces

Endpoint: POST /api/v1/network/haproxy
Query params: format=json (default), format=pdf, or format=sarif
CI policy: fail_on=critical,high — returns HTTP 422 and X-Misconfigs-Exit-Code: 1 when matched
Upload: Single file or .zip archive (max 10 MB). Zip contents are extracted and scanned recursively.
File types: .cfg, .conf, .zip
Auth: X-API-Key header or signed-in session cookie

curl -X POST "http://api.misconfigs.com/api/v1/network/haproxy" \
  -H "X-API-Key: mc_your_key" \
  -F "file=@project.cfg"

network

Load Balancer Scanner

Weak ciphers, open admin endpoints

Endpoint: POST /api/v1/network/load_balancer
Query params: format=json (default), format=pdf, or format=sarif
CI policy: fail_on=critical,high — returns HTTP 422 and X-Misconfigs-Exit-Code: 1 when matched
Upload: Single file or .zip archive (max 10 MB). Zip contents are extracted and scanned recursively.
File types: .conf, .json, .yaml, .yml, .zip
Auth: X-API-Key header or signed-in session cookie

curl -X POST "http://api.misconfigs.com/api/v1/network/load_balancer" \
  -H "X-API-Key: mc_your_key" \
  -F "file=@project.conf"

network

Reverse Proxy Scanner

Internal app exposure, TLS issues

Endpoint: POST /api/v1/network/reverse_proxy
Query params: format=json (default), format=pdf, or format=sarif
CI policy: fail_on=critical,high — returns HTTP 422 and X-Misconfigs-Exit-Code: 1 when matched
Upload: Single file or .zip archive (max 10 MB). Zip contents are extracted and scanned recursively.
File types: .cfg, .conf, .yaml, .yml, .zip
Auth: X-API-Key header or signed-in session cookie

curl -X POST "http://api.misconfigs.com/api/v1/network/reverse_proxy" \
  -H "X-API-Key: mc_your_key" \
  -F "file=@project.cfg"

network

Envoy Scanner

Admin exposure, missing TLS, insecure CORS, XFF trust

Endpoint: POST /api/v1/network/envoy
Query params: format=json (default), format=pdf, or format=sarif
CI policy: fail_on=critical,high — returns HTTP 422 and X-Misconfigs-Exit-Code: 1 when matched
Upload: Single file or .zip archive (max 10 MB). Zip contents are extracted and scanned recursively.
File types: .yaml, .yml, .zip
Auth: X-API-Key header or signed-in session cookie

curl -X POST "http://api.misconfigs.com/api/v1/network/envoy" \
  -H "X-API-Key: mc_your_key" \
  -F "file=@project.yaml"

Identity Scanner

identity

IAM Policy Scanner

Admin permissions, wildcards, privilege escalation

Endpoint: POST /api/v1/identity/iam_policy
Query params: format=json (default), format=pdf, or format=sarif
CI policy: fail_on=critical,high — returns HTTP 422 and X-Misconfigs-Exit-Code: 1 when matched
Upload: Single file or .zip archive (max 10 MB). Zip contents are extracted and scanned recursively.
File types: .json, .yaml, .yml, .zip
Auth: X-API-Key header or signed-in session cookie

curl -X POST "http://api.misconfigs.com/api/v1/identity/iam_policy" \
  -H "X-API-Key: mc_your_key" \
  -F "file=@project.json"

identity

AWS Trust Policy Scanner

Dangerous AssumeRole trust, cross-account risks

Endpoint: POST /api/v1/identity/aws_trust
Query params: format=json (default), format=pdf, or format=sarif
CI policy: fail_on=critical,high — returns HTTP 422 and X-Misconfigs-Exit-Code: 1 when matched
Upload: Single file or .zip archive (max 10 MB). Zip contents are extracted and scanned recursively.
File types: .json, .yaml, .yml, .zip
Auth: X-API-Key header or signed-in session cookie

curl -X POST "http://api.misconfigs.com/api/v1/identity/aws_trust" \
  -H "X-API-Key: mc_your_key" \
  -F "file=@project.json"

identity

Okta Scanner

Weak MFA, excessive admin roles

Endpoint: POST /api/v1/identity/okta
Query params: format=json (default), format=pdf, or format=sarif
CI policy: fail_on=critical,high — returns HTTP 422 and X-Misconfigs-Exit-Code: 1 when matched
Upload: Single file or .zip archive (max 10 MB). Zip contents are extracted and scanned recursively.
File types: .json, .yaml, .yml, .zip
Auth: X-API-Key header or signed-in session cookie

curl -X POST "http://api.misconfigs.com/api/v1/identity/okta" \
  -H "X-API-Key: mc_your_key" \
  -F "file=@project.json"

identity

Azure Entra ID Scanner

Global admin sprawl, weak conditional access

Endpoint: POST /api/v1/identity/azure_entra
Query params: format=json (default), format=pdf, or format=sarif
CI policy: fail_on=critical,high — returns HTTP 422 and X-Misconfigs-Exit-Code: 1 when matched
Upload: Single file or .zip archive (max 10 MB). Zip contents are extracted and scanned recursively.
File types: .json, .yaml, .yml, .zip
Auth: X-API-Key header or signed-in session cookie

curl -X POST "http://api.misconfigs.com/api/v1/identity/azure_entra" \
  -H "X-API-Key: mc_your_key" \
  -F "file=@project.json"

Compliance mapping

Every finding is tagged with CIS, NIST 800-53, SOC 2, PCI DSS, and HIPAA controls. Filter by framework and control ID; each scan includes a compliance % score per framework.

Frameworks: GET /api/v1/compliance/frameworks — list all controls
Filter: framework=soc2 and control=CC6.1 on any scan endpoint
Response: compliance.frameworks.soc2.score_pct — passing controls / in-scope controls

# Show everything affecting SOC 2 CC6.1 (logical access)
curl -X POST "http://api.misconfigs.com/api/v1/identity/iam_policy?framework=soc2&control=CC6.1" \
  -H "X-API-Key: mc_your_key" \
  -F "file=@policy.json"

GitHub pull request checks

This is a ready-to-paste GitHub Actions workflow. Commit it once; GitHub runs it on every pull request (open, update, reopen). You do not call the API yourself — the Action zips the repo, scans both sides of the PR, and comments the results.

GitHub triggers the workflow

When someone opens or updates a PR, Actions checks out the code.

Base and head are zipped

git archive builds a snapshot of the target branch and of the PR branch (whole repo tree, not a raw diff patch).

misconfigs compares attack paths

Comment + optional fail

Posts (or updates) a PR comment with the delta and minimum fix set. Use fail_on_new=critical,high to fail the check when the PR introduces new critical/high paths.

Copy workflow from Account

Advanced: call the API directly

The workflow above is a thin wrapper around POST /api/v1/fullstack/pr-delta?async=1 with multipart base and head zip uploads, then polling GET /api/scan-jobs/{job_id}/result. Use this from other CI systems (GitLab, Buildkite, etc.). Omit async=1 for a synchronous response.

# Start async job (recommended for CI)
curl -X POST "http://api.misconfigs.com/api/v1/fullstack/pr-delta?fail_on_new=critical,high&async=1" \
  -H "X-API-Key: mc_your_key" \
  -F "base=@base.zip" \
  -F "head=@head.zip"

# Poll until status is complete, then read result.delta / result.ci
curl "http://api.misconfigs.com/api/scan-jobs/JOB_ID/result" -H "X-API-Key: mc_your_key"

Full stack scan (manual / scheduled CI)

Upload a project .zip when you want a one-off or scheduled snapshot of the whole repo — e.g. nightly on main. Use fail_on=critical,high to fail if the snapshot has any critical/high findings (different from PR checks, which use fail_on_new).

Endpoint: POST /api/v1/fullstack
Upload: .zip archive only (max 10 MB) — monorepo with IaC, CI/CD, AI, network, and identity configs
Formats: format=json, format=pdf (executive summary), format=sarif
Cross-domain: Response includes attack_paths (step-by-step kill chains with graph data), correlations, intent_gaps (names/tags that contradict settings), and contradictions (two configs in the same repo that fight each other)
SARIF: format=sarif adds graphs, result relationships, and misconfigs/attackPaths run properties

curl -X POST "http://api.misconfigs.com/api/v1/fullstack?format=pdf&fail_on=critical,high" \
  -H "X-API-Key: mc_your_key" \
  -F "file=@my-project.zip" \
  -o fullstack-report.pdf

Risk regression radar

Each full-stack scan is compared to the previous scan of the same archive name. Returns new/fixed/persistent attack paths, score and compliance drift, and a minimum fix set for new regressions. Visible on /scans and in the UI after upload.

Endpoint: POST /api/v1/fullstack (same as full-stack scan; prior scan required in history)
Policy: fail_on_regression=critical,high — fail CI when new attack paths vs last scan match severities

curl -X POST "http://api.misconfigs.com/api/v1/fullstack?fail_on_regression=critical,high" \
  -H "X-API-Key: mc_your_key" \
  -F "file=@my-project.zip"

Multi-repository full stack scan (Pro / Team)

Scan several repository archives in one API call — useful for portfolio views across microservices, infra, and shared libraries. Each repository counts as one scan against your monthly API quota. Pro allows up to 10 repos per request; Team allows up to 25.

Endpoint: POST /api/v1/fullstack/multi-repo
Upload: Repeat -F "files=@repo.zip" for each repository (minimum 2). Optional repo_names form field: comma-separated labels in the same order.
Response: Merged findings and attack_paths tagged with repo; per-repo summaries in repos

curl -X POST "http://api.misconfigs.com/api/v1/fullstack/multi-repo?fail_on=critical,high" \
  -H "X-API-Key: mc_your_key" \
  -F "files=@payments-api.zip" \
  -F "files=@platform-infra.zip" \
  -F "repo_names=payments-api,platform-infra"

CI / SARIF

Export SARIF for GitHub Advanced Security or GitLab SAST. Findings include stable rule_id values for suppressions. Use fail_on to gate merges on severity.

# SARIF upload (GitHub Advanced Security / GitLab SAST)
curl -X POST "http://api.misconfigs.com/api/v1/iac/kubernetes" \
  -H "X-API-Key: mc_your_key" \
  -F "file=@k8s.yaml" \
  -o results.sarif.json \
  --fail-with-body \
  -G --data-urlencode "format=sarif" --data-urlencode "fail_on=critical,high"

# Local CLI (no API quota — runs scanners directly)
python -m app.cli scan iac kubernetes sample/iac/k8s-bad.yaml \
  --format sarif --fail-on critical,high -o results.sarif.json
echo "exit code: $?"  # 0 pass, 1 policy fail, 2 scan error

Exit codes (CLI): 0 pass · 1 fail-on triggered · 2 scan error · 3 auth/quota
HTTP headers (API): X-Misconfigs-Exit-Code, X-Misconfigs-Policy-Passed when fail_on is set
Rule IDs: Built-in rules use stable IDs (e.g. K8S-001, IAM-003). Others derive from product/scanner/category/title.