Scan API Overview
The Cert-IX Scan API provides programmatic access to 10 enterprise-grade security scanning engines through a single, unified REST API. Submit scans, receive real-time results, and integrate vulnerability assessments directly into your workflows, CI/CD pipelines, and security automation.
Why Use the Scan API?​
- Unified Interface — One API for 10 industry-leading scanning engines
- Asynchronous Architecture — Submit scans and get notified via webhooks when complete
- Enterprise Scale — Built for high-throughput environments with Kafka-backed processing
- Granular Access Control — Scoped API keys with IP allowlisting and per-key rate limits
- Real-Time Notifications — Webhooks with HMAC-SHA256 signature verification
- Reusable Templates — Save scan configurations and launch with a single API call
- Full Observability — Usage analytics, quota tracking, and detailed API call logs
Base URL​
All API endpoints are available at:
https://api.cert-ix.com/scan-api/api/v1
All requests must use HTTPS. Plain HTTP connections are rejected.
Available Scan Engines​
The Scan API supports 10 professional security engines, each purpose-built for a specific domain:
| Engine | Type | Use Case |
|---|---|---|
| Nmap | nmap | Network discovery, port scanning, service detection, OS fingerprinting |
| OWASP ZAP | zap | Dynamic application security testing (DAST), OWASP Top 10 |
| Trivy | trivy | Container image vulnerability scanning, IaC misconfigurations, secrets |
| Nuclei | nuclei | Template-based vulnerability detection across thousands of CVEs |
| Nikto | nikto | Web server scanning for dangerous files, outdated software, misconfigs |
| SQLMap | sqlmap | Automated SQL injection detection and exploitation testing |
| Wapiti | wapiti | Black-box web application vulnerability scanning |
| theHarvester | harvester | OSINT — email harvesting, subdomain enumeration, metadata collection |
| Sublist3r | sublist3r | Subdomain enumeration using search engines and DNS services |
| Sentinel | sentinel | Cert-IX proprietary multi-engine orchestrated scanning with correlation |
API at a Glance​
| Resource | Endpoint | Description |
|---|---|---|
| Scans | POST /scans | Submit a new scan |
GET /scans/:id | Check scan status | |
GET /scans/:id/results | Retrieve scan results | |
POST /scans/:id/cancel | Cancel a running scan | |
GET /scans | List all scans | |
| Templates | POST /scan-templates | Create a reusable scan template |
POST /scan-templates/:id/launch | Launch a scan from a template | |
GET /scan-templates | List templates | |
| Webhooks | POST /webhooks | Register a webhook endpoint |
POST /webhooks/:id/test | Send a test event | |
GET /webhooks/:id/deliveries | View delivery logs | |
| Usage | GET /usage/summary | Aggregated usage statistics |
GET /usage/history | Time-series usage data | |
GET /usage/by-scan-type | Usage breakdown by engine | |
| API Keys | POST /api-keys | Create an API key |
POST /api-keys/:id/rotate | Rotate a key with grace period | |
DELETE /api-keys/:id | Revoke a key |
Authentication​
All API requests require an API key passed via the X-API-Key header:
curl -X GET https://api.cert-ix.com/scan-api/api/v1/scans \
-H "X-API-Key: cix_sk_your_api_key_here"
API keys support:
- Granular scopes — Control exactly what each key can do
- Scan type restrictions — Limit which engines a key can invoke
- IP allowlisting — Restrict usage to specific source IPs
- Automatic expiration — Set time-to-live on keys
- Zero-downtime rotation — Grace periods for seamless key replacement
Learn more about authentication →
Security & Compliance​
The Scan API is built with enterprise security requirements in mind:
- TLS 1.3 — All connections encrypted with modern TLS
- Post-Quantum Cryptography (PQC) — CRYSTALS-Kyber key exchange, CRYSTALS-Dilithium signatures
- HMAC-SHA256 — Webhook signature verification
- SHA-256 Key Hashing — API keys hashed before storage
- Tenant Isolation — Complete data separation between organizations
- Audit Logging — Every API call logged via Kafka for compliance (ANSSI, NIS2, DORA)
- Rate Limiting — Per-key, per-minute/hour/day configurable limits
Standard Response Format​
All responses follow a consistent JSON envelope:
Success:
{
"success": true,
"data": { ... }
}
Error:
{
"success": false,
"error": "Human-readable error message",
"code": "MACHINE_READABLE_CODE"
}
Rate Limits​
| Window | Default | Configurable Range |
|---|---|---|
| Per minute | 60 | 1 – 1,000 |
| Per hour | 1,000 | 1 – 50,000 |
| Per day | 10,000 | 1 – 500,000 |
Rate limit headers are included in every response:
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 42
X-RateLimit-Reset: 1709654460
Getting Help​
- Documentation — Browse the guides in this section
- Bobby AI — Ask Bobby for help with scan configurations
- Support — Contact [email protected]
- Status Page — Check platform status at status.cert-ix.com
Next Steps:
- Getting Started → — Your first scan in under 5 minutes
- Authentication → — API key management and security
- Code Examples → — Production-ready clients in Python, Go, and Node.js