TL;DR: We are launching our SecretsBuster API. You can register an API key or discover this product's features through our API documentation.
In May 2024, we launched SecretsBuster as a demo tool with one goal: prevent your web application's secrets from leaking. We were convinced that by scanning your public surface, instead of trying to prevent every potential risk upfront, we could dramatically improve both the detection rate and the precision of secret leakage findings.
Since then, we have used our product to scan thousands of domains from various bug bounty programs. The results were overwhelming, showing secret leaks from companies with anywhere from a small to a very large online presence. We disclosed dozens of secret leaks, with very concrete exploits for many of them. Now it's time to give this power to the companies that need to protect themselves, instead of relying on the goodwill of third parties.
Today we are thrilled to announce the launch of our public API! You can't rely on our website form to automate your scans, and we believe that the new API will be versatile enough to fulfill all your needs.
Whenever you need to check one of your resources, you just have to:
- Request a new scan from the API
- Wait for the scan to complete. You can check the scan status periodically
- Retrieve your scan report. If the report is marked as 'leaky', it will contain the list of all leaks, including their type, the document leaking the secret and the occurrences
This simple workflow can be used in different places: as part of your QA process to ensure no unsafe application makes it to production, included in your CI/CD pipelines, as a tool for your pentesting team… Use it your way, and if you think something is missing, let's have a chat!
Besides scan reporting, this first version of the API includes the basic features everyone will need: retrieving all your reports (with some useful filters), commenting on a report so that you can implement a review process, and getting your account details (mostly your API key consumption).
Take a step toward better securing your web application: try our API! Check out our extensive documentation and get your API key. Here again security is our priority, so we chose to store as little information as possible. Your SecretsBuster API account is a passwordless service: when you are ready to purchase, just fill in your email address and you will be guided through the whole process. We rely on Stripe for payment and billing, so only they will need your personal and banking information, not us.
We have designed our API plans for simplicity and transparency: 3 plans that should cover most of your use cases:
- « Enthusiast », for those who just want to test our service or protect a personal website
- « Small Business » if you need professional protection for a reduced public surface
- « Enterprise » if you have many online applications to secure
Each plan comes with a maximum number of scans per month. By subscribing, you will receive an API key that must be present in all your API requests.
This is a new product and, despite our conviction that it will be useful for a large range of companies, we can always add some cool new features. As always, we are eager to receive your feedback!