NativeFoundation
Security & compliance

NF Vulnerability Scanner

All-in-one website security audit — active scanning, CVEs, and misconfigurations in one run

View on Apify Store →See all Actors
Overview

What it is.

NF Vulnerability Scanner runs against a target and returns one normalized, severity-and-priority-graded report instead of several separate tool outputs to reconcile by hand. Standard mode ($0.25) runs 9 engines: active scanning, known-CVE detection, server misconfiguration checks, port scanning, and tech fingerprinting (all of which send real traffic to the target), plus four passive engines — DNS/email posture (SPF/DMARC/DKIM/BIMI, TLS/domain expiry), leaked-secret scanning of client-side JS, HTTP security headers, and CMS fingerprinting — that never send attack traffic.

Deep mode ($0.50) adds four more-intrusive engines on top of Standard's nine: directory/file brute-forcing, a dedicated SQL injection detector, passive OSINT recon (subdomains and emails from public sources), and DNS subdomain enumeration with a zone-transfer attempt.

By default every engine scans the target's anonymous, logged-out surface; supplying requestHeaders/cookies enables authenticated scanning across the CVE, content-discovery, injection-test, and native engines. Because several engines send real crawling, fuzzing, injection, and port-scanning traffic, every run must set permissionConfirmed: true, and the Actor refuses to start otherwise — only ever scan targets you own or have explicit authorization to test.

Feature

What it checks and does.

  • Active scan + known-CVE detection

    Active crawling/fuzzing/injection testing, plus CVE, exposed-panel, and misconfiguration detection via an actively-maintained template set.
  • Server, port & tech fingerprinting

    Web-server misconfigurations, a top-1000 TCP port scan, and deep technology/version fingerprinting (CDNs, frameworks, JS libraries).
  • DNS, email & secrets posture (passive)

    SPF/DMARC/DKIM/BIMI email-spoofing checks, TLS/domain-expiry monitoring, leaked API keys/tokens in client-side JS, and HTTP security-header checks — none of these send attack traffic.
  • CMS fingerprinting

    Native detection for WordPress, Drupal, Joomla, and Magento — version disclosure and platform-specific misconfigurations, self-gated to the platform actually detected.
  • Deep mode: injection, brute-force & recon

    Directory/file brute-forcing, a dedicated SQL injection detector, passive OSINT recon, and subdomain enumeration with a zone-transfer attempt — gated behind the higher tier.
  • Risk score, grade, SARIF + CI gating

    A 0–100 risk score maps to a letter grade (A safest–F worst); outputFormat: "sarif" and failOnGrade/failOnSeverity support CI/CD gating.
Use cases

Where it fits.

  • Run an authorized, pre-launch security sweep across a web application
  • Feed CVE and misconfiguration findings into a CI pipeline with severity gating
  • Monitor email-spoofing protection (SPF/DMARC) and TLS/domain expiry on a schedule
  • Combine active scanning, CVE detection, and server-misconfig checks into one report instead of stitching together separate tools
Input

Call it with this.

FieldTypeRequiredDescription
urlstringYesThe target to scan.
permissionConfirmedbooleanYesMust be true — the caller's representation that they own or are authorized to test the target. The Actor refuses to run without it.
scanMode"standard" | "deep"No"standard" (9 engines, $0.25) or "deep" (13 engines — adds SQL injection, directory brute-forcing & subdomain recon, $0.50).
portScanTiming"polite" | "normal" | "aggressive"NoHow fast port-scan probes the target; ignored unless port-scan runs.
requestHeaders / cookiesobject / stringNoEnables authenticated scanning across the CVE, content-discovery, injection-test, and native engines.
outputFormat / failOnGrade / failOnSeveritystringNoSARIF export and CI-gating thresholds, same pattern as the accessibility scanner.

Pricing:Two flat event fees: $0.25 for a completed Standard-mode run, $0.50 for Deep mode — plus your own Apify platform compute/proxy usage for that run.

FAQ

Frequently asked questions.

What's the difference between Standard and Deep mode?

Standard ($0.25) runs 9 engines: active scan, CVE scan, server scan, port scan, and tech fingerprint (all sending real traffic), plus 4 passive engines — DNS/email posture, JS-secrets, security headers, and CMS scan. Deep ($0.50) adds 4 more-intrusive engines: content discovery (directory brute-forcing), a dedicated injection test, OSINT recon, and subdomain enumeration.

Do I need authorization to scan a target?

Yes. Several engines send real crawling, fuzzing, injection, and port-scanning traffic. Every run must set permissionConfirmed: true as a representation that you own the target or have explicit permission to test it — the Actor will not start without it, and scanning a system without authorization can be illegal.

Can it do authenticated scanning, behind a login?

Yes — pass requestHeaders and/or cookies in the input and the CVE, content-discovery, injection-test, and native engines scan the authenticated surface as well as the anonymous one.

Can I gate a CI pipeline on scan severity?

Yes — set outputFormat: "sarif" for a SARIF 2.1.0 record you can upload to GitHub/GitLab code scanning, and failOnGrade/failOnSeverity make the run exit non-zero once a scan crosses your threshold.

Does this replace a professional penetration test?

No — it's built for continuous, automated coverage (CI/CD gating, recurring audits), not a substitute for manual, human-led testing. It also doesn't cover dedicated WordPress plugin/theme CVE enumeration (WPScan), full TLS protocol/cipher auditing, or client-side JS-library CVE detection.