NF Vulnerability Scanner
All-in-one website security audit — active scanning, CVEs, and misconfigurations in one run
What it is.
NF Vulnerability Scanner runs against a target and returns one normalized, severity-and-priority-graded report instead of several separate tool outputs to reconcile by hand. Standard mode ($0.25) runs 9 engines: active scanning, known-CVE detection, server misconfiguration checks, port scanning, and tech fingerprinting (all of which send real traffic to the target), plus four passive engines — DNS/email posture (SPF/DMARC/DKIM/BIMI, TLS/domain expiry), leaked-secret scanning of client-side JS, HTTP security headers, and CMS fingerprinting — that never send attack traffic.
Deep mode ($0.50) adds four more-intrusive engines on top of Standard's nine: directory/file brute-forcing, a dedicated SQL injection detector, passive OSINT recon (subdomains and emails from public sources), and DNS subdomain enumeration with a zone-transfer attempt.
By default every engine scans the target's anonymous, logged-out surface; supplying requestHeaders/cookies enables authenticated scanning across the CVE, content-discovery, injection-test, and native engines. Because several engines send real crawling, fuzzing, injection, and port-scanning traffic, every run must set permissionConfirmed: true, and the Actor refuses to start otherwise — only ever scan targets you own or have explicit authorization to test.
What it checks and does.
Active scan + known-CVE detection
Active crawling/fuzzing/injection testing, plus CVE, exposed-panel, and misconfiguration detection via an actively-maintained template set.Server, port & tech fingerprinting
Web-server misconfigurations, a top-1000 TCP port scan, and deep technology/version fingerprinting (CDNs, frameworks, JS libraries).DNS, email & secrets posture (passive)
SPF/DMARC/DKIM/BIMI email-spoofing checks, TLS/domain-expiry monitoring, leaked API keys/tokens in client-side JS, and HTTP security-header checks — none of these send attack traffic.CMS fingerprinting
Native detection for WordPress, Drupal, Joomla, and Magento — version disclosure and platform-specific misconfigurations, self-gated to the platform actually detected.Deep mode: injection, brute-force & recon
Directory/file brute-forcing, a dedicated SQL injection detector, passive OSINT recon, and subdomain enumeration with a zone-transfer attempt — gated behind the higher tier.Risk score, grade, SARIF + CI gating
A 0–100 risk score maps to a letter grade (A safest–F worst); outputFormat: "sarif" and failOnGrade/failOnSeverity support CI/CD gating.
Where it fits.
- Run an authorized, pre-launch security sweep across a web application
- Feed CVE and misconfiguration findings into a CI pipeline with severity gating
- Monitor email-spoofing protection (SPF/DMARC) and TLS/domain expiry on a schedule
- Combine active scanning, CVE detection, and server-misconfig checks into one report instead of stitching together separate tools
Call it with this.
| Field | Type | Required | Description |
|---|---|---|---|
url | string | Yes | The target to scan. |
permissionConfirmed | boolean | Yes | Must be true — the caller's representation that they own or are authorized to test the target. The Actor refuses to run without it. |
scanMode | "standard" | "deep" | No | "standard" (9 engines, $0.25) or "deep" (13 engines — adds SQL injection, directory brute-forcing & subdomain recon, $0.50). |
portScanTiming | "polite" | "normal" | "aggressive" | No | How fast port-scan probes the target; ignored unless port-scan runs. |
requestHeaders / cookies | object / string | No | Enables authenticated scanning across the CVE, content-discovery, injection-test, and native engines. |
outputFormat / failOnGrade / failOnSeverity | string | No | SARIF export and CI-gating thresholds, same pattern as the accessibility scanner. |
Pricing:Two flat event fees: $0.25 for a completed Standard-mode run, $0.50 for Deep mode — plus your own Apify platform compute/proxy usage for that run.
Frequently asked questions.
What's the difference between Standard and Deep mode?
Standard ($0.25) runs 9 engines: active scan, CVE scan, server scan, port scan, and tech fingerprint (all sending real traffic), plus 4 passive engines — DNS/email posture, JS-secrets, security headers, and CMS scan. Deep ($0.50) adds 4 more-intrusive engines: content discovery (directory brute-forcing), a dedicated injection test, OSINT recon, and subdomain enumeration.
Do I need authorization to scan a target?
Yes. Several engines send real crawling, fuzzing, injection, and port-scanning traffic. Every run must set permissionConfirmed: true as a representation that you own the target or have explicit permission to test it — the Actor will not start without it, and scanning a system without authorization can be illegal.
Can it do authenticated scanning, behind a login?
Yes — pass requestHeaders and/or cookies in the input and the CVE, content-discovery, injection-test, and native engines scan the authenticated surface as well as the anonymous one.
Can I gate a CI pipeline on scan severity?
Yes — set outputFormat: "sarif" for a SARIF 2.1.0 record you can upload to GitHub/GitLab code scanning, and failOnGrade/failOnSeverity make the run exit non-zero once a scan crosses your threshold.
Does this replace a professional penetration test?
No — it's built for continuous, automated coverage (CI/CD gating, recurring audits), not a substitute for manual, human-led testing. It also doesn't cover dedicated WordPress plugin/theme CVE enumeration (WPScan), full TLS protocol/cipher auditing, or client-side JS-library CVE detection.