VulnProScan by Dynamgenix IT Corp

How VulnProScan works

A step-by-step breakdown of how VulnProScan covers your entire application stack — from web app DAST and API security testing through container scanning, Kubernetes workload analysis, dependency SCA, and unified findings remediation.

Covers: IaC Scanning, SAST, Cloud Audit, Multi-User Teams, Web App (DAST), API Security, Container CVEs, Kubernetes, Dependencies / SCA
Step 01

Web Application Scanning

Connect your web applications and VulnProScan runs DAST scans across 15 security domains. Results appear in your dashboard — no agents, no code changes required.

Connect your web applications

Add the URLs of web applications you own or have authorization to test. VulnProScan records your authorization acknowledgment before any scan traffic is sent.

DAST scanning across 15 security domains

The scanner exercises real pages, forms, and API endpoints — identifying injection flaws (XSS, SQL injection), CSRF, authentication weaknesses, session vulnerabilities, missing or weak security headers, TLS misconfigurations, and more.

Authenticated scanning for deeper coverage

Provide login credentials and VulnProScan scans protected application areas that anonymous scans cannot reach — uncovering IDOR, broken access control, and session management issues hidden behind authentication. Because an authenticated scan submits forms and exercises state-changing functions, use a dedicated test account and, where possible, a non-production instance.

Results in your dashboard

Findings appear in real time as the scan progresses. Each result includes the affected URL, severity, evidence (request/response), and remediation guidance aligned to the detected vulnerability type.
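The header and cookie-flag checks in the DAST step above, shown as an added example rather than VulnProScan's own code. The HTTP response is constructed, the target URL is hypothetical, and the checks assume the page was fetched over HTTPS. Each finding carries the offending header line as evidence, in the same spirit as the request/response evidence the dashboard attaches to results.

```python
"""Response-header and cookie-flag checks of the kind a DAST pass runs.

Added example, not VulnProScan's code. The response below is constructed;
the checks assume the target was fetched over HTTPS.
"""
import re

# Constructed response from a hypothetical target (not a real host).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: SESSIONID=3f9a1c; Path=/\r\n"
    "Set-Cookie: theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)


def parse_headers(raw: str) -> tuple[str, list[tuple[str, str]]]:
    """Split a raw HTTP/1.1 response into its status line and (name, value) pairs.

    Duplicate headers (several Set-Cookie lines) are preserved in order.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    status, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def check_response(raw: str, url: str) -> list[dict]:
    """Return findings as dicts with check, severity and an evidence string."""
    _status, headers = parse_headers(raw)
    present = {name for name, _ in headers}
    values = {name: value for name, value in headers}  # last wins; only used for singletons
    findings: list[dict] = []

    def flag(check: str, severity: str, evidence: str) -> None:
        findings.append({"check": check, "severity": severity, "evidence": evidence})

    # Transport: HSTS only means something on an HTTPS origin.
    if url.startswith("http://"):
        flag("plaintext-transport", "High", url)
    elif "strict-transport-security" not in present:
        flag("missing-hsts", "Medium", "no Strict-Transport-Security header")

    csp = values.get("content-security-policy", "")
    if not csp:
        flag("missing-csp", "Medium", "no Content-Security-Policy header")
    if values.get("x-content-type-options", "").lower() != "nosniff":
        flag("missing-nosniff", "Low", "no X-Content-Type-Options: nosniff")
    # Framing is controlled by either X-Frame-Options or CSP frame-ancestors.
    if "x-frame-options" not in present and "frame-ancestors" not in csp:
        flag("clickjacking", "Medium", "neither X-Frame-Options nor CSP frame-ancestors set")
    server = values.get("server", "")
    if re.search(r"\d", server):
        flag("version-disclosure", "Info", f"Server: {server}")

    # Session handling: every cookie should carry Secure, HttpOnly and SameSite.
    for name, value in headers:
        if name != "set-cookie":
            continue
        attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
        for attr, severity in (("secure", "Medium"), ("httponly", "Low"), ("samesite", "Low")):
            if attr not in attrs:
                flag(f"cookie-missing-{attr}", severity, f"Set-Cookie: {value}")
    return findings


if __name__ == "__main__":
    for f in check_response(SAMPLE_RESPONSE, "https://app.example.test/"):
        print(f'{f["severity"]:<6} {f["check"]:<24} {f["evidence"]}')
```

Run against the constructed response, the checks report the missing HSTS, CSP and nosniff headers, the Apache version string, and the three missing flags on SESSIONID; the theme cookie and the X-Frame-Options header pass.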

Step 02

API Security Scanning

Import OpenAPI/Swagger specifications or connect GraphQL endpoints. VulnProScan generates and runs targeted security tests against your API surface — finding issues that web scans alone won't catch.

Import OpenAPI specs or connect endpoints

Upload an OpenAPI 3.x or Swagger 2.x specification file, or point VulnProScan at a live GraphQL endpoint. The platform parses your API definition to build a complete test plan automatically.

Automated API security test generation

VulnProScan generates test cases for each discovered endpoint and parameter — including authentication bypass attempts, injection payloads, and excessive data exposure probes — based on the API schema.

Identify authorization bypasses and injection flaws

Tests cover BOLA/IDOR vulnerabilities, missing function-level access controls, injection in query parameters and request bodies, and API misconfigurations like overly permissive CORS or verbose error responses.

GraphQL introspection and schema analysis

For GraphQL endpoints, VulnProScan checks whether introspection is publicly enabled, tests for injection in queries, and analyzes the schema for excessive field exposure and unintended mutation capabilities.
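How a test plan can be derived from an OpenAPI schema, covering the test generation and the authorization-bypass and injection cases described in this step. This is an added example and not VulnProScan's generator. The OpenAPI document, the service URL, the user identifiers and the payload list are all constructed; the code describes the requests it would send and sends nothing. GraphQL is not covered here.

```python
"""Deriving an API security test plan from an OpenAPI 3 document.

Added example, not VulnProScan's code. The spec, identifiers and payloads
are constructed; the functions describe requests and send nothing.
"""
from collections import Counter

HTTP_METHODS = {"get", "post", "put", "patch", "delete"}

# Constructed OpenAPI 3 fragment for a hypothetical service.
SPEC = {
    "openapi": "3.0.3",
    "servers": [{"url": "https://api.example.test/v1"}],
    "security": [{"bearerAuth": []}],  # document default: every operation needs a token
    "paths": {
        "/users/{userId}": {
            # Path-level parameters apply to every operation under the path.
            "parameters": [{"name": "userId", "in": "path", "required": True,
                            "schema": {"type": "string"}}],
            "get": {"responses": {"200": {"content": {"application/json": {"schema": {
                "type": "object",
                "properties": {"id": {"type": "string"}, "email": {"type": "string"}}}}}}}},
            "delete": {},
        },
        "/orders": {
            "get": {"parameters": [{"name": "status", "in": "query",
                                    "schema": {"type": "string"}}]},
            "post": {"requestBody": {"content": {"application/json": {"schema": {
                "type": "object",
                "properties": {"sku": {"type": "string"}, "qty": {"type": "integer"}}}}}}},
        },
        "/health": {"get": {"security": []}},  # explicitly anonymous
    },
}

# One payload per injection class; a real scanner carries many more per class.
INJECTION_PAYLOADS = {
    "sqli": "' OR '1'='1",
    "path-traversal": "../../../../etc/passwd",
    "template": "{{7*7}}",
}


def requires_auth(spec: dict, op: dict) -> bool:
    """Operation-level security overrides the document default; [] means public."""
    return bool(op["security"] if "security" in op else spec.get("security", []))


def json_schema(node: dict) -> dict:
    return node.get("content", {}).get("application/json", {}).get("schema", {})


def string_params(item: dict, op: dict) -> list[dict]:
    """Path-level plus operation-level parameters whose schema type is string."""
    params = item.get("parameters", []) + op.get("parameters", [])
    return [p for p in params if p.get("schema", {}).get("type") == "string"]


def generate_plan(spec: dict, victim_id: str = "usr_1001", attacker_id: str = "usr_2002") -> list[dict]:
    """Return one dict per test case: kind, method, path and case-specific fields."""
    plan: list[dict] = []
    for path, item in spec["paths"].items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            base = {"method": method.upper(), "path": path}
            authed = requires_auth(spec, op)
            if authed:
                # Authentication bypass: no token, then a syntactically bad token.
                plan.append({**base, "kind": "auth-bypass", "headers": {}, "expect": (401, 403)})
                plan.append({**base, "kind": "auth-bypass",
                             "headers": {"Authorization": "Bearer invalid"}, "expect": (401,)})
            for p in string_params(item, op):
                # BOLA/IDOR: attacker's token against an object that belongs to the victim.
                if authed and p["in"] == "path" and p["name"].lower().endswith("id"):
                    plan.append({**base, "kind": "bola", "path_params": {p["name"]: victim_id},
                                 "as_user": attacker_id, "expect": (403, 404)})
                for payload_name, payload in INJECTION_PAYLOADS.items():
                    plan.append({**base, "kind": "injection", "location": p["in"],
                                 "param": p["name"], "payload": payload_name, "value": payload})
            # Injection into string fields of a JSON request body.
            for field, schema in json_schema(op.get("requestBody", {})).get("properties", {}).items():
                if schema.get("type") == "string":
                    for payload_name, payload in INJECTION_PAYLOADS.items():
                        plan.append({**base, "kind": "injection", "location": "body",
                                     "param": field, "payload": payload_name, "value": payload})
            # Excessive data exposure: the live response is later diffed against the documented fields.
            documented = json_schema(op.get("responses", {}).get("200", {})).get("properties")
            if method == "get" and documented:
                plan.append({**base, "kind": "data-exposure", "documented_fields": sorted(documented)})
    return plan


def summarize(plan: list[dict]) -> dict[str, int]:
    return dict(Counter(c["kind"] for c in plan))
```

For the constructed spec this yields 23 cases: eight authentication-bypass probes, two BOLA probes (GET and DELETE on `/users/{userId}`), twelve injection probes across path, query and body parameters, and one data-exposure check; the anonymous `/health` endpoint gets none.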

Step 03

Container Scanning

Connect container registries and VulnProScan scans images for CVEs, OS package vulnerabilities, and misconfigurations — before those images reach production.

Connect container registries

VulnProScan integrates with Docker Hub, Amazon ECR, Azure Container Registry (ACR), and Google Container Registry (GCR). Authenticate once and scan any image in your registry.

CVE detection and OS package scanning

Each image layer is analyzed against current CVE databases. OS packages installed by the distribution package manager (apt/dpkg, yum/rpm, apk) and language runtime packages are inventoried and cross-referenced for known vulnerabilities with CVSS scores.

Misconfiguration analysis

Beyond CVEs, the scanner checks for common container misconfigurations — running as root, exposed sensitive ports, world-writable file systems, and insecure environment variable usage that could be exploited at runtime.

Shift-left: scan before deployment

Integrate container scanning into your CI/CD pipeline or run on-demand scans from the dashboard. Block vulnerable images before they reach staging or production environments.

Step 04

Kubernetes Integration

Deploy a lightweight cluster scanner and VulnProScan discovers your running workloads, analyzes their container images, and continuously monitors your cluster security posture.

Lightweight cluster scanner deployment

The VulnProScan cluster agent deploys as a single pod with read-only cluster permissions. No modification to existing workloads or network policies is required — it observes rather than interferes.

Workload discovery and image inventory

The scanner automatically discovers all running pods, deployments, DaemonSets, and StatefulSets. For each workload, it inventories the container images in use and cross-references them against your container scan findings.

Kubernetes misconfiguration checks

Beyond image vulnerabilities, the scanner evaluates cluster configuration — privileged containers, hostPath mounts, missing resource limits, open network policies, and RBAC misconfigurations that could allow lateral movement.
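The kind of spec-level checks behind the container misconfiguration analysis in Step 03 (running as root) and the Kubernetes checks just described (privileged containers, hostPath mounts, missing resource limits, RBAC), written here as an added example rather than VulnProScan's agent. It assumes the manifests have already been retrieved from the API server as dicts, for instance from `kubectl get -o json`; the Deployment and Role below are constructed, as are the image name and namespace.

```python
"""Spec-level misconfiguration checks of the kind a cluster scanner runs.

Added example, not VulnProScan's agent. It assumes manifests have already
been fetched from the API server as dicts (e.g. from `kubectl get -o json`);
the two manifests below are constructed.
"""

# Constructed: a Deployment that is privileged, shares the host PID namespace,
# mounts the host root filesystem and declares no resource limits.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "legacy-agent", "namespace": "ops"},
    "spec": {"template": {"spec": {
        "hostPID": True,
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
        "containers": [{
            "name": "agent",
            "image": "registry.example.test/legacy-agent:1.4",
            "securityContext": {"privileged": True},
            "volumeMounts": [{"name": "root", "mountPath": "/host"}],
        }],
    }}},
}

# Constructed: a Role whose wildcard verbs grant exec into pods and Secret reads.
SAMPLE_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "debug", "namespace": "ops"},
    "rules": [{"apiGroups": [""], "resources": ["pods/exec", "secrets"], "verbs": ["*"]}],
}


def pod_spec(obj: dict) -> dict:
    """PodSpec of a bare Pod or of any workload carrying a pod template."""
    return obj["spec"] if obj["kind"] == "Pod" else obj["spec"]["template"]["spec"]


def audit_workload(obj: dict) -> list[tuple[str, str, str]]:
    """Return (subject, severity, message) tuples for a Pod, Deployment, DaemonSet or StatefulSet."""
    meta = obj["metadata"]
    subject = f'{obj["kind"]}/{meta.get("namespace", "default")}/{meta["name"]}'
    spec = pod_spec(obj)
    findings = []
    for key in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(key):
            findings.append((subject, "High", f"{key}: true shares a host namespace"))
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append((subject, "High",
                             f'hostPath volume {vol["name"]} exposes {vol["hostPath"].get("path")}'))
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        who = f'{subject}:{c["name"]}'
        sc = {**pod_sc, **c.get("securityContext", {})}  # container fields override pod fields
        if sc.get("privileged"):
            findings.append((who, "Critical", "privileged: true (host devices and all capabilities)"))
        # Without the image's USER directive we can only say the spec does not forbid root.
        if not sc.get("runAsNonRoot") and sc.get("runAsUser", 0) == 0:
            findings.append((who, "Medium", "may run as root: runAsNonRoot unset, runAsUser unset or 0"))
        limits = c.get("resources", {}).get("limits", {})
        if "cpu" not in limits or "memory" not in limits:
            findings.append((who, "Low", "no cpu/memory limits (resource exhaustion risk)"))
    return findings


def audit_role(role: dict) -> list[tuple[str, str, str]]:
    """Flag Role/ClusterRole rules that enable lateral movement."""
    meta = role["metadata"]
    subject = f'{role["kind"]}/{meta.get("namespace", "cluster")}/{meta["name"]}'
    findings = []
    for rule in role.get("rules", []):
        verbs, resources = set(rule.get("verbs", [])), set(rule.get("resources", []))
        if "*" in verbs or "*" in resources:
            findings.append((subject, "High", f"wildcard rule: {sorted(verbs)} on {sorted(resources)}"))
        if "pods/exec" in resources and verbs & {"create", "*"}:
            findings.append((subject, "High", "can exec into pods"))
        if "secrets" in resources and verbs & {"get", "list", "watch", "*"}:
            findings.append((subject, "High", "can read Secrets"))
    return findings


if __name__ == "__main__":
    for subject, severity, message in audit_workload(SAMPLE_DEPLOYMENT) + audit_role(SAMPLE_ROLE):
        print(f"{severity:<8} {subject:<40} {message}")
```

The root check is deliberately conservative: a pod spec that neither sets `runAsNonRoot` nor a non-zero `runAsUser` may still run unprivileged if the image sets a USER, which is why a cluster scanner cross-references the image inventory before raising severity.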

Continuous monitoring of cluster security posture

As new workloads are deployed or existing ones are updated, the scanner detects changes and triggers re-analysis. Available on Pro and above — findings surface alongside all other scan results in the unified dashboard.

Step 05

Dependency Scanning / SCA

Upload dependency manifests or connect repositories and VulnProScan identifies vulnerable libraries across your JavaScript, Python, and Java projects — generating SBOM output for compliance.

Upload manifests or connect repositories

Support for package.json/package-lock.json (Node.js), requirements.txt/Pipfile (Python), pom.xml/build.gradle (Java/Maven/Gradle), and more. Upload files directly or connect your repository for automatic discovery.

Vulnerable dependency detection

Dependency trees are resolved and each package version is checked against current vulnerability databases. Transitive (indirect) dependencies are included — not just the top-level libraries you explicitly declared.

Remediation guidance with fix versions

Each vulnerability finding includes the affected package, CVE reference, severity score, and — where available — the minimum safe version to upgrade to. Actionable guidance without requiring a dedicated AppSec analyst.

SBOM generation for compliance and audit

VulnProScan produces a Software Bill of Materials (SBOM) cataloging all identified components and their versions. Export in standard formats for compliance evidence, procurement requirements, or third-party security reviews.
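The mechanics of the three points above, resolving a lockfile including nested transitive dependencies, matching each version against an advisory range to report the minimum fixed version, and emitting a component list keyed by Package URL, as an added example that is not VulnProScan's code. The package-lock.json, the package names and the advisories are constructed; the advisory identifiers are placeholders, not CVE numbers.

```python
"""Lockfile resolution, transitive vulnerability matching and SBOM output.

Added example, not VulnProScan's code. The package-lock.json, package names
and advisories are constructed (the advisory IDs are placeholders, not CVEs).
"""
import re

# Constructed package-lock.json v3 content. Note the two copies of ansi-tool:
# 4.0.0 is hoisted to the top level, 3.1.0 is nested under log-fmt.
LOCKFILE = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"app-router": "^2.0.0", "log-fmt": "^1.0.0"}},
        "node_modules/app-router": {"version": "2.3.0",
                                    "dependencies": {"path-match": "^0.9.0", "ansi-tool": "^4.0.0"}},
        "node_modules/path-match": {"version": "0.9.2"},
        "node_modules/ansi-tool": {"version": "4.0.0"},
        "node_modules/log-fmt": {"version": "1.4.0", "dependencies": {"ansi-tool": "^3.0.0"}},
        "node_modules/log-fmt/node_modules/ansi-tool": {"version": "3.1.0"},
    },
}

# Constructed advisory feed: affected range and the minimum fixed version.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "path-match", "affected": "<0.9.5",
     "fixed": "0.9.5", "severity": "High"},
    {"id": "EXAMPLE-ADV-0002", "package": "ansi-tool", "affected": ">=3.0.0 <3.2.1",
     "fixed": "3.2.1", "severity": "Medium"},
]

_BOUND = re.compile(r"(<=|>=|<|>|=)?\s*(\d+(?:\.\d+)*)")


def parse_version(v: str) -> tuple[int, ...]:
    """'1.2.3-beta.1' -> (1, 2, 3); prerelease tags are ignored for brevity."""
    return tuple(int(x) for x in v.split("-", 1)[0].split("."))


def in_range(version: str, spec: str) -> bool:
    """True if version satisfies every space-separated bound in spec, e.g. '>=3.0.0 <3.2.1'."""
    v = parse_version(version)
    ops = {"<": v.__lt__, "<=": v.__le__, ">": v.__gt__, ">=": v.__ge__, "=": v.__eq__}
    return all(ops[op or "="](parse_version(bound)) for op, bound in _BOUND.findall(spec))


def resolve(packages: dict, parent: str, name: str) -> str:
    """Node's lookup rule: nearest node_modules/<name> at or above the parent's path."""
    path = parent
    while True:
        key = f"{path}/node_modules/{name}" if path else f"node_modules/{name}"
        if key in packages:
            return key
        if not path:
            raise KeyError(f"{name} not in lockfile")
        path = path.rsplit("/node_modules/", 1)[0] if "/node_modules/" in path else ""


def walk(packages: dict):
    """Yield (name, version, chain) for every reachable package, depth-first from the root."""
    seen: set[str] = set()

    def visit(parent: str, chain: list[str]):
        for dep in packages[parent].get("dependencies", {}):
            key = resolve(packages, parent, dep)
            if key in seen:
                continue
            seen.add(key)
            version = packages[key]["version"]
            new_chain = chain + [f"{dep}@{version}"]
            yield dep, version, new_chain
            yield from visit(key, new_chain)

    yield from visit("", [])


def scan(lockfile: dict, advisories: list[dict]) -> list[dict]:
    """Match every resolved package, direct or transitive, against the advisories."""
    findings = []
    for name, version, chain in walk(lockfile["packages"]):
        for adv in advisories:
            if adv["package"] == name and in_range(version, adv["affected"]):
                findings.append({"id": adv["id"], "package": name, "version": version,
                                 "severity": adv["severity"], "fix_version": adv["fixed"],
                                 "direct": len(chain) == 1, "chain": " > ".join(chain)})
    return findings


def sbom(lockfile: dict) -> list[dict]:
    """Minimal component list keyed by Package URL, the identifier SBOM formats use."""
    components = {}
    for name, version, _ in walk(lockfile["packages"]):
        components[f"pkg:npm/{name}@{version}"] = {"name": name, "version": version}
    return [{"purl": purl, **c} for purl, c in sorted(components.items())]


if __name__ == "__main__":
    for f in scan(LOCKFILE, ADVISORIES):
        print(f'{f["severity"]:<7} {f["id"]} {f["chain"]}  fix: upgrade {f["package"]} to >= {f["fix_version"]}')
```

Both findings here are transitive: nothing in the root manifest names path-match or ansi-tool, and the hoisted ansi-tool 4.0.0 is clean while the copy nested under log-fmt is not, which is exactly the case a manifest-only check misses. The dependency chain in each finding tells the developer which direct dependency to bump.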

Step 06

Findings & Remediation

All findings from every scan type surface in one unified dashboard. Filter, prioritize, remediate, and verify — then export reports for compliance and stakeholder review.

Unified findings dashboard

Web app, API, container, Kubernetes, and dependency findings all appear in a single view. Filter by severity (Critical / High / Medium / Low), asset type, scan type, or date range to focus on what matters most.

Remediation wizards

High-value findings include structured, OWASP-aligned fix steps — specific controls and code patterns relevant to the technology and vulnerability detected. Any developer on your team can act on results without waiting for a specialist.

On-demand rescans to verify fixes

After applying a fix, trigger a targeted rescan from the dashboard to confirm the vulnerability is resolved. This produces a clean verification record without scheduling a full assessment.

Reports, exports, and integrations

Export findings as PDF or JSON for compliance evidence and management review. Route high-severity alerts to Slack or Jira automatically. Business plans add compliance-oriented reporting and team RBAC for larger organizations.

Ready to get started?

Start your 14-day free trial — no credit card required. Full platform access from day one.

