{
  "openapi": "3.0.1",
  "info": {
    "title": "NF Vulnerability Scanner — All-in-One Website Security Audit",
    "description": "The most comprehensive all-in-one website vulnerability scanner on Apify. Multi-engine security testing — active scanning, CVE detection, server misconfig checks, plus SPF/DMARC email-spoofing checks and leaked-secret scanning. Structured JSON report with severities and priority grades.",
    "version": "0.1",
    "x-build-id": "u1CeqiookUPuP5hw3"
  },
  "servers": [
    {
      "url": "https://api.apify.com/v2"
    }
  ],
  "paths": {
    "/acts/nativefoundation-inc~vuln-scan-actor/run-sync-get-dataset-items": {
      "post": {
        "operationId": "run-sync-get-dataset-items-nativefoundation-inc-vuln-scan-actor",
        "x-openai-isConsequential": false,
        "summary": "Executes an Actor, waits for its completion, and returns Actor's dataset items in response.",
        "tags": [
          "Run Actor"
        ],
        "requestBody": {
          "required": true,
          "content": {
            "application/json": {
              "schema": {
                "$ref": "#/components/schemas/inputSchema"
              }
            }
          }
        },
        "parameters": [
          {
            "name": "token",
            "in": "query",
            "required": true,
            "schema": {
              "type": "string"
            },
            "description": "Enter your Apify token here"
          }
        ],
        "responses": {
          "200": {
            "description": "OK"
          }
        }
      }
    },
    "/acts/nativefoundation-inc~vuln-scan-actor/runs": {
      "post": {
        "operationId": "runs-sync-nativefoundation-inc-vuln-scan-actor",
        "x-openai-isConsequential": false,
        "summary": "Executes an Actor and returns information about the initiated run in response.",
        "tags": [
          "Run Actor"
        ],
        "requestBody": {
          "required": true,
          "content": {
            "application/json": {
              "schema": {
                "$ref": "#/components/schemas/inputSchema"
              }
            }
          }
        },
        "parameters": [
          {
            "name": "token",
            "in": "query",
            "required": true,
            "schema": {
              "type": "string"
            },
            "description": "Enter your Apify token here"
          }
        ],
        "responses": {
          "200": {
            "description": "OK",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/runsResponseSchema"
                }
              }
            }
          }
        }
      }
    },
    "/acts/nativefoundation-inc~vuln-scan-actor/run-sync": {
      "post": {
        "operationId": "run-sync-nativefoundation-inc-vuln-scan-actor",
        "x-openai-isConsequential": false,
        "summary": "Executes an Actor, waits for completion, and returns the OUTPUT from Key-value store in response.",
        "tags": [
          "Run Actor"
        ],
        "requestBody": {
          "required": true,
          "content": {
            "application/json": {
              "schema": {
                "$ref": "#/components/schemas/inputSchema"
              }
            }
          }
        },
        "parameters": [
          {
            "name": "token",
            "in": "query",
            "required": true,
            "schema": {
              "type": "string"
            },
            "description": "Enter your Apify token here"
          }
        ],
        "responses": {
          "200": {
            "description": "OK"
          }
        }
      }
    }
  },
  "components": {
    "schemas": {
      "inputSchema": {
        "type": "object",
        "required": [
          "url",
          "permissionConfirmed"
        ],
        "properties": {
          "url": {
            "title": "Target URL",
            "pattern": "^https?://.+",
            "type": "string",
            "description": "The website URL to scan (e.g. https://example.com). Must be publicly accessible."
          },
          "permissionConfirmed": {
            "title": "I have permission to scan this target",
            "type": "boolean",
            "description": "Required. Check this box to confirm that you own the target website or have explicit permission from its owner to run active security testing against it (crawling, fuzzing, injection, port scanning, and vulnerability probing — plus, in Deep mode, directory brute-forcing and subdomain/email reconnaissance). Scanning a system without authorization may be illegal (e.g. under the US Computer Fraud and Abuse Act, the UK Computer Misuse Act, or similar laws elsewhere) and may violate the target's terms of service. The scan will not run unless this is set to true.",
            "default": false
          },
          "scanMode": {
            "title": "Scan mode",
            "enum": [
              "standard",
              "deep"
            ],
            "type": "string",
            "description": "Standard ($0.25) runs 9 engines: cve-scan (known vulnerabilities & CVEs), server-scan (web server misconfigurations), active-scan (active crawling, fuzzing & injection testing), dns-posture (email spoofing protection, TLS/domain expiry), js-secrets (leaked credentials in client-side JavaScript), security-headers (missing/misconfigured HTTP security headers), port-scan (open TCP ports & exposed services), cms-scan (WordPress, Drupal, Joomla, and Magento fingerprinting & misconfiguration checks), and tech-fingerprint (deeper technology/version fingerprinting). Deep ($0.50) runs everything in Standard plus 4 more-intrusive engines: injection-test (dedicated SQL injection detection), content-discovery (directory/file brute-forcing for exposed paths), subdomain-enum (DNS zone-transfer misconfiguration check), and osint-recon (subdomains & email addresses from public sources).",
            "default": "standard"
          },
          "portScanTiming": {
            "title": "Port scan timing",
            "enum": [
              "polite",
              "normal",
              "aggressive"
            ],
            "type": "string",
            "description": "How fast the port-scan engine probes the target (ignored unless port-scan is selected above). Normal (default) is a moderate-speed balance. Aggressive is fastest, matching this engine's original behavior, but is more likely to trip rate limits or intrusion-detection alerts on the target. Polite spaces probes out even further than normal, trading speed for the lightest footprint. Polite scans take noticeably longer.",
            "default": "normal"
          },
          "proxyConfiguration": {
            "title": "Proxy configuration",
            "type": "object",
            "description": "Route the HTTP-based scan traffic through a proxy. Defaults to Apify's datacenter proxy, which works on all plans. For targets that block datacenter IPs, select the Residential group (requires Residential access on the account running this Actor). Proxy usage is billed to that account. Note: the port-scan engine, the passive native engines (dns-posture, js-secrets, security-headers, cms-scan), and (Deep mode only) osint-recon/subdomain-enum (which never contact the target directly — they query public sources and DNS servers instead) always connect directly, so those probes originate from this Actor's own IP even when a proxy is selected.",
            "default": {
              "useApifyProxy": true
            }
          },
          "requestHeaders": {
            "title": "Custom request headers",
            "type": "object",
            "description": "Extra HTTP headers to send to the target, as a JSON object (e.g. {\"Authorization\": \"Bearer <token>\"}). Use this for authenticated scanning so the engines reach the logged-in surface instead of only public pages. Sent only to the target's own origin — never forwarded to third-party hosts. Applied to the CVE, content-discovery, injection-test, and the passive native engines; active-scan and server-scan run unauthenticated."
          },
          "cookies": {
            "title": "Session cookie",
            "type": "string",
            "description": "A Cookie header value (e.g. \"session=abc123\") sent to the target for authenticated scanning. Same origin scoping and engine coverage as Custom request headers."
          },
          "outputFormat": {
            "title": "Output format",
            "enum": [
              "json",
              "sarif",
              "both"
            ],
            "type": "string",
            "description": "What to write. \"json\" (default) writes the normalized JSON report to the OUTPUT key-value record and the dataset. \"sarif\" also writes a SARIF 2.1.0 record (OUTPUT.sarif) for GitHub/GitLab code scanning. \"both\" is an alias for json + sarif.",
            "default": "json"
          },
          "failOnGrade": {
            "title": "Fail run at grade (CI gate)",
            "enum": [
              "",
              "B",
              "C",
              "D",
              "F"
            ],
            "type": "string",
            "description": "Optional. If set, the run exits with a non-zero code when the risk grade is this letter or worse — so a CI pipeline can block a deploy on it. The report is still written and the run is still charged. Leave unset to always exit 0.",
            "default": ""
          },
          "failOnSeverity": {
            "title": "Fail run at severity (CI gate)",
            "enum": [
              "",
              "low",
              "medium",
              "high",
              "critical"
            ],
            "type": "string",
            "description": "Optional. If set, the run exits with a non-zero code when any finding is at this severity or higher. Independent of Fail run at grade; either condition triggers a failure.",
            "default": ""
          }
        }
      },
      "runsResponseSchema": {
        "type": "object",
        "properties": {
          "data": {
            "type": "object",
            "properties": {
              "id": {
                "type": "string"
              },
              "actId": {
                "type": "string"
              },
              "userId": {
                "type": "string"
              },
              "startedAt": {
                "type": "string",
                "format": "date-time",
                "example": "2025-01-08T00:00:00.000Z"
              },
              "finishedAt": {
                "type": "string",
                "format": "date-time",
                "example": "2025-01-08T00:00:00.000Z"
              },
              "status": {
                "type": "string",
                "example": "READY"
              },
              "meta": {
                "type": "object",
                "properties": {
                  "origin": {
                    "type": "string",
                    "example": "API"
                  },
                  "userAgent": {
                    "type": "string"
                  }
                }
              },
              "stats": {
                "type": "object",
                "properties": {
                  "inputBodyLen": {
                    "type": "integer",
                    "example": 2000
                  },
                  "rebootCount": {
                    "type": "integer",
                    "example": 0
                  },
                  "restartCount": {
                    "type": "integer",
                    "example": 0
                  },
                  "resurrectCount": {
                    "type": "integer",
                    "example": 0
                  },
                  "computeUnits": {
                    "type": "integer",
                    "example": 0
                  }
                }
              },
              "options": {
                "type": "object",
                "properties": {
                  "build": {
                    "type": "string",
                    "example": "latest"
                  },
                  "timeoutSecs": {
                    "type": "integer",
                    "example": 300
                  },
                  "memoryMbytes": {
                    "type": "integer",
                    "example": 1024
                  },
                  "diskMbytes": {
                    "type": "integer",
                    "example": 2048
                  }
                }
              },
              "buildId": {
                "type": "string"
              },
              "defaultKeyValueStoreId": {
                "type": "string"
              },
              "defaultDatasetId": {
                "type": "string"
              },
              "defaultRequestQueueId": {
                "type": "string"
              },
              "buildNumber": {
                "type": "string",
                "example": "1.0.0"
              },
              "containerUrl": {
                "type": "string"
              },
              "usage": {
                "type": "object",
                "properties": {
                  "ACTOR_COMPUTE_UNITS": {
                    "type": "integer",
                    "example": 0
                  },
                  "DATASET_READS": {
                    "type": "integer",
                    "example": 0
                  },
                  "DATASET_WRITES": {
                    "type": "integer",
                    "example": 0
                  },
                  "KEY_VALUE_STORE_READS": {
                    "type": "integer",
                    "example": 0
                  },
                  "KEY_VALUE_STORE_WRITES": {
                    "type": "integer",
                    "example": 1
                  },
                  "KEY_VALUE_STORE_LISTS": {
                    "type": "integer",
                    "example": 0
                  },
                  "REQUEST_QUEUE_READS": {
                    "type": "integer",
                    "example": 0
                  },
                  "REQUEST_QUEUE_WRITES": {
                    "type": "integer",
                    "example": 0
                  },
                  "DATA_TRANSFER_INTERNAL_GBYTES": {
                    "type": "integer",
                    "example": 0
                  },
                  "DATA_TRANSFER_EXTERNAL_GBYTES": {
                    "type": "integer",
                    "example": 0
                  },
                  "PROXY_RESIDENTIAL_TRANSFER_GBYTES": {
                    "type": "integer",
                    "example": 0
                  },
                  "PROXY_SERPS": {
                    "type": "integer",
                    "example": 0
                  }
                }
              },
              "usageTotalUsd": {
                "type": "number",
                "example": 0.00005
              },
              "usageUsd": {
                "type": "object",
                "properties": {
                  "ACTOR_COMPUTE_UNITS": {
                    "type": "integer",
                    "example": 0
                  },
                  "DATASET_READS": {
                    "type": "integer",
                    "example": 0
                  },
                  "DATASET_WRITES": {
                    "type": "integer",
                    "example": 0
                  },
                  "KEY_VALUE_STORE_READS": {
                    "type": "integer",
                    "example": 0
                  },
                  "KEY_VALUE_STORE_WRITES": {
                    "type": "number",
                    "example": 0.00005
                  },
                  "KEY_VALUE_STORE_LISTS": {
                    "type": "integer",
                    "example": 0
                  },
                  "REQUEST_QUEUE_READS": {
                    "type": "integer",
                    "example": 0
                  },
                  "REQUEST_QUEUE_WRITES": {
                    "type": "integer",
                    "example": 0
                  },
                  "DATA_TRANSFER_INTERNAL_GBYTES": {
                    "type": "integer",
                    "example": 0
                  },
                  "DATA_TRANSFER_EXTERNAL_GBYTES": {
                    "type": "integer",
                    "example": 0
                  },
                  "PROXY_RESIDENTIAL_TRANSFER_GBYTES": {
                    "type": "integer",
                    "example": 0
                  },
                  "PROXY_SERPS": {
                    "type": "integer",
                    "example": 0
                  }
                }
              }
            }
          }
        }
      }
    }
  }
}