Quick Start

GitHub App (zero-config)

Path A — GitHub App

No CI/CD pipelines, no Dockerfiles, no API keys. Install once, every push and pull request gets scanned automatically.

Step 1 — Create an account

Sign up at vouch-secure.com . The Hobby tier is free, no credit card required.

Step 2 — Install the GitHub App

In the dashboard, open Developer Portal and click Install on GitHub. Authorize the app for the repos you want monitored.

Step 3 — Wait for the first scan

Vouch triggers an initial scan automatically after installation. Most repos complete in 3–6 minutes.

Step 4 — Review and embed the badge

You’ll see a 0–100 Vouch Score and a list of findings — each with an AI-generated explanation and, where available, a ready-to-apply fix.

Embed the live badge in your README.md:

[![Vouch Score](https://api.vouch-secure.com/badge/YOUR_INSTALLATION_ID)](https://vouch-secure.com)

Replace YOUR_INSTALLATION_ID with the ID shown in Developer Portal → Vouch Security Badge.

API (programmatic)

Path B — Public API

For CI integrations, custom dashboards, or anyone who wants to trigger scans from their own tooling.

Step 1 — Create an account

Sign up at vouch-secure.com .

Step 2 — Generate an API key

Open the Developer Portal, click Generate API Key, and copy it immediately — you won’t see it again after leaving the page.

Step 3 — Trigger a scan

curl -X POST https://api.vouch-secure.com/scan-repo-url \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $VOUCH_API_KEY" \
  -d '{"repo_url": "https://github.com/owner/repo"}'
# → {"scan_id": "...", "status": "processing", ...}

Step 4 — Poll for results

curl -s "https://api.vouch-secure.com/scans/$SCAN_ID" \
  -H "X-API-Key: $VOUCH_API_KEY" | jq '.status, .score'

Or skip polling and pass callback_url + callback_secret in the trigger request to receive an HMAC-signed webhook the moment the scan completes. Full details in the API Reference.