974 rules. 15 languages. Four scan types.
SAST, IAST, DAST, and WAF assessment with bypass detection. Integrated into your CI/CD pipeline via GitHub Action. Results delivered to your H2 Platform dashboard.
- name: H2 Security Scan
  uses: h2security/scanner@v1
  with:
    target: ${{ github.workspace }}
    api-key: ${{ secrets.H2_API_KEY }}
CAPABILITIES
Hardcoded API keys, tokens, passwords, and credentials in your source code. Catches what .gitignore misses.
SQL injection, XSS, SSRF, command injection, and hundreds more. Mapped to CWE and OWASP Top 10.
Known CVEs in your dependencies. License compliance. Outdated packages with available fixes.
Test your web application firewall rules. Detect bypasses before attackers do.
Infrastructure-as-code misconfigurations in Terraform, Kubernetes manifests, and Dockerfiles.
Findings mapped to SOC2, CIS, and OWASP frameworks. Audit-ready reports.
SCAN TYPES
SAST
Analyze source code without executing it. Finds injection flaws, hardcoded secrets, insecure patterns.
IAST
Runtime instrumentation during testing. Combines the depth of SAST with the context of DAST.
DAST
Test running applications from the outside. Discovers vulnerabilities visible in production.
WAF
Evaluate your WAF rules against real attack payloads. Find gaps in your edge protection.
LANGUAGES
INTEGRATION
Drop the H2 Scanner action into your workflow file. One YAML block.
The scanner runs automatically on every push and pull request. Results posted as PR comments.
Full findings in your H2 Platform dashboard. Prioritized by severity, mapped to frameworks.
PLANS
Part of the H2 Security Platform. Choose the plan that fits your team.
Individual practitioners: $49/mo or $399/year
Security engineers, small teams: $149/mo or $1,299/year
Security teams: $299/mo or $2,899/year
Enterprise: $599/mo or custom annual
Add the scanner to your pipeline today.