Use case: DevSecOps

Built for DevSecOps

Shift security left without slowing down your team. Scan pull requests, fail builds on severity, and ship patches faster.

You know this pain

DevSecOps is mostly being the only security-minded person in a room of engineers who want to ship.

Every tool is a one-off

You have nmap in a cron job, nuclei in a bash script, and a vendor portal for DAST. No single place to see what ran and what it found.

CI pipelines drift

Your scanner image is three majors behind. Builds pass and the findings never change. Nobody notices until a CVE hits the news.

Findings rot in Jira

Vulnerabilities get tickets and then sit there for 120 days. No SLA, no escalation, no visibility for the security team.

What Metric Tower gives you

One platform. The tools you would have glued together yourself, orchestrated for you.

CI/CD-first CLI

A scan:ci Artisan command built for pipelines. Non-zero exit on severity thresholds, structured output, and JSON for machine consumers.

PR-gate scans

Run light-intensity scans against staging URLs on every pull request. Post findings back via webhook or open tickets in GitHub Issues.

SARIF exports

Every scan can be exported as SARIF, so findings show up natively in GitHub Code Scanning and other SARIF-aware tools.

Webhook alerts

Subscribe to scan lifecycle events and finding events. Signed payloads, retry-safe, and compatible with any intake system you run.
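What the receiving side of those webhooks should do is the part the page leaves to you. The following is an added example, not Metric Tower's own code: it assumes a hypothetical scheme in which a header named X-Signature carries a hex HMAC-SHA256 over the raw request body, and each event JSON carries an "id" field. With those assumptions it verifies the signature in constant time before parsing anything, and deduplicates by event id so a retried delivery is acknowledged without being processed twice. The secret and sample delivery are constructed.

```python
"""Webhook intake: signature check first, then replay-safe dedup.

Added example, not Metric Tower's code. Assumptions (the page documents
neither): header X-Signature = hex(HMAC-SHA256(secret, raw_body)), and
every event body carries a unique "id". Secret and body are constructed.
"""
import hashlib
import hmac
import json

# Constructed shared secret and sample delivery (not real values).
SECRET = b"example-shared-secret"
SAMPLE_BODY = json.dumps({
    "id": "evt_0001",
    "type": "scan.completed",
    "scan": {"target": "staging.example.com"},
}).encode()


def sign(body: bytes, secret: bytes) -> str:
    """Hex HMAC-SHA256 over the raw body (assumed scheme)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify(body: bytes, signature_header: str, secret: bytes) -> bool:
    """Constant-time compare on the raw bytes, before any JSON parsing."""
    expected = sign(body, secret)
    return hmac.compare_digest(expected, signature_header or "")


class WebhookIntake:
    """Minimal intake state: which event ids were already accepted."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen = set()
        self.accepted = []

    def handle(self, body: bytes, signature_header: str) -> int:
        """Return an HTTP-style status: 401 on bad signature, 200 otherwise.

        A duplicate id (a retried delivery) is acknowledged with 200 so the
        sender stops retrying, but it is not appended to `accepted` again.
        """
        if not verify(body, signature_header, self.secret):
            return 401
        event = json.loads(body)
        event_id = event.get("id")
        if event_id in self.seen:
            return 200
        self.seen.add(event_id)
        self.accepted.append(event)
        return 200


if __name__ == "__main__":
    intake = WebhookIntake(SECRET)
    sig = sign(SAMPLE_BODY, SECRET)
    print(intake.handle(SAMPLE_BODY, sig), len(intake.accepted))  # first delivery
    print(intake.handle(SAMPLE_BODY, sig), len(intake.accepted))  # retry, not reprocessed
    print(intake.handle(SAMPLE_BODY + b" ", sig))                  # tampered body
```

Two design points carry over whatever the real scheme turns out to be: verify over the raw bytes you received, not over a re-serialised JSON object, and keep the dedup set (or a database table) keyed on the event id with a retention window long enough to outlast the sender's retry policy.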

Remediation SLAs

Finding workflow tracks 8 statuses from open to closed, with per-team SLA policies. Breach alerts fire through your escalation policy.

Scheduled scans & diffs

Run recurring scans overnight and surface only NEW findings since the last run. Regressed vulnerabilities reopen automatically.

Example workflow

A sketch of how a GitHub Actions job might kick off a scan via the REST API. Adapt it to your own secrets, target, and module selection.

.github/workflows/security.yml
name: Metric Tower Scan
on:
  pull_request:
    branches: [main]

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - name: Kick off scan
        run: |
          # Secret name is a placeholder; use whatever name your org stored the API token under.
          curl -sSf -X POST https://api.metrictower.example/api/v1/scans \
            -H "Authorization: Bearer ${{ secrets.METRIC_TOWER_TOKEN }}" \
            -H "Content-Type: application/json" \
            -d '{"target":"staging.example.com","modules":["nmap","nuclei"]}'

Labelled example workflow -- adapt to your org's conventions. Pair with the scan:ci CLI or the full REST API to poll status and fail the build on severity thresholds.
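The "fail the build on severity thresholds" step above, and the SARIF export described earlier, can be joined without any product-specific API: a SARIF 2.1.0 file is a public format, so a short gate script can read the export and pick the exit code. The following is an added example, not Metric Tower's or GitHub's code. It assumes only the public SARIF structure (runs[].results[] with a ruleId and level, and the optional security-severity rule property that GitHub Code Scanning uses, bucketed into the same CVSS-style bands). The sample document is constructed.

```python
"""Severity gate over a SARIF 2.1.0 export.

Added example, not Metric Tower's own code. Assumes only the public SARIF
2.1.0 layout; the sample document below is constructed, not scanner output.
Usage: python sarif_gate.py findings.sarif [low|medium|high|critical]
"""
import json
import sys

# Constructed sample export: three findings, one per rule.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "example-scanner",
            "rules": [
                {"id": "tls-weak-cipher", "properties": {"security-severity": "5.3"}},
                {"id": "exposed-admin-panel", "properties": {"security-severity": "8.1"}},
                {"id": "server-banner", "properties": {"security-severity": "2.0"}},
            ],
        }},
        "results": [
            {"ruleId": "tls-weak-cipher", "level": "warning",
             "message": {"text": "TLS 1.0 accepted on :443"}},
            {"ruleId": "exposed-admin-panel", "level": "error",
             "message": {"text": "/admin reachable without auth"}},
            {"ruleId": "server-banner", "level": "note",
             "message": {"text": "Server header reveals version"}},
        ],
    }],
})

# CVSS-style bands, the same cut-offs GitHub Code Scanning applies.
BANDS = [(9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.0, "low")]
RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
# When a rule carries no security-severity, fall back to the SARIF level.
LEVEL_FALLBACK = {"error": "high", "warning": "medium", "note": "low", "none": "low"}


def severity_of(result: dict, rules: dict) -> str:
    """Map one result to a band name, preferring the numeric rule property."""
    rule = rules.get(result.get("ruleId"), {})
    score = rule.get("properties", {}).get("security-severity")
    if score is not None:
        value = float(score)
        for floor, name in BANDS:
            if value >= floor:
                return name
    return LEVEL_FALLBACK.get(result.get("level", "warning"), "medium")


def summarize(sarif_text: str) -> dict:
    """Return {band: count} across every run in the document."""
    doc = json.loads(sarif_text)
    counts = {name: 0 for name in RANK}
    for run in doc.get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        rules = {r["id"]: r for r in driver.get("rules", [])}
        for result in run.get("results", []):
            counts[severity_of(result, rules)] += 1
    return counts


def gate(sarif_text: str, fail_on: str = "high") -> int:
    """Exit code for the CI step: 1 if any finding is at or above fail_on."""
    counts = summarize(sarif_text)
    blocking = sum(n for name, n in counts.items() if RANK[name] >= RANK[fail_on])
    return 1 if blocking else 0


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    threshold = sys.argv[2] if len(sys.argv) > 2 else "high"
    print(summarize(text))
    sys.exit(gate(text, threshold))
```

Running it on the constructed sample with the default "high" threshold exits 1 because of the 8.1-scored finding; with "critical" it exits 0. Pin the threshold per branch (stricter on main than on feature branches) and keep the summary in the job log so a failing gate shows which band tripped it.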

Plugs into your pipeline

Webhooks, REST API, SARIF exports, and 9 ticketing integrations cover the common cases.

GitHub Actions, GitLab CI, Jenkins, Slack, Jira, Linear, GitHub Issues, ClickUp, Azure DevOps

GitHub Actions, GitLab CI, and Jenkins are supported via the generic REST API and CLI -- not dedicated first-party plugins.

Ship faster with security as a default

Free tier includes the REST API. Spin up a test scan against a staging URL and see what falls out.