Musha Security Documentation
Musha is an all-in-one security scanner for modern dev teams — SCA, IaC, and Secrets detection in a single platform. Webhook-based, zero-agent, API-first.
What Musha detects
| Scanner | What it finds |
|---|---|
| SCA (Software Composition Analysis) | Vulnerable dependencies in Go, Node.js, Python, Rust, Ruby, PHP, Java, .NET |
| IaC (Infrastructure as Code) | Misconfigurations in Terraform, CloudFormation, and Kubernetes manifests |
| Secrets | Hardcoded credentials, API keys, and tokens committed to source code |
Where to start
⚡ Quickstart
Connect your first repo and run a scan in under 10 minutes.
🔗 Integrations
GitHub Actions, GitLab CI, Azure DevOps, Bitbucket Pipelines.
📖 Concepts
Scan types, vulnerability states, SLA, and technical debt explained.
🔌 API Reference
Authenticate and call the Musha API directly from your pipelines.
How it works (short version)
- You push code → your CI pipeline calls `POST /v1/scans` with the changed files.
- Musha runs SCA + IaC + Secrets analysis using the secplat engine.
- Findings appear in the Security dashboard and as a PR comment with a pass/fail status.
- Your team triages, assigns, and tracks vulnerabilities until resolved.
For a deeper dive, see How it works.
Need help?
Email support@mushasec.com and include your X-Request-ID from any failed API response — it lets us find the exact request in our logs immediately.