Government Website Security Scanner — Passive, non-intrusive security posture assessment for government websites.
Built for the DIGECAM investigation by Vector Crítico. Used to audit 134 Guatemalan government websites on April 14, 2026.
GovScan checks two dimensions of a website's public-facing security:
- SSL/TLS (45% of score): Certificate validity, HTTPS enforcement, encryption quality
- HTTP Security Headers (55% of score): CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, X-XSS-Protection
Everything measured is publicly visible to any browser. No vulnerability exploitation, no credential testing, no brute forcing.
pip install requests openpyxl
python govscan/scanner.py templates/gt_executive_2024.xlsx -o results/- Fork this repo
- Connect to Railway
- Set environment variable:
GOVSCAN_TOKEN=your-secret-token - Deploy — Railway auto-detects the Procfile
The web interface requires a token to prevent abuse. Share tokens only with trusted journalists and researchers.
| Endpoint | Method | Auth | Description |
|---|---|---|---|
/ |
GET | No | Web interface |
/health |
GET | No | Health check |
/api/scan?url=X&token=Y |
GET | Token | Scan single URL |
/api/batch |
POST | Token | Scan up to 20 URLs |
Rate limit: 10 scans per hour per IP.
See docs/METHODOLOGY.md for complete breakdown.
| Grade | Score | Meaning |
|---|---|---|
| A | 85–100 | Good security posture |
| B | 70–84 | Acceptable, some gaps |
| C | 55–69 | Moderate risk |
| D | 40–54 | Deficient (DIGECAM: 41/100) |
| E | 25–39 | Poor |
| F | 0–24 | Critical |
Do not publish specific IPs, ports, or exploitable details. Focus on systemic patterns.
MIT — Use freely, attribute when publishing.
- Vector Crítico — Investigation and development
- Luis Assardo — Lead investigator
- Scoring: OWASP, Mozilla Observatory, CIS Benchmarks