42Crunch as a CLI API security scanner

What middleBrick covers

  • Submit URL via CLI, receive risk score and prioritized findings
  • Black-box scanning without agents or SDK integration
  • Supports any language, framework, or cloud deployment
  • Read-only scan methods to avoid destructive impact
  • OpenAPI spec parsing with recursive $ref resolution
  • CI/CD gating via GitHub Action integration

CLI-first API security scanning approach

A CLI API security scanner is designed for integration into developer workflows and CI/CD pipelines. It accepts a target URL and returns a risk score with prioritized findings using read-only methods. Execution happens locally or in automation environments without requiring code access, SDKs, or agents, and results are delivered to the terminal or as machine-readable output.

Coverage aligned to OWASP API Top 10

The scanner maps findings to the OWASP API Top 10 (2023) and supports audit evidence collection across common controls. It detects issues such as authentication bypasses, JWT misconfigurations including alg=none and expired tokens, IDOR and BOLA via sequential ID probing, PII and sensitive data exposure, CORS misconfigurations, unsafe HTTP methods, and LLM-specific adversarial probes spanning system prompt extraction and token smuggling. OpenAPI 3.0, 3.1, and Swagger 2.0 specs are parsed with recursive $ref resolution and cross-referenced against runtime behavior to highlight undefined security schemes or deprecated operations.

Authenticated scanning and scope boundaries

Authenticated scanning is available in plans above Starter and supports Bearer, API key, Basic auth, and cookies. Domain verification is enforced through DNS TXT records or an HTTP well-known file, ensuring only domain owners can scan with credentials. Header forwarding is limited to Authorization, X-API-Key, Cookie, and X-Custom-* to reduce exposure. The tool does not fix, patch, block, or remediate findings; it identifies and provides remediation guidance. It does not perform active SQL injection or command injection testing, detect business logic vulnerabilities, or replace a human pentester for high-stakes audits.

CI/CD integration and monitoring options

The CLI exposes commands suitable for scripting and pipeline gating, with JSON output for downstream processing. Integration options include a GitHub Action that can fail builds when scores drop below a configured threshold. Pro tier adds scheduled rescans, diff detection across runs, email alerts rate-limited to one per hour per API, and signed webhooks with auto-disable after consecutive failures. These features support continuous monitoring without requiring manual oversight on every change.

Safety, data handling, and limitations

Read-only methods are used exclusively, and destructive payloads are never sent. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer scan data is deletable on demand and purged within 30 days of cancellation; data is never sold or used for model training. The tool surfaces findings relevant to compliance activities and helps you prepare for audits aligned with PCI-DSS 4.0 and SOC 2 Type II, while clearly stating it is not an auditor and cannot certify compliance.
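The two scanner-side guardrails described above, the header forwarding allowlist from the scope section and the multi-layer block on private, localhost and cloud metadata destinations, as an added example that is not middleBrick's or 42Crunch's own code. The allowlist patterns, blocked hostnames and extra blocked ranges are assumptions modelled on the text, and a constructed resolver stands in for DNS so it runs offline.

```python
import ipaddress
import socket
from fnmatch import fnmatchcase
from urllib.parse import urlparse

# Forwarding allowlist, modelled on the header policy described above (constructed).
FORWARDABLE_HEADERS = ("authorization", "x-api-key", "cookie", "x-custom-*")
# Extra destinations blocked on top of what ipaddress classifies as private/loopback/link-local
# (constructed list; 169.254.169.254 is the common cloud IMDS address, fd00:ec2::254 its AWS IPv6 form).
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal"}
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in
                    ("169.254.169.254/32", "fd00:ec2::254/128", "100.64.0.0/10")]

def filter_forwarded_headers(headers: dict) -> dict:
    """Layer 1: drop every request header not on the allowlist (case-insensitive)."""
    return {name: value for name, value in headers.items()
            if any(fnmatchcase(name.lower(), pat) for pat in FORWARDABLE_HEADERS)}

def is_blocked_address(addr: str) -> bool:
    """True if an IP is private, loopback, link-local, reserved, or on the blocklist."""
    ip = ipaddress.ip_address(addr)
    ip = getattr(ip, "ipv4_mapped", None) or ip   # ::ffff:10.0.0.1 is really 10.0.0.1
    return (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified
            or ip.is_multicast or ip.is_reserved or any(ip in n for n in BLOCKED_NETWORKS))

def validate_scan_target(url: str, resolver=socket.getaddrinfo) -> list:
    """Layers 2 and 3: reject blocked hostnames before DNS, then reject any resolved
    address that is blocked, so a name rebinding to an internal IP fails as well."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        raise ValueError("only http(s) URLs with a host are scannable")
    host = parsed.hostname.lower().rstrip(".")
    if host in BLOCKED_HOSTNAMES or host.endswith(".localhost"):
        raise ValueError(f"blocked hostname: {host}")
    try:
        addrs = {str(ipaddress.ip_address(host))}   # URL carries an IP literal
    except ValueError:
        addrs = {info[4][0] for info in resolver(host, parsed.port or 443)}
    for addr in addrs:
        if is_blocked_address(addr):
            raise ValueError(f"{host} resolves to blocked address {addr}")
    return sorted(addrs)   # addresses the scanner may connect to

def is_scannable(url: str, resolver=socket.getaddrinfo) -> bool:
    try:
        return bool(validate_scan_target(url, resolver))
    except ValueError:
        return False

FAKE_DNS = {"api.example.com": ["93.184.216.34"], "rebind.example.com": ["93.184.216.34", "10.0.0.5"]}
def fake_resolver(host, port):   # offline stand-in for socket.getaddrinfo (constructed answers)
    return [(None, None, None, None, (a, port)) for a in FAKE_DNS[host]]
```

The resolved-address check is what makes the block "multiple layers": a hostname that passes the name check but resolves (or later rebinds) to an internal address is still refused.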

Frequently Asked Questions

Can the CLI run in a fully automated CI pipeline?
Yes. The CLI outputs structured results and can be integrated into CI/CD pipelines, with optional gating that fails the build based on score or finding thresholds.
Does authenticated scanning require domain verification?
Yes. Authenticated scans require DNS TXT record or HTTP well-known file verification so that only the domain owner can submit credentials.
How are compliance mappings handled in reporting?
Findings map to OWASP API Top 10 and support audit evidence for SOC 2 Type II and PCI-DSS 4.0. Other frameworks are supported through alignment language, not guarantees.
Is sensitive customer data retained after scanning?
No. Scan data is deletable on demand and removed within 30 days of cancellation, and it is not used for model training or sold to third parties.