42Crunch for FastAPI
What middleBrick covers
- Black-box scanning of FastAPI endpoints without code access
- OpenAPI 3.0/3.1 and Swagger 2.0 parsing with spec-to-runtime comparison
- Authentication support for Bearer, API key, Basic, and Cookie schemes
- Mapping findings to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10
- Programmatic access via CLI, API client, and GitHub Action integration
- Continuous monitoring with diff detection and HMAC-SHA256 webhooks
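The HMAC-SHA256 webhooks in the last item only protect the receiver if the receiver actually checks the signature before acting on the payload. The following is an added example of that receiver-side check, written for this page rather than taken from middleBrick; the header name X-Signature, the hex encoding, and signing the raw request body are assumptions, because the page does not document the webhook format.

```python
import hashlib
import hmac
import json

# Constructed values for the example; a real receiver loads the secret from its own configuration.
WEBHOOK_SECRET = b"example-shared-secret"
SAMPLE_BODY = b'{"event":"scan.completed","url":"https://api.example.com","score":"B"}'


def sign(secret: bytes, body: bytes) -> str:
    """Hex HMAC-SHA256 over the raw body, the value a sender would put in the signature header."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify(secret: bytes, raw_body: bytes, headers: dict) -> bool:
    """True only if the X-Signature header (assumed name) equals HMAC-SHA256(secret, raw_body).

    The MAC is computed over the bytes exactly as received, never over a re-serialized JSON
    object, because whitespace or key-order changes would alter the digest. compare_digest
    keeps the comparison constant-time so a caller cannot learn the expected value byte by byte.
    """
    provided = next((v for k, v in headers.items() if k.lower() == "x-signature"), "")
    expected = sign(secret, raw_body)
    return hmac.compare_digest(provided.encode("utf-8", "replace"), expected.encode())


def handle_webhook(raw_body: bytes, headers: dict, secret: bytes = WEBHOOK_SECRET):
    """Verify first, parse second: return the event dict, or None for an unauthenticated delivery."""
    if not verify(secret, raw_body, headers):
        return None
    return json.loads(raw_body)


if __name__ == "__main__":
    good = {"X-Signature": sign(WEBHOOK_SECRET, SAMPLE_BODY)}
    print(handle_webhook(SAMPLE_BODY, good))          # parsed event
    print(handle_webhook(SAMPLE_BODY + b" ", good))   # None: body changed after signing
```

Reject the delivery before parsing it: parsing untrusted JSON first would expose the parser to unauthenticated input, and any side effect taken before the check (updating a dashboard, paging on-call) could be triggered by anyone who can reach the endpoint.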
Black-box scanning of FastAPI endpoints
middleBrick is a self-service API security scanner that works as a black-box tool against FastAPI services. Submit a public URL and you receive a risk grade from A to F in under a minute, with prioritized findings mapped to the OWASP API Top 10 (2023). Traffic is limited to read-only methods (GET and HEAD) plus text-only POST requests for LLM probes, so no agents, SDKs, or code access are required. For FastAPI applications it discovers endpoints by following standard routes and by reading the service's OpenAPI document, which FastAPI generates from the routes declared with its decorators.
OpenAPI parsing and spec-to-runtime validation
middleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents for FastAPI services, resolving $ref definitions (including recursive ones) to build a complete interface model. It then cross-references the spec against observed runtime behavior to flag mismatches such as security schemes that are referenced but never defined, sensitive fields exposed in responses, deprecated operations that are still served, and collection endpoints without pagination. This surfaces drift between documented and actual behavior without access to application code or infrastructure internals.
Authentication and authorization coverage
Authenticated scanning is available at the Starter tier and above for FastAPI APIs that require identity verification. The scanner supports Bearer tokens, API keys, Basic auth, and Cookie-based sessions, behind a domain verification gate so that only verified domain owners can scan with credentials. When credentials are supplied, the scanner forwards only a strict header allowlist (Authorization, X-API-Key, Cookie, and X-Custom-* headers); any other header is dropped rather than passed to the target, so no unrelated request context is exposed.
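An allowlist like the one above is easy to describe and easy to get subtly wrong. The following added example (written for this page, not middleBrick's implementation) shows one way to apply it: header names match case-insensitively because HTTP header names are, the X-Custom-* prefix is honoured only when a suffix is present, everything else (Host, X-Forwarded-For, Proxy-Authorization, ...) is silently dropped, and values containing CR or LF are rejected so a pasted credential cannot smuggle a second header into the request. The exact matching rules are assumptions.

```python
# Allowlist from the page: three exact names plus the X-Custom-* prefix (assumed matching rules).
ALLOWED_EXACT = {"authorization", "x-api-key", "cookie"}
ALLOWED_PREFIXES = ("x-custom-",)


def forwardable_headers(supplied: dict) -> dict:
    """Return only the user-supplied headers the scanner may attach to requests against the target.

    Names are compared case-insensitively. Headers outside the allowlist are dropped, not errors,
    because the caller should never be able to steer routing (Host) or client identity
    (X-Forwarded-For) of the scanner's own requests. Values with CR/LF are rejected outright:
    a newline inside a value would terminate the header and let the value inject another one.
    """
    kept = {}
    for name, value in supplied.items():
        lname = name.strip().lower()
        prefixed = any(lname.startswith(p) and len(lname) > len(p) for p in ALLOWED_PREFIXES)
        if lname in ALLOWED_EXACT or prefixed:
            if "\r" in value or "\n" in value:
                raise ValueError(f"control characters in header {name!r}")
            kept[name.strip()] = value
    return kept


if __name__ == "__main__":
    # Constructed input mixing legitimate credentials with headers that must not be forwarded.
    print(forwardable_headers({"Authorization": "Bearer t", "X-Custom-Tenant": "acme",
                               "Host": "internal.example", "X-Forwarded-For": "127.0.0.1"}))
```

Prefer an allowlist over a denylist here: the set of headers that can change where a request goes or how the target interprets it (Host, X-Forwarded-*, Proxy-Authorization, Transfer-Encoding, Content-Length) is long and server-specific, while the set of headers a credentialed scan actually needs is short and fixed.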
Detection coverage aligned to compliance frameworks
middleBrick maps findings to three frameworks: PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For these, its detection logic checks the relevant controls and requirements directly. For other regulations and standards, findings can be aligned with the security controls those standards describe and supplied as audit evidence for review, without any claim of certification or guaranteed compliance with an external regime.
Limitations and scope boundaries
The scanner does not perform active SQL injection or command injection testing, because those require intrusive payloads outside its design scope. It does not detect business logic vulnerabilities that depend on domain-specific workflows, and it does not perform blind SSRF testing, which needs out-of-band callback infrastructure. It does not replace a human pentester for high-stakes audits; it is meant to complement a broader security program rather than serve as a standalone audit.
Integration and remediation guidance
Results are delivered through the Web Dashboard, where scans can be reviewed, tracked over time, and exported as branded compliance PDFs. The CLI runs on-demand scans with JSON or text output via middlebrick scan <url>, and the GitHub Action can act as a CI/CD gate, failing the build when the score drops below a defined threshold. Each finding comes with remediation guidance so developers can understand and fix the underlying issue.