Akto as a GitHub Action for API security

What middleBrick covers

Read-only API scanning with GET and HEAD methods
OpenAPI 3.0/3.1 and Swagger 2.0 parsing with $ref resolution
Risk scoring mapped to OWASP API Top 10 (2023)
Authenticated scanning with header allowlist and domain verification
CI/CD integration with configurable build failure thresholds
Programmatic access via dashboard, CLI, and API client

Overview of API security scanning in CI/CD

Integrating an API security scanner into a GitHub Action allows security checks to run on every pull request and merge. The scanner evaluates API definitions and runtime behavior without requiring code access or SDK integration. It focuses on detection and reporting, providing risk scores and prioritized findings that developers can act on before deployment.

How the scanner operates as a GitHub Action

The GitHub Action submits a target URL for a read-only scan, leveraging GET and HEAD methods by default and text-only POST for LLM probes. It parses OpenAPI 3.0, 3.1, and Swagger 2.0 specs with recursive $ref resolution, then compares spec definitions against runtime behavior. The action fails the build when the score drops below a configured threshold, enabling CI/CD gates without requiring direct access to application code.

Detection scope aligned to industry standards

The scanner maps findings to OWASP API Top 10 (2023), supports audit evidence for SOC 2 Type II, and maps findings to PCI-DSS 4.0. It covers authentication bypass, JWT misconfigurations such as alg=none and expired tokens, BOLA and IDOR via sequential ID enumeration, BFLA and privilege escalation attempts, property over-exposure, input validation issues like CORS wildcard usage, rate limiting and resource consumption signals, data exposure including PII patterns and API key formats, encryption and HTTP security headers, SSRF probes on URL-accepting parameters, inventory management gaps, unsafe consumption surfaces, and LLM security probes across multiple tiers.

Authenticated scanning and safety controls

Authenticated scanning supports Bearer tokens, API keys, Basic auth, and cookies, with domain verification via DNS TXT records or HTTP well-known files. Only a limited allowlist of headers is forwarded, including Authorization, X-API-Key, Cookie, and X-Custom-* headers. Destructive payloads are never sent, private IPs and localhost are blocked at multiple layers, and customer data can be deleted on demand and is purged within 30 days of cancellation.

Output formats and integration options

Results are available in the web dashboard, where teams can view reports, track score trends, and download branded compliance PDFs. The CLI provides JSON or text output via middlebrick scan <url>, and the GitHub Action reports pass or fail within the workflow. An MCP server enables scanning from AI coding assistants, and a programmatic API supports custom integrations for continuous monitoring and alerting.

Frequently Asked Questions

Does the GitHub Action fix vulnerabilities automatically?

No. The scanner detects and reports with remediation guidance, but it does not patch, block, or remediate issues automatically.

Which API specifications does the scanner parse?

It parses OpenAPI 3.0, OpenAPI 3.1, and Swagger 2.0, resolving recursive $ref definitions and cross-referencing spec definitions against runtime findings.

What happens if a scan fails the configured threshold?

The GitHub Action fails the build, preventing the merge when the score drops below the threshold set for the workflow.

Is sensitive customer data retained after scanning?

Customer scan data is deletable on demand and purged within 30 days of cancellation. It is never sold and is not used for model training.