APIsec as a GitHub Action for API security

Try middleBrick free

What middleBrick covers

  • Seamless GitHub Actions integration for CI/CD gates
  • Black-box scanning with no agents or code access
  • Risk scoring aligned to OWASP API Top 10 (2023)
  • Support for Bearer, API key, Basic auth, and cookies
  • Configurable scan modes from Quick to Deep
  • Remediation guidance included with each finding

APIsec GitHub Action integration overview

The APIsec GitHub Action embeds a black-box scanner into pull requests and CI pipelines. On every push or pull request, it runs a scan against a target API and reports a risk score with prioritized findings. The action fails the build when the score drops below a configured threshold, providing a gate that can block merges without requiring developers to install additional tooling.

How the action works in CI

Once added to a workflow file, the action authenticates to the middleBrick service using an API key stored as a GitHub secret. It submits the target API URL, executes a scan limited to read-only methods, and parses the result. The job outputs a summary, attaches a detailed report, and fails if the score is under the defined policy level. Only standard headers such as Authorization and X-API-Key are forwarded, respecting the defined allowlist.

jobs:
  api-security:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: APIsec scan
        uses: middlebrick/scan-action@v1
        with:
          url: https://api.example.com/openapi.json
          threshold: C
        env:
          MIDDLEBRICK_API_KEY: ${{ secrets.MIDDLEBRICK_API_KEY }}

Mapping to compliance frameworks

The scanner maps findings to OWASP API Top 10 (2023), providing direct mappings to PCI-DSS 4.0 and SOC 2 Type II controls. Each finding includes references to specific requirements, enabling teams to use the output as audit evidence. This alignment supports security reviews without claiming certification or compliance guarantees.

  • Authentication issues map to authentication controls under SOC 2 and requirement 8 of PCI-DSS.
  • Data exposure findings align with data protection controls in SOC 2 and requirement 3 of PCI-DSS.
  • Input validation findings correspond to OWASP API Top 10 categories and support evidence for related controls.

Scan configuration and thresholds

Teams configure the action with a target URL, a minimum acceptable score, and optional scan depth. The default mode is Quick, which completes in under a minute and focuses on authentication, input validation, and basic injection surfaces. Standard and Deep modes increase probe coverage for sensitive data exposure, SSRF indicators, and LLM-specific attack vectors. Scan results are stored in the dashboard and linked from the GitHub run for historical comparison.

steps:
  - name: APIsec scan
    uses: middlebrick/scan-action@v1
    with:
      url: https://api.example.com/openapi.json
      mode: standard
      threshold: B

Limitations and complementary testing

The action does not perform active SQL injection or command injection, as those require intrusive payloads outside its scope. It does not detect business logic vulnerabilities or blind SSRF, and it is not a replacement for a human pentester in high-stakes audits. Use it as an early indicator and a continuous monitoring layer rather than a final compliance statement.

  • Findings include remediation guidance to help developers address issues.
  • Authenticated scans require domain verification to ensure credentials are used against authorized endpoints.
  • Sensitive scan data is deletable on demand and is never used for model training.
See how middleBrick compares See all use cases

Frequently Asked Questions

Does the action block deployments when security issues are found?
Yes, the job fails when the APIsec score falls below the configured threshold, preventing merges until issues are addressed or the threshold is adjusted.
Can the scan be run against authenticated APIs?
Yes, authenticated scans are supported with Bearer tokens, API keys, Basic auth, and cookies. Domain verification is required to ensure credentials are used only against intended endpoints.
What happens to scan data after account deletion?
Customer scan data can be deleted on demand and is purged within 30 days of cancellation. It is never sold and is not used for model training.
Does the action perform intrusive testing like SQL injection?
No, the action focuses on detection and reporting using read-only methods. Intrusive payloads for SQL injection or command injection are outside its scope.
How are false positives handled in the reporting?
The scanner provides prioritized findings with contextual metadata. Teams should validate findings in their environment and adjust thresholds or add exceptions as needed.

Related Pages

Best IDE security plugin in 2026What a IDE security plugin actually needs to do, and how to pick one.Best API pentesting tool in 2026What a API pentesting tool actually needs to do, and how to pick one.Best MCP server for API security in 2026What a MCP server for API security actually needs to do, and how to pick one.middleBrick vs DetectifyHonest comparison between middleBrick and Detectify for API security.middleBrick vs Noname SecurityHonest comparison between middleBrick and Noname Security for API security.middleBrick vs Salt SecurityHonest comparison between middleBrick and Salt Security for API security.