APIsec as an MCP server for API security
What middleBrick covers
- Run black-box scans from MCP clients with risk grading
- Support Bearer, API key, Basic auth, and cookie authentication
- Map findings to OWASP API Top 10, PCI-DSS, SOC 2
- Parse OpenAPI 3.0/3.1/Swagger 2.0 with $ref resolution
- Restrict forwarded headers to a strict allowlist
- Block private IPs and cloud metadata endpoints
APIsec as an MCP server for API security
The MCP server implementation exposes APIsec as a callable scanning capability from AI coding assistants. It accepts a target URL and optional authentication, runs a black-box scan in under one minute, and returns a risk grade with prioritized findings. The server forwards only a limited allowlist of headers and supports only read-only methods, so the scan remains non-intrusive.
Scan capabilities and coverage
APIsec maps findings to OWASP API Top 10 (2023), PCI-DSS 4.0, and SOC 2 Type II controls while detecting 12 security categories. It performs authentication bypass checks, JWT misconfiguration analysis, BOLA and BFLA probing, property over-exposure, input validation issues, rate-limiting characteristics, data exposure patterns including PII and API keys, encryption misconfigurations, SSRF indicators, inventory issues, unsafe consumption surfaces, and LLM/AI security probes across three depth tiers.
OpenAPI 3.0, 3.1, and Swagger 2.0 specifications are parsed with recursive $ref resolution, and findings are cross-referenced against the spec to highlight undefined security schemes, deprecated operations, and missing pagination. The scanner does not send intrusive payloads such as active SQL injection or command injection, does not test business logic in depth, and does not offer remediation beyond guidance.
Authenticated scanning and safety controls
Authenticated scans are available from the Starter tier onward, supporting Bearer tokens, API keys, Basic auth, and cookies. Domain verification via DNS TXT record or HTTP well-known file ensures only the domain owner can submit credentials. Header forwarding is restricted to Authorization, X-API-Key, Cookie, and X-Custom-* headers.
Safety measures include blocking private IPs, localhost, and cloud metadata endpoints at multiple layers. All scans are read-only; destructive payloads are never sent. Customer data can be deleted on demand and is purged within 30 days of cancellation, and scan data is never used for model training.
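The two safety controls described above, header allowlisting and blocking of private, localhost and metadata targets, can be sketched as follows. This is an added example, not APIsec's own code; the metadata hostnames, the function names and the injectable `resolver` parameter are assumptions.

```python
import fnmatch
import ipaddress
import socket
from urllib.parse import urlsplit

# Header allowlist as stated on the page, matched case-insensitively.
ALLOWED_HEADERS = ("authorization", "x-api-key", "cookie", "x-custom-*")
# Metadata service hostnames: assumed examples, not a list from the page.
METADATA_HOSTS = {"metadata.google.internal", "metadata"}

def filter_headers(headers):
    """Keep only headers whose name matches the allowlist."""
    return {k: v for k, v in headers.items()
            if any(fnmatch.fnmatchcase(k.lower(), p) for p in ALLOWED_HEADERS)}

def is_blocked_ip(text):
    """True for private, loopback, link-local (169.254.169.254) and similar."""
    ip = ipaddress.ip_address(text)
    if ip.version == 6 and ip.ipv4_mapped:  # ::ffff:10.0.0.1 -> 10.0.0.1
        ip = ip.ipv4_mapped
    return not ip.is_global

def resolve(host):
    """Default resolver: every address the system returns for the host."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def check_target(url, resolver=resolve):
    """Return (allowed, reason); every resolved address must be public."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    if parts.scheme not in ("http", "https") or not host:
        return False, "unsupported scheme or missing host"
    if host == "localhost" or host.endswith(".localhost") or host in METADATA_HOSTS:
        return False, "blocked hostname"
    try:
        addrs = {str(ipaddress.ip_address(host))}  # literal IP in the URL
    except ValueError:
        addrs = resolver(host)  # hostname: check all of its addresses
    if not addrs:
        return False, "host did not resolve"
    blocked = sorted(a for a in addrs if is_blocked_ip(a))
    if blocked:
        return False, "non-public address: " + ", ".join(blocked)
    return True, "ok"
```

Validation alone leaves a gap if the hostname is resolved again at connect time, so the scanner should connect to one of the vetted addresses rather than re-resolving.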
Integration options and continuous monitoring
The MCP server fits into workflows where AI assistants generate or modify API clients, enabling on-demand security checks during development. Complementary integration options include a web dashboard for report review and trend tracking, a CLI for local scans with JSON or text output, a GitHub Action that can fail CI/CD builds based on score thresholds, and Pro-tier scheduled rescans with diff detection and email alerts. HMAC-SHA256 signed webhooks are supported in Pro, with auto-disable after five consecutive failures.
Limitations and compliance framing
APIsec does not fix, patch, block, or remediate findings; it detects and reports with guidance. It does not detect blind SSRF requiring out-of-band infrastructure, and it does not replace a human pentester for high-stakes audits. The tool surfaces findings relevant to compliance activities and helps you prepare for audits aligned with security controls described in SOC 2 Type II and PCI-DSS 4.0.
For other frameworks, the scanner supports audit evidence collection and aligns with security controls described in relevant standards. Claims of certification, guarantees, or compliance are not made.