APIsec for Chi
What middleBrick covers
- Black-box scanning without agents or code access
- Detection of 12 OWASP API Top 10 categories
- OpenAPI 3.0/3.1 and Swagger 2.0 parsing with ref resolution
- Authenticated scanning with strict header allowlist
- Continuous monitoring with diff detection and alerts
- Integrations including dashboard, CLI, GitHub Action, MCP, and API
Black-box scanning approach
This scanner operates as a black-box tool. It does not require agents, SDKs, or access to source code. It works with any language, framework, or cloud environment by sending read-only requests such as GET and HEAD, plus text-only POST for LLM probes. Scan completion typically occurs in under one minute.
Detection coverage aligned to OWASP API Top 10
The scanner evaluates 12 categories aligned to OWASP API Top 10 (2023). It maps findings to this standard to validate controls related to authentication bypass, broken object level authorization, broken function level authorization, property authorization, input validation, rate limiting, data exposure, encryption issues, SSRF, inventory mismanagement, unsafe consumption, and LLM/AI security. Each category includes checks such as JWT misconfigurations, IDOR patterns, admin endpoint probing, CORS wildcard usage, PII and key pattern detection, and sensitive error leakage.
OpenAPI spec analysis and authenticated scanning
The tool parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents and resolves recursive $ref entries. It cross-references spec definitions against runtime behavior to identify undefined security schemes, sensitive fields, deprecated operations, and missing pagination. Authenticated scanning supports Bearer, API key, Basic auth, and Cookie methods. Domain verification is enforced via a DNS TXT record or an HTTP well-known file, so that only domain owners can scan with credentials. A strict header allowlist limits the headers forwarded to the target to Authorization, X-API-Key, Cookie, and X-Custom-*.
Continuous monitoring and integrations
The Pro tier offers scheduled rescans at six-hour, daily, weekly, or monthly intervals, with diff detection across scans that highlights new findings, resolved findings, and score drift. Alerts are delivered by email, rate-limited to one per hour per API, and by HMAC-SHA256-signed webhooks, which are automatically disabled after five consecutive failures. The platform offers a web dashboard for reporting and score trends, a CLI distributed as an npm package, a GitHub Action for CI/CD gating, an MCP server for AI coding assistants, and a programmatic API for custom integrations.
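The receiving side of the signed webhook alerts, as an added example that is not middleBrick's own code: a Go handler that mounts directly on a chi router, verifies the HMAC-SHA256 signature in constant time, and replies quickly so deliveries are not counted as failures. The header name X-Webhook-Signature, the hex encoding, the optional "sha256=" prefix, and signing over the raw body are assumptions, since the page does not document the wire format.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"io"
	"net/http"
	"strings"
)

// SignatureHeader is an ASSUMED name; the page does not document the real header.
const SignatureHeader = "X-Webhook-Signature"
// Sign returns the hex-encoded HMAC-SHA256 of the raw body under secret.
func Sign(secret, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return hex.EncodeToString(mac.Sum(nil))
}

// VerifySignature tolerates a "sha256=" prefix and compares in constant time.
func VerifySignature(secret, body []byte, presented string) bool {
	got, err := hex.DecodeString(strings.TrimPrefix(strings.TrimSpace(presented), "sha256="))
	if err != nil || len(got) != sha256.Size {
		return false // malformed or wrong-length digest is rejected outright
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return hmac.Equal(got, mac.Sum(nil))
}

// WebhookHandler is a plain http.HandlerFunc, so it mounts on a chi router as-is.
// It caps the body, answers 401 to unsigned or mis-signed payloads, and 204 otherwise.
func WebhookHandler(secret []byte, maxBody int64, onAlert func([]byte)) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, maxBody))
		if err != nil {
			http.Error(w, "payload too large", http.StatusRequestEntityTooLarge)
			return
		}
		if !VerifySignature(secret, body, r.Header.Get(SignatureHeader)) {
			http.Error(w, "invalid signature", http.StatusUnauthorized)
			return
		}
		onAlert(body) // hand the verified alert payload to application code
		w.WriteHeader(http.StatusNoContent)
	}
}

func main() {} // wire WebhookHandler into your chi router, e.g. r.Post("/hooks/middlebrick", ...)
```

Keep the alert processing behind onAlert short or asynchronous; a slow response looks like a failed delivery to the sender, and five of those in a row disable the webhook.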
Limitations and compliance framing
The scanner does not fix, patch, block, or remediate findings; it reports with remediation guidance. It does not perform active SQL injection or command injection tests, detect business logic issues, or perform blind SSRF checks. It is not a substitute for a human pentester in high-stakes assessments. The tool helps you prepare for compliance with frameworks such as PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For other frameworks, it aligns with security controls described in relevant standards and supports audit evidence collection without claiming certification or guaranteed compliance.