APIsec for DevSecOps engineers

What middleBrick covers

  • Black-box scanning with no agents or code access
  • Risk score A–F with prioritized findings
  • OpenAPI 3.x and Swagger 2.0 parsing with ref resolution
  • LLM adversarial probe testing across scan tiers
  • Authenticated scanning with header allowlist
  • CI/CD integration via GitHub Action gates

Purpose and workflow for DevSecOps

The scanner is operated as a self-service tool: you submit an API endpoint URL and receive a risk score on an A–F scale with prioritized findings. The workflow is designed to slot into existing DevSecOps pipelines without code changes, agents, or SDKs, and because the scanner is black-box it works regardless of language, framework, or deployment target. A scan completes in under one minute and uses only read-only methods (GET and HEAD), plus text-only POST requests for the LLM probes.

Detection scope aligned to industry standards

The scanner covers 12 categories aligned to the OWASP API Top 10 (2023) and maps each finding to PCI DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023) controls. Detection covers:

  • Authentication bypass and JWT misconfigurations
  • Broken object level authorization (IDOR)
  • Broken function level authorization and privilege escalation
  • Property-level authorization over-exposure
  • Input validation issues such as CORS wildcard usage
  • Rate limiting and resource consumption indicators
  • Data exposure, including PII and API key patterns
  • Encryption misconfigurations
  • SSRF indicators in URL and body fields
  • Inventory issues such as missing versioning
  • Unsafe consumption surfaces
  • LLM/AI security probes, run at increasing depth by scan tier

It also parses OpenAPI 3.0, 3.1, and Swagger 2.0 specifications, resolving $ref references recursively, and cross-references the spec's definitions against observed runtime behavior.
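As an added illustration (not middleBrick's code), here is what a few of those read-only checks look like when run over captured responses: a CORS wildcard header, an alg=none JWT with no exp claim and an AWS-style access key id leaking in a response body, and a path with no version segment. The sample responses, the analyze and inspect_jwt functions and the regexes are constructed for this example; the OWASP identifiers are the real 2023 category names.

```python
"""Read-only response analysis for a few of the categories listed above.

Added example; this is not middleBrick's code. The checks operate on
captured responses (constructed inline below) and map each finding to an
OWASP API Security Top 10 (2023) identifier."""
import base64
import json
import re
from typing import List
from urllib.parse import urlparse

# OWASP API Security Top 10 (2023) categories used for the mapping.
CORS_MISCONFIG = "API8:2023 Security Misconfiguration"
WEAK_JWT = "API2:2023 Broken Authentication"
OVEREXPOSURE = "API3:2023 Broken Object Property Level Authorization"
NO_VERSIONING = "API9:2023 Improper Inventory Management"

# AWS access key ids and Stripe-style secret keys are well-known shapes; a
# real scanner carries many more. JWT header and claims segments both start
# with "eyJ" because the JSON they encode begins with '{"'.
API_KEY_RE = re.compile(r"\b(?:AKIA[0-9A-Z]{16}|sk_(?:live|test)_[0-9A-Za-z]{16,})\b")
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")
VERSION_RE = re.compile(r"/v\d+(?:[./]|$)")  # /v1/, /v2.1/users, /v3


def _b64url_json(segment: str):
    pad = "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(segment + pad))


def inspect_jwt(token: str) -> List[str]:
    """Decode (never verify) a JWT found in a response and report weak settings."""
    parts = token.split(".")
    if len(parts) != 3:
        return []
    try:
        header, claims = _b64url_json(parts[0]), _b64url_json(parts[1])
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return []
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return []
    issues = []
    if str(header.get("alg", "")).lower() == "none":
        issues.append("token uses alg=none (unsigned)")
    if "exp" not in claims:
        issues.append("token has no exp claim")
    return issues


def analyze(resp: dict) -> List[dict]:
    """Return findings for one captured response {url, headers, body}."""
    findings = []
    headers = {k.lower(): v for k, v in resp["headers"].items()}
    body = resp.get("body", "")

    if headers.get("access-control-allow-origin", "").strip() == "*":
        findings.append({"category": CORS_MISCONFIG, "severity": "medium",
                         "detail": "Access-Control-Allow-Origin: * on an API endpoint"})

    for token in JWT_RE.findall(body):
        for issue in inspect_jwt(token):
            findings.append({"category": WEAK_JWT, "severity": "high", "detail": issue})

    for key in API_KEY_RE.findall(body):
        findings.append({"category": OVEREXPOSURE, "severity": "high",
                         "detail": f"credential-shaped value in body: {key[:6]}..."})

    path = urlparse(resp["url"]).path
    if not VERSION_RE.search(path) and "api-version" not in headers:
        findings.append({"category": NO_VERSIONING, "severity": "low",
                         "detail": f"no version in path {path} and no api-version header"})
    return findings


def _unsigned_token(claims: dict) -> str:
    """Build an alg=none token for the constructed sample below."""
    def enc(d: dict) -> str:
        raw = json.dumps(d, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample responses (no real service was scanned).
SAMPLE_LEAKY = {
    "url": "https://api.example.test/users/42",
    "headers": {"Content-Type": "application/json",
                "Access-Control-Allow-Origin": "*"},
    "body": json.dumps({"id": 42, "session": _unsigned_token({"sub": "42"}),
                        "aws_key": "AKIAABCDEFGHIJKLMNOP"}),
}
SAMPLE_CLEAN = {
    "url": "https://api.example.test/v1/health",
    "headers": {"Content-Type": "application/json"},
    "body": '{"status": "ok"}',
}

if __name__ == "__main__":
    for f in analyze(SAMPLE_LEAKY):
        print(f"{f['severity']:6} {f['category']}: {f['detail']}")
```

The JWT check decodes without verifying on purpose: a black-box scanner has no key, and the point is to see what the issuer hands out (an unsigned token, or one that never expires), not to validate it.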

Authenticated scanning and safety controls

Authenticated scanning is available on the Starter tier and above and supports Bearer token, API key, Basic auth, and Cookie credentials. Domain ownership must first be verified through a DNS TXT record or an HTTP well-known file, so only the domain owner can scan with credentials. Only an allowlist of headers is forwarded to the target: Authorization, X-API-Key, Cookie, and X-Custom-* headers. The request posture is read-only; destructive payloads are never sent. Requests to private IP ranges, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer scan data can be deleted on demand, is purged within 30 days of cancellation, and is never sold or used for model training.
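An added example (not the product's implementation) of the two safety controls described above, the header allowlist and the private/localhost/metadata block, in Python. The function names, the resolved_ips parameter and the sample URLs are this example's own; the page states the policy, not the code.

```python
"""Header allowlisting and scan-target blocking of the kind described above.

Added example; not middleBrick's code. The page names the allowed headers
and the blocked destinations but not how they are enforced, so the
structure here is an assumption. All sample inputs are constructed."""
import ipaddress
from typing import Dict, List, Optional, Union
from urllib.parse import urlparse

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

ALLOWED_HEADERS = {"authorization", "x-api-key", "cookie"}
ALLOWED_PREFIXES = ("x-custom-",)
# GCP metadata hostnames; AWS and Azure use the link-local 169.254.169.254,
# which the address checks below catch.
METADATA_HOSTS = {"metadata.google.internal", "metadata"}


def filter_headers(supplied: Dict[str, str]) -> Dict[str, str]:
    """Keep only the headers the scanner is allowed to forward to the target."""
    kept = {}
    for name, value in supplied.items():
        lname = name.lower()
        if lname in ALLOWED_HEADERS or lname.startswith(ALLOWED_PREFIXES):
            kept[name] = value
    return kept


def _ip_literal(host: str) -> Optional[IPAddress]:
    """Parse dotted, IPv6 and plain-integer forms (2130706433 is 127.0.0.1)."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    if host.isdigit():
        try:
            return ipaddress.ip_address(int(host))
        except ValueError:
            return None
    return None


def _ip_reason(ip: IPAddress) -> Optional[str]:
    """Why an address is off limits, or None if it is routable and public."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 is really 10.0.0.1
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local (cloud metadata range)"
    if ip.is_unspecified:
        return "unspecified"
    if ip.is_private:
        return "private"
    if ip.is_reserved or ip.is_multicast:
        return "reserved or multicast"
    return None


def blocked_reason(url: str, resolved_ips: Optional[List[str]] = None) -> Optional[str]:
    """Return why a URL must not be scanned, or None if it may be.

    resolved_ips are the addresses DNS returned for the host. Pass them so
    the same policy is applied after resolution (a public name that resolves
    to 10.0.0.5 is still blocked) and apply it again at connect time so a
    DNS rebinding between lookup and connect cannot slip through."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname or ""  # already lower-cased, brackets and port stripped
    if not host:
        return "URL has no host"
    if host == "localhost" or host.endswith(".localhost") or host in METADATA_HOSTS:
        return f"host {host} is blocked"
    ip = _ip_literal(host)
    if ip is not None:
        reason = _ip_reason(ip)
        if reason:
            return f"{host} is {reason}"
    for addr in resolved_ips or []:
        reason = _ip_reason(ipaddress.ip_address(addr))
        if reason:
            return f"{host} resolves to {addr}, which is {reason}"
    return None


if __name__ == "__main__":
    print(filter_headers({"Authorization": "Bearer t", "X-Forwarded-For": "1.2.3.4"}))
    for target in ("http://169.254.169.254/latest/meta-data/", "http://2130706433/",
                   "http://[::ffff:10.0.0.1]/", "https://api.example.test/v1/"):
        print(target, "->", blocked_reason(target) or "allowed")
```

The integer and IPv4-mapped forms are the ones a naive string match on "127." or "10." misses; checking the parsed address object rather than the text closes those, and re-checking the resolved addresses is what "blocked at multiple layers" has to mean in practice.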

Reporting, monitoring, and integrations

Findings are presented in a web dashboard where you can review scans, track score trends, and download branded compliance PDFs. The CLI, distributed as the middlebrick npm package, supports commands such as middlebrick scan <url> with JSON or text output. A GitHub Action can gate CI/CD, failing the build when the score drops below a configured threshold, and the MCP Server lets AI coding assistants trigger scans. For ongoing risk management, the Pro tier adds scheduled rescans, diff detection between scans, email alerts rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks that are automatically disabled after five consecutive delivery failures.
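The webhook and diff mechanics, as an added example rather than the project's code. The page says only that webhooks are HMAC-SHA256 signed and auto-disable after five consecutive failures; the X-Middlebrick-Signature header name, the t=...,v1=... value layout, the five-minute replay window, the payload fields and the finding fingerprint are assumptions made here, and the sample findings are constructed.

```python
"""Webhook signing, receiver-side verification, failure tracking and scan
diffing. Added example; none of this is middleBrick's code. Header name,
value layout, replay window and payload shape are assumptions."""
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional, Tuple

SIGNATURE_HEADER = "X-Middlebrick-Signature"  # assumed name
MAX_SKEW_SECONDS = 300                       # assumed replay window
MAX_CONSECUTIVE_FAILURES = 5                 # stated on the page


def _digest(secret: bytes, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over "<timestamp>.<raw body>". Binding the timestamp into
    the MAC means a captured delivery cannot be replayed with a fresh one."""
    return hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side: header value in the assumed t=...,v1=... layout."""
    return f"t={timestamp},v1={_digest(secret, timestamp, body)}"


def verify(secret: bytes, headers: Dict[str, str], body: bytes,
           now: Optional[int] = None) -> bool:
    """Receiver side: verify over the raw body bytes (never a re-serialised
    parse of them) with a constant-time comparison and a freshness check."""
    now = int(time.time()) if now is None else now
    value = headers.get(SIGNATURE_HEADER, "")
    try:
        fields = dict(part.split("=", 1) for part in value.split(","))
        timestamp = int(fields["t"])
        provided = fields["v1"]
    except (ValueError, KeyError):
        return False
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False
    return hmac.compare_digest(_digest(secret, timestamp, body), provided)


class DeliveryTracker:
    """Sender-side bookkeeping: disable an endpoint after N failures in a row."""

    def __init__(self) -> None:
        self.failures = 0
        self.disabled = False

    def record(self, delivered: bool) -> bool:
        """Record one delivery attempt; return whether the endpoint stays enabled."""
        if self.disabled:
            return False
        self.failures = 0 if delivered else self.failures + 1
        if self.failures >= MAX_CONSECUTIVE_FAILURES:
            self.disabled = True
        return not self.disabled


def _fingerprint(finding: dict) -> Tuple[str, str, str]:
    # Assumed stable identity for a finding across scans.
    return (finding["category"], finding["endpoint"], finding["detail"])


def diff_findings(previous: List[dict], current: List[dict]) -> Dict[str, List[dict]]:
    """New and resolved findings between two scans of the same API."""
    before = {_fingerprint(f): f for f in previous}
    after = {_fingerprint(f): f for f in current}
    return {"new": [after[k] for k in after if k not in before],
            "resolved": [before[k] for k in before if k not in after]}


def deliver(secret: bytes, payload: dict, timestamp: int) -> Tuple[Dict[str, str], bytes]:
    """Serialise a payload once and sign exactly those bytes."""
    body = json.dumps(payload, separators=(",", ":")).encode()
    return {SIGNATURE_HEADER: sign(secret, timestamp, body)}, body


# Constructed sample data.
SECRET = b"constructed-shared-secret"
PREVIOUS = [{"category": "API8:2023", "endpoint": "/users", "detail": "Access-Control-Allow-Origin: *"},
            {"category": "API9:2023", "endpoint": "/users", "detail": "no version in path"}]
CURRENT = [{"category": "API9:2023", "endpoint": "/users", "detail": "no version in path"},
           {"category": "API2:2023", "endpoint": "/login", "detail": "token has no exp claim"}]

if __name__ == "__main__":
    ts = int(time.time())
    headers, body = deliver(SECRET, {"findings": CURRENT}, ts)
    print("signature valid:", verify(SECRET, headers, body))
    print(json.dumps(diff_findings(PREVIOUS, CURRENT), indent=2))
```

Two receiver-side details matter more than the MAC itself: compare with hmac.compare_digest rather than ==, and hash the bytes exactly as received, because most web frameworks will happily hand you a parsed and re-serialised body whose whitespace no longer matches what was signed.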

Limitations and complementary practices

The scanner does not fix, patch, block, or remediate findings; it provides detection and guidance. It does not perform active SQL injection or command injection testing, since those require intrusive payloads outside its scope. Business logic vulnerabilities are not detected, because they require domain context that only a human has. Blind SSRF is out of scope because the scanner has no out-of-band callback infrastructure, and the tool does not replace a human pentester for high-stakes audits. Treat its output as a continuous risk indicator rather than a compliance certificate.

Frequently Asked Questions

Which frameworks and languages can be tested?
Any framework or language can be tested because this is a black-box scanner that only interacts with the live API surface.
Can authenticated scans be run in CI?
Yes. Authenticated scans are supported on the Starter tier and above, and domain verification is required before credentials are accepted.
How are new findings compared across scans?
Pro tier rescans produce diff detection, highlighting new findings, resolved findings, and score drift over time.
Does the tool perform active exploit testing?
No. The scanner is read-only and does not send destructive payloads such as active SQL injection or command injection probes.