Cheapest CI security gate
What middleBrick covers
- Black-box scanning with no agents or code access
- Under one-minute scan time per API
- 12 OWASP API Top 10 (2023) security categories
- OpenAPI 3.0/3.1 and Swagger 2.0 parsing with $ref resolution
- Authenticated scans with header allowlist and domain verification
- CI/CD integration with build gating and compliance reporting
Purpose and scope
This tool performs automated API security reconnaissance without requiring code access or agents. It focuses on detection and reporting, not remediation. It maps findings to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023), and it helps you prepare for other security frameworks through alignment with their documented controls.
Scan methodology and limitations
It is a black-box scanner that uses read-only methods (GET and HEAD) plus text-only POST requests for LLM probes. A scan completes in under a minute. The tool does not perform active SQL injection or command injection testing, does not detect business logic vulnerabilities, does not detect blind SSRF, and does not replace a human pentester for high-stakes audits. It will not fix, patch, block, or remediate findings; it reports them with remediation guidance.
- No agents, SDKs, or code analysis required.
- Works across any language, framework, or cloud.
- Sensitive targets such as localhost, private IP ranges, and cloud metadata addresses are refused as scan destinations, with the check enforced at multiple layers.
Detection coverage
The scanner evaluates 12 security categories aligned to OWASP API Top 10 (2023):
- Authentication bypass and JWT misconfigurations
- BOLA and IDOR via sequential ID probing
- BFLA and privilege escalation indicators
- Property over-exposure and mass-assignment surfaces
- Input validation issues such as CORS wildcard usage
- Rate-limiting characteristics
- Data exposure, including PII and API key patterns
- Encryption misconfigurations
- SSRF indicators
- Inventory issues such as missing versioning
- Unsafe consumption surfaces
- LLM/AI security via multi-tier adversarial probes
OpenAPI specifications in versions 3.0, 3.1, and Swagger 2.0 are parsed with recursive $ref resolution, and spec definitions are cross-referenced against runtime findings to identify undefined security schemes or deprecated operations.
Authenticated scanning and safe data handling
Authenticated scans support Bearer tokens, API keys, Basic auth, and cookies. They require domain verification via a DNS TXT record or an HTTP well-known file, so that only the domain owner can scan with credentials. Only an allowlist of headers is forwarded to the target: Authorization, X-API-Key, Cookie, and X-Custom-*.
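The header allowlist above and the refusal of localhost, private-range and cloud-metadata targets under the scan methodology are both checks a scanner must enforce on its own side before a single request leaves it. Here is one way to implement them, as an added example written for this page and not middleBrick's code; the header names come from the page, while the function names, the injectable resolver and the sample addresses are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Forwarded-header allowlist as the page describes it: exact names plus the X-Custom-* prefix.
ALLOWED_HEADERS = {"authorization", "x-api-key", "cookie"}
ALLOWED_PREFIXES = ("x-custom-",)


def filter_headers(headers):
    """Return only the headers the scanner may forward; everything else is dropped."""
    return {name: value for name, value in headers.items()
            if name.lower() in ALLOWED_HEADERS or name.lower().startswith(ALLOWED_PREFIXES)}


def _resolve(host):
    """Default resolver: every address (IPv4 and IPv6) the hostname maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def _is_internal(addr):
    """Loopback, RFC 1918 / ULA, link-local (which covers 169.254.169.254), and similar."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # judge ::ffff:127.0.0.1 as 127.0.0.1
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def target_is_blocked(url, resolve=_resolve):
    """Refuse a scan target before any request is sent.

    Run this again on every redirect the scanner follows, since a redirect can
    point a public hostname at an internal address; that is one reason the
    blocking has to live at more than one layer.
    """
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return True
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        addrs = {ipaddress.ip_address(host)}  # literal IP in the URL
    except ValueError:
        try:
            addrs = {ipaddress.ip_address(a) for a in resolve(host)}
        except (OSError, ValueError):
            return True  # unresolvable: fail closed
    # Block if any resolved address is internal, so a mixed A-record set cannot slip through.
    return any(_is_internal(a) for a in addrs)
```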
Customer scan data is deletable on demand and purged within 30 days of cancellation. It is never sold and never used for model training.
Products, integrations, and pricing
The Web Dashboard centralizes scans, report viewing, score trends, and branded compliance PDF downloads. The CLI offers a single command: middlebrick scan <url>, with JSON or text output. A GitHub Action provides CI/CD gating by failing the build when the score drops below a set threshold. An MCP Server enables scanning from AI coding assistants. An API client supports custom integrations.
Free tier: 3 scans per month with CLI access. Starter: 15 APIs, monthly scans, dashboard, email alerts, MCP Server. Pro: up to 100 APIs with paid overage, continuous monitoring, GitHub Action gates, CI/CD integration, Slack/Teams alerts, compliance reports, signed webhooks. Enterprise: unlimited APIs, custom rules, SSO, audit logs, SLA, and dedicated support.