Cheapest IDE security plugin
What middleBrick covers
- Black-box API scanning with read-only methods under one minute
- 12 OWASP-aligned detection categories for API risks
- OpenAPI 3.0/3.1 and Swagger 2.0 parsing with $ref resolution
- Authenticated scans with header allowlist and domain verification
- Direct mapping to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10
- CI/CD integration via GitHub Action and MCP Server support
Scope and approach
This scanner is a self-service API security assessment tool that requires no agents, SDKs, or code access. Submit an API endpoint URL and receive a risk score from A to F along with prioritized findings. The scan is black-box, uses only read-only methods (GET and HEAD) plus text-only POST for LLM probes, and typically completes in under one minute.
Detection coverage
The scanner checks 12 categories aligned to the OWASP API Top 10 (2023). Specific detections include:
- Authentication bypass and JWT misconfigurations: alg=none, HS256, expired tokens, missing claims, and sensitive data in claims
- BOLA and IDOR: sequential ID enumeration and active adjacent-ID probing
- BFLA and privilege escalation: admin endpoint probing and role/permission leakage
- Property authorization: over-exposure and mass-assignment surface
- Input validation: CORS wildcard usage with and without credentials, dangerous HTTP methods, and debug endpoints
- Rate limiting and resource consumption: inspection of rate-limit headers and oversized responses
- Data exposure: PII patterns, API key formats, and error leakage
- Further categories: encryption misconfigurations, SSRF indicators, inventory and versioning issues, unsafe consumption surfaces, and LLM/AI security through multiple adversarial probe tiers
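To make two of the passive checks above concrete, here is an added example (not middleBrick's code) in Node.js: a JWT inspector that flags alg=none, HS256, an expired or missing exp, missing standard claims and sensitive-looking claim names, plus a CORS check that distinguishes a wildcard origin with and without credentials. The sample token and header map are constructed inline; the list of claim names treated as sensitive, and the finding labels, are assumptions made for this example.

```javascript
// Added example: passive JWT and CORS inspection over captured input.
// Not middleBrick's code; finding names and the sensitive-claim list are assumptions.

// base64url-encode a JSON object (only used to build the constructed sample token)
function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64url');
}

// Build an unsigned token for the constructed sample; a real token would carry a signature.
function buildUnsignedJwt(header, payload) {
  return `${b64url(header)}.${b64url(payload)}.`;
}

// Decode one base64url JSON segment; null when it is not valid JSON
function decodeSegment(seg) {
  try {
    return JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));
  } catch {
    return null;
  }
}

// Passive inspection: no verification attempt, only structural findings.
// `now` is a Unix timestamp in seconds so the expiry check is deterministic.
function inspectJwt(token, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) return ['malformed-jwt'];
  const header = decodeSegment(parts[0]);
  const payload = decodeSegment(parts[1]);
  if (!header || !payload) return ['malformed-jwt'];

  const findings = [];
  const alg = String(header.alg || '').toLowerCase();
  if (alg === 'none') findings.push('alg-none');              // unsigned token
  else if (alg === 'hs256') findings.push('hs256-symmetric'); // shared-secret signing, review key handling
  if (typeof payload.exp !== 'number') findings.push('missing-exp');
  else if (payload.exp < now) findings.push('expired');
  for (const claim of ['iss', 'aud', 'sub']) {
    if (!(claim in payload)) findings.push(`missing-${claim}`);
  }
  // Assumed list of claim names that should never travel inside a token.
  const sensitiveNames = ['password', 'ssn', 'credit_card', 'email'];
  for (const key of Object.keys(payload)) {
    if (sensitiveNames.includes(key.toLowerCase())) findings.push(`sensitive-claim:${key}`);
  }
  return findings;
}

// CORS check over a lowercase-keyed response header map.
function inspectCors(headers) {
  const origin = headers['access-control-allow-origin'];
  const creds = String(headers['access-control-allow-credentials'] || '').toLowerCase() === 'true';
  if (origin === '*' && creds) return 'cors-wildcard-with-credentials';
  if (origin === '*') return 'cors-wildcard';
  return null;
}

// Constructed sample input: an alg=none token with an expired exp and a password claim,
// and a response that combines a wildcard origin with credentials.
const SAMPLE_TOKEN = buildUnsignedJwt(
  { alg: 'none', typ: 'JWT' },
  { sub: 'user-1', exp: 1700000000, password: 'hunter2' },
);
const SAMPLE_HEADERS = {
  'access-control-allow-origin': '*',
  'access-control-allow-credentials': 'true',
};

console.log(inspectJwt(SAMPLE_TOKEN, 1700000001));
console.log(inspectCors(SAMPLE_HEADERS));
```

The checks stay passive on purpose: the inspector decodes and reports, it never forges or replays a token, and the CORS check only reads headers already returned by the server.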
OpenAPI and authenticated scanning
The tool parses OpenAPI 3.0, 3.1, and Swagger 2.0 definitions with recursive $ref resolution, then cross-references spec definitions against runtime findings to highlight undefined security schemes, sensitive fields, deprecated operations, and missing pagination. For authenticated scans, Bearer tokens, API keys, Basic auth, and cookies are supported. Domain verification is enforced through DNS TXT records or an HTTP well-known file so that only the domain owner can scan with credentials. A strict header allowlist permits only Authorization, X-API-Key, Cookie, and X-Custom-* headers to be forwarded.
Compliance mapping and limitations
Findings map directly to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For other frameworks, results help you prepare for audits and align with security controls described in relevant standards. The tool does not perform active SQL injection or command injection testing, does not detect business logic vulnerabilities, does not perform blind SSRF detection, and does not replace a human pentester for high-stakes audits. It reports findings and provides remediation guidance but does not fix, patch, block, or remediate issues.
Products, integrations, and pricing
Deliverables include a Web Dashboard for scanning, viewing reports, and tracking score trends, with branded compliance PDFs available. The CLI via the middlebrick npm package supports JSON and text output. A GitHub Action can gate CI/CD and fail builds when scores drop below a threshold. The MCP Server enables scanning from AI coding assistants. Programmatic access is provided through an API client. Continuous monitoring on the Pro tier supports scans every 6 hours, daily, weekly, or monthly, with diff detection and email alerts limited to one per hour per API. HMAC-SHA256 signed webhooks are included, with auto-disable after 5 consecutive failures.
Pricing options are:
- Free: zero cost for 3 scans per month with CLI access
- Starter: 99 dollars per month for 15 APIs, monthly scans, dashboard, email alerts, and MCP Server
- Pro: 499 dollars per month for 100 APIs, with additional APIs priced at 7 dollars each; includes continuous monitoring, GitHub Action gates, CI/CD integration, Slack and Teams alerts, compliance reports, and signed webhooks
- Enterprise: 2000 dollars per month for unlimited APIs, custom rules, SSO, audit logs, SLA, and dedicated support
Safety posture and frequently asked questions
The scanner uses read-only methods only and never sends destructive payloads. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer data is deletable on demand and purged within 30 days of cancellation. It is not an auditor and cannot certify compliance.
- What does the scanner map findings to?
- Answer: It maps findings directly to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023).
- Does the tool perform active injection tests like SQLi or command injection?
- Answer: No. It focuses on detection of misconfigurations and exposure without sending destructive payloads.
- Can authenticated scans be run against APIs requiring tokens or cookies?
- Answer: Yes. Bearer, API key, Basic auth, and Cookie authentication are supported with domain verification.
- What happens to scan data after account cancellation?
- Answer: Data is deletable on demand and fully purged within 30 days.