Checkmarx review

What middleBrick covers

  • Black-box API scanning with risk score A–F
  • 12 categories aligned to OWASP API Top 10 (2023)
  • OpenAPI 3.0/3.1 and Swagger 2.0 parsing with $ref resolution
  • Authenticated scanning with header allowlist
  • Continuous monitoring and diff detection
  • Integrations including CLI, GitHub Action, MCP Server

Overview and scope

This tool is a self-service API security scanner that accepts a URL and returns a risk score from A to F with prioritized findings. It is black-box only: it needs no agents, SDKs, or code access and works with any language, framework, or cloud. A scan completes in under a minute and uses only read-only methods (GET and HEAD), plus text-only POST requests for the LLM probes. The tool does not fix, patch, block, or remediate anything; it detects and reports findings together with remediation guidance.

Detection capabilities and compliance mapping

The scanner covers 12 categories aligned to the OWASP API Top 10 (2023):

  • Authentication: bypasses and JWT misconfigurations
  • Broken Object Level Authorization
  • Broken Function Level Authorization
  • Broken Object Property Level Authorization (property over-exposure)
  • Input Validation, such as CORS wildcard origins and dangerous HTTP methods
  • Rate Limiting and Unrestricted Resource Consumption
  • Data Exposure, including PII patterns and API key formats
  • Encryption weaknesses
  • SSRF indicators
  • Inventory Management issues
  • Unsafe Consumption surfaces
  • LLM / AI Security adversarial probes

Each finding is mapped to its OWASP API Top 10 (2023) item, and scan reports can serve as evidence for SOC 2 Type II and PCI-DSS 4.0 controls; the mapping documents coverage, it does not by itself satisfy a control.
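To make the passive, read-only style of checking concrete, here is an added example (not middleBrick's code; the scanner's own pattern set and method list are not published) that runs three of the checks above over a single captured response: CORS wildcard or credentialed origin reflection, dangerous methods advertised in the Allow header returned for OPTIONS, and secret / PII patterns in the body. The sample headers and body are constructed, and the pattern list, severities and "dangerous" method set are assumptions.

```python
"""Passive response checks of the kind a black-box API scanner applies to a
single HTTP exchange: a CORS wildcard or credentialed reflection, dangerous
methods advertised in an Allow header, and secret / PII patterns in the body.
Added example; the header and body samples below are constructed."""
import re
from dataclasses import dataclass

# Which methods count as "dangerous" is an assumption of this example.
DANGEROUS_METHODS = {"TRACE", "TRACK", "CONNECT"}

# Illustrative secret and PII patterns; the scanner's real set is not
# published, so these are assumed.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


@dataclass
class Finding:
    category: str   # one of the scanner's categories
    severity: str   # high / medium / low
    detail: str


def _norm(headers):
    """Header names are case-insensitive; compare on lowercase keys."""
    return {k.lower(): v for k, v in headers.items()}


def check_cors(headers, request_origin):
    """Flag a wildcard ACAO (worse when credentials are also allowed) and an
    attacker-chosen Origin reflected back together with credentials."""
    h = _norm(headers)
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    if acao == "*":
        return [Finding("Input Validation", "high" if creds else "medium",
                        "Access-Control-Allow-Origin: * "
                        + ("with credentials allowed" if creds else "without credentials"))]
    if acao and acao == request_origin and creds:
        return [Finding("Input Validation", "high",
                        f"Origin {request_origin} reflected with credentials allowed")]
    return []


def check_methods(headers):
    """Parse the Allow header returned for OPTIONS and flag risky methods."""
    allow = _norm(headers).get("allow", "")
    advertised = {m.strip().upper() for m in allow.split(",") if m.strip()}
    risky = sorted(advertised & DANGEROUS_METHODS)
    if not risky:
        return []
    return [Finding("Input Validation", "medium",
                    "dangerous methods advertised: " + ", ".join(risky))]


def check_body(body):
    """Search the body for secret / PII patterns; report counts, never the
    matched values, so the report itself does not leak them."""
    findings = []
    for name, rx in PATTERNS.items():
        hits = rx.findall(body)
        if hits:
            sev = "medium" if name == "email" else "high"
            findings.append(Finding("Data Exposure", sev, f"{name}: {len(hits)} match(es)"))
    return findings


def analyze(headers, body, request_origin="https://attacker.example"):
    """Run all passive checks over one captured response."""
    return check_cors(headers, request_origin) + check_methods(headers) + check_body(body)


# Constructed sample: what an OPTIONS / GET round-trip might return.
SAMPLE_HEADERS = {
    "Content-Type": "application/json",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
    "Allow": "GET, HEAD, OPTIONS, TRACE",
}
SAMPLE_BODY = '{"owner":"alice@example.com","aws_key":"AKIAIOSFODNN7EXAMPLE"}'

if __name__ == "__main__":
    for f in analyze(SAMPLE_HEADERS, SAMPLE_BODY):
        print(f"[{f.severity:6}] {f.category}: {f.detail}")
```

Note that none of these checks sends anything beyond the ordinary GET/OPTIONS the scanner would issue anyway; the detection is entirely in how the response is read, which is why the page can describe the scan as read-only and safe to run against production.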

OpenAPI analysis parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution and cross-references the spec against runtime results to highlight undefined security schemes, sensitive fields, deprecated operations, and missing pagination. This helps with audit preparation and maps findings to controls in frameworks and regulations such as HIPAA, GDPR, ISO 27001, NIST, and CCPA, but what it produces is evidence relevant to those frameworks, not a certification of compliance with them.
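The spec-side half of that analysis is easy to show. The following added example (not middleBrick's implementation) resolves local $ref pointers in an OpenAPI 3.x document, guards against recursive schemas, and then raises the four spec-level findings the paragraph names: operations that accept unauthenticated requests or cite a security scheme that is not defined, deprecated operations, GET operations returning an array with no pagination parameter, and sensitive-looking property names in a response schema. The sample spec is constructed, and the pagination and sensitive-field name lists are assumptions.

```python
"""Resolve local $ref pointers in an OpenAPI 3.x document (with protection
against recursive schemas), then run spec-level checks: unauthenticated
operations, undefined security schemes, deprecated operations, array responses
without pagination, and sensitive-looking response fields. Added example; the
spec at the bottom is constructed and the name lists below are assumed."""

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}
PAGINATION_PARAMS = {"limit", "offset", "page", "page_size", "per_page", "cursor"}  # assumed
SENSITIVE_FIELDS = {"password", "password_hash", "secret", "token", "ssn"}          # assumed
_ROOT = object()  # sentinel: "start from the document root"


def _pointer(doc, ref):
    """Follow a local JSON pointer such as '#/components/schemas/User'."""
    if not ref.startswith("#/"):
        raise ValueError(f"only local refs are supported: {ref}")
    node = doc
    for part in ref[2:].split("/"):
        node = node[part.replace("~1", "/").replace("~0", "~")]
    return node


def resolve_refs(doc, node=_ROOT, path=()):
    """Return a copy of `node` with every $ref replaced by its target. A ref
    already on the current resolution path is left as a marker so a recursive
    schema (User.manager -> User) cannot loop forever."""
    if node is _ROOT:
        node = doc
    if isinstance(node, dict):
        if "$ref" in node:
            ref = node["$ref"]
            if ref in path:
                return {"$ref": ref, "x-circular": True}
            return resolve_refs(doc, _pointer(doc, ref), path + (ref,))
        return {k: resolve_refs(doc, v, path) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve_refs(doc, v, path) for v in node]
    return node


def _property_names(schema):
    """Yield every property name reachable in a resolved schema."""
    if not isinstance(schema, dict):
        return
    for name, sub in schema.get("properties", {}).items():
        yield name
        yield from _property_names(sub)
    yield from _property_names(schema.get("items"))
    for sub in schema.get("allOf", []) + schema.get("oneOf", []) + schema.get("anyOf", []):
        yield from _property_names(sub)


def audit(spec):
    """Return (kind, 'METHOD /path', detail) tuples for the checks above."""
    resolved = resolve_refs(spec)
    schemes = set(spec.get("components", {}).get("securitySchemes", {}))
    global_security = spec.get("security")
    findings = []
    for path, item in resolved.get("paths", {}).items():
        shared = {p.get("name") for p in item.get("parameters", [])}
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            where = f"{method.upper()} {path}"
            security = op.get("security", global_security)
            # `security: []` switches auth off; `[{}]` makes it optional. Both are findings.
            if not security or {} in security:
                findings.append(("no-auth", where, "operation accepts unauthenticated requests"))
            for requirement in security or []:
                for name in requirement:
                    if name not in schemes:
                        findings.append(("undefined-security-scheme", where, name))
            if op.get("deprecated"):
                findings.append(("deprecated", where, "deprecated operation is still served"))
            params = shared | {p.get("name") for p in op.get("parameters", [])}
            schema = (op.get("responses", {}).get("200", {}).get("content", {})
                      .get("application/json", {}).get("schema", {}))
            if method == "get" and schema.get("type") == "array" and not params & PAGINATION_PARAMS:
                findings.append(("missing-pagination", where,
                                 "array response with no limit/offset/cursor parameter"))
            sensitive = sorted(set(_property_names(schema)) & SENSITIVE_FIELDS)
            if sensitive:
                findings.append(("sensitive-field", where, ", ".join(sensitive)))
    return findings


# Constructed spec exercising every check, including a recursive schema.
SAMPLE_SPEC = {
    "openapi": "3.1.0",
    "info": {"title": "Constructed demo API", "version": "1"},
    "security": [{"bearerAuth": []}],
    "components": {
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}},
        "schemas": {
            "User": {"type": "object", "properties": {
                "id": {"type": "integer"}, "email": {"type": "string"},
                "password_hash": {"type": "string"},
                "manager": {"$ref": "#/components/schemas/User"}}},
            "UserList": {"type": "array", "items": {"$ref": "#/components/schemas/User"}},
        },
    },
    "paths": {
        "/users": {"get": {"responses": {"200": {"description": "ok", "content": {
            "application/json": {"schema": {"$ref": "#/components/schemas/UserList"}}}}}}},
        "/users/{id}": {
            "parameters": [{"name": "id", "in": "path", "required": True}],
            "get": {"security": [], "responses": {"200": {"description": "ok", "content": {
                "application/json": {"schema": {"$ref": "#/components/schemas/User"}}}}}},
            "delete": {"security": [{"adminKey": []}], "deprecated": True,
                       "responses": {"204": {"description": "deleted"}}},
        },
    },
}

if __name__ == "__main__":
    for kind, where, detail in audit(SAMPLE_SPEC):
        print(f"{kind:26} {where:22} {detail}")
```

The circular-reference marker matters in practice: real specs routinely contain self-referential schemas (trees, parent links), and a naive resolver either recurses until the stack overflows or silently drops the branch. Cross-referencing these spec findings against runtime results (does the deprecated DELETE still answer, does the array endpoint really return unbounded lists) is the part the page describes but that needs live requests and is not shown here.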

Authenticated scanning and safety measures

Authenticated scanning is available from the Starter tier upward and supports Bearer tokens, API keys, Basic auth, and Cookie credentials. Domain verification via a DNS TXT record or an HTTP well-known file is enforced first, so only the domain owner can scan with credentials. The scanner forwards only a restricted header allowlist (Authorization, X-API-Key, Cookie, and X-Custom-* headers); anything outside that list is dropped. Other safety measures: requests are limited to read-only methods; private IP ranges, localhost, and cloud metadata endpoints are blocked at multiple layers; and customer data can be deleted on demand and is purged within 30 days of cancellation. The scanner does not perform active SQL injection or command injection testing, does not detect business logic vulnerabilities, and is not a substitute for a human pentester on high-stakes audits.
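Two of those safety controls are worth seeing as code, because they are the ones that keep a credentialed scanner from being turned into an SSRF proxy. The added example below (not middleBrick's code) implements the header allowlist exactly as the page states it, and a target guard that refuses any URL whose host is localhost, a cloud metadata endpoint, or which resolves to a non-global address, including IPv4-mapped IPv6 literals and DNS answers that mix a public and a private record. The metadata host list and the fake DNS table are constructed; DNS TXT / well-known domain verification is not shown.

```python
"""Two safety controls of the kind the page describes for authenticated scans:
forward only allowlisted credential headers, and refuse targets that resolve to
private, loopback, link-local, reserved, or cloud-metadata addresses. Added
example; the metadata host list and the DNS table are constructed."""
import fnmatch
import ipaddress
import socket
from urllib.parse import urlsplit

# The page's allowlist, matched case-insensitively; X-Custom-* is a glob.
HEADER_ALLOWLIST = ("Authorization", "X-API-Key", "Cookie", "X-Custom-*")

# Well-known cloud metadata endpoints (assumed list for this example).
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal",
                  "fd00:ec2::254", "100.100.100.200"}


def filter_headers(headers):
    """Drop every header whose name is not on the allowlist."""
    return {name: value for name, value in headers.items()
            if any(fnmatch.fnmatchcase(name.lower(), pat.lower()) for pat in HEADER_ALLOWLIST)}


def is_forbidden_ip(ip):
    """True for any address a scanner must never connect to."""
    addr = ipaddress.ip_address(ip)
    # ::ffff:127.0.0.1 is an IPv6 literal that reaches IPv4 loopback; check the inner address.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    # is_global is False for RFC 1918, loopback, link-local (169.254/16), shared
    # address space (100.64/10), documentation, reserved and unique-local ranges.
    return (not addr.is_global) or str(addr) in METADATA_HOSTS


def _dns_resolve(host):
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_target(url, resolve=_dns_resolve):
    """Return (allowed, reason). `resolve` maps a hostname to its addresses and
    is injectable so the check runs offline. Every answer must pass: a zone the
    attacker controls can return one public and one private record."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = (parts.hostname or "").lower()
    if not host:
        return False, "missing host"
    if host == "localhost" or host.endswith(".localhost") or host in METADATA_HOSTS:
        return False, f"host blocked by name: {host}"
    try:
        addrs = [str(ipaddress.ip_address(host))]   # literal IP in the URL
    except ValueError:
        addrs = resolve(host)
    if not addrs:
        return False, f"unresolvable host: {host}"
    for ip in addrs:
        if is_forbidden_ip(ip):
            return False, f"{host} resolves to blocked address {ip}"
    return True, "ok"


# Constructed DNS table so the example runs offline.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "rebind.example": ["93.184.216.34", "10.0.0.5"],   # public + private answer
}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    print(filter_headers({"Authorization": "Bearer t", "X-Custom-Tenant": "acme",
                          "X-Forwarded-For": "1.2.3.4"}))
    for u in ("https://api.example.com/v1/", "http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:127.0.0.1]/", "https://rebind.example/", "http://localhost:8080/"):
        print(u, check_target(u, fake_resolve))
```

A check like this is only one layer: if the HTTP client resolves the name again when it connects, a DNS rebinding zone can pass the check and then hand the client a private address. The page's phrase "blocked at multiple layers" is the right expectation, and in practice that means pinning the vetted address for the connection and repeating the check on every redirect.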

Products, integrations, and monitoring

The Web Dashboard centralizes scans, reports, score trends, and downloadable branded compliance PDFs. The CLI, distributed as the middlebrick npm package, supports commands such as middlebrick scan <url> with JSON or text output. A GitHub Action can gate CI/CD by failing the build when the score drops below a configured threshold. The MCP Server exposes scanning to AI coding assistants such as Claude and Cursor, and an API client provides programmatic access for custom integrations. On the Pro tier, continuous monitoring adds scheduled rescans (every 6 hours, daily, weekly, or monthly), diff detection between scans, email alerts rate-limited to one per hour per API, and webhooks signed with HMAC-SHA256 that are automatically disabled after 5 consecutive delivery failures; a receiver should verify the signature before acting on a payload and answer with a success status once it has, or the endpoint will be switched off.
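The signed-webhook mechanism is the one integration detail a receiver has to get right, so here is an added example (not middleBrick's code; the product's header names and exact signing format are not documented on the page and are assumptions here) showing both sides: the sender computes HMAC-SHA256 over a timestamp and the raw body and disables the endpoint after 5 consecutive failures, and the receiver verifies with a constant-time comparison and rejects stale timestamps so a captured delivery cannot be replayed. The transports are constructed stand-ins for the HTTP client and the receiving service.

```python
"""Signed webhook delivery and verification: HMAC-SHA256 over a timestamp and
the raw body, constant-time comparison on the receiving side, a replay window,
and a sender-side counter that disables the endpoint after 5 consecutive
failures. Added example; header names, the '<timestamp>.<body>' signing format
and the fake transports are assumptions, not the product's wire format."""
import hashlib
import hmac
import json
import time

SIGNATURE_HEADER = "X-Webhook-Signature"   # assumed name
TIMESTAMP_HEADER = "X-Webhook-Timestamp"   # assumed name
MAX_SKEW_SECONDS = 300                     # replay window, assumed
MAX_FAILURES = 5                           # from the page: auto-disable after 5 failures


def sign(secret, timestamp, body):
    """Hex HMAC-SHA256 over '<timestamp>.<raw body>'. Binding the timestamp into
    the MAC is what makes the replay window enforceable."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(secret, headers, body, now=None):
    """Receiver side: reject missing or garbled headers, stale timestamps, and
    any digest that does not match, using a constant-time comparison."""
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers.get(TIMESTAMP_HEADER, ""))
    except ValueError:
        return False
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False
    expected = sign(secret, ts, body).encode()
    provided = headers.get(SIGNATURE_HEADER, "").encode()
    return hmac.compare_digest(expected, provided)


class WebhookEndpoint:
    """Sender side. `transport(url, headers, body)` performs the POST and
    returns the status code; it is injected so the example runs offline."""

    def __init__(self, url, secret, transport):
        self.url, self.secret, self.transport = url, secret, transport
        self.consecutive_failures = 0
        self.enabled = True

    def deliver(self, event, now=None):
        if not self.enabled:
            return False
        # Sign exactly the bytes that go on the wire; the receiver must verify
        # the raw body it received, not a re-serialized copy.
        body = json.dumps(event, separators=(",", ":"), sort_keys=True).encode()
        ts = int(time.time()) if now is None else now
        headers = {"Content-Type": "application/json",
                   TIMESTAMP_HEADER: str(ts),
                   SIGNATURE_HEADER: sign(self.secret, ts, body)}
        try:
            ok = 200 <= self.transport(self.url, headers, body) < 300
        except Exception:          # connection errors count as failures too
            ok = False
        if ok:
            self.consecutive_failures = 0
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= MAX_FAILURES:
                self.enabled = False
        return ok


# Constructed transports standing in for the HTTP client and the receiver.
SECRET = b"whsec_constructed_example_secret"


def honest_receiver(url, headers, body):
    return 200 if verify(SECRET, headers, body) else 401


def tampering_proxy(url, headers, body):
    return honest_receiver(url, headers, body + b" ")   # body altered in transit


def always_down(url, headers, body):
    return 503


class FlakyReceiver:
    """Fails the first `n` deliveries, then behaves like honest_receiver."""

    def __init__(self, n):
        self.remaining = n

    def __call__(self, url, headers, body):
        if self.remaining > 0:
            self.remaining -= 1
            return 503
        return honest_receiver(url, headers, body)


if __name__ == "__main__":
    ep = WebhookEndpoint("https://hooks.example.test/in", SECRET, honest_receiver)
    print("delivered:", ep.deliver({"api": "https://api.example.com", "score": "B"}))
    down = WebhookEndpoint("https://hooks.example.test/in", SECRET, always_down)
    print([down.deliver({"x": 1}) for _ in range(6)], "enabled:", down.enabled)
```

The failure counter resets on the first success, so transient outages shorter than five deliveries do not disable the hook; five in a row do, and nothing is sent afterwards until the endpoint is re-enabled.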

Pricing tiers and value proposition

The Free tier offers 3 scans per month and CLI access. The Starter tier at 99 dollars per month supports 15 APIs, monthly scans, dashboard access, email alerts, and the MCP Server. The Pro tier at 499 dollars per month covers 100 APIs, with additional APIs at 7 dollars each, and adds continuous monitoring, GitHub Action gates, CI/CD integration, Slack and Teams alerts, compliance reports, and signed webhooks. The Enterprise tier at 2000 dollars per month provides unlimited APIs, custom rules, SSO, audit logs, an SLA, and dedicated support. Which tier fits depends on how many APIs you need covered and whether you need continuous monitoring, CI gating, and compliance reports as evidence for SOC 2 Type II or PCI-DSS 4.0 controls.

Frequently Asked Questions

What standards does the scanner map findings to?
The scanner maps findings directly to OWASP API Top 10 (2023), and its reports can serve as evidence for SOC 2 Type II and PCI-DSS 4.0 controls. It does not certify compliance with those or any other regulations.
Can authenticated scans be performed?
Yes, authenticated scanning is available from Starter tier onward with Bearer, API key, Basic auth, and Cookie support, subject to domain verification.
Does the tool perform active injection testing such as SQL injection?
No. The scanner does not perform active SQL injection or command injection, as those require intrusive payloads outside its scope.
What happens to scan data after cancellation?
Customer scan data is deletable on demand and purged within 30 days of cancellation. It is never sold and is not used for model training.