GitGuardian review
What middleBrick covers
- Black-box API scanning with under one minute runtime
- Risk scoring from A to F with prioritized findings
- Authentication and authorization bypass detection
- OpenAPI spec parsing and runtime cross-validation
- LLM security probes across multiple scan tiers
- Integration with dashboards, CLI, CI/CD, and AI assistants
Overview and positioning
This tool is a self-service API security scanner that accepts a URL and returns a risk score on an A–F scale along with prioritized findings. It performs black-box scanning without requiring agents, code access, or SDK integration, and supports any language, framework, or cloud. Scan duration is under one minute, using read-only methods such as GET and HEAD, with optional text-only POST for LLM probes.
Detection scope and API surface coverage
The scanner evaluates 12 categories aligned to the OWASP API Top 10 (2023), including Authentication bypass and JWT misconfigurations, Broken Object Level Authorization, Broken Function Level Authorization, Property Authorization exposure, Input Validation such as CORS wildcard usage and dangerous HTTP methods, Rate Limiting and Resource Consumption indicators, Data Exposure patterns including PII and API key formats, Encryption and transport security issues, SSRF indicators, Inventory Management concerns, Unsafe Consumption surfaces, and LLM / AI Security probes across tiered scan depths. It parses OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution, cross-referencing spec definitions against runtime findings such as undefined security schemes or deprecated operations.
Authenticated scanning and safety controls
Authenticated scanning is available from the Starter tier upward, supporting Bearer, API key, Basic auth, and Cookie credentials. Domain verification is enforced through DNS TXT records or an HTTP well-known file, ensuring only the domain owner can scan with credentials. The scanner forwards a limited allowlist of headers, including Authorization, X-API-Key, Cookie, and X-Custom-*, while read-only methods are used and destructive payloads are never sent. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers, and customer data is deletable on demand and retained for no longer than 30 days after cancellation.
Product integrations and monitoring capabilities
The platform provides a Web Dashboard for scanning, report review, score tracking, and downloadable compliance PDFs, along with a CLI via an npm package for direct terminal use. A GitHub Action is available to enforce CI/CD gates based on score thresholds, and an MCP Server enables scanning from AI coding assistants. For ongoing coverage, the Pro tier offers scheduled rescans at intervals from 6 hours to monthly, diff detection across scans, email alerts rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks with auto-disable after consecutive failures.
Compliance mapping and limitations
Findings map directly to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For other frameworks, it helps you prepare for and align with the security controls described in the relevant standards, though it does not certify or guarantee compliance. The tool does not perform active SQL injection or command injection testing, does not detect business logic vulnerabilities, does not provide blind SSRF detection, and does not replace a human pentester for high-stakes audits. Remediation guidance is supplied, but fixing, patching, or blocking issues is outside its scope.