Snyk review

What middleBrick covers

  • Black-box API scanning with a risk grade A–F and prioritized findings
  • Detection of OWASP API Top 10 issues and OpenAPI contract inconsistencies
  • Authenticated scans with strict header allowlist and domain verification
  • CI/CD integration via GitHub Action with build gating
  • Programmatic access through a dedicated API client
  • Continuous monitoring with scheduled rescans and signed webhooks

Overview and core scanning approach

The tool is a self-service API security scanner that accepts a target URL and returns a risk grade from A to F along with prioritized findings. It operates as a black-box scanner, requiring no agents, SDKs, or access to source code, and supports any language, framework, or cloud environment. Scans complete in under a minute, using read-only HTTP methods such as GET and HEAD, with text-only POST support for LLM probes. The analysis begins with an OpenAPI parser that resolves recursive $ref structures across OpenAPI 3.0, 3.1, and Swagger 2.0, then contrasts the specification against runtime behavior to surface inconsistencies.

Detection coverage aligned to recognized standards

The scanner evaluates 12 categories mapped to the OWASP API Top 10 (2023). It identifies authentication bypass attempts, JWT misconfigurations including alg=none, weak key selections, expired tokens, and missing claims, as well as security header and WWW-Authenticate compliance issues. It detects BOLA and IDOR through sequential ID enumeration and active adjacent-ID probing, and BFLA via admin endpoint probing and role/permission leakage. Additional coverage includes property authorization over-exposure, input validation issues such as CORS wildcards and dangerous HTTP methods, rate-limiting indicators and oversized responses, and data exposure patterns like email, Luhn-validated card numbers, context-aware SSN formats, and API key structures.
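To illustrate why Luhn validation matters for the card-number pattern mentioned above, here is a small detector run over a constructed response body. It is an added example, not middleBrick's code; the regex, function names and sample JSON are assumptions made for illustration.

```python
import re

# 13-19 digits, optionally separated by single spaces or hyphens,
# and not embedded in a longer run of digits.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits):
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(body):
    """Return masked findings for digit runs that pass the Luhn check."""
    findings = []
    for m in CANDIDATE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if len(set(digits)) == 1:
            continue  # e.g. all zeros passes Luhn but is not a card number
        if luhn_valid(digits):
            # Report first six and last four digits only, never the full number.
            masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
            findings.append({"offset": m.start(), "masked": masked})
    return findings


# Constructed sample: a 16-digit order id (fails Luhn) next to a
# well-known test card number (passes Luhn).
SAMPLE_BODY = (
    '{"order_id": "1234567890123456", '
    '"card": "4111 1111 1111 1111", "phone": "555-0100"}'
)

if __name__ == "__main__":
    print(find_card_numbers(SAMPLE_BODY))
```

A pattern match alone would flag both 16-digit values; the checksum removes the order id. Roughly one in ten random digit runs still passes Luhn, so such a finding is an indicator to review rather than proof of exposure.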

The system also flags encryption weaknesses, including missing HTTPS redirects, HSTS misconfigurations, and insecure cookie flags; SSRF indicators in URL-accepting parameters, with internal IP detection; and inventory management gaps such as missing versioning and legacy paths. For LLM and AI security, it runs 18 adversarial probes across Quick, Standard, and Deep tiers to assess system prompt extraction, instruction override, jailbreak techniques, data exfiltration, cost exploitation, and token smuggling scenarios. While the tool maps findings to three specific frameworks, it provides remediation guidance rather than asserting compliance for any other regulatory regime.

Authenticated scanning and safety controls

Authenticated scanning is available starting at the Starter tier, supporting Bearer tokens, API keys, Basic authentication, and cookies. Access requires a domain verification gate, enforced through DNS TXT records or an HTTP well-known file, ensuring that only the domain owner can submit credentials. The scanner forwards a strict header allowlist limited to Authorization, X-API-Key, Cookie, and X-Custom-* headers. As safety mechanisms, the scanner uses read-only methods only, never sends destructive payloads, and blocks private IPs, localhost, and cloud metadata endpoints at multiple layers. Customer scan data can be deleted on demand and is purged within 30 days of cancellation, and it is not used for model training.
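The header allowlist and target blocking described above can be sketched as follows. This is an added example, not middleBrick's code; the function names, the injected resolve callback and the sample addresses used with it are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Allowlist taken from the text above; everything else is dropped.
ALLOWED_EXACT = {"authorization", "x-api-key", "cookie"}
ALLOWED_PREFIX = "x-custom-"


def filter_headers(headers):
    """Return only allowlisted headers (names compared case-insensitively)."""
    kept = {}
    for name, value in headers.items():
        lname = name.lower()
        if lname not in ALLOWED_EXACT and not lname.startswith(ALLOWED_PREFIX):
            continue
        if "\r" in value or "\n" in value:
            continue  # a CR/LF in the value could inject extra header lines
        kept[name] = value
    return kept


def address_is_blocked(addr):
    """True for loopback, private, link-local (cloud metadata) and similar ranges."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:10.0.0.1 as 10.0.0.1
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def target_is_allowed(url, resolve):
    """resolve(hostname) -> list of IP strings (hypothetical hook, injected for offline use)."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return False
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP in the URL
    except ValueError:
        if host == "localhost" or host.endswith(".localhost"):
            return False
        addrs = resolve(host)
    # One internal address among the DNS answers is enough to refuse the target.
    return bool(addrs) and not any(address_is_blocked(a) for a in addrs)
```

Because DNS answers can change between this check and the actual connection, the same address test belongs at connect time as well, which is one reading of blocking "at multiple layers".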

Product offerings and integration options

The Web Dashboard enables scan management, report review, score trend tracking, and downloadable branded compliance PDFs. The CLI, distributed as an npm package, supports commands such as middlebrick scan with JSON or text output. A GitHub Action is available for CI/CD gating, failing the build when the score drops below a configured threshold. An MCP Server allows scanning from AI coding assistants, and a programmable API supports custom integrations. Continuous monitoring in higher tiers includes scheduled rescans at intervals ranging from every six hours to monthly, diff detection to highlight new or resolved findings, rate-limited email alerts, HMAC-SHA256 signed webhooks, and configurable notification rules.

Limitations and complementary activities

The tool does not fix, patch, block, or remediate issues; it detects and reports with guidance. It does not execute active SQL injection or command injection tests, which fall outside its read-only design. Business logic vulnerabilities require human expertise aligned to the specific application domain, and blind SSRF detection is not possible without out-of-band infrastructure. The scanner is not intended to replace a human pentester for high-stakes audits. These boundaries help maintain a clear scope while supporting efficient security workflows.

Frequently Asked Questions

How does authenticated scanning work and what is required?
Authenticated scanning uses credentials such as Bearer tokens, API keys, Basic auth, or cookies. Before scanning, the domain must pass a verification gate via DNS TXT record or a well-known HTTP file to confirm ownership.

What standards does the tool map findings to?
Findings map directly to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For other frameworks, it helps prepare evidence and aligns with described security controls.

Does the scanner perform intrusive testing like SQL injection?
No. The scanner uses read-only methods and does not send destructive payloads. Techniques such as active SQL injection or command injection are outside its scope.

What is the scan frequency and alerting capability?
Continuous monitoring supports scheduled rescans every six hours, daily, weekly, or monthly. Alerts are rate-limited to one email per hour per API, and webhooks use HMAC-SHA256 signing with auto-disable after repeated failures.