Wallarm for CI/CD security gate

What middleBrick covers

  • Black-box API scanning in under one minute per API
  • Risk score A–F with prioritized findings
  • OWASP API Top 10 (2023) mapping and coverage
  • Authenticated scanning with header allowlist
  • GitHub Action gating and CI/CD integration
  • Data deletion on demand with 30-day purge

Purpose and scope of scanning in CI/CD

A CI/CD security gate should validate API-facing changes before merge and deployment. middleBrick functions as a scanner: you submit a URL and it returns a risk score with prioritized findings. It operates as a black-box assessment using read-only methods, which limits the class of issues it can detect while reducing scan impact on production environments.

Detection aligned to compliance frameworks

middleBrick maps findings to OWASP API Top 10 (2023), supports audit evidence for SOC 2 Type II, and aligns with controls defined in PCI-DSS 4.0. Detection coverage includes authentication bypass, JWT misconfigurations such as alg=none or expired tokens, BOLA and IDOR via sequential ID probing, BFLA and privilege escalation through role/permission leakage, input validation issues like CORS wildcard usage and dangerous HTTP methods, rate-limiting characteristics, data exposure patterns including PII and API key formats, encryption misconfigurations, SSRF indicators, and inventory issues such as missing versioning. For LLM-facing APIs, the scanner runs 18 adversarial probes across Quick, Standard, and Deep tiers to surface system prompt extraction, instruction override, jailbreak attempts, data exfiltration risks, and token smuggling.

Scan characteristics and limitations

Scan duration is under a minute per API, with no agents, SDKs, or code access required. The scanner uses read-only methods plus text-only POST for LLM probes and blocks private IPs, localhost, and cloud metadata endpoints. Because it does not execute intrusive payloads, it does not perform active SQL injection or command injection testing, nor does it detect blind SSRF or business logic vulnerabilities that require domain understanding. It also does not replace a human pentester for high-stakes audits. These limitations are explicit trade-offs that reduce noise and integration friction but narrow the set of detectable issues.
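A target check of the kind described above (private IPs, localhost, and cloud metadata endpoints refused before any request is sent) can be sketched as follows. This is an added example, not middleBrick's code; the function names, the hostname denylist, and the sample DNS data are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed hostname denylist; extend for the providers you run on.
BLOCKED_HOSTS = {"localhost", "metadata.google.internal"}

def blocked_reason(ip_text):
    """Return why an address is off-limits for scanning, or None if public."""
    ip = ipaddress.ip_address(ip_text)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so it gets the IPv4 checks.
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:  # includes 169.254.169.254
        return "link-local (cloud metadata range)"
    if ip.is_private:
        return "private"
    return None

def check_target(url, resolve):
    """Return a rejection reason for a scan target, or None if it may be scanned.
    `resolve` maps a hostname to IP strings; injected so the check runs offline."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "unsupported URL"
    host = parts.hostname.lower().rstrip(".")
    if host in BLOCKED_HOSTS or host.endswith(".localhost"):
        return "blocked hostname"
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP in the URL
    except ValueError:
        addrs = resolve(host)
    if not addrs:
        return "unresolvable"
    # Reject if ANY resolved address is internal, not just the first one.
    for addr in addrs:
        reason = blocked_reason(addr)
        if reason:
            return f"{addr}: {reason}"
    return None

if __name__ == "__main__":
    # Constructed sample data: hostnames and addresses are illustrative.
    fake_dns = {"api.example.test": ["93.184.216.34"], "mixed.example.test": ["93.184.216.34", "10.0.0.5"]}
    for u in ("https://api.example.test/v1", "http://169.254.169.254/latest/",
              "http://[::1]:8080/", "https://mixed.example.test/"):
        print(u, "->", check_target(u, lambda h: fake_dns.get(h, [])) or "allowed")
```

A check like this only holds if the scanner then connects to the exact address it validated; resolving the name a second time at request time reopens the gap through DNS rebinding.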

Integration into CI/CD workflows

The GitHub Action can gate merges or block promotion when the score drops below a defined threshold, providing an automated checkpoint without manual steps. CLI access enables scripting in any pipeline, and the MCP Server allows scanning from AI coding assistants. Authenticated scanning requires domain verification via DNS TXT or HTTP well-known file, and only a restricted allowlist of headers is forwarded. Continuous monitoring in higher tiers supports scheduled rescans and diff detection across runs, with email alerts rate-limited to one per hour per API and signed webhooks that auto-disable after repeated failures.

Operational trade-offs and data handling

middleBrick prioritizes low integration friction and repeatable scoring rather than remediation. Customer data is deletable on demand and purged within 30 days of cancellation, with explicit guarantees that data is never sold or used for model training. Pricing tiers range from free for basic CLI use to enterprise with unlimited APIs, custom rules, SSO, and audit logs. If your workflow depends on automated patching or blocking of findings, this tool is not a fit; it surfaces findings and remediation guidance for downstream action by your team.

Frequently Asked Questions

Can this scanner be used as a gate in CI/CD pipelines?
Yes. The GitHub Action and CLI support CI/CD gating based on score thresholds. The gate operates as a read-only check that surfaces findings rather than applying fixes.
Does the scanner test for SQL injection or command injection?
No. It does not perform active SQL injection or command injection tests, as those require intrusive payloads outside the scanner's scope.
What happens to scan data after cancellation?
Customer data can be deleted on demand and is purged within 30 days of cancellation. The service does not sell data or use it for model training.
Does authenticated scanning require domain ownership verification?
Yes. Authenticated scans require domain verification via DNS TXT record or an HTTP well-known file to ensure only the domain owner can submit credentials.
Is business logic vulnerability detection included?
No. Business logic vulnerabilities require human expertise specific to your domain and are not detected by the scanner.