API security for DevSecOps engineers
What middleBrick covers
- Black-box scanning with no agents or code access
- Risk scoring A–F with prioritized findings
- Coverage of 12 OWASP API Top 10 categories
- OpenAPI 3.x and Swagger 2.0 spec analysis
- Support for authenticated scan workflows
- Integration with dashboards, CLI, GitHub, and MCP
Purpose and scope of API security scanning
This tool is a black-box API security scanner for DevSecOps workflows. You submit an API endpoint URL and receive a risk score from A to F with prioritized findings. The scanner uses read-only methods (GET and HEAD) and text-only POST for LLM probes, completing most scans in under a minute. It does not modify, patch, or block anything; it surfaces weaknesses and provides remediation guidance.
Detection coverage aligned to major standards
Findings map directly to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). Detection categories include:
- Authentication bypass
- JWT misconfigurations such as alg=none and expired tokens
- BOLA and IDOR via sequential ID probing
- BFLA and privilege escalation through admin endpoint exposure
- Over-exposed properties and mass assignment surfaces
- Input validation issues like CORS wildcards and dangerous HTTP methods
- Rate limiting and resource consumption signals
- Data exposure, including PII patterns and API key formats
- Encryption and transport misconfigurations
- SSRF via URL-accepting parameters
- Inventory management gaps
- Unsafe consumption surfaces
- LLM/AI security probes across tiered scan depths
OpenAPI and authenticated scan integration
The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution, cross-referencing spec definitions against runtime behavior to find undefined security schemes, deprecated operations, and missing pagination. For authenticated scans, supported methods include Bearer, API key, Basic auth, and Cookie. Domain verification is enforced through DNS TXT records or an HTTP well-known file, ensuring only domain owners can scan with credentials. The scanner forwards a strict allowlist of headers, including Authorization, X-API-Key, Cookie, and X-Custom-*.
Continuous monitoring and integration options
The Pro tier enables scheduled rescans every 6 hours, daily, weekly, or monthly, with diff detection that highlights new findings, resolved items, and score drift. Alerts are rate-limited to one email per hour per API and can be delivered as HMAC-SHA256 signed webhooks, which auto-disable after five consecutive delivery failures. Integration options include a web dashboard for reports and score trends, a CLI via the middlebrick npm package, a GitHub Action that fails builds below a score threshold, an MCP server for AI coding assistants, and a programmable API for custom workflows.
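A receiving side for the signed rescan alerts described above, as an added example rather than middleBrick's own code: it checks the HMAC-SHA256 signature over the raw body in constant time before trusting the payload, then turns the diff (new findings, resolved items, score drift) into the same kind of pass/fail decision the GitHub Action makes against a score threshold. The page gives no header or payload field names, so the header name and JSON shape here are assumptions, and the sample event is constructed.

```python
import hashlib
import hmac
import json

# The page says alert webhooks are HMAC-SHA256 signed but names no header or
# payload fields; every name below is an assumption made for this example.
SIGNATURE_HEADER = "X-Middlebrick-Signature"   # assumed header carrying the hex HMAC
GRADES = "ABCDEF"                              # risk scores from A (best) to F (worst)

def compute_signature(secret: bytes, body: bytes) -> str:
    """Hex HMAC-SHA256 of the raw request body, as the sender would compute it."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()

def verify_signature(secret: bytes, body: bytes, presented) -> bool:
    """Constant-time compare, so a tampered body or forged header is rejected."""
    expected = compute_signature(secret, body)
    return hmac.compare_digest(expected, presented or "")

def grade_meets_threshold(grade: str, minimum: str) -> bool:
    """A is best, so a grade meets the threshold when it sorts no later than it."""
    return GRADES.index(grade) <= GRADES.index(minimum)

def handle_rescan_alert(secret: bytes, headers: dict, body: bytes, minimum="B") -> dict:
    """Authenticate a rescan alert, then turn its diff into a build decision."""
    if not verify_signature(secret, body, headers.get(SIGNATURE_HEADER)):
        return {"accepted": False, "reason": "signature mismatch"}
    event = json.loads(body)                    # assumed payload shape, see sample below
    diff = event.get("diff", {})
    new = diff.get("new_findings", [])
    resolved = diff.get("resolved", [])
    drift = None
    if event.get("previous_score") and event["previous_score"] != event["score"]:
        drift = f'{event["previous_score"]}->{event["score"]}'
    # Fail when the score slips below the threshold or any new finding appeared.
    fail = not grade_meets_threshold(event["score"], minimum) or bool(new)
    return {"accepted": True, "score": event["score"], "drift": drift,
            "new_findings": len(new), "resolved": len(resolved), "fail_build": fail}

# Constructed sample: a scheduled rescan that slid from B to C with one new finding.
SAMPLE_SECRET = b"example-shared-secret"
SAMPLE_BODY = json.dumps({
    "api": "https://api.example.test/v1",
    "previous_score": "B",
    "score": "C",
    "diff": {"new_findings": ["CORS wildcard on /v1/orders"],
             "resolved": ["Missing rate limiting on /v1/login"]},
}).encode()
SAMPLE_HEADERS = {SIGNATURE_HEADER: compute_signature(SAMPLE_SECRET, SAMPLE_BODY)}

if __name__ == "__main__":
    print(handle_rescan_alert(SAMPLE_SECRET, SAMPLE_HEADERS, SAMPLE_BODY))
```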
Limitations and safety posture
The scanner does not perform active SQL injection or command injection testing, as those require intrusive payloads outside its scope. It does not detect business logic vulnerabilities or blind SSRF that relies on out-of-band infrastructure, and it does not replace a human pentester for high-stakes audits. Safety measures include restricting requests to read-only methods, blocking destructive payloads, filtering private IPs, localhost, and cloud metadata endpoints at multiple layers, and providing on-demand data deletion within 30 days of cancellation. Customer data is never sold or used for model training.