Blue/green deployment safety scan

What middleBrick covers

  • Black-box comparison of blue and green API surfaces
  • Authentication support for Bearer, API key, Basic, and Cookie
  • Risk scoring with prioritized findings (A–F)
  • OWASP API Top 10, PCI-DSS 4.0, SOC 2 Type II alignment
  • OpenAPI parsing with recursive $ref resolution
  • CLI and web dashboard with trend tracking

What is a blue/green deployment safety scan

A blue/green deployment safety scan checks the exposed API surface of each environment variant without accessing source code or runtime internals. The scanner submits read-only requests to both the blue and green endpoints, compares security characteristics, and produces a risk score with prioritized findings. Because the scan is black-box, it works regardless of language, framework, or cloud provider.

Common gaps when skipping the scan

Teams that skip a pre-release safety scan risk an inconsistent security posture between the blue and green environments. Common gaps include one environment allowing unauthenticated administrative endpoints, differences in CORS rules that expose credentials to unauthorized origins, and inconsistent enforcement of HTTPS redirects or HSTS. Such discrepancies can lead to privilege escalation, data exposure, or accidental production access through a misconfigured deployment.

A safe workflow for blue/green checks

Use a repeatable workflow that scans each environment before traffic is switched. Start with the blue environment to establish a baseline risk score, then run the same scan against green. Compare findings side by side and verify that new endpoints do not introduce authentication bypass, sensitive data exposure, or unsafe methods. Only switch traffic when risk scores are within acceptable variance and critical findings are addressed.

Example verification using the CLI:

middlebrick scan https://blue-api.example.com --auth-token "$BLUE_TOKEN" --output json
middlebrick scan https://green-api.example.com --auth-token "$GREEN_TOKEN" --output json
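The comparison and switch gate described in the workflow above, as an added example that is not middleBrick's own code: it diffs two scan reports by (check, endpoint), lists what green introduces or resolves, and holds the traffic switch when green adds a high-or-critical finding or its risk score exceeds blue's by more than a tolerance. The two embedded reports are constructed samples, and their JSON shape (risk_score plus findings with check/endpoint/severity, higher score = riskier) is an assumption, not the scanner's documented output format.

```python
import json

# Constructed sample reports for the two environments. Their shape
# (risk_score plus findings with check/endpoint/severity) is an assumption
# made for this example, not middleBrick's documented JSON output.
BLUE_JSON = """{"target": "https://blue-api.example.com", "risk_score": 35, "findings": [
 {"check": "cors-wildcard-with-credentials", "endpoint": "/api/v1/orders", "severity": "high"},
 {"check": "missing-hsts", "endpoint": "/", "severity": "medium"}]}"""
GREEN_JSON = """{"target": "https://green-api.example.com", "risk_score": 58, "findings": [
 {"check": "missing-hsts", "endpoint": "/", "severity": "medium"},
 {"check": "unauthenticated-admin-endpoint", "endpoint": "/api/v2/admin/users", "severity": "critical"},
 {"check": "dangerous-http-method", "endpoint": "/api/v2/orders", "severity": "high"}]}"""

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

def load_reports():
    """Parse the constructed reports (stands in for reading the two CLI JSON outputs)."""
    return json.loads(BLUE_JSON), json.loads(GREEN_JSON)

def index_findings(report):
    """Key each finding by (check, endpoint) so the two reports can be diffed."""
    return {(f["check"], f["endpoint"]): f for f in report["findings"]}

def compare_reports(blue, green):
    """Return what green introduces, what it resolves (highest severity first), and the score delta."""
    b, g = index_findings(blue), index_findings(green)
    by_severity = lambda f: -SEVERITY_RANK[f["severity"]]
    return {
        "new_in_green": sorted((g[k] for k in g.keys() - b.keys()), key=by_severity),
        "resolved_in_green": sorted((b[k] for k in b.keys() - g.keys()), key=by_severity),
        "score_delta": green["risk_score"] - blue["risk_score"],
    }

def switch_decision(blue, green, max_score_delta=10, blocking_severity="high"):
    """Gate the traffic switch: hold if green adds any finding at or above the blocking
    severity, or if its risk score exceeds blue's by more than the tolerance (higher = riskier)."""
    diff = compare_reports(blue, green)
    reasons = [f'new {f["severity"]} finding: {f["check"]} at {f["endpoint"]}'
               for f in diff["new_in_green"]
               if SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[blocking_severity]]
    if diff["score_delta"] > max_score_delta:
        reasons.append(f'risk score rose by {diff["score_delta"]} (tolerance {max_score_delta})')
    return not reasons, reasons

if __name__ == "__main__":
    ok, why = switch_decision(*load_reports())
    print("SAFE TO SWITCH" if ok else "HOLD TRAFFIC SWITCH:")
    for r in why:
        print(" -", r)
```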

Coverage aligned to frameworks

middleBrick maps findings to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). The scanner detects authentication bypass, JWT misconfigurations, IDOR, privilege escalation vectors, CORS misconfigurations, dangerous HTTP methods, and data exposure patterns such as API keys and PII. These results support audit evidence collection and help you prepare for compliance reviews without claiming certification.

What middleBrick covers out of the box

middleBrick performs a read-only check of both environments in under a minute, using GET and HEAD methods plus text-only POST for LLM probes. It supports Bearer, API key, Basic auth, and cookies for authenticated comparisons, with domain verification to ensure credentials are only used by the rightful owner. The scanner respects a strict header allowlist and does not modify, block, or remediate any findings.

Frequently Asked Questions

Can authenticated scans compare blue and green environments?
Yes. Provide separate tokens for each environment. The scanner validates domain ownership per environment and does not share credentials across targets.

Does the scanner detect differences in rate limiting between blue and green?
It identifies the presence or absence of rate-limiting headers and oversized responses, which helps highlight inconsistent resource protections across deployments.

How are LLM security probes handled in blue/green checks?
The scanner runs the same tiered LLM probes against each environment, comparing results for discrepancies in instruction override, jailbreak resilience, and PII extraction behavior.

Can findings be mapped to internal risk policies?
You can use the CLI or API to export structured results and integrate them with internal dashboards or risk-prioritization pipelines.

Does the scanner validate business logic differences between environments?
It does not. Business logic validation requires domain context and human review; the scanner reports observable security differences only.