Pre-merge API security check
What middleBrick covers
- Risk scoring A–F with prioritized findings in under a minute
- Black-box scanning with no agents or code access required
- Coverage of 12 risk categories mapped to the OWASP API Top 10 (2023)
- OpenAPI 3.0/3.1/Swagger 2.0 parsing with spec-to-runtime cross-check
- Authenticated scans with header allowlist and domain verification
- CI/CD integration via GitHub Action and MCP Server support
Shift security left to the pre-merge phase
The pre-merge phase is the narrow window where feedback is cheap and changes are still small. The self-service scanner runs in under a minute and needs no agents, SDKs, or code access: submit a URL, get a risk score from A to F with prioritized findings, and fix issues before the code merges. Findings map to the OWASP API Top 10 (2023) risk categories, and scan reports can serve as audit evidence for SOC 2 Type II and PCI DSS 4.0.
Black-box scanning with broad compatibility and strict safety limits
The scanner performs read-only checks with GET and HEAD, plus text-only POST requests for the LLM probes. It works against any language, framework, or cloud target with nothing to install. Targets that point at private IP ranges, localhost, or cloud instance-metadata endpoints are refused at multiple layers, so the scanner cannot be aimed at internal services. Active SQL injection, command injection, and blind SSRF are deliberately out of scope as intrusive tests; coverage for those classes still needs a separate DAST pass or manual testing.
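The target gate described above, written out as an added example (not middleBrick's own code): every resolved address for the target, not just the first, has to be public before the scanner will touch it, IPv4-mapped IPv6 literals are unwrapped so `::ffff:127.0.0.1` is judged as loopback, and the resolver is injectable so the example runs offline against constructed DNS answers. The hostnames, IPs and the `FAKE_DNS` table are constructed; the real resolver path uses only `socket.getaddrinfo`.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hostnames refused outright, before any DNS lookup. metadata.google.internal is
# GCE's metadata name; the link-local 169.254.169.254 used by AWS and Azure is
# caught by the address check below.
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal", "metadata"}


def is_blocked_ip(ip: str) -> bool:
    """True for any address a black-box scanner must never connect to."""
    addr = ipaddress.ip_address(ip)
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so it is judged as 127.0.0.1;
    # older Python versions treat the mapped form as an ordinary IPv6 address.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (
        addr.is_private         # 10/8, 172.16/12, 192.168/16, fc00::/7 (CPython also
                                # puts the RFC 5737 documentation nets in here)
        or addr.is_loopback     # 127/8, ::1
        or addr.is_link_local   # 169.254/16 (cloud metadata), fe80::/10
        or addr.is_multicast
        or addr.is_reserved
        or addr.is_unspecified  # 0.0.0.0, ::
    )


def _dns_resolve(host: str) -> list:
    """Real resolver; replaced by a fixed mapping in the offline demo and tests."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_target(url: str, resolve=None) -> str:
    """Return the normalized hostname if the URL may be scanned, else raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    name = host.lower().rstrip(".")
    if name in BLOCKED_HOSTNAMES or name.endswith(".localhost"):
        raise ValueError(f"blocked hostname: {host}")
    try:
        ips = [str(ipaddress.ip_address(name))]  # literal IP in the URL
    except ValueError:
        ips = (resolve or _dns_resolve)(name)
        if not ips:
            raise ValueError(f"unresolvable host: {host}")
    # Every record must pass: a name that answers with one public and one private
    # address is the classic trick for steering a scanner at internal services.
    for ip in ips:
        if is_blocked_ip(ip):
            raise ValueError(f"{host} resolves to blocked address {ip}")
    return name


def is_scannable(url: str, resolve=None) -> bool:
    """Boolean form of validate_target for callers that don't need the reason."""
    try:
        validate_target(url, resolve)
        return True
    except ValueError:
        return False


# Constructed DNS answers so the example runs offline (93.184.216.34 is just a
# public address; rebind.example.com mixes a public and a private record).
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "rebind.example.com": ["93.184.216.34", "10.0.0.5"],
}


def fake_resolve(host: str) -> list:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for target in ("https://api.example.com/v1/users",
                   "http://169.254.169.254/latest/meta-data/",
                   "http://[::ffff:127.0.0.1]:8080/",
                   "https://rebind.example.com/"):
        try:
            print("allow ", validate_target(target, resolve=fake_resolve))
        except ValueError as err:
            print("reject", target, "->", err)
```

One caveat the gate cannot fix on its own: DNS can change between this check and the actual connection (rebinding), so the scanner's HTTP client should connect to the IP that passed validation rather than resolving the name a second time.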
Detection coverage across 12 API risk categories
The scanner's 12 categories map to the OWASP API Top 10 (2023); the checks include:
- Authentication: bypass checks and JWT weaknesses such as alg=none and expired tokens
- BOLA and IDOR via sequential object-ID probing
- BFLA and privilege-escalation signals
- Over-exposed properties and mass-assignment surfaces
- Input validation and misconfiguration signals: CORS wildcards and dangerous HTTP methods
- Resource consumption: missing rate-limit headers
- Data exposure: PII patterns (email, context-aware SSN) and leaked API key formats for AWS and GitHub
- Transport: mixed content and missing HSTS
- SSRF indicators via internal-IP probing (non-blind only, within the read-only scope described above)
- Inventory issues such as missing API versioning
- Unsafe consumption surfaces
- LLM security probes in Quick, Standard, and Deep tiers
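To make the passive side of that list concrete, here is an added example (not middleBrick's detection code) that runs a handful of the read-only checks over one constructed HTTP response: response-header checks (missing HSTS, CORS wildcard, dangerous methods in `Allow`, no rate-limit headers), body pattern checks (email, AWS and GitHub key formats, an SSN pattern that only fires when the JSON key says it is one), and a passive JWT review that flags `alg=none` and expired tokens. The severity weights and A-F grade bands are illustrative assumptions; the page does not publish the product's scoring formula. The sample response and the `alg=none` token are constructed in the block itself.

```python
import base64
import json
import re
import time

# Illustrative weights and grade bands (assumed, not the product's formula).
SEVERITY_WEIGHT = {"critical": 40, "high": 20, "medium": 10, "low": 5}
GRADE_BANDS = (("A", 90), ("B", 80), ("C", 70), ("D", 60), ("F", 0))
DANGEROUS_METHODS = {"TRACE", "TRACK", "CONNECT"}
JWT_RX = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")
PATTERNS = {
    "email": (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "medium"),
    "aws_access_key": (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "high"),
    "github_token": (re.compile(r"\bghp_[A-Za-z0-9]{36}\b"), "high"),
    # Context-aware: nine digits count as an SSN only when the JSON key says so,
    # which keeps order numbers and phone fragments out of the findings.
    "ssn": (re.compile(r'(?i)"(?:ssn|social[_ -]?security)[^"]*"\s*:\s*"?\d{3}-?\d{2}-?\d{4}'), "medium"),
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def check_headers(url: str, headers: dict) -> list:
    """Passive checks on response headers; each finding is (category, severity, detail)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if url.startswith("https://") and "strict-transport-security" not in h:
        findings.append(("API8 misconfiguration", "medium", "missing HSTS header"))
    if h.get("access-control-allow-origin") == "*":
        creds = h.get("access-control-allow-credentials", "").lower() == "true"
        findings.append(("API8 misconfiguration", "high" if creds else "medium",
                         "CORS wildcard origin" + (" with credentials" if creds else "")))
    allowed = {m.strip().upper() for m in h.get("allow", "").split(",") if m.strip()}
    if allowed & DANGEROUS_METHODS:
        findings.append(("API8 misconfiguration", "medium",
                         f"dangerous methods enabled: {sorted(allowed & DANGEROUS_METHODS)}"))
    if not any(k in h for k in ("ratelimit-limit", "x-ratelimit-limit", "retry-after")):
        findings.append(("API4 resource consumption", "low", "no rate-limit headers"))
    return findings


def check_body(body: str) -> list:
    return [("API3 property exposure", sev, f"{name} pattern in response body")
            for name, (rx, sev) in PATTERNS.items() if rx.search(body)]


def check_jwt(token: str, now=None) -> list:
    """Passive JWT review: decodes header and payload without verifying a signature."""
    now = time.time() if now is None else now
    try:
        head_b64, payload_b64, sig = token.split(".")
        header = json.loads(_b64url_decode(head_b64))
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # malformed base64 or JSON (binascii.Error is a ValueError)
        return []
    findings = []
    if str(header.get("alg", "")).lower() == "none" or not sig:
        findings.append(("API2 authentication", "critical", "unsigned JWT (alg=none or empty signature)"))
    if "exp" not in payload:
        findings.append(("API2 authentication", "medium", "JWT without exp claim"))
    elif payload["exp"] < now:
        findings.append(("API2 authentication", "high", "expired JWT still returned by the API"))
    return findings


def scan_response(resp: dict, now=None) -> list:
    findings = check_headers(resp["url"], resp["headers"]) + check_body(resp["body"])
    for token in JWT_RX.findall(resp["body"]):
        findings += check_jwt(token, now)
    return findings


def grade(findings: list) -> tuple:
    score = max(0, 100 - sum(SEVERITY_WEIGHT[sev] for _, sev, _ in findings))
    return score, next(letter for letter, floor in GRADE_BANDS if score >= floor)


# Constructed samples. The alg=none token is assembled here rather than pasted;
# its exp (1600000000, September 2020) is deliberately in the past.
SAMPLE_TOKEN = ".".join([_b64url(b'{"alg":"none","typ":"JWT"}'),
                         _b64url(b'{"sub":"42","role":"admin","exp":1600000000}'), ""])
SAMPLE_RESPONSE = {
    "url": "https://api.example.com/users/42",
    "status": 200,
    "headers": {"Access-Control-Allow-Origin": "*", "Access-Control-Allow-Credentials": "true",
                "Allow": "GET, HEAD, PUT, DELETE, TRACE", "Content-Type": "application/json"},
    "body": json.dumps({"id": 42, "email": "jane@example.com",
                        "aws_key": "AKIAIOSFODNN7EXAMPLE", "token": SAMPLE_TOKEN}),
}
CLEAN_RESPONSE = {
    "url": "https://api.example.com/health",
    "status": 200,
    "headers": {"Strict-Transport-Security": "max-age=63072000", "RateLimit-Limit": "100",
                "Access-Control-Allow-Origin": "https://app.example.com", "Allow": "GET, HEAD"},
    "body": '{"status": "ok"}',
}

if __name__ == "__main__":
    found = scan_response(SAMPLE_RESPONSE)
    for category, severity, detail in sorted(found, key=lambda f: SEVERITY_WEIGHT[f[1]], reverse=True):
        print(f"[{severity:8}] {category}: {detail}")
    print("score/grade:", grade(found))
```

Two details worth copying into any passive checker: the SSN pattern is keyed on the field name rather than on nine digits alone, and the JWT check treats an empty third segment the same as `alg=none`, since a verifier that accepts either is equally broken.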
OpenAPI spec validation and authenticated scan controls
The tool parses OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution and cross-checks the spec against runtime behavior to find undefined security schemes, sensitive fields, deprecated operations, and missing pagination. Authenticated scans (Starter tier and above) support Bearer, API key, Basic auth, and Cookie credentials, but only after the target domain is verified through a DNS TXT record or an HTTP well-known file, so credentials are sent only to domains the account has proven it controls. Only headers on the allowlist (Authorization, X-API-Key, Cookie, and X-Custom-*) are forwarded to the target; anything else supplied is dropped.
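The two controls in that paragraph, the header allowlist and the domain-verification gate, as an added example that is not middleBrick's code. The allowlist names and prefix come from the page; the TXT record label `_apiscan-verify.<domain>`, the well-known path `/.well-known/apiscan-verify.txt`, the challenge token and the `FAKE_TXT`/`FAKE_HTTP` lookups are assumptions constructed for the example. Lookups are injected so it runs offline; in production they would be a DNS TXT query and an HTTPS GET.

```python
import hmac
from urllib.parse import urlsplit

# Exact names and prefixes the page lists as forwardable; everything else is
# dropped before the request leaves the scanner.
ALLOWED_HEADERS = {"authorization", "x-api-key", "cookie"}
ALLOWED_PREFIXES = ("x-custom-",)


def filter_forwarded_headers(headers: dict) -> tuple:
    """Return (kept, dropped). Raises on CR/LF so a value cannot inject extra headers."""
    kept, dropped = {}, []
    for name, value in headers.items():
        if "\r" in value or "\n" in value:
            raise ValueError(f"CR/LF in header value for {name}")
        lname = name.strip().lower()
        if lname in ALLOWED_HEADERS or lname.startswith(ALLOWED_PREFIXES):
            kept[name] = value
        else:
            dropped.append(name)
    return kept, dropped


def verify_domain(domain: str, expected: str, txt_lookup, fetch):
    """Prove control of `domain`; returns "dns", "http", or None.

    txt_lookup(name) returns the TXT strings at a DNS name; fetch(url) returns a
    response body or None. The record label and file path are assumptions.
    """
    for record in txt_lookup(f"_apiscan-verify.{domain}"):  # assumed label
        if hmac.compare_digest(record.strip().encode(), expected.encode()):
            return "dns"
    body = fetch(f"https://{domain}/.well-known/apiscan-verify.txt")  # assumed path
    if body is not None and hmac.compare_digest(body.strip().encode(), expected.encode()):
        return "http"
    return None


def build_scan_request(url: str, headers: dict, verified_domains: set) -> dict:
    """Attach credentials only when the target is a verified domain or one of its subdomains."""
    host = (urlsplit(url).hostname or "").lower()
    verified = any(host == d or host.endswith("." + d) for d in verified_domains)
    kept, dropped = filter_forwarded_headers(headers) if verified else ({}, list(headers))
    return {"url": url, "headers": kept, "dropped": dropped, "authenticated": bool(kept)}


# Constructed stand-ins for DNS and HTTP.
CHALLENGE = "mb-verify-7f3a9c2e"  # constructed challenge token
FAKE_TXT = {"_apiscan-verify.example.com": ["unrelated-record", CHALLENGE]}
FAKE_HTTP = {"https://shop.example.net/.well-known/apiscan-verify.txt": CHALLENGE + "\n"}

if __name__ == "__main__":
    txt = lambda name: FAKE_TXT.get(name, [])
    http = lambda url: FAKE_HTTP.get(url)
    verified = {d for d in ("example.com", "shop.example.net", "attacker.example")
                if verify_domain(d, CHALLENGE, txt, http)}
    print("verified:", sorted(verified))
    creds = {"Authorization": "Bearer abc", "X-Custom-Tenant": "acme", "X-Forwarded-For": "10.0.0.1"}
    for target in ("https://api.example.com/v1", "https://notexample.com/v1"):
        print(build_scan_request(target, creds, verified))
```

Note the suffix test: `notexample.com` is not a subdomain of `example.com` because the comparison requires the leading dot, an easy mistake when this is written as a plain `endswith`.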
Outcomes, integrations, and data governance
Findings ship with remediation guidance; the product does not apply fixes or patches and does not block traffic. Integrations: a Web Dashboard for report review and score trends, a CLI with JSON or text output, a GitHub Action that can fail the build on a low score, an MCP Server for AI coding assistants, and a programmatic API for custom workflows. Continuous monitoring on the Pro plan adds scheduled rescans, diff detection between runs, and webhooks signed with HMAC-SHA256 so receivers can verify each delivery's origin and integrity. Customer data can be deleted on demand and is purged within 30 days of cancellation; it is never sold or used for model training.
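What a receiver of those signed webhooks has to do, as an added example that is not middleBrick's code: the page says only that webhooks are HMAC-SHA256 signed, so the header name `X-Webhook-Signature`, the `t=<unix>,v1=<hex>` layout, signing over `"<t>.<raw body>"`, and the 300-second replay window are assumptions chosen to show the full check (constant-time comparison plus a timestamp tolerance). The secret and the sample delivery body are constructed.

```python
import hashlib
import hmac
import json
import time

# Assumed scheme (not taken from the page): header "t=<unix>,v1=<hex>", where
# v1 = HMAC-SHA256(secret, "<t>." + raw body). Binding t into the MAC means a
# captured delivery cannot be replayed later with a fresh timestamp.
SIGNATURE_HEADER = "X-Webhook-Signature"


def sign_webhook(secret: bytes, body: bytes, ts: int) -> str:
    mac = hmac.new(secret, b"%d." % ts + body, hashlib.sha256).hexdigest()
    return f"t={ts},v1={mac}"


def verify_webhook(secret: bytes, body: bytes, header: str, now=None, tolerance: int = 300) -> bool:
    """Check origin and integrity, and reject deliveries older than `tolerance` seconds."""
    now = int(time.time()) if now is None else now
    fields = dict(part.split("=", 1) for part in header.split(",") if "=" in part)
    try:
        ts = int(fields["t"])
        provided = fields["v1"]
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > tolerance:
        return False
    expected = hmac.new(secret, b"%d." % ts + body, hashlib.sha256).hexdigest()
    # compare_digest rather than ==, so response time does not reveal how many
    # leading characters of a forged MAC were correct.
    return hmac.compare_digest(expected, provided)


def handle_delivery(secret: bytes, raw_body: bytes, header: str, now=None):
    """Verify first, parse second: the MAC covers the raw bytes, never a re-serialized object."""
    if not verify_webhook(secret, raw_body, header, now):
        return None
    return json.loads(raw_body)


# Constructed sample: a diff-detection notification from a scheduled rescan.
SAMPLE_SECRET = b"whsec_constructed_example_secret"
SAMPLE_BODY = json.dumps({"event": "scan.completed", "target": "https://api.example.com",
                          "grade": "C", "previous_grade": "B",
                          "new_findings": ["CORS wildcard origin"]}).encode()

if __name__ == "__main__":
    ts = int(time.time())
    header = sign_webhook(SAMPLE_SECRET, SAMPLE_BODY, ts)
    print(SIGNATURE_HEADER + ":", header)
    print("genuine :", handle_delivery(SAMPLE_SECRET, SAMPLE_BODY, header))
    print("tampered:", handle_delivery(SAMPLE_SECRET, SAMPLE_BODY + b" ", header))
    print("replayed:", handle_delivery(SAMPLE_SECRET, SAMPLE_BODY, header, now=ts + 3600))
```

When wiring this into a web framework, read the request body as bytes before any JSON middleware touches it; a MAC computed over `json.dumps(request.json)` will fail on whitespace or key-order differences and tempts people to loosen the check.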