Pre-merge pull-request security check

What middleBrick covers

  • Black-box scanning with read-only methods in under one minute
  • Covers OWASP API Top 10 (2023) and related mapping
  • OpenAPI 3.0/3.1 and Swagger 2.0 parsing with ref resolution
  • Authenticated scans with header allowlisting and domain verification
  • LLM/AI security probes across quick, standard, and deep tiers
  • CI/CD integration with gating and score trend tracking

Pre-merge pull-request security check

A pre-merge security check analyzes API-facing endpoints before code reaches production. The goal is to identify high-impact risks early, when changes are inexpensive to revert. Teams that skip this step often discover issues only during penetration testing or after an incident, when fixes are costly and disruptive.

What teams get wrong when skipping pre-merge checks

Without a pre-merge security check, teams rely on manual review and post-deployment scanning. This leads to late findings, inconsistent standards, and pressure to ship despite unresolved issues. Security becomes reactive, with developers context-switching to address findings after feature work is complete, increasing the likelihood of overlooked misconfigurations such as exposed internal fields, missing authentication on new endpoints, or permissive CORS rules.

A practical workflow for pre-merge security

Integrate scanning into the pull-request pipeline so that every merge candidate is evaluated. A CLI command runs a black-box scan against a staging or local proxy that exposes the API. Results are surfaced as structured output, with a summary risk score and prioritized findings. Developers address issues before the merge, and the CI gate blocks promotion if the score falls below the team-defined threshold. Example command:

middlebrick scan https://staging.example.com/api

Use the JSON output to integrate with existing tooling and track changes over time.
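As an added illustration of the gating and trend-tracking step (this is example code written for this page, not middleBrick's own CLI or a documented report format), the script below consumes a scan report, lists findings by severity, fails the pipeline when the score is under the team threshold or any high/critical finding is present, and appends the score to a history file so the trend can be charted. The report keys (`score`, `findings`, `severity`, `endpoint`, `target`) and the idea that the CLI can emit such JSON are assumptions; the sample report is constructed.

```python
"""Pre-merge gate over a scan report (added example; not middleBrick's code).

Assumed report shape (not from the page): {"target": str, "score": 0-100 with
higher meaning safer, "findings": [{"severity", "title", "endpoint"}, ...]}.
Usage: gate.py REPORT.json MIN_SCORE [HISTORY.jsonl]; with no arguments the
constructed sample below is used.
"""
import json
import sys
from datetime import datetime, timezone
from pathlib import Path

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}

# Constructed sample report standing in for the scanner's JSON output.
SAMPLE_REPORT = {
    "target": "https://staging.example.com/api",
    "score": 72,
    "findings": [
        {"severity": "medium", "title": "Permissive CORS origin", "endpoint": "/users"},
        {"severity": "high", "title": "Missing authentication", "endpoint": "/admin/export"},
        {"severity": "low", "title": "Server header reveals version", "endpoint": "/"},
    ],
}


def prioritized_findings(report):
    """Return findings sorted most severe first so reviewers see blockers at the top."""
    return sorted(report.get("findings", []),
                  key=lambda f: SEVERITY_ORDER.get(f.get("severity", "info").lower(), 99))


def evaluate_gate(report, min_score, block_severities=("critical", "high")):
    """Decide whether the merge may proceed.

    Fails when the score is below the threshold OR any finding is at a blocking
    severity, so a good aggregate score cannot hide a single serious hole.
    Returns (passed, reasons).
    """
    reasons = []
    score = report.get("score")
    if score is None or score < min_score:
        reasons.append(f"score {score} is below threshold {min_score}")
    for f in report.get("findings", []):
        if f.get("severity", "").lower() in block_severities:
            reasons.append(f"{f['severity']} finding: {f['title']} at {f['endpoint']}")
    return (not reasons, reasons)


def record_trend(report, history_path, now=None):
    """Append this run's score to a JSON-lines history file and return the
    change versus the previous run (None on the first run)."""
    path = Path(history_path)
    previous = None
    if path.exists():
        lines = [l for l in path.read_text().splitlines() if l.strip()]
        if lines:
            previous = json.loads(lines[-1])["score"]
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    with path.open("a") as fh:
        fh.write(json.dumps({"time": stamp, "target": report["target"],
                             "score": report["score"]}) + "\n")
    return None if previous is None else report["score"] - previous


def main(argv):
    report = json.loads(Path(argv[1]).read_text()) if len(argv) > 1 else SAMPLE_REPORT
    min_score = int(argv[2]) if len(argv) > 2 else 80
    history = argv[3] if len(argv) > 3 else "middlebrick-trend.jsonl"
    for f in prioritized_findings(report):
        print(f"[{f['severity'].upper():8}] {f['endpoint']}: {f['title']}")
    delta = record_trend(report, history)
    delta_str = "n/a" if delta is None else f"{delta:+d}"
    print(f"score={report['score']} delta={delta_str}")
    passed, reasons = evaluate_gate(report, min_score)
    for r in reasons:
        print("BLOCK:", r)
    return 0 if passed else 1  # non-zero exit fails the CI job


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Blocking on severity as well as on the score is deliberate: a threshold alone lets a new critical finding through whenever the rest of the API is clean enough to keep the aggregate above the line.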

What middleBrick covers out of the box

middleBrick is a black-box API security scanner that runs in under a minute using only read-only methods. It parses OpenAPI 3.0, 3.1, and Swagger 2.0 definitions and cross-references them with runtime behavior to detect undefined security schemes and unexpected data exposure. The scanner covers the OWASP API Top 10 (2023), validating controls related to authentication bypass, broken object level authorization, excessive property exposure, input validation issues, rate limiting, data exposure risks, injection-related concerns, and unsafe third-party consumption patterns. It also includes LLM/AI security probes across quick, standard, and deep tiers, testing for system prompt extraction, jailbreak techniques, data exfiltration attempts, and token smuggling.
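To show concretely what "parsing with ref resolution" and "detecting undefined security schemes" mean, here is an added example (written for this page, not middleBrick's parser) that resolves local `$ref` pointers in an OpenAPI 3.x or Swagger 2.0 document and reports operations that reference a security scheme never declared in `components.securitySchemes` / `securityDefinitions`, or that carry no security requirement at all. The sample document is constructed and contains two deliberate defects.

```python
"""Static security-scheme check over an OpenAPI document (added example;
not middleBrick's code). Expects a dict already loaded from JSON or YAML."""

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")

# Constructed OpenAPI 3.1 sample: /admin/export names a scheme that is never
# declared, and /health has no security while the document has no global default.
SAMPLE_SPEC = {
    "openapi": "3.1.0",
    "components": {
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}},
        "pathItems": {"Orders": {"get": {"security": [{"bearerAuth": []}]}}},
    },
    "paths": {
        "/users": {"get": {"security": [{"bearerAuth": []}]}},
        "/admin/export": {"get": {"security": [{"adminKey": []}]}},
        "/health": {"get": {}},
        "/orders": {"$ref": "#/components/pathItems/Orders"},
    },
}


def resolve_ref(doc, ref):
    """Resolve a local JSON-pointer reference such as '#/components/schemas/X'."""
    if not ref.startswith("#/"):
        raise ValueError(f"only local references are supported, got {ref!r}")
    node = doc
    for token in ref[2:].split("/"):
        token = token.replace("~1", "/").replace("~0", "~")  # JSON-pointer unescaping
        node = node[int(token)] if isinstance(node, list) else node[token]
    return node


def deref(doc, node, _stack=()):
    """Recursively replace {"$ref": ...} objects with their targets, refusing cycles."""
    if isinstance(node, dict):
        if "$ref" in node:
            ref = node["$ref"]
            if ref in _stack:
                raise ValueError("circular $ref: " + " -> ".join(_stack + (ref,)))
            return deref(doc, resolve_ref(doc, ref), _stack + (ref,))
        return {k: deref(doc, v, _stack) for k, v in node.items()}
    if isinstance(node, list):
        return [deref(doc, v, _stack) for v in node]
    return node


def declared_schemes(doc):
    """Scheme names from OpenAPI 3.x components or Swagger 2.0 securityDefinitions."""
    names = set(doc.get("components", {}).get("securitySchemes", {}))
    names |= set(doc.get("securityDefinitions", {}))
    return names


def check_security(doc):
    """Return a list of {"path", "method", "issue"} for operations whose security
    requirement is missing, explicitly disabled, or refers to an undeclared scheme."""
    findings = []
    declared = declared_schemes(doc)
    default = doc.get("security")  # top-level requirement applies where an operation sets none
    for path, item in doc.get("paths", {}).items():
        item = deref(doc, item)
        for method in HTTP_METHODS:
            op = item.get(method)
            if op is None:
                continue
            requirements = op.get("security", default)
            if requirements is None:
                findings.append({"path": path, "method": method,
                                 "issue": "no security requirement and no top-level default"})
            elif requirements == []:
                findings.append({"path": path, "method": method,
                                 "issue": "security explicitly disabled with []"})
            else:
                for requirement in requirements:
                    for scheme in requirement:
                        if scheme not in declared:
                            findings.append({"path": path, "method": method,
                                             "issue": f"references undeclared security scheme {scheme!r}"})
    return findings


if __name__ == "__main__":
    for f in check_security(SAMPLE_SPEC):
        print(f"{f['method'].upper()} {f['path']}: {f['issue']}")
```

A static check like this only proves what the specification claims; the runtime cross-reference the page describes is what tells you whether an operation that declares `bearerAuth` actually rejects unauthenticated requests.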

Authentication, authorization, and scanning constraints

Authenticated scans validate Bearer tokens, API keys, Basic auth, and cookies. Domain verification is enforced so only the domain owner can scan with credentials, using DNS TXT records or an HTTP well-known file. The scanner forwards a limited set of headers and does not execute destructive payloads. Private IPs, localhost, and cloud metadata endpoints are blocked. Scan data is deletable on demand and retained only as long as needed, with no use for model training.
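The two controls in this section, refusing targets that resolve to internal or cloud-metadata addresses and verifying domain ownership before a credentialed scan, are shown below in an added example (written for this page, not middleBrick's implementation). DNS and HTTP lookups are injected as callables so the code runs offline against constructed tables; the TXT record name, the well-known path, the token format and the sample addresses are all assumptions, not the product's real values.

```python
"""Scan-target safety checks (added example; not middleBrick's code).

Assumed, not from the page: the TXT record lives at _middlebrick-verify.<domain>,
the well-known file at https://<domain>/.well-known/middlebrick-verify.txt, and
the token is an ASCII string issued per customer.
"""
import hmac
import ipaddress
from urllib.parse import urlsplit

# Cloud metadata endpoints that must never be a scan target. The IPv4 address is
# link-local, so the address test below also catches it when reached via a name.
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal"}

# Constructed lookup tables standing in for real DNS and HTTP (no network access).
FAKE_DNS_A = {
    "staging.example.com": ["93.184.216.34"],
    "intranet.example.com": ["10.20.30.40"],
    "split.example.com": ["93.184.216.35", "192.168.1.5"],  # mixed public/private records
}
TOKEN = "mb-verify-CONSTRUCTED-TOKEN-123"
FAKE_DNS_TXT = {"_middlebrick-verify.staging.example.com": [TOKEN]}
FAKE_HTTP = {"https://other.example.com/.well-known/middlebrick-verify.txt": TOKEN + "\n"}


def fake_resolve(host):
    return FAKE_DNS_A.get(host, [])


def fake_txt(name):
    return FAKE_DNS_TXT.get(name, [])


def fake_fetch(url):
    return FAKE_HTTP.get(url)


def is_blocked_address(addr_text):
    """True for loopback, private, link-local, multicast, reserved, unspecified,
    non-global or metadata addresses (IPv4 and IPv6)."""
    addr = ipaddress.ip_address(addr_text)
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified
            or not addr.is_global or str(addr) in METADATA_HOSTS)


def check_scan_target(url, resolve):
    """Return (allowed, reason). `resolve(hostname)` returns a list of IP strings.
    Every resolved address must pass, because a name can mix public and private
    records and the scanner cannot control which one a connection picks."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return False, "only http(s) URLs with a hostname are accepted"
    if host == "localhost" or host.endswith(".localhost") or host in METADATA_HOSTS:
        return False, f"{host} is a blocked hostname"
    try:
        ipaddress.ip_address(host)
        addrs = [host]  # literal IP, nothing to resolve
    except ValueError:
        addrs = resolve(host)
    if not addrs:
        return False, f"{host} did not resolve"
    for addr in addrs:
        if is_blocked_address(addr):
            return False, f"{host} resolves to blocked address {addr}"
    return True, "ok"


def verify_domain_ownership(domain, expected_token, txt_lookup, fetch_text):
    """Accept when the TXT record or the well-known file carries the token.
    Returns (verified, method). Comparison is constant-time."""
    expected = expected_token.encode()
    for record in txt_lookup(f"_middlebrick-verify.{domain}"):
        if hmac.compare_digest(record.strip().encode(), expected):
            return True, "dns-txt"
    body = fetch_text(f"https://{domain}/.well-known/middlebrick-verify.txt")
    if body is not None and hmac.compare_digest(body.strip().encode(), expected):
        return True, "well-known"
    return False, "none"


if __name__ == "__main__":
    for url in ("https://staging.example.com/api", "https://intranet.example.com/",
                "http://169.254.169.254/latest/meta-data/", "https://split.example.com/"):
        print(url, check_scan_target(url, fake_resolve))
    for domain in ("staging.example.com", "other.example.com", "intranet.example.com"):
        print(domain, verify_domain_ownership(domain, TOKEN, fake_txt, fake_fetch))
```

Resolving the name yourself and rejecting on any blocked record, rather than trusting the hostname string, is what closes the usual bypasses (a public name with a private A record, an IPv6 literal, a `.localhost` subdomain); in production the same resolved address should also be the one actually connected to, so a second lookup cannot return something different.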

Frequently Asked Questions

Does this replace a human pentester?
No. The scanner detects misconfigurations and known attack patterns but does not find business logic flaws or perform intrusive testing. A human review is still required for high-stakes audits.
Can it detect SQL injection or command injection?
No. It does not send destructive payloads and does not perform active SQL injection or command injection testing.
How are compliance frameworks referenced?
Findings map to OWASP API Top 10 (2023). The tool helps prepare for security controls described in SOC 2 Type II and PCI-DSS 4.0 using alignment language, but it does not certify compliance.
What happens to scan data after cancellation?
Customer data is deletable on demand and purged within 30 days of cancellation. It is never sold and is not used for model training.