Alternatives to Snyk for GraphQL gateway audit
What middleBrick covers
- Black-box GraphQL gateway scanning without code access
- Authentication and authorization validation across multiple methods
- OWASP API Top 10 (2023), PCI-DSS 4.0, SOC 2 Type II mapping
- OpenAPI 3.x and Swagger 2.0 parsing with $ref resolution
- LLM adversarial probe testing for AI-assisted gateways
- CI/CD integration with build gating and compliance reporting
Purpose and scope for GraphQL gateway audit
This tool targets API gateways that expose GraphQL endpoints. It performs black-box validation focused on transport security, input handling, authorization enforcement, and schema exposure risks. The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 definitions with recursive $ref resolution and cross-references spec definitions against runtime behavior to surface undefined security schemes and deprecated operations.
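As an added illustration of the spec cross-check described above (example code written for this page, not middleBrick's own parser), the block below resolves local `$ref` pointers in an OpenAPI document with a cycle guard, then walks each operation to flag deprecated operations and security requirements that name a scheme missing from `components.securitySchemes`. The sample spec is constructed for the example and does not describe a real API; only local `#/...` references are handled.

```python
from typing import Any

# Constructed minimal OpenAPI 3.0 document (sample input for this example).
SAMPLE_SPEC: dict = {
    "openapi": "3.0.3",
    "components": {
        "schemas": {
            "User": {
                "type": "object",
                "properties": {
                    "id": {"type": "string"},
                    # self-reference: exercises the cycle guard in resolve_refs
                    "manager": {"$ref": "#/components/schemas/User"},
                },
            }
        },
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}},
    },
    "paths": {
        "/graphql": {
            "post": {
                "operationId": "graphqlQuery",
                "security": [{"bearerAuth": []}],
                "responses": {"200": {"description": "ok", "content": {
                    "application/json": {"schema": {"$ref": "#/components/schemas/User"}}}}},
            },
            "get": {
                "operationId": "graphqlGet",
                "deprecated": True,
                # references a scheme that is never defined in components
                "security": [{"apiKeyAuth": []}],
                "responses": {"200": {"description": "ok"}},
            },
        }
    },
}

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def _lookup(spec: dict, ref: str) -> Any:
    """Follow a local JSON pointer ('#/a/b') into the spec (RFC 6901 unescaping)."""
    if not ref.startswith("#/"):
        raise ValueError(f"only local references are supported: {ref}")
    node: Any = spec
    for part in ref[2:].split("/"):
        node = node[part.replace("~1", "/").replace("~0", "~")]
    return node


def resolve_refs(spec: dict, node: Any = None, _stack: tuple = ()) -> Any:
    """Return a copy of the spec with local $refs inlined; cycles are marked, not expanded."""
    if node is None:
        node = spec
    if isinstance(node, dict):
        ref = node.get("$ref")
        if isinstance(ref, str):
            if ref in _stack:  # already expanding this target higher up: stop here
                return {"$ref": ref, "x-circular": True}
            return resolve_refs(spec, _lookup(spec, ref), _stack + (ref,))
        return {k: resolve_refs(spec, v, _stack) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve_refs(spec, v, _stack) for v in node]
    return node


def audit_spec(spec: dict) -> list:
    """Flag deprecated operations and security requirements naming undefined schemes."""
    findings = []
    defined = set(spec.get("components", {}).get("securitySchemes", {}))
    global_security = spec.get("security")
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            op_id = op.get("operationId", f"{method.upper()} {path}")
            if op.get("deprecated"):
                findings.append(("deprecated-operation", op_id))
            security = op.get("security", global_security)  # operation overrides global
            if not security:
                findings.append(("no-security-requirement", op_id))
                continue
            for requirement in security:
                for scheme in requirement:
                    if scheme not in defined:
                        findings.append(("undefined-security-scheme", f"{op_id}:{scheme}"))
    return findings


if __name__ == "__main__":
    for kind, where in audit_spec(SAMPLE_SPEC):
        print(f"{kind}: {where}")
```

The resolver keeps the original document untouched and returns a new tree, so the audit can run on either form; `audit_spec` reads the raw operation objects, which is enough for security-requirement and deprecation checks, while the resolved tree is what a schema-level check (over-exposed properties, for instance) would consume.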
Detection coverage aligned to standards
Findings map to OWASP API Top 10 (2023), PCI-DSS 4.0, and SOC 2 Type II controls. Detection covers authentication bypass and JWT misconfigurations, broken object level authorization (BOLA/IDOR), broken function level authorization (BFLA) and privilege escalation, over-exposed properties and mass assignment surfaces, input validation weaknesses such as CORS wildcard usage, rate limiting and resource consumption issues, sensitive data exposure including PII and API key formats, missing encryption and header misconfigurations, SSRF against URL-accepting parameters, and inventory management issues like missing versioning. For LLM-facing gateways, the scanner runs 18 adversarial probes across Quick, Standard, and Deep tiers, testing system prompt extraction, instruction override, jailbreak patterns, data exfiltration, and token smuggling.
Authenticated scanning requirements
Authenticated scans require verified domain ownership via DNS TXT record or HTTP well-known file before credentials are accepted. Supported auth methods include Bearer tokens, API keys, Basic auth, and Cookies. A strict header allowlist is enforced, permitting only Authorization, X-API-Key, Cookie, and X-Custom-* headers. This approach limits request surface while still validating protected endpoints.
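The header allowlist above is worth showing as code, because the safe behaviour is to drop anything not on the list rather than forward it. The block below is an added example written for this page, not middleBrick's implementation: it filters a candidate header set down to the four permitted names (matching case-insensitively, since HTTP header names are case-insensitive) and reports what was dropped. The `verify_txt_token` helper and the `middlebrick-verify=<token>` record format are assumptions for illustration; the page says only that ownership is proven via a DNS TXT record or HTTP well-known file.

```python
import hmac

# Allowlist from the page: exact names plus one prefix wildcard.
ALLOWED_EXACT = {"authorization", "x-api-key", "cookie"}
ALLOWED_PREFIX = "x-custom-"


def header_allowed(name: str) -> bool:
    """True if a header name is on the allowlist (case-insensitive)."""
    lname = name.strip().lower()
    if lname in ALLOWED_EXACT:
        return True
    # require a non-empty suffix so a bare 'X-Custom-' does not slip through
    return lname.startswith(ALLOWED_PREFIX) and len(lname) > len(ALLOWED_PREFIX)


def filter_headers(headers: dict) -> tuple:
    """Split user-supplied headers into (accepted, rejected_names)."""
    accepted, rejected = {}, []
    for name, value in headers.items():
        if header_allowed(name):
            accepted[name] = value
        else:
            rejected.append(name)
    return accepted, rejected


def verify_txt_token(txt_records: list, expected_token: str) -> bool:
    """Hypothetical ownership check: does any TXT record carry the expected token?

    Record format 'middlebrick-verify=<token>' is an assumption for this example.
    Comparison is constant-time so record contents cannot be probed byte by byte.
    """
    wanted = f"middlebrick-verify={expected_token}"
    return any(hmac.compare_digest(record.strip(), wanted) for record in txt_records)


def prepare_authenticated_scan(txt_records: list, expected_token: str, headers: dict) -> dict:
    """Only release credentials once ownership is proven; always apply the allowlist."""
    if not verify_txt_token(txt_records, expected_token):
        return {"verified": False, "headers": {}, "rejected": list(headers)}
    accepted, rejected = filter_headers(headers)
    return {"verified": True, "headers": accepted, "rejected": rejected}


if __name__ == "__main__":
    # Constructed sample: two permitted headers, two that must be dropped.
    candidate = {
        "Authorization": "Bearer <redacted>",
        "X-Custom-Tenant": "acme",
        "X-Forwarded-For": "203.0.113.10",
        "Host": "gateway.example.test",
    }
    records = ["v=spf1 -all", "middlebrick-verify=sample-token-123"]
    print(prepare_authenticated_scan(records, "sample-token-123", candidate))
```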
Operational characteristics and limitations
Scan completion typically occurs in under a minute using read-only methods (GET and HEAD) and text-only POST for LLM probes. The tool does not perform intrusive payloads, so active SQL injection or command injection testing is outside scope. Business logic vulnerabilities and blind SSRF require human expertise and are not detected. The scanner does not fix, patch, block, or remediate findings; it reports results with remediation guidance.
Product integrations and deployment options
Use the CLI (middlebrick scan <url>) for local runs with JSON or text output. The Web Dashboard centralizes scans, score trends, and branded compliance PDF downloads. The GitHub Action enforces CI/CD gates by failing builds when scores drop below a defined threshold. The MCP Server enables scanning from AI coding assistants. Programmatic access is available via an API client for custom integrations. Pro tier adds scheduled rescans, diff detection, email alerts, HMAC-SHA256 signed webhooks, and compliance reports.
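HMAC-SHA256 signed webhooks only help if the receiver actually checks the signature, so the block below shows the receiving side as an added example (written for this page; it is not middleBrick's webhook code and the header names `X-Webhook-Timestamp` and `X-Webhook-Signature`, the `timestamp.body` signing string and the 300-second replay window are assumptions, since the page does not document the wire format). The signature is compared in constant time and the timestamp is bounded so a captured delivery cannot simply be replayed later.

```python
import hashlib
import hmac
import json
import time


def sign_payload(secret: bytes, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over '<timestamp>.<raw body>'; format is an assumption for this example."""
    message = str(timestamp).encode() + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, body: bytes,
                   now: int = None, tolerance: int = 300) -> bool:
    """Accept a delivery only if its signature matches and its timestamp is fresh."""
    ts_raw = headers.get("X-Webhook-Timestamp")
    signature = headers.get("X-Webhook-Signature", "")
    if ts_raw is None or not signature:
        return False
    try:
        timestamp = int(ts_raw)
    except ValueError:
        return False
    now = int(time.time()) if now is None else now
    if abs(now - timestamp) > tolerance:  # stale or far-future: treat as replay
        return False
    expected = sign_payload(secret, timestamp, body)
    # constant-time comparison so timing does not leak how many bytes matched
    return hmac.compare_digest(expected, signature)


def build_delivery(secret: bytes, timestamp: int, payload: dict) -> tuple:
    """Produce (headers, body) the way a signing sender would; used for the sample below."""
    body = json.dumps(payload, separators=(",", ":")).encode()
    headers = {
        "X-Webhook-Timestamp": str(timestamp),
        "X-Webhook-Signature": sign_payload(secret, timestamp, body),
    }
    return headers, body


if __name__ == "__main__":
    # Constructed sample delivery: a score drop notification with a placeholder secret.
    secret = b"<webhook-secret-placeholder>"
    sent_at = 1_700_000_000
    headers, body = build_delivery(secret, sent_at, {"event": "score.changed", "score": 71})
    print("fresh delivery ok:", verify_webhook(secret, headers, body, now=sent_at + 10))
    print("tampered body ok:", verify_webhook(secret, headers, body + b" ", now=sent_at + 10))
    print("replayed later ok:", verify_webhook(secret, headers, body, now=sent_at + 3600))
```

Verify against the raw request bytes, not a re-serialised copy of the parsed JSON, since any change in key order or whitespace would produce a different digest than the sender computed.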