Apigee for AppSec engineers
What middleBrick covers
- Black-box scanning with no agents or SDK integration
- Risk score A–F with prioritized findings
- 12 OWASP API Top 10 aligned detection categories
- OpenAPI 3.x and Swagger 2.0 parsing with $ref resolution
- Authenticated scanning with header allowlist
- LLM adversarial probes across three scan tiers
Purpose and workflow for AppSec engineers
middleBrick provides a black-box API security scan: you submit an API endpoint, receive a risk score from A to F, and get prioritized findings aligned to the OWASP API Top 10. The workflow is designed to fit existing AppSec processes (discover, assess, track) without requiring code access, agents, or SDK integration.
Scan methodology and coverage
The scanner performs read-only interactions using GET and HEAD; the only POST requests it sends are the text-only prompts used by the LLM probes. Its 12 detection categories are:
- Authentication bypass
- BOLA and IDOR
- BFLA and privilege escalation
- Property Authorization over-exposure
- Input Validation, such as CORS wildcard origins and dangerous HTTP methods
- Rate Limiting
- Data Exposure, including PII and API key patterns
- Encryption misconfigurations
- SSRF indicators
- Inventory Management issues
- Unsafe Consumption surfaces
- LLM / AI Security probes, run at Quick, Standard, and Deep tiers
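As an added illustration (not middleBrick's code) of what read-only, response-based detection looks like for three of the categories above, the following checks a captured response for a CORS wildcard origin and dangerous methods (Input Validation), a missing HSTS header (Encryption misconfigurations), and API key / PII patterns (Data Exposure). The sample responses, the regexes, and the list of methods treated as dangerous are constructed for this example; the real product's rules are not published on this page.

```python
import re

# Constructed sample responses (status, headers, body); not captured from any real API.
SAMPLE_RESPONSES = {
    "/v1/users/42": (
        200,
        {"Access-Control-Allow-Origin": "*",
         "Access-Control-Allow-Credentials": "true",
         "Allow": "GET, HEAD, OPTIONS, TRACE"},
        '{"id":42,"email":"jane@example.com","aws_key":"AKIAIOSFODNN7EXAMPLE"}',
    ),
    "/v1/health": (
        200,
        {"Access-Control-Allow-Origin": "https://app.example.com",
         "Strict-Transport-Security": "max-age=31536000"},
        '{"ok":true}',
    ),
}

# Example policy: methods we never expect an API to advertise. Assumed, not from the page.
DANGEROUS_METHODS = {"TRACE", "CONNECT"}

# Example secret/PII patterns. The AWS access key id format (AKIA + 16 chars) is public;
# the e-mail regex is deliberately loose, so treat it as a lower-confidence signal.
PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
}


def check_response(path, status, headers, body):
    """Return (category, message) findings for one response. Header names are matched
    case-insensitively, as HTTP requires."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # CORS: a wildcard origin is reportable on its own. Browsers refuse to send
    # credentials to a wildcard origin, so "* with credentials" is a misconfiguration
    # indicator rather than a direct exploit path; note it but do not overstate it.
    if h.get("access-control-allow-origin") == "*":
        creds = h.get("access-control-allow-credentials", "").lower() == "true"
        findings.append(("input_validation",
                         "CORS wildcard origin" + (" with credentials=true" if creds else "")))

    # Dangerous methods advertised by the server (Allow header is read-only to inspect).
    allowed = {m.strip().upper() for m in h.get("allow", "").split(",") if m.strip()}
    for method in sorted(allowed & DANGEROUS_METHODS):
        findings.append(("input_validation", f"dangerous method advertised: {method}"))

    # Transport hardening.
    if "strict-transport-security" not in h:
        findings.append(("encryption", "missing Strict-Transport-Security header"))

    # Secrets and PII in the body. Only the pattern name is reported, never the match.
    for name, rx in PATTERNS.items():
        if rx.search(body):
            findings.append(("data_exposure", f"{name} pattern in response body"))
    return findings


if __name__ == "__main__":
    for p, (status, hdrs, body) in SAMPLE_RESPONSES.items():
        for finding in check_response(p, status, hdrs, body):
            print(p, *finding)
```

Note that the data-exposure check reports the pattern name and not the matched value; a scanner report that echoes a live API key back into a dashboard or CI log has created a second exposure.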
OpenAPI 3.0, 3.1, and Swagger 2.0 specs are parsed with recursive $ref resolution, and findings are cross-referenced against the spec to identify undefined security schemes, sensitive fields, deprecated operations, and missing pagination.
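To make the spec cross-referencing concrete, here is an added example (my code, not middleBrick's) of recursive $ref resolution over an OpenAPI 3.x document followed by three of the spec-level checks named above: operations that name a security scheme the spec never defines, deprecated operations still exposed, and list endpoints with no pagination parameters, plus a sensitive-field walk over the resolved response schemas. The sample spec is constructed; SENSITIVE_FIELD_RE and PAGINATION_PARAMS are assumed heuristics, and only local (#/...) references are handled.

```python
import copy
import re

# Constructed sample spec for this example; it does not describe a real API.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "components": {
        "schemas": {
            "Address": {"type": "object", "properties": {"city": {"type": "string"}}},
            "User": {"type": "object", "properties": {
                "id": {"type": "integer"},
                "ssn": {"type": "string"},
                "address": {"$ref": "#/components/schemas/Address"}}},
        },
        "securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}},
    },
    "paths": {
        "/users": {"get": {
            "security": [{"bearer": []}],
            "responses": {"200": {"content": {"application/json": {"schema": {
                "type": "array", "items": {"$ref": "#/components/schemas/User"}}}}}}}},
        "/legacy/users": {"get": {
            "deprecated": True,
            "security": [{"apiKeyOld": []}],   # never defined under securitySchemes
            "parameters": [{"name": "page", "in": "query"}],
            "responses": {}}},
    },
}

# Heuristics assumed for this example; the product's own rules are not published here.
SENSITIVE_FIELD_RE = re.compile(r"^(ssn|password|secret|token|credit_?card|api_?key)$", re.I)
PAGINATION_PARAMS = {"page", "limit", "offset", "cursor", "page_size", "per_page"}
HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}


def resolve_pointer(doc, pointer):
    """Follow a local JSON Pointer such as '#/components/schemas/User' (RFC 6901)."""
    if not pointer.startswith("#/"):
        raise ValueError(f"only local $ref pointers are supported: {pointer}")
    node = doc
    for part in pointer[2:].split("/"):
        node = node[part.replace("~1", "/").replace("~0", "~")]  # unescape in RFC order
    return node


def resolve_refs(doc, node=None, seen=()):
    """Recursively inline $ref objects. `seen` holds the refs on the current path, so a
    cyclic schema (Node -> next -> Node) stops at the cycle edge instead of recursing forever."""
    node = doc if node is None else node
    if isinstance(node, dict):
        if "$ref" in node:
            ref = node["$ref"]
            if ref in seen:
                return {"$ref": ref}
            return resolve_refs(doc, copy.deepcopy(resolve_pointer(doc, ref)), seen + (ref,))
        return {k: resolve_refs(doc, v, seen) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve_refs(doc, v, seen) for v in node]
    return node


def sensitive_fields(schema, path=""):
    """Dotted paths of properties in a resolved schema whose names match SENSITIVE_FIELD_RE."""
    found = []
    if not isinstance(schema, dict):
        return found
    for name, sub in schema.get("properties", {}).items():
        full = f"{path}.{name}" if path else name
        if SENSITIVE_FIELD_RE.match(name):
            found.append(full)
        found += sensitive_fields(sub, full)
    if "items" in schema:
        found += sensitive_fields(schema["items"], path + "[]")
    return found


def audit_spec(spec):
    """Return (path, method, finding) tuples for the spec-level checks named in the text."""
    doc = resolve_refs(spec)
    defined = set(spec.get("components", {}).get("securitySchemes", {}))
    findings = []
    for path, item in doc.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:   # skip path-level 'parameters' etc.
                continue
            for requirement in op.get("security", []):
                for scheme in requirement:
                    if scheme not in defined:
                        findings.append((path, method, f"undefined security scheme: {scheme}"))
            if op.get("deprecated"):
                findings.append((path, method, "deprecated operation still exposed"))
            params = {p.get("name") for p in op.get("parameters", [])}
            for status, resp in op.get("responses", {}).items():
                for media in resp.get("content", {}).values():
                    schema = media.get("schema", {})
                    for field in sensitive_fields(schema):
                        findings.append((path, method, f"sensitive field in {status} response: {field}"))
                    if schema.get("type") == "array" and not params & PAGINATION_PARAMS:
                        findings.append((path, method, "array response without pagination parameters"))
    return findings


if __name__ == "__main__":
    for finding in audit_spec(SAMPLE_SPEC):
        print(finding)
```

The cycle guard matters in practice: recursive schemas (tree nodes, linked comments) are common in real specs, and a naive resolver that inlines every $ref will never terminate on them.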
Authenticated scanning and domain verification
Authenticated scans are available from the Starter tier onward and support Bearer, API key, Basic auth, and Cookie credentials. Before credentials are accepted for a target, its domain must be verified through a DNS TXT record or an HTTP well-known file, so only the domain owner can run authenticated scans against it. The scanner forwards only headers on a restricted allowlist (Authorization, X-API-Key, Cookie, and X-Custom-*); other headers supplied with a scan are dropped.
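The two controls above compose: credential headers should only ever reach a target whose domain has been verified, and even then only the allowlisted ones. The following is an added example of that composition (my code, not middleBrick's). The TXT record format "middlebrick-verification=<token>" is an assumption, as is exact-host matching (no parent-domain inheritance); the page only states that DNS TXT records or a well-known file are used.

```python
import fnmatch
from urllib.parse import urlsplit

# Allowlist from the page. Header names are case-insensitive, so everything is lowered
# before matching; x-custom-* is a prefix pattern.
HEADER_ALLOWLIST = ("authorization", "x-api-key", "cookie", "x-custom-*")

# Assumed record format for this example; the page does not specify one.
VERIFICATION_LABEL = "middlebrick-verification="


def filter_headers(headers):
    """Keep only allowlisted headers. Host, X-Forwarded-For, hop-by-hop headers and
    anything else the user tried to smuggle into the scan are dropped."""
    return {
        name: value
        for name, value in headers.items()
        if any(fnmatch.fnmatchcase(name.lower(), pat) for pat in HEADER_ALLOWLIST)
    }


def token_in_txt_records(txt_records, token):
    """True if any TXT record carries the expected verification token.
    Resolvers return TXT data as one or more quoted character-strings, so a long record
    may arrive as '"middlebrick-verifi" "cation=abc"'; join the pieces before comparing."""
    for record in txt_records:
        data = "".join(part.strip('"') for part in record.split('" "'))
        if data.startswith(VERIFICATION_LABEL) and data[len(VERIFICATION_LABEL):] == token:
            return True
    return False


def build_scan_request(target_url, user_headers, verified_domains):
    """Return (url, headers) the scanner may send. Credentials are attached only when the
    target host is in the verified set (exact match, lower-cased, trailing dot removed);
    otherwise the scan proceeds unauthenticated rather than leaking credentials."""
    host = urlsplit(target_url).hostname
    if host is None:
        raise ValueError(f"target has no host: {target_url!r}")
    if host.lower().rstrip(".") in verified_domains:
        return target_url, filter_headers(user_headers)
    return target_url, {}


if __name__ == "__main__":
    # Constructed inputs for a stand-alone run.
    records = ['"v=spf1 -all"', '"middlebrick-verifi" "cation=abc123"']
    verified = {"api.example.com"} if token_in_txt_records(records, "abc123") else set()
    print(build_scan_request(
        "https://API.example.com/v1/users",
        {"Authorization": "Bearer t", "Host": "evil.example", "X-Custom-Tenant": "t1"},
        verified))
```

The failure mode worth testing is the unverified case: a user who owns one domain must not be able to point the scanner, with their credentials attached, at a host they do not control, and a user who controls a host must not be able to forward arbitrary headers through the scanner's egress.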
Integration options and continuous monitoring
Results are surfaced through a Web Dashboard for scanning, report downloads, and score trend tracking. The CLI supports middlebrick scan <url> with JSON or text output. A GitHub Action can gate CI/CD, failing the build when the score drops below a chosen threshold. The MCP Server enables scanning from AI coding assistants. The Pro tier adds scheduled rescans, diff detection across scans, email alerts rate-limited to 1 per hour per API, and HMAC-SHA256 signed webhooks that are automatically disabled after 5 consecutive delivery failures.
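A signed webhook is only as good as the receiver's verification, so here is an added example (my code, not middleBrick's) of a receiver that checks an HMAC-SHA256 signature, together with the sender-side bookkeeping that disables an endpoint after 5 consecutive failures. The page states only the algorithm and the failure count; the header names, the inclusion of a timestamp in the signed string, and the 300-second replay window are assumptions for this example and will not match the real product's wire format.

```python
import hashlib
import hmac
import time

# Assumed header names and replay window; the page specifies neither.
SIGNATURE_HEADER = "x-middlebrick-signature"
TIMESTAMP_HEADER = "x-middlebrick-timestamp"
MAX_SKEW_SECONDS = 300
MAX_CONSECUTIVE_FAILURES = 5   # from the page


def sign(secret, timestamp, body):
    """HMAC-SHA256 over '<timestamp>.<raw body>'. Binding the timestamp into the MAC is
    what lets the receiver reject replays; signing the raw bytes (not re-serialized JSON)
    is what keeps verification independent of parser quirks."""
    msg = timestamp.encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_webhook(secret, headers, raw_body, now=None):
    """Verify BEFORE parsing the body. Returns True only if the timestamp is fresh and the
    signature matches under constant-time comparison."""
    now = time.time() if now is None else now
    h = {k.lower(): v for k, v in headers.items()}
    ts = h.get(TIMESTAMP_HEADER, "")
    if not ts.isdigit() or abs(now - int(ts)) > MAX_SKEW_SECONDS:
        return False
    expected = sign(secret, ts, raw_body)
    return hmac.compare_digest(h.get(SIGNATURE_HEADER, ""), expected)


class WebhookEndpoint:
    """Sender-side state for one subscriber URL: a non-2xx delivery counts as a failure,
    any 2xx resets the counter, and MAX_CONSECUTIVE_FAILURES in a row disables delivery."""

    def __init__(self, url):
        self.url = url
        self.consecutive_failures = 0
        self.enabled = True

    def record_delivery(self, status_code):
        if not self.enabled:
            return
        if 200 <= status_code < 300:
            self.consecutive_failures = 0
            return
        self.consecutive_failures += 1
        if self.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
            self.enabled = False


if __name__ == "__main__":
    # Constructed delivery for a stand-alone run.
    secret = b"whsec_example_only"
    body = b'{"api":"https://api.example.com","score":"C"}'
    ts = str(int(time.time()))
    headers = {SIGNATURE_HEADER: sign(secret, ts, body), TIMESTAMP_HEADER: ts}
    print("valid:", verify_webhook(secret, headers, body))
    print("tampered:", verify_webhook(secret, headers, body + b" "))
```

Rotate the shared secret by accepting two secrets during the overlap window rather than by disabling the endpoint; otherwise the rotation itself looks like five failed deliveries and silently turns alerting off.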
Compliance mapping and limitations
Findings map directly to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). There is no direct mapping for other frameworks; the report can still serve as supporting audit evidence where a check corresponds to a control those regimes describe, but it is not a compliance attestation. The scanner does not perform active SQL injection or command injection testing, does not detect business logic vulnerabilities, does not provide blind SSRF detection (it reports SSRF indicators only), and does not replace a human pentester for high-stakes audits. It reports findings and remediation guidance but does not fix, patch, block, or remediate anything itself.