APIsec as a CLI API security scanner
What middleBrick covers
- Run read-only scans from the command line with JSON or text output
- Map findings to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10
- Parse and cross-check OpenAPI 3.0/3.1 and Swagger 2.0 specifications
- Support authenticated scans with strict header allowlisting
- Integrate with GitHub Actions and provide MCP Server access
- Provide continuous monitoring and compliance reporting options
API security scanning from the command line
The CLI provides a direct way to run security scans without a UI. You supply a target URL and receive a letter grade from A to F along with prioritized findings. The checks are read-only: the scanner uses GET and HEAD requests, and the only POST traffic is text-only and limited to the LLM probes. Scans typically complete in under a minute, which makes them practical for quick checks during development or as a step in a pipeline.
Detection aligned to industry standards
The scanner maps findings to three established frameworks: PCI-DSS 4.0, SOC 2 Type II, and the OWASP API Security Top 10 (2023). It detects 12 security categories: authentication bypass, broken object level authorization, broken function level authorization, broken object property level authorization, input validation problems, rate limiting and resource consumption concerns, data exposure patterns such as PII and API keys, encryption misconfigurations, SSRF indicators, inventory management gaps, unsafe consumption surfaces, and LLM/AI security probes across multiple tiers. Each finding includes remediation guidance so developers can understand and address the issue.
OpenAPI specification analysis
The tool parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents and resolves $ref references, including recursive (self-referencing) schemas. It cross-references the specification against runtime behavior to highlight undefined security schemes, sensitive fields, deprecated operations, and missing pagination. This helps identify discrepancies between documented behavior and the actual implementation without requiring access to source code; it does depend on a specification being available for the target.
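The following is an added illustration of the kind of specification checks described above. It is not middleBrick's code: the OpenAPI document, the sensitive-field and pagination word lists, and the finding wording are all constructed assumptions. It shows the one detail that matters when walking real specs, namely that a `$ref` cycle (here `User.manager` pointing back to `User`) must terminate.

```python
# Added example: static checks over a constructed OpenAPI 3.0 document.
# Not the scanner's implementation; word lists and spec are assumptions.

# Constructed spec: a cyclic $ref, an undefined security scheme, a deprecated
# operation, a sensitive field, and a list endpoint with no pagination params.
SPEC = {
    "openapi": "3.0.3",
    "components": {
        "securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}},
        "schemas": {
            "User": {
                "type": "object",
                "properties": {
                    "id": {"type": "string"},
                    "ssn": {"type": "string"},
                    "manager": {"$ref": "#/components/schemas/User"},  # cycle
                },
            }
        },
    },
    "paths": {
        "/users": {
            "get": {
                "operationId": "listUsers",
                "security": [{"bearer": []}],
                "parameters": [{"name": "q", "in": "query"}],
                "responses": {"200": {"content": {"application/json": {
                    "schema": {"type": "array",
                               "items": {"$ref": "#/components/schemas/User"}}}}}},
            }
        },
        "/legacy/export": {
            "get": {
                "operationId": "legacyExport",
                "deprecated": True,
                "security": [{"apiKey": []}],  # scheme never defined
                "responses": {"200": {"description": "ok"}},
            }
        },
    },
}

SENSITIVE = {"ssn", "password", "secret", "token", "credit_card", "api_key"}
PAGINATION = {"page", "limit", "offset", "cursor", "page_size", "per_page"}


def resolve_ref(doc, ref):
    """Follow a local JSON pointer such as '#/components/schemas/User'."""
    node = doc
    for part in ref.lstrip("#/").split("/"):
        node = node[part.replace("~1", "/").replace("~0", "~")]
    return node


def sensitive_fields(doc, schema, seen=None, path=""):
    """Walk a schema, following $refs; each ref is entered once so cycles end."""
    seen = seen if seen is not None else set()
    found = []
    if "$ref" in schema:
        ref = schema["$ref"]
        if ref in seen:
            return found
        seen.add(ref)
        schema = resolve_ref(doc, ref)
    for name, sub in schema.get("properties", {}).items():
        child = f"{path}.{name}" if path else name
        if name.lower() in SENSITIVE:
            found.append(child)
        found += sensitive_fields(doc, sub, seen, child)
    if "items" in schema:
        found += sensitive_fields(doc, schema["items"], seen, path + "[]")
    return found


def lint_spec(doc):
    """Return (operationId, finding) tuples for the four spec-only checks."""
    findings = []
    defined = set(doc.get("components", {}).get("securitySchemes", {}))
    for path, ops in doc.get("paths", {}).items():
        for method, op in ops.items():
            oid = op.get("operationId", f"{method.upper()} {path}")
            for requirement in op.get("security", doc.get("security", [])):
                for scheme in requirement:
                    if scheme not in defined:
                        findings.append((oid, f"undefined security scheme '{scheme}'"))
            if op.get("deprecated"):
                findings.append((oid, "deprecated operation still exposed"))
            params = {p.get("name", "").lower() for p in op.get("parameters", [])}
            for resp in op.get("responses", {}).values():
                for media in resp.get("content", {}).values():
                    schema = media.get("schema", {})
                    for field in sensitive_fields(doc, schema):
                        findings.append((oid, f"sensitive field '{field}' in response"))
                    if schema.get("type") == "array" and not params & PAGINATION:
                        findings.append((oid, "array response without pagination parameters"))
    return findings


if __name__ == "__main__":
    for op_id, finding in lint_spec(SPEC):
        print(f"{op_id}: {finding}")
```

Running it reports four findings: the `ssn` field and missing pagination on `listUsers`, and the undefined `apiKey` scheme and deprecated flag on `legacyExport`. The runtime cross-check the page describes (comparing these against live responses) is not part of this example.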
Authenticated scanning and access controls
Authenticated scanning is available starting with the Starter tier and supports Bearer tokens, API keys, Basic authentication, and cookies. Before credentials are accepted, the tool verifies domain ownership through a DNS TXT record or an HTTP well-known file, so only the domain owner can scan with privileged access. A strict header allowlist is applied: only Authorization, X-API-Key, Cookie, and X-Custom-* headers are forwarded to the target, and any other header supplied is dropped rather than forwarded.
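As an added example of a strict header allowlist like the one described above (not middleBrick's code): the allowed names come from the text, while the case-insensitive matching, the rule that the `X-Custom-` prefix needs a non-empty suffix, and the sample headers are assumptions made here.

```python
# Added example: forward only allowlisted request headers to a scan target.
# Not the scanner's implementation; matching rules are assumptions.

EXACT = {"authorization", "x-api-key", "cookie"}
PREFIXES = ("x-custom-",)


def allowed_header(name: str) -> bool:
    """True only for allowlisted names. HTTP header names are case-insensitive,
    so compare in lower case. Anything else (Host, Proxy-Authorization,
    X-Forwarded-For, ...) is refused rather than passed through to the target."""
    n = name.strip().lower()
    if n in EXACT:
        return True
    return any(n.startswith(p) and len(n) > len(p) for p in PREFIXES)


def filter_headers(user_headers: dict) -> dict:
    """Return only headers that may be forwarded, keeping the caller's casing."""
    return {k: v for k, v in user_headers.items() if allowed_header(k)}


# Constructed input: real credentials mixed with headers that must not leak.
SUPPLIED = {
    "Authorization": "Bearer eyJ...",
    "X-API-Key": "k-123",
    "x-custom-tenant": "acme",
    "X-Custom-": "no suffix, rejected",
    "Host": "internal.example",
    "Proxy-Authorization": "Basic abc",
    "X-Forwarded-For": "127.0.0.1",
}

if __name__ == "__main__":
    for k, v in filter_headers(SUPPLIED).items():
        print(f"forward {k}: {v}")
```

Only `Authorization`, `X-API-Key` and `x-custom-tenant` survive; the bare `X-Custom-` name and the three spoofing-prone headers are dropped.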
Integration options and operational use
The CLI can be run with a simple command to output results in JSON or text format, enabling scripting and automation. A GitHub Action is available to enforce security gates in CI/CD, failing the build when the score drops below a defined threshold. The MCP Server allows scanning from AI coding assistants, and a web dashboard supports report review, score trend tracking, and downloadable compliance PDFs. Programmatic access is provided through an API client for custom integrations.
Limitations and data handling
The tool does not fix, patch, block, or remediate findings; it detects and reports, with guidance. It does not perform active SQL injection or command injection testing, because those require intrusive payloads outside its scope. Business logic vulnerabilities are not detected, since they demand domain-specific human review. The scanner avoids destructive payloads and refuses private-network and localhost targets, so it cannot be pointed at internal hosts. Customer data is purged on demand and within 30 days of cancellation. It does not replace a human pentester for high-stakes audits.
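Added example of the private-network and localhost target check mentioned above. It is not middleBrick's code; it uses a constructed resolver table instead of live DNS so it runs offline, and the exact address classes the real scanner rejects are an assumption. It covers the cases that commonly slip past a naive string check: a hostname with one public and one internal record, the link-local cloud-metadata address, and an IPv4-mapped IPv6 loopback.

```python
# Added example: refuse scan targets that resolve to non-public addresses.
# Not the scanner's implementation; resolver table and rules are assumptions.
import ipaddress
from urllib.parse import urlsplit

# Constructed DNS answers. A real scanner must resolve live and re-check at
# connect time, since records can change between the check and the request.
RESOLVER = {
    "api.example.com": ["93.184.216.34"],
    "dual.example.com": ["93.184.216.35", "10.0.0.5"],  # one public, one internal
    "meta.example.com": ["169.254.169.254"],           # cloud metadata endpoint
    "v6.example.com": ["::ffff:127.0.0.1"],            # IPv4-mapped loopback
}


def is_blocked_ip(text: str) -> bool:
    """Reject loopback, private, link-local, multicast, reserved and unspecified
    addresses, unwrapping IPv4-mapped IPv6 so ::ffff:127.0.0.1 is still caught."""
    ip = ipaddress.ip_address(text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_target(url: str, resolver=RESOLVER):
    """Return (allowed, reason). Every resolved address must be public: a single
    internal answer is enough to refuse, which defeats mixed-record tricks."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"unsupported scheme '{parts.scheme}'"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "localhost target"
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP in the URL
    except ValueError:
        addrs = resolver.get(host)
        if not addrs:
            return False, f"unresolvable host '{host}'"
    for addr in addrs:
        if is_blocked_ip(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for u in ("https://api.example.com/v1", "http://dual.example.com/",
              "http://meta.example.com/latest/meta-data", "http://v6.example.com/",
              "http://[::1]:8080/", "http://127.0.0.1/", "http://localhost/"):
        print(u, "->", check_target(u))
```

Only `https://api.example.com/v1` is accepted; each of the other URLs is refused with the reason shown. Note that Python's `is_private` also covers the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24), which is why the constructed public records use other addresses.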