APIsec for GraphQL gateways
What middleBrick covers
- Black-box scanning with no agents or code access
- Supports GraphQL introspection when enabled
- Risk scoring with prioritized findings
- Authenticated scans with header allowlists
- Maps findings to OWASP API Top 10 (2023)
- Continuous monitoring and diff detection
How APIsec handles GraphQL gateway scanning
APIsec is a self-service API security scanner that accepts a target URL and returns a risk score with prioritized findings. When scanning GraphQL gateways, the scanner treats the gateway endpoint as an API surface and probes operations defined in the schema. Because the approach is black-box, no agents, SDKs, or code access are required, and the method remains consistent regardless of the implementation language or framework.
GraphQL introspection and schema coverage
The scanner sends only read-only HTTP methods (GET and HEAD), plus text-only POST requests for its LLM probes. When the gateway has introspection enabled, it issues a GraphQL introspection query to discover types, queries, and mutations and uses that schema to drive its probes. When introspection is disabled, coverage drops to what can be inferred from error messages and response behavior, so a gateway that turns introspection off in production should expect a smaller finding set, not necessarily a cleaner one. GraphQL queries can be carried over GET as a query-string parameter, but many gateways accept them only over POST; confirm which methods your gateway accepts before reading a short report as a clean bill of health. Findings map to the OWASP API Top 10 (2023) and include input validation issues such as malformed queries, argument tampering, and excessive field requests (deeply nested or very wide selection sets that drive up resolver cost).
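To make the introspection step concrete, here is an added example (not middleBrick or APIsec code) that walks an introspection response, lists each root operation with its argument types, recognises the "introspection disabled" case from the error body, and plans read-only GET probes for queries while deliberately leaving mutations unsent. Both JSON payloads are constructed, and the `?query=` GET encoding is an assumption about the target gateway, not every gateway accepts it.

```python
"""Walk a GraphQL introspection response and plan read-only probes.

Added example, not middleBrick/APIsec code. Both JSON payloads below are
constructed; the GET probe format assumes the gateway accepts the query in a
`?query=` parameter (GraphQL-over-HTTP GET), which not every gateway does.
"""
import json
from urllib.parse import urlencode

# Constructed: what a small gateway returns for an introspection query.
SAMPLE_INTROSPECTION = json.dumps({"data": {"__schema": {
    "queryType": {"name": "Query"},
    "mutationType": {"name": "Mutation"},
    "subscriptionType": None,
    "types": [
        {"kind": "OBJECT", "name": "Query", "fields": [
            {"name": "user", "args": [{"name": "id", "type": {"kind": "NON_NULL", "name": None,
                "ofType": {"kind": "SCALAR", "name": "ID", "ofType": None}}}]},
            {"name": "users", "args": [{"name": "limit", "type": {"kind": "SCALAR", "name": "Int", "ofType": None}}]},
        ]},
        {"kind": "OBJECT", "name": "Mutation", "fields": [
            {"name": "deleteUser", "args": [{"name": "id", "type": {"kind": "SCALAR", "name": "ID", "ofType": None}}]},
        ]},
        {"kind": "OBJECT", "name": "User", "fields": [{"name": "id", "args": []}, {"name": "email", "args": []}]},
    ]}}})

# Constructed: a gateway that refuses introspection (wording modelled on common servers).
SAMPLE_DISABLED = json.dumps({"errors": [
    {"message": "GraphQL introspection is not allowed, but the query contained __schema or __type."}]})


def type_name(t):
    """Render an introspection type reference the way SDL writes it, e.g. ID! or [Int]."""
    if t is None:
        return "?"
    if t["kind"] == "NON_NULL":
        return type_name(t["ofType"]) + "!"
    if t["kind"] == "LIST":
        return "[" + type_name(t["ofType"]) + "]"
    return t.get("name") or "?"


def introspection_disabled(body):
    """True when the response carries no __schema and the errors mention introspection."""
    doc = json.loads(body)
    if (doc.get("data") or {}).get("__schema"):
        return False
    text = " ".join(e.get("message", "") for e in doc.get("errors", [])).lower()
    return "introspection" in text or "__schema" in text


def enumerate_operations(body):
    """Map each root operation kind to [(field, [(arg, sdl_type)])] from an introspection result."""
    schema = json.loads(body)["data"]["__schema"]
    by_name = {t["name"]: t for t in schema["types"]}
    ops = {}
    for kind in ("query", "mutation", "subscription"):
        root = schema.get(kind + "Type")
        ops[kind] = []
        if not root:
            continue
        for f in by_name[root["name"]].get("fields") or []:
            ops[kind].append((f["name"], [(a["name"], type_name(a["type"])) for a in f.get("args", [])]))
    return ops


def placeholder(sdl_type):
    """A harmless literal for an argument of the given SDL type (probe values only)."""
    base = sdl_type.replace("!", "").strip("[]")
    val = {"Int": "1", "Float": "1.0", "Boolean": "true"}.get(base, '"1"')
    return "[" + val + "]" if sdl_type.startswith("[") else val


def probe_plan(endpoint, body):
    """Build GET probes for queries; mutations are listed but never sent by a read-only scan.

    Selecting only __typename keeps each probe cheap and valid for object-typed fields.
    """
    plan = []
    ops = enumerate_operations(body)
    for field, args in ops["query"]:
        arg_str = ", ".join(f"{n}: {placeholder(t)}" for n, t in args)
        query = "{ " + (f"{field}({arg_str})" if arg_str else field) + " { __typename } }"
        plan.append({"kind": "query", "field": field, "method": "GET",
                     "query": query, "url": endpoint + "?" + urlencode({"query": query})})
    for field, args in ops["mutation"]:
        plan.append({"kind": "mutation", "field": field, "method": "POST-only, skipped",
                     "query": None, "url": None})
    return plan


if __name__ == "__main__":
    print("introspection disabled:", introspection_disabled(SAMPLE_DISABLED))
    for p in probe_plan("https://gw.example/graphql", SAMPLE_INTROSPECTION):
        print(p["kind"], p["field"], p["method"], p["url"])
```

The mutation entries are kept in the plan on purpose: a report that lists `deleteUser` as present but untested tells the reader exactly where black-box coverage stops and a manual check starts.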
Limitations with GraphQL-specific features
GraphQL gateways often implement custom business logic that a black-box scan cannot fully evaluate. The tool does not detect business logic vulnerabilities such as unauthorized access across object relations (for example, traversing from a record the caller owns to one they do not) or flawed authorization rules embedded in resolvers. It also does not run active SQL injection or command injection tests, which require intrusive payloads outside the scanner's scope. These gaps are by design and leave deeper verification to manual testing and code review.
Authenticated scanning and schema-aware probing
Authenticated scanning is available in the Starter tier and above and supports Bearer tokens, API keys, Basic auth, and cookies. Domain verification is enforced so that only the domain owner can run scans with credentials. Header forwarding is restricted to an allowlist of Authorization, X-API-Key, Cookie, and X-Custom-* headers; anything else is dropped. When an OpenAPI 3.0, 3.1, or Swagger 2.0 document is supplied, the scanner parses it and cross-references the spec against runtime behavior, highlighting operations that reference security schemes the spec never defines and operations marked deprecated.
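The two static checks in this paragraph, the header allowlist and the spec cross-reference, are simple enough to show in full. The following is an added example (not middleBrick or APIsec code) that filters a header set down to the allowlist named above and walks a constructed OpenAPI 3.0 document to flag undefined security schemes, explicitly unauthenticated operations, operations with no security requirement at all, and deprecated operations. The sample spec, its operation ids and the finding labels are all invented for illustration.

```python
"""Header allowlist filtering and OpenAPI security cross-checks.

Added example, not middleBrick/APIsec code. SAMPLE_SPEC is constructed and
deliberately contains one operation that references an undefined security
scheme, one deprecated operation, and one explicitly unauthenticated one.
"""
import fnmatch

# Header names the page lists as forwardable; X-Custom-* is a prefix pattern.
ALLOWED_HEADERS = ("Authorization", "X-API-Key", "Cookie", "X-Custom-*")

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "components": {"securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}}},
    "security": [{"bearer": []}],                       # global default
    "paths": {
        "/graphql": {"post": {"operationId": "graphql", "security": [{"bearer": []}]}},
        "/admin/export": {"get": {"operationId": "export", "security": [{"adminKey": []}]}},
        "/v1/users": {"get": {"operationId": "listUsersV1", "deprecated": True}},
        "/health": {"get": {"operationId": "health", "security": []}},
    },
}


def forwardable_headers(headers):
    """Keep only allowlisted headers; names match case-insensitively, X-Custom-* by prefix."""
    kept = {}
    for name, value in headers.items():
        if any(fnmatch.fnmatchcase(name.lower(), pat.lower()) for pat in ALLOWED_HEADERS):
            kept[name] = value
    return kept


def spec_findings(spec):
    """Return (label, location) pairs for security-relevant spec problems.

    Accepts OpenAPI 3.x (components.securitySchemes) and Swagger 2.0
    (securityDefinitions) scheme declarations.
    """
    defined = set((spec.get("components") or {}).get("securitySchemes") or {})
    defined |= set(spec.get("securityDefinitions") or {})
    global_sec = spec.get("security")
    findings = []
    for path, item in (spec.get("paths") or {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            where = f"{method.upper()} {path}"
            # An operation without its own `security` inherits the global list.
            sec = op.get("security", global_sec)
            if sec is None:
                findings.append(("no-security-requirement", where))
            elif sec == []:
                findings.append(("explicitly-unauthenticated", where))
            else:
                for requirement in sec:
                    for scheme in requirement:
                        if scheme not in defined:
                            findings.append(("undefined-security-scheme", f"{where} -> {scheme}"))
            if op.get("deprecated"):
                findings.append(("deprecated-operation", where))
    return findings


if __name__ == "__main__":
    for label, where in spec_findings(SAMPLE_SPEC):
        print(f"{label:28} {where}")
    print(forwardable_headers({"Authorization": "Bearer t", "X-Forwarded-For": "203.0.113.9"}))
```

An "explicitly-unauthenticated" operation is not a defect by itself (a health endpoint is a normal case); the value of listing it is that a reviewer sees every path that the spec says needs no credential and can compare that list against what the runtime actually enforces.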
Compliance mapping and reporting
Findings map to PCI-DSS 4.0, SOC 2 Type II, and the OWASP API Top 10 (2023). Reports include prioritized remediation guidance and can be downloaded as branded compliance PDFs from the web dashboard. The scanner does not certify compliance or guarantee adherence to any regulation, and its reports do not describe a target as certified or compliant with HIPAA, GDPR, ISO 27001, NIST, or similar frameworks.
Continuous monitoring and integrations
The Pro tier enables scheduled rescans every 6 hours, daily, weekly, or monthly, with diff detection that highlights new findings, resolved findings, and score drift between runs. Email alerts are rate-limited to one per hour per API. Webhook payloads are signed with HMAC-SHA256 so the receiver can verify origin and integrity, and a webhook is automatically disabled after five consecutive delivery failures. Integrations include a CLI via the middlebrick npm package, a GitHub Action for CI/CD gating, and an MCP server for use with AI coding assistants.
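On the receiving end, the points that matter are verifying the HMAC-SHA256 signature over the raw body with a constant-time comparison, and only then trusting the payload enough to diff it against the previous run. The following added example (not middleBrick or APIsec code) shows a receiver doing exactly that, plus the sender-side counter that disables a hook after five consecutive failures. The header name `X-Signature-256`, the `sha256=` prefix, the secret and the payload layout are assumptions for illustration; use the vendor's documented values when wiring up a real receiver.

```python
"""Verify an HMAC-SHA256 signed webhook, diff scans, and model the auto-disable rule.

Added example, not middleBrick/APIsec code. SIGNATURE_HEADER, the "sha256="
prefix, SAMPLE_SECRET and the scan payload layout are assumptions.
"""
import hashlib
import hmac
import json

SIGNATURE_HEADER = "X-Signature-256"        # assumed header name
SAMPLE_SECRET = b"whsec_demo_not_real"      # constructed shared secret

# Constructed scan results: the previous run and the one arriving via webhook.
PREVIOUS_SCAN = {"api": "gw.example", "score": 72, "findings": [
    {"id": "A1", "title": "Introspection enabled", "severity": "medium"},
    {"id": "A2", "title": "No query depth limit", "severity": "high"},
    {"id": "A3", "title": "Verbose error messages", "severity": "low"}]}
CURRENT_SCAN = {"api": "gw.example", "score": 65, "findings": [
    {"id": "A2", "title": "No query depth limit", "severity": "high"},
    {"id": "A3", "title": "Verbose error messages", "severity": "low"},
    {"id": "A4", "title": "Batch queries unlimited", "severity": "high"}]}
SAMPLE_BODY = json.dumps(CURRENT_SCAN, separators=(",", ":")).encode()


def sign(secret: bytes, body: bytes) -> str:
    """Signature the sender would attach: HMAC-SHA256 over the exact bytes on the wire."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify(secret: bytes, body: bytes, headers: dict) -> bool:
    """Constant-time check against the raw body; never re-serialise JSON before hashing."""
    presented = headers.get(SIGNATURE_HEADER, "")
    return hmac.compare_digest(sign(secret, body), presented)


def diff_scans(previous: dict, current: dict) -> dict:
    """New and resolved finding ids, and the change in risk score."""
    prev_ids = {f["id"] for f in previous["findings"]}
    cur_ids = {f["id"] for f in current["findings"]}
    return {"new": sorted(cur_ids - prev_ids),
            "resolved": sorted(prev_ids - cur_ids),
            "score_drift": current["score"] - previous["score"]}


def process(secret: bytes, body: bytes, headers: dict, previous: dict):
    """Receiver entry point: reject unsigned or tampered bodies, otherwise return the diff."""
    if not verify(secret, body, headers):
        return None
    return diff_scans(previous, json.loads(body))


class WebhookDelivery:
    """Sender-side rule: disable after five consecutive failures, reset the count on success."""
    MAX_CONSECUTIVE_FAILURES = 5

    def __init__(self):
        self.failures = 0
        self.enabled = True

    def record(self, delivered: bool) -> bool:
        if delivered:
            self.failures = 0
        else:
            self.failures += 1
            if self.failures >= self.MAX_CONSECUTIVE_FAILURES:
                self.enabled = False
        return self.enabled


if __name__ == "__main__":
    headers = {SIGNATURE_HEADER: sign(SAMPLE_SECRET, SAMPLE_BODY)}
    print(process(SAMPLE_SECRET, SAMPLE_BODY, headers, PREVIOUS_SCAN))
    print(process(SAMPLE_SECRET, SAMPLE_BODY.replace(b"65", b"99"), headers, PREVIOUS_SCAN))
```

Two details are worth copying into any real receiver: hash the bytes you received, not a parsed-and-re-encoded copy (key order and whitespace changes would break the MAC), and compare with `hmac.compare_digest` so a wrong signature fails in the same time as an almost-right one.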