01Overview
APIs are where modern breaches happen — and traditional web scanners largely miss the class of flaws that live at the API layer: broken object-level authorization, mass assignment, unrestricted resource consumption, and shadow endpoints. The API Security Scanner closes that gap with a static-analysis engine that discovers, audits, and reports API security vulnerabilities and misconfigurations across REST, GraphQL, gRPC, OpenAPI/Swagger specs, and API gateway configurations, with every finding mapped to the OWASP API Security Top 10 (2023).
It ships as a single, zero-dependency Python file that runs on pure 3.10+ standard library across Windows, macOS, and Linux — no pip installs, no services, no cloud. Point it at a file or a whole project tree and it fingerprints your API stack (frameworks, protocols, auth methods, gateways, databases), runs 112 regex-backed detection rules across 22 categories, and emits coloured console output, machine-parseable JSON, and an interactive HTML report. A CI-friendly exit code (1 on any CRITICAL/HIGH) makes it a drop-in pull-request gate.
The scanner is deliberately broad in surface: it reads Python, JavaScript/TypeScript, Java, Go, Ruby, and PHP source; GraphQL schemas and Protobuf service definitions; OpenAPI specs, Nginx/Kong/Envoy gateway configs, Dockerfiles, Kubernetes manifests, and .env files — applying the right rule packs per file type. Each finding carries a severity, CWE reference, actionable remediation, and mappings to PCI-DSS v4.0, GDPR, HIPAA, and DORA alongside OWASP.
It's built for AppSec engineers, API platform teams, and security-minded developers who want fast, offline, dependency-free API risk visibility they can wire into a pipeline in minutes rather than standing up a scanning platform.
02Key Capabilities
OWASP API Top 10 (2023) coverage
Dedicated rule packs for all ten categories — BOLA, broken authentication, property-level auth, resource consumption, BFLA, business-flow abuse, SSRF, misconfiguration, inventory management, and unsafe consumption.
112 rules across 22 categories
A curated detection library spanning API auth, injection, secrets, TLS, logging, GraphQL, gRPC, gateways, containers, Kubernetes, OpenAPI specs, and Protobuf.
Automatic API inventory discovery
Fingerprints 20 frameworks, 9 protocols, 12 auth methods, 8 gateways, and 9 databases from your code so you know your API attack surface before you fix it.
Multi-protocol static analysis
Understands REST, GraphQL, gRPC, OpenAPI/Swagger, and Protobuf, applying protocol-specific checks like introspection exposure, query depth limits, and insecure gRPC channels.
Multi-language source scanning
Runs the same rule set over Python, JavaScript/TypeScript, Java, Go, Ruby, and PHP — covering Flask, FastAPI, Django, Express, NestJS, Spring, Gin, Rails, and Laravel.
Infrastructure and secrets checks
Scans Nginx/Kong/Envoy gateway configs, Dockerfiles, Kubernetes manifests, and .env files for missing rate limiting, root containers, open LoadBalancers, and hardcoded credentials.
Five compliance framework mappings
Every finding is tagged against OWASP API Top 10, PCI-DSS v4.0, GDPR, HIPAA, and DORA for audit-ready reporting.
Three output formats
Coloured console output for developers, structured JSON for pipelines, and a self-contained dark-theme HTML report with severity cards and client-side filtering for stakeholders.
CI/CD-native exit codes
Returns exit code 1 when any CRITICAL or HIGH finding is present, turning the scanner into a pass/fail gate with ready-to-paste GitHub Actions and GitLab CI snippets.
Zero-dependency single file
The entire scanner is one portable Python file on pure stdlib — clone or curl it and run, no installs, no lockfiles, fully offline.
Actionable, standards-linked findings
Each result includes a CWE reference (47 distinct CWEs) and a concrete remediation, not just a red flag.
Severity filtering
A --severity threshold trims noise so teams can focus on CRITICAL/HIGH first or surface everything down to LOW/INFO.
03Architecture
The scanner is a single self-contained Python module organized as a bank of module-level rule dictionaries feeding a regex SAST engine. A file dispatcher routes each file by type to the appropriate scanner method, which applies the relevant rule packs line-by-line; matches become Finding dataclasses that are aggregated, severity-sorted, and rendered to console, JSON, or HTML.
04Project Structure
api_security_scanner.pyThe entire scanner — ~1,163 lines: 112 rules, dispatcher, SAST engine, inventory detection, and console/JSON/HTML reporters in one zero-dependency file.README.mdFull documentation — rule category table, compliance mappings, file-type matrix, inventory discovery, CI/CD snippets, and quickstart.CLAUDE.mdProject instructions and architecture notes: rule schema, category counts, conventions, and contribution guidelines.tests/samples/Nine intentionally vulnerable fixtures used to exercise and regression-test the rule set.tests/samples/vulnerable_api.pyInsecure Flask API fixture covering BOLA, auth, SSRF, injection, and secrets.tests/samples/vulnerable_api.jsInsecure Express.js API fixture for the JavaScript/TypeScript rule path.tests/samples/vulnerable_openapi.yamlInsecure OpenAPI 3.x spec triggering the OpenAPI spec rule pack.tests/samples/vulnerable_api.graphqlInsecure GraphQL schema exercising introspection, depth, and mutation-auth checks.tests/samples/vulnerable_api.protoInsecure Protobuf/gRPC definition for Protobuf and gRPC rules.banner.svgProject banner graphic used in the README.LICENSEMIT License..gitignorePython/IDE ignore rules.05Security Controls
06Technology Stack
- Language
- Python 3.10+ (uses union-type syntax and modern typing)
- Dependencies
- Zero external — pure standard library (re, os, argparse, json, datetime, dataclasses, pathlib, textwrap, hashlib, typing)
- Analysis engine
- Custom regex-based SAST over per-file-type rule packs
- Reporting
- ANSI-coloured console, JSON (via json/dataclasses.asdict), and self-contained HTML with inline CSS/JS
- Testing
- Fixture-based — 9 intentionally vulnerable sample files under tests/samples/ run through the scanner (no third-party test framework)
- CI
- Ready-to-use GitHub Actions and GitLab CI snippets documented in README; exit-code gate on CRITICAL/HIGH
- Deployment
- Single-file distribution — git clone or curl the one .py file; runs on Windows, macOS, Linux
- License
- MIT
07Quick Start
$ python api_security_scanner.py --version # verify: API Security Scanner v1.0.0 $ python api_security_scanner.py /path/to/your/api-project # scan a whole project tree $ python api_security_scanner.py ./my-api --json report.json --html report.html # machine + stakeholder reports $ python api_security_scanner.py ./my-api --severity HIGH # only CRITICAL and HIGH findings $ python api_security_scanner.py tests/samples/ --verbose # run against the bundled vulnerable fixtures $ python api_security_scanner.py openapi.yaml # scan a single OpenAPI spec, GraphQL schema, .proto, nginx.conf, or .env
08Compliance & Frameworks
09Integrations & Outputs
Explore API Security Scanner
Full source, documentation, and deployment guides live on GitHub.