API Security Scanner

Application Securityv1.0.0

API discovery and vulnerability scanner with 112+ rules across 22 categories, OWASP API Top 10 (2023), and 5 compliance frameworks

112+
rules
22
categories
5
frameworks

01Overview

APIs are where modern breaches happen — and traditional web scanners largely miss the class of flaws that live at the API layer: broken object-level authorization, mass assignment, unrestricted resource consumption, and shadow endpoints. The API Security Scanner closes that gap with a static-analysis engine that discovers, audits, and reports API security vulnerabilities and misconfigurations across REST, GraphQL, gRPC, OpenAPI/Swagger specs, and API gateway configurations, with every finding mapped to the OWASP API Security Top 10 (2023).

It ships as a single, zero-dependency Python file that runs on pure 3.10+ standard library across Windows, macOS, and Linux — no pip installs, no services, no cloud. Point it at a file or a whole project tree and it fingerprints your API stack (frameworks, protocols, auth methods, gateways, databases), runs 112 regex-backed detection rules across 22 categories, and emits coloured console output, machine-parseable JSON, and an interactive HTML report. A CI-friendly exit code (1 on any CRITICAL/HIGH) makes it a drop-in pull-request gate.

The scanner is deliberately broad in surface: it reads Python, JavaScript/TypeScript, Java, Go, Ruby, and PHP source; GraphQL schemas and Protobuf service definitions; OpenAPI specs, Nginx/Kong/Envoy gateway configs, Dockerfiles, Kubernetes manifests, and .env files — applying the right rule packs per file type. Each finding carries a severity, CWE reference, actionable remediation, and mappings to PCI-DSS v4.0, GDPR, HIPAA, and DORA alongside OWASP.

It's built for AppSec engineers, API platform teams, and security-minded developers who want fast, offline, dependency-free API risk visibility they can wire into a pipeline in minutes rather than standing up a scanning platform.

02Key Capabilities

OWASP API Top 10 (2023) coverage

Dedicated rule packs for all ten categories — BOLA, broken authentication, property-level auth, resource consumption, BFLA, business-flow abuse, SSRF, misconfiguration, inventory management, and unsafe consumption.

112 rules across 22 categories

A curated detection library spanning API auth, injection, secrets, TLS, logging, GraphQL, gRPC, gateways, containers, Kubernetes, OpenAPI specs, and Protobuf.

Automatic API inventory discovery

Fingerprints 20 frameworks, 9 protocols, 12 auth methods, 8 gateways, and 9 databases from your code so you know your API attack surface before you fix it.

Multi-protocol static analysis

Understands REST, GraphQL, gRPC, OpenAPI/Swagger, and Protobuf, applying protocol-specific checks like introspection exposure, query depth limits, and insecure gRPC channels.

Multi-language source scanning

Runs the same rule set over Python, JavaScript/TypeScript, Java, Go, Ruby, and PHP — covering Flask, FastAPI, Django, Express, NestJS, Spring, Gin, Rails, and Laravel.

Infrastructure and secrets checks

Scans Nginx/Kong/Envoy gateway configs, Dockerfiles, Kubernetes manifests, and .env files for missing rate limiting, root containers, open LoadBalancers, and hardcoded credentials.

Five compliance framework mappings

Every finding is tagged against OWASP API Top 10, PCI-DSS v4.0, GDPR, HIPAA, and DORA for audit-ready reporting.

Three output formats

Coloured console output for developers, structured JSON for pipelines, and a self-contained dark-theme HTML report with severity cards and client-side filtering for stakeholders.

CI/CD-native exit codes

Returns exit code 1 when any CRITICAL or HIGH finding is present, turning the scanner into a pass/fail gate with ready-to-paste GitHub Actions and GitLab CI snippets.

Zero-dependency single file

The entire scanner is one portable Python file on pure stdlib — clone or curl it and run, no installs, no lockfiles, fully offline.

Actionable, standards-linked findings

Each result includes a CWE reference (47 distinct CWEs) and a concrete remediation, not just a red flag.

Severity filtering

A --severity threshold trims noise so teams can focus on CRITICAL/HIGH first or surface everything down to LOW/INFO.

03Architecture

The scanner is a single self-contained Python module organized as a bank of module-level rule dictionaries feeding a regex SAST engine. A file dispatcher routes each file by type to the appropriate scanner method, which applies the relevant rule packs line-by-line; matches become Finding dataclasses that are aggregated, severity-sorted, and rendered to console, JSON, or HTML.

1
Rule definition layer
22 module-level *_RULES lists (BOLA_RULES, AUTH_RULES, INJECTION_RULES, GRAPHQL_RULES, K8S_API_RULES, etc.) — each rule a dict of id, category, severity, regex pattern, description, CWE, recommendation, and compliance tags, plus a COMPLIANCE_MAP.
2
Finding model
A Finding dataclass capturing rule_id, name, category, severity, file path, line number, matched code, description, remediation, CWE/CVE, and compliance list — the single normalized record used across all reports.
3
File dispatcher
APISecurityScanner.scan_path / _scan_directory walk the tree (skipping node_modules, venv, build dirs) and _dispatch_file routes by extension/name to _scan_source, _scan_proto, _scan_graphql, _scan_docker, _scan_gateway, _scan_env, or _scan_config.
4
SAST regex engine
_sast_scan iterates file lines, skips comments/blank lines, and case-insensitively matches each applicable rule's pattern, emitting a Finding via _add on every hit.
5
Inventory detection
_detect_inventory keyword-matches file content against framework, protocol, auth, gateway, and database dictionaries to build a discovered API stack profile alongside the vulnerability findings.
6
Reporting layer
print_report (coloured console), save_json (structured export), and save_html (dark-theme interactive report with severity cards and JS filtering), driven by summary() counts and severity ordering.
7
CLI and exit-code gate
An argparse front end (target, --json, --html, --severity, --verbose, --version) that filters by severity and exits 1 on any CRITICAL/HIGH for CI/CD.

04Project Structure

api_security_scanner.pyThe entire scanner — ~1,163 lines: 112 rules, dispatcher, SAST engine, inventory detection, and console/JSON/HTML reporters in one zero-dependency file.
README.mdFull documentation — rule category table, compliance mappings, file-type matrix, inventory discovery, CI/CD snippets, and quickstart.
CLAUDE.mdProject instructions and architecture notes: rule schema, category counts, conventions, and contribution guidelines.
tests/samples/Nine intentionally vulnerable fixtures used to exercise and regression-test the rule set.
tests/samples/vulnerable_api.pyInsecure Flask API fixture covering BOLA, auth, SSRF, injection, and secrets.
tests/samples/vulnerable_api.jsInsecure Express.js API fixture for the JavaScript/TypeScript rule path.
tests/samples/vulnerable_openapi.yamlInsecure OpenAPI 3.x spec triggering the OpenAPI spec rule pack.
tests/samples/vulnerable_api.graphqlInsecure GraphQL schema exercising introspection, depth, and mutation-auth checks.
tests/samples/vulnerable_api.protoInsecure Protobuf/gRPC definition for Protobuf and gRPC rules.
banner.svgProject banner graphic used in the README.
LICENSEMIT License.
.gitignorePython/IDE ignore rules.

05Security Controls

Broken Object Level Authorization (API1)
6 rules for direct object-ID access without ownership checks, unguarded path/pk params across Flask/Express/Django/Spring, and sequential/predictable ID enumeration (CWE-639, CWE-330).
Broken Authentication (API2)
10 rules covering missing auth decorators, hardcoded JWT secrets, 'none'/weak algorithms, disabled signature/expiry verification, API keys in query strings, unhashed passwords, and OAuth implicit flow (CWE-798, CWE-306, CWE-327, CWE-345).
Property-level auth & data exposure (API3)
5 rules for mass assignment, request body unpacked into models, sensitive fields returned in responses, and GraphQL field over-exposure.
Unrestricted resource consumption (API4)
6 rules for missing rate limiting, absent pagination, unbounded uploads, missing timeouts, and unlimited GraphQL query depth/complexity.
Broken function-level auth & business flows (API5/API6)
Admin endpoints without RBAC, privilege escalation, method override, unprotected DELETE, plus missing CAPTCHA on login and unprotected payment/reset flows.
SSRF & misconfiguration (API7/API8)
User-controlled URLs in server requests, open redirects, webhook/file-import SSRF, plus CORS wildcards, debug mode, verbose errors, missing security headers, HTTP serving, and disabled TLS verification (10 misconfig rules).
Injection & secrets
7 injection rules (SQL, NoSQL, command, XSS, LDAP, XXE, path traversal) and 6 secrets rules (hardcoded API keys, passwords, private keys, AWS creds, DB connection strings, bearer tokens).
Protocol-specific: GraphQL & gRPC
GraphQL introspection, missing depth limits, batching attacks, unauthenticated mutations, missing field auth; gRPC insecure channels, reflection enabled, missing auth interceptors, and unlimited message size.
Gateway, container & Kubernetes hardening
Nginx/Kong/Envoy/AWS gateways without rate limiting or auth; Dockerfile root user, embedded secrets, unpinned base images; K8s Ingress-without-TLS, open LoadBalancers, missing NetworkPolicy/limits, and secrets mounted as env vars.
Transport, logging, spec & env hygiene
TLS rules (HTTP endpoints, weak versions/ciphers, missing HSTS), logging rules (sensitive data in logs, disabled logging, full-body logging), OpenAPI spec rules (missing security schemes, API key in query, HTTP server URLs), and .env exposure checks.

06Technology Stack

Language
Python 3.10+ (uses union-type syntax and modern typing)
Dependencies
Zero external — pure standard library (re, os, argparse, json, datetime, dataclasses, pathlib, textwrap, hashlib, typing)
Analysis engine
Custom regex-based SAST over per-file-type rule packs
Reporting
ANSI-coloured console, JSON (via json/dataclasses.asdict), and self-contained HTML with inline CSS/JS
Testing
Fixture-based — 9 intentionally vulnerable sample files under tests/samples/ run through the scanner (no third-party test framework)
CI
Ready-to-use GitHub Actions and GitLab CI snippets documented in README; exit-code gate on CRITICAL/HIGH
Deployment
Single-file distribution — git clone or curl the one .py file; runs on Windows, macOS, Linux
License
MIT

07Quick Start

$ python api_security_scanner.py --version   # verify: API Security Scanner v1.0.0
$ python api_security_scanner.py /path/to/your/api-project   # scan a whole project tree
$ python api_security_scanner.py ./my-api --json report.json --html report.html   # machine + stakeholder reports
$ python api_security_scanner.py ./my-api --severity HIGH   # only CRITICAL and HIGH findings
$ python api_security_scanner.py tests/samples/ --verbose   # run against the bundled vulnerable fixtures
$ python api_security_scanner.py openapi.yaml   # scan a single OpenAPI spec, GraphQL schema, .proto, nginx.conf, or .env

08Compliance & Frameworks

OWASP API Security Top 10 (2023)
Primary mapping — dedicated rule packs for API1 through API10, the industry standard for API security.
PCI-DSS v4.0
Payment card data protection controls tagged on auth, BOLA, and secrets findings.
GDPR
EU data-privacy mappings on sensitive-data-exposure and logging findings.
HIPAA
Healthcare data-protection mappings on data-exposure and transport findings.
DORA
Digital operational resilience mappings for financial-sector API risk.

09Integrations & Outputs

Input: Python/JS/TS/Java/Go/Ruby/PHP source, GraphQL schemas, Protobuf, OpenAPI/Swagger specs, Nginx/Kong/Envoy configs, Dockerfiles, K8s manifests, .env filesExport: coloured console, JSON report, interactive HTML reportCI/CD: GitHub Actions and GitLab CI (documented snippets) with artifact upload and exit-code gatingHTML report links CVE references out to nvd.nist.gov

Explore API Security Scanner

Full source, documentation, and deployment guides live on GitHub.