Static security analysis for your APIs.
Find misconfigurations in seconds, not weeks. Purpose-built detection for API authorization patterns across multiple languages and frameworks, with zero false positives.
8 Free Rules + 10 Pro Rules. Zero False Positives.
Purpose-built detection for API authorization patterns. View all rules
Unintentional Public Access
Detects endpoints accessible without authentication that lack explicit public access declaration. Forces intentional decisions about what should be publicly accessible.
Anonymous Write Operations
Catches unauthenticated access on POST, PUT, DELETE, and PATCH operations. Prevents unintended anonymous data modifications.
Authorization Conflicts
Detects when action-level anonymous access overrides controller-level or router-level authorization. Catches conflicting authorization intent.
Missing Auth on Writes
The most critical rule: write operations reachable without any authorization applied at the action, controller, or router level. Your last line of defense.
Role Sprawl
Flags endpoints with 3+ roles assigned. Encourages policy-based authorization over role accumulation.
Weak Role Names
Detects generic roles: "User", "Admin", "Guest", "Manager". Promotes descriptive naming like "OrderManager" or "ReportViewer".
Sensitive Routes Exposed
Public routes with sensitive keywords: /admin, /debug, /export, /config. Customizable keyword detection.
Minimal API Gaps
Route handler endpoints missing explicit authorization chains. Full support for modern lightweight API patterns across frameworks.
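To make concrete what the rules above flag, here is an added example. It is mine, not apiposture's code or rule logic; the attribute parser, the constructed controller sample and the way each rule name maps to a check are assumptions. The input is a pair of ASP.NET Core controllers, chosen because the Authorization Conflicts rule describes that framework's real behaviour: [AllowAnonymous] on an action overrides [Authorize] on its controller. Each endpoint is checked for Unintentional Public Access, Anonymous Write Operations, Authorization Conflicts, Role Sprawl and Sensitive Routes Exposed.

```python
import re
from dataclasses import dataclass

# Constructed sample input (not from the project's own tests): two ASP.NET Core
# controllers exercising the patterns the free rules describe.
SAMPLE_CONTROLLERS = r'''
[Authorize(Roles = "Admin")]
[Route("api/orders")]
public class OrdersController : ControllerBase
{
    [HttpGet("{id}")]
    public IActionResult Get(int id) => Ok();

    [AllowAnonymous]
    [HttpPost("import")]
    public IActionResult Import() => Ok();

    [AllowAnonymous]
    [HttpGet("admin/export")]
    public IActionResult Export() => Ok();

    [Authorize(Roles = "User,Manager,Auditor")]
    [HttpDelete("{id}")]
    public IActionResult Delete(int id) => Ok();
}

public class HealthController : ControllerBase
{
    [HttpGet("health")]
    public IActionResult Ping() => Ok();

    [HttpPost("debug/reset")]
    public IActionResult Reset() => Ok();
}
'''

WRITE_VERBS = {"Post", "Put", "Delete", "Patch"}
SENSITIVE_KEYWORDS = ("admin", "debug", "export", "config")  # the page's default keyword list

ATTR_RE = re.compile(r'^\s*\[(\w+)(?:\((.*)\))?\]\s*$')      # [Name] or [Name(args)]
CLASS_RE = re.compile(r'^\s*public\s+class\s+(\w+)')
METHOD_RE = re.compile(r'^\s*public\s+\S+\s+(\w+)\s*\(')      # public <ReturnType> Name(
ROLES_RE = re.compile(r'Roles\s*=\s*"([^"]*)"')


@dataclass
class Endpoint:
    controller: str
    action: str
    verb: str
    path: str
    class_attrs: list   # [(attribute_name, raw_args), ...] declared on the controller
    action_attrs: list  # same, declared on the action method


def parse_controllers(source: str) -> list:
    """Tiny attribute parser: attributes stacked directly above a class or method
    declaration belong to that declaration. Good enough for the sample above."""
    endpoints, pending = [], []
    class_name, class_attrs, prefix = None, [], ""
    for line in source.splitlines():
        m = ATTR_RE.match(line)
        if m:
            pending.append((m.group(1), m.group(2) or ""))
            continue
        m = CLASS_RE.match(line)
        if m:
            class_name, class_attrs, pending = m.group(1), pending, []
            prefix = next((a for n, a in class_attrs if n == "Route"), "").strip('"')
            continue
        m = METHOD_RE.match(line)
        if m and class_name:
            verb, template = "", ""
            for name, args in pending:
                if name.startswith("Http") and name[4:] in {"Get", *WRITE_VERBS}:
                    verb, template = name[4:], args.strip('"')
            if verb:
                path = "/" + "/".join(p for p in (prefix, template) if p)
                endpoints.append(Endpoint(class_name, m.group(1), verb, path, class_attrs, pending))
            pending = []
    return endpoints


def has(attrs, name):
    return any(n == name for n, _ in attrs)


def roles_of(attrs):
    roles = set()
    for name, args in attrs:
        m = ROLES_RE.search(args) if name == "Authorize" else None
        if m:
            roles.update(r.strip() for r in m.group(1).split(",") if r.strip())
    return roles


def is_public(ep: Endpoint) -> bool:
    # ASP.NET Core semantics: [AllowAnonymous] at either level short-circuits authorization;
    # otherwise the endpoint is protected if [Authorize] appears at either level.
    if has(ep.action_attrs, "AllowAnonymous") or has(ep.class_attrs, "AllowAnonymous"):
        return True
    return not (has(ep.action_attrs, "Authorize") or has(ep.class_attrs, "Authorize"))


def evaluate(ep: Endpoint) -> list:
    """Return the rule names (from the page) that this endpoint trips."""
    findings, public = [], is_public(ep)
    explicit_anon = has(ep.action_attrs, "AllowAnonymous") or has(ep.class_attrs, "AllowAnonymous")
    if public and not explicit_anon:
        findings.append("Unintentional Public Access")
    if public and ep.verb in WRITE_VERBS:
        findings.append("Anonymous Write Operations")
    if has(ep.class_attrs, "Authorize") and has(ep.action_attrs, "AllowAnonymous"):
        findings.append("Authorization Conflicts")
    if len(roles_of(ep.action_attrs) | roles_of(ep.class_attrs)) >= 3:
        findings.append("Role Sprawl")
    if public and any(k in ep.path.lower() for k in SENSITIVE_KEYWORDS):
        findings.append("Sensitive Routes Exposed")
    return findings


def scan(source: str) -> dict:
    return {f"{ep.verb.upper()} {ep.path}": evaluate(ep) for ep in parse_controllers(source)}


if __name__ == "__main__":
    for endpoint, hits in scan(SAMPLE_CONTROLLERS).items():
        print(f"{endpoint:32} {', '.join(hits) or 'ok'}")
```

Note that one endpoint can trip several rules at once: POST /api/orders/import is both an anonymous write and a conflict with the controller-level [Authorize], which is exactly the "conflicting authorization intent" the page describes.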
Go Beyond Authorization Checks
Pro adds deep source code inspection — OWASP Top 10, secrets detection, diff mode, historical tracking, and risk scoring. Available now for .NET, Node.js, Python, Java, Go and PHP.
OWASP Top 10 Rules
8+ advanced rules covering injection, broken access control, SSRF, cryptographic failures, security misconfiguration, and more — with deep method-body analysis.
Secrets Detection
Detects 30+ secret patterns — AWS, Azure, GCP keys, GitHub tokens, database credentials, JWT secrets — in source files and method bodies.
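How pattern-based secrets detection of the kind described above works, as an added example. This is not the project's detector; the five patterns, the placeholder markers and the entropy threshold are my choices, and the sample files are constructed. Each line is matched against well-known token formats, and a candidate is dropped when it is a documented placeholder (Amazon's AKIAIOSFODNN7EXAMPLE) or, for free-form secrets such as a JWT signing key or a database password, when its Shannon entropy is too low to be a real credential.

```python
import re
from collections import Counter
from math import log2

# Constructed sample files (synthetic values). The AWS key on the first line is
# Amazon's documented example key, included to show placeholder suppression.
SAMPLE_FILES = {
    "config/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'DB_URL = "postgres://app:p8F2kLq9zX@db.internal:5432/app"\n'
        'JWT_SECRET = "changeme"\n'
    ),
    "src/deploy.js": (
        'const token = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij";\n'
        'const key = "AKIAQ7XKZ2J4M9P0T3RC";\n'
    ),
    "keys/server.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA\n",
}

# (rule name, pattern). Group 1, when present, captures the secret value itself;
# otherwise the whole match is the value (fixed-format tokens and key headers).
PATTERNS = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github-pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("database-url-password", re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb)://[^:/\s]+:([^@\s]+)@")),
    ("jwt-secret", re.compile(r"(?i)\bjwt[_-]?secret\b\s*[=:]\s*[\"']([^\"']+)[\"']")),
    ("private-key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
]
GENERIC_RULES = {"database-url-password", "jwt-secret"}   # free-form values, entropy-gated
PLACEHOLDER_MARKERS = ("example", "changeme", "placeholder", "xxxx", "${", "<your")
MIN_ENTROPY = 3.0   # bits per character; below this a free-form value is treated as a dummy


def shannon_entropy(value: str) -> float:
    n = len(value)
    return -sum(c / n * log2(c / n) for c in Counter(value).values())


def looks_like_placeholder(value: str) -> bool:
    lowered = value.lower()
    return any(marker in lowered for marker in PLACEHOLDER_MARKERS)


def mask(value: str) -> str:
    # Never echo the full secret into a report that will be stored or shared.
    return value[:4] + "****"


def scan_text(path: str, text: str) -> list:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS:
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if looks_like_placeholder(value):
                    continue
                if rule in GENERIC_RULES and shannon_entropy(value) < MIN_ENTROPY:
                    continue
                findings.append({"file": path, "line": lineno, "rule": rule, "value": mask(value)})
    return findings


def scan_files(files: dict) -> list:
    return [f for path, text in files.items() for f in scan_text(path, text)]


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']}  {f['rule']}  {f['value']}")
```

The two suppressions are where a detector earns or loses trust: without them the documented AWS example key and the "changeme" JWT secret would both be reported, and a team that sees dummy values flagged on day one stops reading the report.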
File-Level Scanning
Scans beyond endpoints: config files, templates, and package manifests — including Razor views, EJS/Handlebars/Pug templates, app entry points, and dependency files for framework-specific vulnerabilities.
Diff Mode
Compare scans over time. Track security improvements or regressions between releases with a single command: apiposture-pro diff baseline.json current.json
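Diff mode rests on one design choice: what makes two findings "the same" between runs. The following added example is mine, not apiposture-pro's implementation; the JSON layout, the use of rule names as identifiers and the severity levels are assumptions. It keys each finding on rule, file, method and route and deliberately ignores line numbers, so an unrelated edit that shifts code is not reported as a regression, and it shows how a --fail-on style gate can act on new findings only.

```python
import json
from hashlib import sha256

# Constructed scan reports. The JSON layout, the rule names used as identifiers
# and the severity levels are assumptions for this example, not apiposture's format.
BASELINE_JSON = json.dumps({"findings": [
    {"rule": "Anonymous Write Operations", "severity": "high",
     "file": "Controllers/OrdersController.cs", "method": "POST", "route": "/api/orders/import", "line": 12},
    {"rule": "Role Sprawl", "severity": "low",
     "file": "Controllers/OrdersController.cs", "method": "DELETE", "route": "/api/orders/{id}", "line": 20},
    {"rule": "Sensitive Routes Exposed", "severity": "medium",
     "file": "Controllers/HealthController.cs", "method": "POST", "route": "/debug/reset", "line": 5},
]})
CURRENT_JSON = json.dumps({"findings": [
    # The first two findings are unchanged but shifted down by an unrelated edit.
    {"rule": "Anonymous Write Operations", "severity": "high",
     "file": "Controllers/OrdersController.cs", "method": "POST", "route": "/api/orders/import", "line": 15},
    {"rule": "Role Sprawl", "severity": "low",
     "file": "Controllers/OrdersController.cs", "method": "DELETE", "route": "/api/orders/{id}", "line": 23},
    # /debug/reset was fixed; a new unauthenticated write appeared elsewhere.
    {"rule": "Missing Auth on Writes", "severity": "high",
     "file": "Controllers/UsersController.cs", "method": "POST", "route": "/api/users", "line": 30},
]})

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


def fingerprint(finding: dict) -> str:
    """Stable identity for a finding. Line numbers are excluded on purpose: they
    change with every unrelated edit and would turn old findings into 'new' ones."""
    key = "|".join((finding["rule"], finding["file"], finding["method"], finding["route"]))
    return sha256(key.encode()).hexdigest()[:16]


def diff_scans(baseline_json: str, current_json: str) -> dict:
    base = {fingerprint(f): f for f in json.loads(baseline_json)["findings"]}
    cur = {fingerprint(f): f for f in json.loads(current_json)["findings"]}

    def pick(table, keys):
        return [table[k] for k in sorted(keys)]   # sorted for deterministic output

    return {
        "new": pick(cur, cur.keys() - base.keys()),
        "resolved": pick(base, base.keys() - cur.keys()),
        "unchanged": pick(cur, cur.keys() & base.keys()),   # report current line numbers
    }


def exit_code(report: dict, fail_on: str = "high") -> int:
    """CI gate in the spirit of a --fail-on threshold: only *new* findings at or above
    the threshold fail the build, so a known backlog does not block every change."""
    threshold = SEVERITY_RANK[fail_on]
    return 1 if any(SEVERITY_RANK[f["severity"]] >= threshold for f in report["new"]) else 0


if __name__ == "__main__":
    report = diff_scans(BASELINE_JSON, CURRENT_JSON)
    for bucket in ("new", "resolved", "unchanged"):
        for f in report[bucket]:
            print(f"{bucket:9} {f['severity']:6} {f['method']} {f['route']}  ({f['file']}:{f['line']})")
    print("exit code:", exit_code(report))
```

Gating on new findings rather than on the total is what makes a scanner adoptable on an existing codebase: the backlog shows up in the trend, the pull request only fails for what it introduced.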
Historical Tracking
Every scan auto-saved to a local SQLite database. View trends, spot regressions, and prove your security posture is improving over time.
Risk Scoring
Automated risk score combining severity, exposure, sensitivity, and finding density — giving you a single number to communicate security posture to stakeholders.
Free
Perfect for individual developers exploring API security. Open-source CLI. 100% local analysis. Your code never leaves your machine.
- 8 security rules (AP001–AP008)
- Multi-language & framework support
- Static source analysis (no build needed)
- JSON / Markdown / Terminal output
- CI/CD integration & --fail-on exit codes
- Privacy-first (100% local, no cloud)
- MIT licensed, open source
Open Source Alpha
Pro
Best for growing teams building secure APIs. Advanced OWASP security scanning with secrets detection, diff mode, and history tracking.
- Everything in Free
- OWASP Top 10 rules (AP101–AP108)
- 30+ secrets detection patterns (AP201)
- Deep source code & file-level scanning
- Diff mode — track regressions over time
- Historical scan tracking (SQLite)
- Automated risk scoring
Coming Soon
Three Commands. Complete Visibility.
Choose
Pick Free or Pro in the hero switcher, choose your runtime, and copy the exact command set that matches your stack.
Scan
Point it at your API project directory.
Review
Get results in Terminal, JSON, or Markdown.
No compilation required. Works with incomplete code. Static source analysis across languages and frameworks.
Built for Developers. Fast by Design.
Up in 30 Seconds
One command to install. One command to scan. No config files, no 5GB docker-compose, no project setup, no compilation needed.
Sub-2s Scans
Static source analysis — no runtime, no server, no waiting. A typical codebase with 150+ endpoints scans in under 2 seconds.
Output Humans and AI Understand
Terminal output for humans. JSON for automation. Markdown for pull request comments or feeding directly into your AI assistant to fix issues in context.
Output That Fits Your Workflow
Shift Left. Fail Fast.
Integrate into your pipeline in one line.
Trusted by Security-Conscious Teams
Start scanning in under 60 seconds.
Use the command switcher at the top of the page to get the exact install and first-scan commands for Free or Pro.
Free tier: 8 rules, all languages, MIT licensed. | Pro: OWASP Top 10, secrets detection, diff mode, risk scoring. — view full comparison.