
Scan APIs locally with APIsec™ CLI

APIsec's CLI helps you scan your APIs locally to find vulnerabilities.

I. Installation:

To download and run APIsec-cli, run the following:

git clone https://github.com/intesar/apisec-cli
cd apisec-cli
java -jar apisec-cli.jar

II. Signup with APIsec™:

New users need to sign up with APIsec. Signing up creates a new tenant for you in the APIsec SaaS Platform.
Command:  signup -c <company name> -e <email>

apisec> signup -c mycompany -e john@mycompany.com

It returns the login credentials, i.e., the user name and an auto-generated password. Save these in a file called fx.properties at the location specified. On the next execution you will be logged in to your tenant automatically.

Alternatively, you can keep the password yourself and log in manually the next time you run the CLI, using the command below.
Command:  login -u <user email> -p <password>

apisec> login -u john@mycompany.com -p DBhk20Al

III. Register APIs:

Register the API that you wish to scan by providing its publicly available OpenAPI Spec (Swagger) URL,
e.g., http://mycompany.com/application/v2/api-docs
Command:  register -n <api name> -o <Open API Spec URL>

apisec> register -n orders -o http://mycompany.com/orders/v2/api-docs

APIsec parses the spec and generates the security playbooks used for scanning. This might take a few seconds depending on the number of endpoints in the API.

If your application is hosted internally and the OAS URL is not publicly reachable, APIsec recommends uploading the OAS file (JSON or YAML) to a public location such as GitHub and providing its direct URL.

Note: You can register multiple APIs in the same tenant by repeating the step above. Use the ls command to view the list of all APIs registered with APIsec.
Command: ls

apisec> ls

IV. Scan the API:

To scan the API for vulnerabilities, use the scan command as shown below.
Command: scan -n <api name>

apisec> scan -n orders

It runs all the playbooks generated in the previous step, invoking the endpoints of the hosted application at the host URL and base path given in the OAS spec.
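Since the registered OAS spec determines both which endpoints the playbooks invoke and which host and base path the scan targets, it is worth inspecting a spec before handing its URL to the register command (especially when the spec is being uploaded to a public location). The script below is an added example and not part of the APIsec CLI: it parses a constructed Swagger 2.0 document standing in for the page's orders API, resolves the scan target (host + basePath, or servers[] for OpenAPI 3.x), counts the operations a playbook set would cover, and flags operations that declare no authentication requirement.

```python
import json
HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")

# Constructed Swagger 2.0 document standing in for the page's
# http://mycompany.com/orders/v2/api-docs; it describes no real API.
SAMPLE_SPEC = json.dumps({
    "swagger": "2.0",
    "host": "mycompany.com",
    "basePath": "/orders",
    "securityDefinitions": {"bearer": {"type": "apiKey", "name": "Authorization", "in": "header"}},
    "security": [{"bearer": []}],  # document-wide default: a token is required
    "paths": {
        "/orders": {"get": {"summary": "List orders"}, "post": {"summary": "Create order"}},
        "/orders/{id}": {"get": {"summary": "Fetch order"},
                         "delete": {"summary": "Cancel order", "security": []}},  # opts out
        "/health": {"get": {"summary": "Liveness", "security": []}},
    },
})

def scan_target(spec):
    """Base URL the playbooks will call: servers[0] in OpenAPI 3.x, otherwise
    scheme + host + basePath (the page's 'host url and basepath')."""
    if "servers" in spec:
        return spec["servers"][0]["url"]
    scheme = (spec.get("schemes") or ["https"])[0]
    return f"{scheme}://{spec.get('host', '')}{spec.get('basePath', '')}"

def endpoints(spec):
    """Yield (METHOD, path, effective security requirement) for each operation.
    An operation-level 'security' overrides the document default; an empty
    list declares the operation reachable without credentials."""
    default = spec.get("security", [])
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method in HTTP_METHODS:
                yield method.upper(), path, op.get("security", default)

def unauthenticated(spec):
    """Operations with no security requirement: review these before uploading
    the spec to a public location, since the spec then advertises them."""
    return [(m, p) for m, p, sec in endpoints(spec) if not sec]

def summarize(raw):
    spec = json.loads(raw)  # spec given as JSON text, as served at an api-docs URL
    return {"target": scan_target(spec), "operations": sum(1 for _ in endpoints(spec)),
            "unauthenticated": unauthenticated(spec)}

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_SPEC), indent=2))
```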

If the application is hosted internally and no public IP is available, you need to scan using your local scanner. The steps to create a local scanner are available in the next section.

V. Create a local scanner:

If the application is hosted internally and no public IP is available, you need to deploy a local scanner that can reach it.
Command: scanner create -n <scanner name>

apisec> scanner create -n MyLocalScanner

Command: scan -n <api name> -s <scanner name>

apisec> scan -n orders -s MyLocalScanner

This command returns the Docker and Kubernetes scripts for deploying the scanner. Run the Docker or Kubernetes script, as appropriate for your environment, on the machine where the API is hosted or on any other machine in the network that can reach the API. The script deploys the scanner on that machine.

Use the command below to view the list of all local scanners created in your tenant.
Command: scanner ls

apisec> scanner ls

Use the command below to remove a local scanner from your tenant.
Command: scanner rm -n <scanner name>

apisec> scanner rm -n MyLocalScanner

Copyright © apisec.ai Inc.