>_ Know your API security posture

Static security analysis for your APIs.

Find misconfigurations in seconds, not weeks. Purpose-built detection for API authorization patterns with zero false positives.

# Install as global tool
dotnet tool install -g ApiPosture
 
# Scan your API project
apiposture scan ./src/YourWebApi
 
✓ Scanned 47 files
✓ Found 156 endpoints
⚠ 3 critical findings
⚠ 7 high severity findings

>_ Security Rules

8 Security Rules. Zero False Positives.

Purpose-built detection for API authorization patterns.

AP001 Unintentional Public Access [EXPOSURE] HIGH

Detects endpoints accessible without authentication that lack an explicit [AllowAnonymous] declaration. Forces intentional decisions about public access.

AP002 Anonymous Write Operations [EXPOSURE] HIGH

Catches [AllowAnonymous] on POST, PUT, DELETE, and PATCH operations. Prevents unintended anonymous data modifications.

AP003 Authorization Conflicts [CONSISTENCY] MEDIUM

Detects when an action-level [AllowAnonymous] overrides a controller-level [Authorize]. Catches conflicting authorization intent.

AP004 Missing Auth on Writes [CONSISTENCY] CRITICAL

The most critical rule: public write operations without any authorization. Your last line of defense.

AP005 Role Sprawl [PRIVILEGE] LOW

Flags endpoints with 3+ roles assigned. Encourages policy-based authorization over role accumulation.

AP006 Weak Role Names [PRIVILEGE] LOW

Detects generic role names: "User", "Admin", "Guest", "Manager". Promotes descriptive naming like "OrderManager" or "ReportViewer".

AP007 Sensitive Routes Exposed [SURFACE] MEDIUM

Public routes containing sensitive keywords: /admin, /debug, /export, /config. Keyword detection is customizable.

AP008 Minimal API Gaps [SURFACE] HIGH

Minimal API endpoints missing .RequireAuthorization() chains. Full support for modern .NET patterns.
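To make the syntax-only detection concrete, here is an added example that is not ApiPosture's own code (which uses Roslyn rather than regexes): a simplified line-based scanner for AP002, AP003 and AP008, run over a constructed C# sample. The sample controller, the Minimal API routes and the attribute-matching heuristics are all assumptions made for illustration.

```python
import re

# Constructed sample (not from any real project): a controller whose class-level
# [Authorize] is overridden on a POST action, plus three Minimal API routes.
SAMPLE = """[Authorize]
[ApiController]
public class OrdersController : ControllerBase
{
    [HttpGet("{id}")]
    public IActionResult Get(int id) => Ok();

    [AllowAnonymous]
    [HttpPost]
    public IActionResult Create(OrderDto dto) => Ok();
}

app.MapGet("/health", () => "ok").AllowAnonymous();
app.MapPost("/orders", (OrderDto dto) => Results.Ok());
app.MapDelete("/orders/{id}", (int id) => Results.Ok()).RequireAuthorization();
"""

WRITE_VERBS = {"HttpPost", "HttpPut", "HttpDelete", "HttpPatch"}
ATTR = re.compile(r"\[(\w+)")                      # attribute name inside [...]
MINIMAL = re.compile(r"\.Map(Get|Post|Put|Delete|Patch)\(")

def scan_source(src: str) -> list:
    """Return (rule, line, message) findings for AP002/AP003/AP008 (simplified heuristics)."""
    findings = []
    controller_authorized = False   # a class-level [Authorize] has been seen
    pending = []                    # attributes collected for the next member
    for lineno, raw in enumerate(src.splitlines(), 1):
        line = raw.strip()
        if line.startswith("["):
            pending.extend(ATTR.findall(line))
        elif re.search(r"\bclass\b", line):
            controller_authorized = "Authorize" in pending
            pending = []
        elif pending and "(" in line:          # method declaration after attributes
            if "AllowAnonymous" in pending:
                if WRITE_VERBS & set(pending):
                    findings.append(("AP002", lineno, "[AllowAnonymous] on a write operation"))
                if controller_authorized:
                    findings.append(("AP003", lineno, "action [AllowAnonymous] overrides controller [Authorize]"))
            pending = []
        else:
            m = MINIMAL.search(line)
            if m and ".RequireAuthorization(" not in line and ".AllowAnonymous(" not in line:
                findings.append(("AP008", lineno, f"Map{m.group(1)} without .RequireAuthorization()"))
    return findings
```

Calling scan_source(SAMPLE) reports AP002 and AP003 on the Create action and AP008 on the MapPost route; the explicitly anonymous MapGet and the authorized MapDelete are silent.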

>_ How It Works

Three Commands. Complete Visibility.

1. Install

Install as a global .NET tool with a single command.

dotnet tool install -g ApiPosture

2. Scan

Point it at your API project directory.

apiposture scan ./src

3. Review

Get results in Terminal, JSON, or Markdown.

--output json

No compilation required. Works with incomplete code. Syntax-only analysis powered by Roslyn.

>_ Output Formats

Output That Fits Your Workflow

ApiPosture Scan Results
═══════════════════════════════════════════════════
 
Summary
├─ Files Scanned: 47
├─ Endpoints Found: 156
├─ Findings: 10
└─ Duration: 1.2s
 
Findings by Severity
├─ Critical: 3 ████████
├─ High: 4 ██████████
├─ Medium: 2 █████
└─ Low: 1 ██

>_ CI/CD Integration

Shift Left. Fail Fast.

Integrate into your pipeline in one line.

# .github/workflows/security.yml

- name: API Security Scan
  run: |
    dotnet tool install -g ApiPosture
    apiposture scan ./src/Api --fail-on high

Works with GitHub Actions, Azure DevOps, GitLab CI, Jenkins, CircleCI, or any CI system.

>_ By The Numbers

Trusted by Security-Conscious Teams

156+ endpoints per scan (avg)
8 security rules
<2s average scan time
MIT license - free OSS

>_ Ready to Secure Your API?

Start scanning in under 60 seconds.

dotnet tool install -g ApiPosture && apiposture scan ./src