GitHub Action
VulnAPI Action
VulnAPI is an Open-Source DAST designed to help you scan your APIs for common security vulnerabilities and weaknesses.
By using this tool, you can detect and mitigate security vulnerabilities in your APIs before they are exploited by attackers.
Use this action to scan your project for vulnerabilities with VulnAPI.
All the vulnerabilities detected by the project are listed at this URL: API Vulnerabilities Detected.
More vulnerabilities and best practices will be added in future releases. If you have any suggestions or requests for additional vulnerabilities or best practices to be included, please feel free to open an issue or submit a pull request.
name: Scan for API vulnerabilities
on: [push]
permissions:
contents: read
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: VulnAPI
uses: cerberauth/vulnapi-action@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
openapi: 'openapi.yaml'
name: Scan for API vulnerabilities
on: [push]
permissions:
contents: read
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: VulnAPI
uses: cerberauth/vulnapi-action@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
curl:
'curl http://localhost:8080 -H "Authorization: Bearer eyJhbGci..."'
Name | Required | Description | Default |
---|---|---|---|
version | false | The version of the file to scan. | latest |
Name | Required | Description | Default |
---|---|---|---|
curl | false | The curl command to scan. |
Name | Required | Description | Default |
---|---|---|---|
openapi | false | The OpenAPI file location (path or URL) |
Name | Required | Description | Default |
---|---|---|---|
scans | false | The scans performed. | all |
excludeScans | false | The scans to exclude. | |
rateLimit | false | The rate limit used to run API vulnerability scans. | 10/s |
proxy | false | The proxy server used during the scan. | |
severityThreshold | false | The severity threshold to trigger a failure. | 0 |
Scan results are output to the console.
This scanner is provided for informational purposes only. It should not be used for malicious purposes or to attack any system without proper authorization. Always respect the security and privacy of others.
VulnAPI collects fully anonymized usage data to help improve the tool. This data
is not shared with third parties. You can opt-out of telemetry by setting the
telemetry
option to false
.
This repository is licensed under the MIT License @ CerberAuth.