>_ Documentation
Get Started with ApiPosture
Installation, CLI reference, configuration, and CI/CD integration. Free & Pro editions.
Core CLI with AP001-AP008 free rules
Standalone Pro CLI with Free + Pro rules
# Install the free CLI
dotnet tool install -g ApiPosture
# Scan your API project
apiposture scan ./src/YourWebApi
✓ Scanned 47 files
✓ Found 156 endpoints
⚠ 3 critical findings
# Install the standalone Pro CLI
dotnet tool install --global ApiPosturePro
apiposture-pro activate XXXX-XXXX-XXXX-XXXX
# Scan with Free + Pro rules
apiposture-pro scan ./src/YourWebApi --fail-on high
✓ OWASP Top 10 and secrets detection enabled
# Install from source
go install github.com/BlagoCuljak/ApiPosture.Go/cmd/apiposture@latest
# Scan your Go project
apiposture scan .
# Optional JSON output
apiposture scan ./path/to/project --output json
# Install the Pro CLI
brew tap ApiPosture/tap && brew install apiposture-pro
apiposture-pro activate XXXX-XXXX-XXXX-XXXX
# Run the full scan
apiposture-pro scan . --fail-on high
# Install via pip
pip install apiposture
# Scan FastAPI, Flask, or Django
apiposture scan .
# JSON output
apiposture scan ./src --output json
# Install the Pro CLI
pip install apiposture-pro
apiposture-pro activate XXXX-XXXX-XXXX-XXXX
# Run the full scan
apiposture-pro scan . --fail-on high
# Download the latest release
curl -L -o apiposture.jar https://github.com/BlagoCuljak/ApiPosture.Java/releases/latest/download/apiposture.jar
# Scan your Spring Boot project
java -jar apiposture.jar scan /path/to/spring-boot-project
# Fail CI if needed
java -jar apiposture.jar scan /path/to/project --fail-on high
# Download the Pro CLI
curl -L https://github.com/ApiPosture/ApiPosturePro.Java.Releases/releases/latest/download/apiposture-pro.jar -o apiposture-pro.jar
java -jar apiposture-pro.jar license activate YOUR-LICENSE-KEY
# Run the full scan
java -jar apiposture-pro.jar scan . --fail-on high
# Install globally via Composer
composer global require apiposture/apiposture
# Scan your Laravel, Symfony, or Slim app
apiposture scan ./app
# Or run from a project dev dependency
vendor/bin/apiposture scan ./app
# Install the Pro CLI
brew tap ApiPosture/php-tools && brew install apiposture-pro
apiposture-pro activate YOUR-LICENSE-KEY
# Run the full scan
apiposture-pro scan . --fail-on high
# Install via npm
npm install -g @apiposture/cli
# Scan your Express or Fastify API
apiposture scan ./src/YourWebApi
# CI-friendly JSON output
apiposture scan . --output json
# Install the Pro CLI
npm install -g @apiposture/pro
apiposture-pro license activate XXXX-XXXX-XXXX-XXXX
# Run the full scan
apiposture-pro scan . --fail-on high
Install from the hero switcher above
The hero tabs now hold the full install, activation, and first-scan commands for both Free and Pro across every supported runtime. Pick your edition, copy the command, then use the sections below for scan patterns, options, and CI examples.
Quick Start
Install from the hero switcher, then run one of these scan commands.
Scan your ASP.NET Core API project in seconds with the free edition:
# Navigate to your project directory
cd ~/projects/MyWebApi
# Scan the API project (Free)
apiposture scan ./src/MyWebApi
Or use Pro for OWASP Top 10 + secrets detection:
# Scan with Pro (includes free + pro rules)
apiposture-pro scan ./src/MyWebApi
✓ Scanned 47 files
✓ Found 156 endpoints
⚠ 3 critical findings
⚠ 7 high severity findings
ApiPosture uses Roslyn's syntax-only parsing, which means:
- No compilation required - works with incomplete code
- Fast - typical scans complete in under 2 seconds
- No dependencies - doesn't need your NuGet packages
CLI Reference
scan
The main command to analyze your API project.
apiposture scan <path> [options]
Arguments
<path>- Path to the directory containing your C# source files
Options
| Option | Description | Default |
|---|---|---|
--output, -o |
Output format: terminal, json, markdown |
terminal |
--fail-on |
Exit with non-zero code if severity found: critical, high, medium, low |
- |
--exclude |
Glob patterns to exclude (can be used multiple times) | - |
--config |
Path to configuration file (.json or .yaml) | .apiposture.json / .apiposture.yaml |
--framework |
Filter by framework: fastapi, flask, django_drf |
- |
--no-color |
Disable colored output | false |
--verbose, -v |
Show detailed output | false |
Examples
# Basic scan
apiposture scan ./src/Api
# Output as JSON
apiposture scan ./src/Api --output json
# Fail CI if high severity issues found
apiposture scan ./src/Api --fail-on high
# Exclude test files
apiposture scan ./src --exclude "**/Tests/**"
# Save markdown report
apiposture scan ./src/Api --output markdown > report.md
# Go-specific examples
apiposture scan ./path --severity high
apiposture scan ./path --fail-on high
apiposture scan ./samples/gin_app
# Java / Spring Boot examples
curl -L -o apiposture.jar https://github.com/BlagoCuljak/ApiPosture.Java/releases/latest/download/apiposture.jar
java -jar apiposture.jar scan /path/to/spring-boot-project --output json --output-file apiposture-report.json
java -jar apiposture.jar scan /path/to/project --fail-on high
Configuration
Create a .apiposture.json file in your project root for persistent configuration:
{
"exclude": [
"**/Tests/**",
"**/Migrations/**"
],
"rules": {
"AP005": {
"maxRoles": 4
},
"AP006": {
"allowedGenericRoles": ["Admin"]
},
"AP007": {
"sensitiveKeywords": [
"admin", "debug", "internal", "config", "secret"
]
}
},
"disabledRules": ["AP006"]
}
rules:
disabled:
- AP006 # Disable weak role naming check
exclude:
- "**/tests/**"
- "**/migrations/**"
suppressions:
- rule: AP001
route: "/health"
reason: "Health check is intentionally public"
# Go config example (.apiposture.yaml)
rules:
enabled: [] # Empty = all rules
disabled:
- AP006
include:
- "**/*.go"
exclude:
- "**/vendor/**"
- "**/*_test.go"
- "**/testdata/**"
suppressions:
- rule: AP001
route: "/health.*"
reason: "Health check is intentionally public"
min_severity: info
# Java config example (.apiposture.yaml)
rules:
enabled: [] # Empty = all rules
disabled:
- AP006
include:
- "**/*.java"
exclude:
- "**/build/**"
- "**/target/**"
suppressions:
- rule: AP001
route: "/health.*"
reason: "Health check is intentionally public"
min_severity: info
Configuration Options
exclude- Array of glob patterns to exclude from scanningrules- Per-rule configuration overridesdisabledRules- Array of rule IDs to disable
Output Formats
Terminal (Default)
Human-readable colored output optimized for terminal viewing:
apiposture scan ./src --output terminal
JSON
Machine-readable output for integration with other tools:
apiposture scan ./src --output json > results.json
Markdown
Formatted report suitable for documentation or PR comments:
apiposture scan ./src --output markdown > report.md
CI/CD Integration
Integrate ApiPosture into your CI/CD pipeline to catch security issues before they reach production.
GitHub Actions
# .github/workflows/security.yml
name: API Security Scan
on: [push, pull_request]
jobs:
security-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Setup .NET
uses: actions/setup-dotnet@v4
with:
dotnet-version: '8.0.x'
- name: Install ApiPosture
run: dotnet tool install -g ApiPosture
- name: Run Security Scan
run: apiposture scan ./src/Api --fail-on high
# .github/workflows/security.yml (Go)
- name: Run ApiPosture (Go)
run: |
go install github.com/BlagoCuljak/ApiPosture.Go/cmd/apiposture@latest
apiposture scan . --fail-on high
# .github/workflows/security.yml (Java)
- name: Download ApiPosture
run: |
curl -L -o apiposture.jar https://github.com/BlagoCuljak/ApiPosture.Java/releases/latest/download/apiposture.jar
java -jar apiposture.jar scan . --fail-on high --output json -f security-report.json
# .github/workflows/security.yml (PHP)
- name: Setup PHP
uses: shivammathur/setup-php@v2
with:
php-version: '8.2'
- name: Install dependencies
run: composer install
- name: Run ApiPosture (PHP)
run: vendor/bin/apiposture scan ./app --fail-on high
Azure DevOps
# azure-pipelines.yml
- task: DotNetCoreCLI@2
displayName: 'Install ApiPosture'
inputs:
command: 'custom'
custom: 'tool'
arguments: 'install -g ApiPosture'
- script: apiposture scan ./src/Api --fail-on high
displayName: 'API Security Scan'
GitLab CI
# .gitlab-ci.yml
security-scan:
image: mcr.microsoft.com/dotnet/sdk:8.0
script:
- dotnet tool install -g ApiPosture
- export PATH="$PATH:$HOME/.dotnet/tools"
- apiposture scan ./src/Api --fail-on high
# .gitlab-ci.yml (Java)
security-scan:
image: openjdk:21
script:
- curl -L -o apiposture.jar https://github.com/BlagoCuljak/ApiPosture.Java/releases/latest/download/apiposture.jar
- java -jar apiposture.jar scan . --output json --output-file apiposture-report.json
artifacts:
paths:
- apiposture-report.json
# .gitlab-ci.yml (PHP)
security-scan:
image: php:8.2-cli
before_script:
- curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer
- composer install
script:
- vendor/bin/apiposture scan ./app --fail-on high
Security Rules
ApiPosture includes 8 purpose-built security rules. See the Features page for detailed explanations of each rule.
| Rule | Category | Severity | Description |
|---|---|---|---|
AP001 |
Exposure | HIGH | Unintentional Public Access |
AP002 |
Exposure | HIGH | Anonymous Write Operations |
AP003 |
Consistency | MEDIUM | Authorization Conflicts |
AP004 |
Consistency | CRITICAL | Missing Auth on Writes |
AP005 |
Privilege | LOW | Role Sprawl |
AP006 |
Privilege | LOW | Weak Role Names |
AP007 |
Surface | MEDIUM | Sensitive Routes Exposed |
AP008 |
Surface | HIGH | Minimal API Gaps |
>_ Need Help?
Questions or Feedback?
Open an issue on GitHub or reach out via our contact page.