Open-source API security scanner

Find API security flaws before attackers do

Fendix combines live HTTP probing with static analysis to surface auth bypass, CORS misconfigs, exposed secrets, and more — in a single scan.

Auth bypass detection · Secret scanning · Rate limit testing · SARIF / JSON / HTML export

  • 3 scan modes
  • 8+ vulnerability categories
  • < 5s average scan time
  • MIT open-source license

Three modes. One tool.

Run any combination of scan modes against any target — no agents to install, no YAML sprawl.

Black-box scanning

Probe live APIs for auth bypass, CORS misconfigs, header issues, injection vectors, and rate limiting — no source code required.

White-box analysis

Static analysis of your source code to surface hardcoded secrets, insecure patterns, and policy violations before they ship.

Correlated findings

Hybrid mode cross-references runtime behaviour with source evidence — every finding includes both HTTP proof and code location.

Your security command center

Track every scan, triage findings by severity, and monitor your API security posture — all from a single dashboard.

[Dashboard screenshot: localhost:3000/dashboard (LIVE). Tiles: Total Scans 12, Findings 38, Critical 4, High 11. Findings by Severity: CRITICAL 10, HIGH 29, MEDIUM 37, LOW 18, INFO 6. Latest Findings: CRITICAL Missing authentication on /api/users; HIGH CORS wildcard with credentials allowed; HIGH Hardcoded AWS access key in source; MEDIUM Missing Content-Security-Policy header.]

Built for real security workflows

Fendix supports day-to-day developer checks, AppSec investigations, and CI/CD security gates.

For Developers

Run fast pre-merge scans and fix issues with code-level evidence.

For AppSec Teams

Correlate runtime and static findings to prioritize high-confidence risk.

For CI/CD Pipelines

Block risky releases by threshold and export artifacts for audit trails.

How it works

From zero to findings in three steps.

01 Configure

Choose a scan mode, point Fendix at your API URL and/or source path, and optionally add an auth token.

02 Scan

Fendix runs black-box probes, static analysis, or both in parallel — results stream in as they arrive.

03 Remediate

Every finding comes with evidence, a fix recommendation, and CWE / OWASP references.

What Fendix detects

Eight vulnerability categories across your API surface — from authentication flaws to information leakage.

Auth bypass

Missing or broken authentication on API endpoints

CORS misconfig

Wildcard origins, credentials leaks, preflight issues

Security headers

Missing CSP, HSTS, X-Frame-Options, and more

Hardcoded secrets

API keys, tokens, and passwords committed to source

Injection testing

SQLi, command injection, and header injection probes

Rate limiting

Unthrottled endpoints vulnerable to brute force

Data exposure

Internal IPs, stack traces, and debug info in responses

Server disclosure

Leaked server versions, technology fingerprinting

Every finding, fully explained

Fendix doesn't just flag issues — it shows the HTTP response, the source code location, a plain-English fix, and the relevant CWE and OWASP reference.

  • Severity-ranked finding list
  • Raw HTTP evidence per finding
  • Fix recommendation + code location
  • CWE and OWASP references
  • Export to JSON, HTML, or SARIF

terminal
fendix scan https://api.example.com --mode hybrid
Scanning…
CRITICAL  Missing auth on /api/users
HIGH      CORS wildcard + credentials
HIGH      Hardcoded AWS key in source
MEDIUM    Missing Content-Security-Policy
LOW       Server version disclosed
5 findings · 4.5s

Fits your workflow

Run Fendix from the command line, plug it into CI/CD, or spin it up in Docker — your choice.

terminal
# Install Fendix
curl -sSL https://get.fendix.dev | sh

# Run a hybrid scan
fendix scan https://api.example.com \
  --mode hybrid \
  --code ./src \
  --fail-on HIGH

# Export results
fendix export --format sarif -o results.sarif

Frequently asked questions

Everything you need to know about Fendix.

Yes. Fendix is fully open-source under the MIT license. You can run it locally, in CI/CD, or self-host the dashboard — no account or API key required.

Fendix's black-box scanner works with any HTTP API regardless of language. The white-box analyzer currently supports Python, Go, JavaScript, and TypeScript with more languages coming soon.

Hybrid mode runs both black-box probing and white-box static analysis in parallel, then cross-references the results. When a runtime vulnerability matches a code-level finding, Fendix produces a correlated finding with both HTTP evidence and the exact source code location.

Absolutely. Fendix ships as a single binary, a Docker image, and a GitHub Action. Set --fail-on to any severity level and Fendix will exit with code 1 if findings meet or exceed that threshold — perfect for blocking merges.

Black-box scanning sends live HTTP requests to your API to detect issues like auth bypass, CORS misconfigs, and injection vulnerabilities — no source code needed. White-box scanning analyzes your source code statically to find hardcoded secrets, insecure patterns, and policy violations without making any network requests.

Fendix can export results as JSON (for programmatic use), SARIF (for GitHub Code Scanning integration), and HTML (for human-readable reports you can share with your team).
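To make the black-box checks and the --fail-on gate concrete, here is an added Python example that is not Fendix's own code: it derives findings from one response's headers for the CORS, security-header and server-disclosure categories listed above, then computes the CI exit code for a --fail-on threshold the way the FAQ describes (exit 1 when any finding meets or exceeds the level). The finding titles, severity choices, CWE mapping and the probe_origin parameter are this example's own assumptions, and the sample headers are constructed.

```python
from typing import Dict, List, Optional

# Severity order for the --fail-on gate; the same five levels the page's dashboard shows.
SEVERITY_RANK = {"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
# Headers whose absence the page lists under "Security headers"; severities are assumed.
REQUIRED_HEADERS = (("content-security-policy", "Content-Security-Policy", "MEDIUM"),
                    ("strict-transport-security", "Strict-Transport-Security", "MEDIUM"),
                    ("x-frame-options", "X-Frame-Options", "LOW"))


def check_response(headers: Dict[str, str], probe_origin: Optional[str] = None) -> List[dict]:
    """Derive findings from one response's headers. probe_origin is the Origin the
    scanner sent, so an echoed origin plus credentials can be recognised."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao == "*" and creds:
        findings.append({"severity": "HIGH", "cwe": "CWE-942",
                         "title": "CORS wildcard with credentials allowed"})
    elif probe_origin and acao == probe_origin and creds:
        # Server echoed an arbitrary origin and still allowed cookies: cross-site reads possible.
        findings.append({"severity": "HIGH", "cwe": "CWE-942",
                         "title": "CORS origin reflected with credentials allowed"})
    elif acao == "*":
        findings.append({"severity": "MEDIUM", "cwe": "CWE-942", "title": "CORS wildcard origin"})
    for key, display, sev in REQUIRED_HEADERS:
        if key not in h:
            findings.append({"severity": sev, "cwe": "CWE-693", "title": f"Missing {display} header"})
    server = h.get("server", "")
    if any(c.isdigit() for c in server):  # "nginx/1.18.0" discloses a version, "nginx" does not
        findings.append({"severity": "LOW", "cwe": "CWE-200",
                         "title": f"Server version disclosed ({server})"})
    return findings


def gate(findings: List[dict], fail_on: str) -> int:
    """CI exit code: 1 when any finding meets or exceeds the --fail-on level, else 0."""
    threshold = SEVERITY_RANK[fail_on.upper()]
    return 1 if any(SEVERITY_RANK[f["severity"]] >= threshold for f in findings) else 0


# Constructed sample response headers, not a real capture.
SAMPLE_HEADERS = {"Server": "nginx/1.18.0", "Access-Control-Allow-Origin": "*",
                  "Access-Control-Allow-Credentials": "true"}

if __name__ == "__main__":
    found = check_response(SAMPLE_HEADERS, probe_origin="https://probe.example")
    for f in found:
        print(f"{f['severity']:<8} {f['title']}  [{f['cwe']}]")
    print("exit code with --fail-on HIGH:", gate(found, "HIGH"))
```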

Ready to secure your API?

Run your first scan in under a minute. Open source, free forever, no account required.