v0.19.0 — scan from an uploaded OpenAPI/Swagger spec file, the FastAPI auth check now scoped to real routes (no more Django/DRF/Celery false positives), and a sharper password-exposure guard
API Security · DAST + SAST · Open Source

DAST + SAST in one PR check, confirmed by both engines

Fendix runs DAST probes on every scan. Only findings where the runtime probe and the static analysis independently agree make it to your PR — so the queue stays small and every alert means something. Run the same engine on every commit: a diff-aware scan of just the staged files finishes in ~18ms, or wire it as a pre-commit hook with one command.

Diff-aware / pre-commit scan · Proven Path taint chains · Auth bypass detection · Secret scanning · Active injection probes · SARIF / JSON / HTML export

Auth bypass · SQL injection · CORS misconfig · Cmd injection · CRLF injection · Reflected XSS · SSRF · Open redirect · Host-header injection · GraphQL introspection · Method tampering · Cookie flags · Hardcoded secrets · Dependency CVEs · IDOR · Rate limiting · Security headers · Data exposure · Server disclosure · Diff scan · Pre-commit hook · Proven Path · Taint chain · Transitive SCA · SARIF · GitHub Actions · Docker · OWASP Top 10 · CWE

Latest release: v0.19.0

01 · Scan Modes

Three modes. One tool.

Run any combination of scan modes against any target — no agents to install, no YAML sprawl.

Black-box scanning

Probe live APIs for auth bypass, IDOR, CORS misconfigs, header issues, rate limiting, cookie-flag and data-exposure leaks, plus active probes for injection (SQLi, CMDi, CRLF), reflected XSS, SSRF, open redirect, host-header injection, GraphQL introspection, and HTTP method tampering — no source code required.

White-box analysis

Static analysis that surfaces hardcoded secrets, insecure patterns, and transitive dependency CVEs (poetry.lock / Pipfile.lock resolved closure, not just direct deps) — plus Proven Path taint chains: route → handler → source → sink, exported as SARIF codeFlows.

Correlated findings

Hybrid mode cross-references runtime behaviour with source evidence — every finding includes HTTP proof, the source line, and the proven taint path from request source to dangerous sink.
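As an added example (not Fendix's own code), a small consumer for the SARIF codeFlows described above: it walks each result's threadFlow and renders the Proven Path as route → handler → source → sink lines, the kind of text a PR comment or ticket would carry. The SARIF document is constructed for this example; the rule id, file names and line numbers are made up.

```python
import json


def _step(uri, line, text):
    """Build one SARIF threadFlow location (helper for the constructed sample)."""
    return {"location": {
        "physicalLocation": {"artifactLocation": {"uri": uri},
                             "region": {"startLine": line}},
        "message": {"text": text}}}


# Constructed SARIF 2.1.0 document in the shape the page describes: one result
# whose codeFlow walks route -> handler -> source -> sink. Rule id, file names
# and line numbers are invented for this example.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "fendix"}},
        "results": [{
            "ruleId": "sql-injection",
            "level": "error",
            "message": {"text": "SQL injection via time-based delay on /api/search"},
            "codeFlows": [{"threadFlows": [{"locations": [
                _step("src/routes.py", 10, "route GET /api/search"),
                _step("src/search.py", 31, "handler search()"),
                _step("src/search.py", 33, "source request.args['q']"),
                _step("src/search.py", 42, "sink cursor.execute()"),
            ]}]}],
        }],
    }],
})


def taint_paths(sarif_text):
    """Return one (rule_id, level, [step, ...]) tuple per codeFlow thread;
    each step reads 'uri:line  message', ready to print or post."""
    out = []
    for run in json.loads(sarif_text).get("runs", []):
        for res in run.get("results", []):
            for flow in res.get("codeFlows", []):
                for thread in flow.get("threadFlows", []):
                    steps = []
                    for loc in thread.get("locations", []):
                        inner = loc.get("location", {})
                        phys = inner.get("physicalLocation", {})
                        uri = phys.get("artifactLocation", {}).get("uri", "?")
                        line = phys.get("region", {}).get("startLine", "?")
                        text = inner.get("message", {}).get("text", "")
                        steps.append(f"{uri}:{line}  {text}")
                    out.append((res.get("ruleId"), res.get("level"), steps))
    return out
```

Point it at a real `results.sarif` from `fendix scan --format sarif` and join each step list with " -> " to get the chain as one line.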

02 · Dashboard

Your security command center

Track every scan, triage findings by severity, and monitor your API security posture — all from a single dashboard.

Dashboard mockup (localhost:3000/dashboard, live view) with panels for Total Scans, Findings, Critical, High, Findings by Severity (CRITICAL / HIGH / MEDIUM / LOW / INFO) and a Latest Findings list:

CRITICAL  Missing authentication on /api/users
CRITICAL  SQL injection via time-based delay
HIGH      CORS wildcard with credentials allowed
HIGH      Hardcoded AWS access key in source
MEDIUM    Missing Content-Security-Policy header

03 · Workflows

Fits your existing workflow

One install. Three workflows. The same rule everywhere: a check only fails when both engines confirm the finding.

For developers

Scan only what you changed, on every commit. fendix scan --diff --staged --fast finishes in ~18ms on a 200-file monorepo; fendix hook install makes it a pre-commit gate that blocks a leaked secret before it ever lands.

For AppSec teams

Stop triaging maybes. Correlated findings cut the noise ~70%, and every alert comes with both HTTP proof and the source line. Fewer dead-end tickets, more fixes.

For CI/CD pipelines

Runs on every commit locally and as one PR check. SARIF upload, signed binaries (cosign keyless), zero telemetry — fits a security-conscious gate without an exception list.

04 · Process

How it works

From zero to findings in three steps.

01 Configure

Choose a scan mode, point Fendix at your API URL and/or source path, optionally add an auth token.

02 Scan

Run black-box probes, static analysis, or both — full repo in CI, or just the diff on every commit (~18ms on a 200-file monorepo). fendix hook install wires it as a pre-commit gate.

03 Remediate

Every finding comes with evidence, a fix recommendation, and CWE / OWASP references.

05 · Coverage

What Fendix detects

Eleven vulnerability categories across your API surface — from authentication flaws and active injection probes to dependency CVEs.

Auth bypass

Missing or broken authentication on API endpoints

CORS misconfig

Wildcard origins, credentials leaks, preflight issues

Security headers

Missing CSP, HSTS, X-Frame-Options, and more

Hardcoded secrets

API keys, tokens, and passwords committed to source

SQL injection

Time-based, error-based, and boolean SQLi probes for major databases (query, header, and body params)

Command & header injection

CMDi canary detection and CRLF header injection probes

IDOR detection

Two-account access control checks for insecure direct object references

Rate limiting

Unthrottled endpoints vulnerable to brute force

Data exposure

Internal IPs, stack traces, and debug info in responses

Dependency CVEs

Known vulnerabilities in PyPI (pip-audit), npm (npm audit), and Go modules (govulncheck) — real OSV/CVE database, with offline fallback

Server disclosure

Leaked server versions, technology fingerprinting

06 · Evidence

Every finding, fully explained

Fendix doesn't just flag issues — it shows the HTTP response, the source code location, a plain-English fix, and the relevant CWE and OWASP reference.

Severity-ranked finding list
Raw HTTP evidence per finding
Fix recommendation + code location
CWE and OWASP references
Export to JSON, HTML, or SARIF
fendix scan https://api.example.com --mode hybrid
Scanning…
CRITICAL  Missing auth on /api/users
CRITICAL  SQL injection via time-based delay on /api/search
HIGH      CORS wildcard + credentials
HIGH      Hardcoded AWS key in source
HIGH      CRLF header injection on /api/redirect
MEDIUM    Missing Content-Security-Policy
LOW       Server version disclosed
7 findings · 4.5s

07 · Integrations

Drop into your tooling

Same single binary, three entry points. Pick the one that matches how your team already runs CI.

# Install via Homebrew (macOS / Linux)
brew tap Abdel-RahmanSaied/fendix
brew install fendix

# Or via curl — short-URL installer, signed binaries (cosign keyless)
curl -fsSL https://get.fendix.dev/install.sh | sh

# Run a hybrid scan — black-box + white-box correlated
fendix scan \
  --url https://api.example.com \
  --code ./src \
  --spec openapi.yaml \
  --fail-on HIGH \
  --format sarif \
  --output results.sarif

# Re-render saved findings without re-scanning
fendix report --input results.json --format html --output report.html
09 · Get Started

Ready to secure your API?

Run your first scan in under a minute. Open source, free forever, no account required.