Open-source API security scanner

Find API security flaws before attackers do

Fendix combines live HTTP probing with static analysis to surface auth bypass, CORS misconfigs, exposed secrets, and more — in a single scan.

Auth bypass detection · Secret scanning · Active injection probes · Rate limit testing · SARIF / JSON / HTML export

Three scan modes · Eleven vulnerability categories · MIT open-source license

Three modes. One tool.

Run any combination of scan modes against any target — no agents to install, no YAML sprawl.

Black-box scanning

Probe live APIs for auth bypass, CORS misconfigs, header issues, rate limiting, and active injection probes (SQLi, CMDi, CRLF) — no source code required.

White-box analysis

Static analysis of your source code to surface hardcoded secrets, insecure patterns, dependency CVEs, and policy violations before they ship.

Correlated findings

Hybrid mode cross-references runtime behaviour with source evidence — every finding includes both HTTP proof and code location.

Your security command center

Track every scan, triage findings by severity, and monitor your API security posture — all from a single dashboard.

Total Scans: 14 · Findings: 47 · Critical: 6 · High: 14

Findings by Severity

CRITICAL: 10
HIGH: 29
MEDIUM: 37
LOW: 18
INFO: 6

Latest Findings

CRITICAL  Missing authentication on /api/users
CRITICAL  SQL injection via time-based delay
HIGH      CORS wildcard with credentials allowed
HIGH      Hardcoded AWS access key in source
MEDIUM    Missing Content-Security-Policy header

Built for real security workflows

Fendix supports day-to-day developer checks, AppSec investigations, and CI/CD security gates.

For Developers

Run fast pre-merge scans and fix issues with code-level evidence.

For AppSec Teams

Correlate runtime and static findings to prioritize high-confidence risk.

For CI/CD Pipelines

Block risky releases by threshold and export artifacts for audit trails.

How it works

From zero to findings in three steps.

01 Configure

Choose a scan mode, point Fendix at your API URL and/or source path, and optionally add an auth token.

02 Scan

Fendix runs black-box probes, static analysis, or both in parallel — results stream in as they arrive.

03 Remediate

Every finding comes with evidence, a fix recommendation, and CWE / OWASP references.

What Fendix detects

Eleven vulnerability categories across your API surface — from authentication flaws and active injection probes to dependency CVEs.

Auth bypass

Missing or broken authentication on API endpoints

CORS misconfig

Wildcard origins, credentials leaks, preflight issues

Security headers

Missing CSP, HSTS, X-Frame-Options, and more

Hardcoded secrets

API keys, tokens, and passwords committed to source

SQL injection

Time-based blind SQLi detection for MySQL, PostgreSQL, and MSSQL

Command & header injection

CMDi canary detection and CRLF header injection probes

IDOR detection

Two-account access control checks for insecure direct object references

Rate limiting

Unthrottled endpoints vulnerable to brute force

Data exposure

Internal IPs, stack traces, and debug info in responses

Dependency CVEs

Known vulnerabilities in PyPI and npm packages via pip-audit and npm audit

Server disclosure

Leaked server versions, technology fingerprinting
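The CORS, security-header and server-disclosure categories above are all passive checks: they only need the headers of a response the API already sent. The following is an added example of such checks, not Fendix's own code; the response headers, the `SAMPLE_ORIGIN` value and the rule-to-CWE pairing are constructed for the example.

```python
"""Passive header checks of the kind a black-box API scanner runs.

Added example, not Fendix's own code. It inspects the headers of one captured
HTTP response for three of the categories above: CORS misconfiguration,
missing security headers, and server version disclosure. No request is sent;
the response below is constructed for the example.
"""
from __future__ import annotations

import re

# Browser-protective headers an API response is expected to carry.
REQUIRED_HEADERS = {
    "content-security-policy": "Missing Content-Security-Policy header",
    "strict-transport-security": "Missing Strict-Transport-Security (HSTS) header",
    "x-frame-options": "Missing X-Frame-Options header",
    "x-content-type-options": "Missing X-Content-Type-Options header",
}

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "INFO": 0}

# Matches "nginx/1.18.0" or "Apache/2.4.57 (Ubuntu)": product name plus version.
VERSION_RE = re.compile(r"^[A-Za-z][\w.-]*/\d+(\.\d+)+")


def _norm(headers: dict[str, str]) -> dict[str, str]:
    """Header names are case-insensitive, so compare them lowercased."""
    return {k.lower(): v.strip() for k, v in headers.items()}


def _finding(severity: str, title: str, evidence: str, cwe: int) -> dict:
    return {"severity": severity, "title": title, "evidence": evidence, "cwe": cwe}


def check_cors(headers: dict[str, str], request_origin: str | None) -> list[dict]:
    """Flag CORS policies that let any web origin read API responses."""
    h = _norm(headers)
    acao = h.get("access-control-allow-origin")
    credentials = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return []  # no CORS policy at all: browsers deny cross-origin reads
    evidence = f"Access-Control-Allow-Origin: {acao}"
    if credentials:
        evidence += "\nAccess-Control-Allow-Credentials: true"
    if acao == "*":
        # Browsers refuse "*" together with credentials, but the pair still
        # shows a policy meant to be fully open, so it is ranked HIGH.
        title = "CORS wildcard origin" + (" with credentials allowed" if credentials else "")
        return [_finding("HIGH" if credentials else "LOW", title, evidence, 942)]
    if request_origin and acao == request_origin and credentials:
        # The server echoed whatever Origin the request carried and allowed
        # cookies: any site can make credentialed reads on behalf of a user.
        return [_finding("HIGH", "CORS reflects arbitrary Origin with credentials", evidence, 942)]
    return []


def check_security_headers(headers: dict[str, str]) -> list[dict]:
    h = _norm(headers)
    return [_finding("MEDIUM", title, f"{name} header absent", 693)
            for name, title in REQUIRED_HEADERS.items() if name not in h]


def check_server_disclosure(headers: dict[str, str]) -> list[dict]:
    h = _norm(headers)
    out = []
    for name in ("server", "x-powered-by"):
        value = h.get(name)
        if value and VERSION_RE.match(value):
            out.append(_finding("LOW", "Server version disclosed", f"{name}: {value}", 200))
    return out


def scan_response(headers: dict[str, str], request_origin: str | None = None) -> list[dict]:
    """Run all passive checks and return findings, most severe first."""
    findings = (check_cors(headers, request_origin)
                + check_security_headers(headers)
                + check_server_disclosure(headers))
    return sorted(findings, key=lambda f: SEVERITY_RANK[f["severity"]], reverse=True)


# Constructed response: a JSON API that reflects the Origin header, allows
# credentials, omits most protective headers, and names its nginx version.
SAMPLE_ORIGIN = "https://untrusted.example"
SAMPLE_HEADERS = {
    "Content-Type": "application/json",
    "Server": "nginx/1.18.0",
    "Access-Control-Allow-Origin": SAMPLE_ORIGIN,
    "Access-Control-Allow-Credentials": "true",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for f in scan_response(SAMPLE_HEADERS, SAMPLE_ORIGIN):
        print(f"{f['severity']:<8} {f['title']}  (CWE-{f['cwe']})")
```

The reflected-origin case is checked by comparing the response's allowed origin with the origin the scanner itself sent, which is why `scan_response` takes the request origin as a parameter: a fixed allow-list value that happens to differ from the request origin is not a finding.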

Every finding, fully explained

Fendix doesn't just flag issues — it shows the HTTP response, the source code location, a plain-English fix, and the relevant CWE and OWASP reference.

  • Severity-ranked finding list
  • Raw HTTP evidence per finding
  • Fix recommendation + code location
  • CWE and OWASP references
  • Export to JSON, HTML, or SARIF

$ fendix scan https://api.example.com --mode hybrid
Scanning…
CRITICAL  Missing auth on /api/users
CRITICAL  SQL injection via time-based delay on /api/search
HIGH      CORS wildcard + credentials
HIGH      Hardcoded AWS key in source
HIGH      CRLF header injection on /api/redirect
MEDIUM    Missing Content-Security-Policy
LOW       Server version disclosed
7 findings · 4.5s

Fits your workflow

Run Fendix from the command line, plug it into CI/CD, or spin it up in Docker — your choice.

# Install Fendix
curl -sSL https://get.fendix.dev | sh

# Run a hybrid scan
fendix scan https://api.example.com \
  --mode hybrid \
  --code ./src \
  --fail-on HIGH

# Export results
fendix export --format sarif -o results.sarif

Frequently asked questions

Everything you need to know about Fendix.

Yes. Fendix is fully open-source under the MIT license. You can run it locally, in CI/CD, or self-host the dashboard — no account or API key required.

Fendix's black-box scanner works with any HTTP API regardless of language. The white-box analyzer currently supports Python, Go, JavaScript, and TypeScript source analysis, plus dependency CVE checking for PyPI and npm packages.

Hybrid mode runs both black-box probing and white-box static analysis in parallel, then cross-references the results. When a runtime vulnerability matches a code-level finding, Fendix produces a correlated finding with both HTTP evidence and the exact source code location.

Absolutely. Fendix ships as a single binary, a Docker image, and a GitHub Action. Set --fail-on to any severity level and Fendix will exit with code 1 if findings meet or exceed that threshold — perfect for blocking merges.

Black-box scanning sends live HTTP requests to your API to detect issues like auth bypass, CORS misconfigs, and injection vulnerabilities — no source code needed. White-box scanning analyzes your source code statically to find hardcoded secrets, insecure patterns, and policy violations without making any network requests.

Fendix can export results as JSON (for programmatic use), SARIF 2.1.0 (for GitHub Code Scanning integration), and HTML (a self-contained, single-file report you can share with your team).
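What a SARIF 2.1.0 export of scanner findings looks like, as an added example rather than Fendix's own exporter: the finding records, the `FX-*` rule ids and the tool name are constructed for the example, while the document keys (`runs`, `tool.driver.rules`, `results`, `physicalLocation`) are the ones the SARIF 2.1.0 specification defines and GitHub Code Scanning consumes.

```python
"""Export scanner findings as SARIF 2.1.0 for GitHub Code Scanning upload.

Added example, not Fendix's own exporter. The finding dictionaries and the
rule ids are constructed for the example; the SARIF keys follow the 2.1.0
specification (runs, tool.driver.rules, results, physicalLocation).
"""
from __future__ import annotations

import json

# SARIF has only four result levels, so five scanner severities map onto
# them; the original severity is preserved in the result's property bag.
SARIF_LEVEL = {"CRITICAL": "error", "HIGH": "error", "MEDIUM": "warning",
               "LOW": "note", "INFO": "note"}


def to_sarif(findings: list[dict], tool_name: str = "fendix-example",
             tool_version: str = "0.0.0-example") -> dict:
    rules: dict[str, dict] = {}
    results = []
    for f in findings:
        rule_id = f["rule_id"]
        # One rule entry per rule id; the first finding's text describes it.
        rules.setdefault(rule_id, {
            "id": rule_id,
            "shortDescription": {"text": f["title"]},
            "fullDescription": {"text": f.get("fix", f["title"])},
            "properties": {"tags": [f"external/cwe/cwe-{f['cwe']}"]},
        })
        message = f["title"]
        if f.get("endpoint"):
            message += f" (endpoint {f['endpoint']})"
        result = {
            "ruleId": rule_id,
            "level": SARIF_LEVEL[f["severity"]],
            "message": {"text": message},
            "properties": {"severity": f["severity"]},
        }
        if f.get("file"):
            # Code-level evidence becomes a physical location that GitHub can
            # annotate; the uri is relative to the repository root.
            result["locations"] = [{
                "physicalLocation": {
                    "artifactLocation": {"uri": f["file"], "uriBaseId": "%SRCROOT%"},
                    "region": {"startLine": f.get("line", 1)},
                }
            }]
        results.append(result)
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": tool_version,
                                "rules": list(rules.values())}},
            "results": results,
        }],
    }


def sarif_json(findings: list[dict]) -> str:
    """Serialise with sorted keys so repeated exports diff cleanly."""
    return json.dumps(to_sarif(findings), indent=2, sort_keys=True)


# Constructed findings: one correlated (HTTP + source) and one runtime-only.
SAMPLE_FINDINGS = [
    {"rule_id": "FX-AUTH-001", "severity": "CRITICAL", "cwe": 306,
     "title": "Missing authentication on /api/users", "endpoint": "/api/users",
     "file": "src/routes/users.py", "line": 42,
     "fix": "Require an authenticated principal before handling the request."},
    {"rule_id": "FX-HDR-002", "severity": "MEDIUM", "cwe": 693,
     "title": "Missing Content-Security-Policy header", "endpoint": "/",
     "fix": "Send a Content-Security-Policy header on every response."},
]

if __name__ == "__main__":
    print(sarif_json(SAMPLE_FINDINGS))
```

Runtime-only findings have no source file, so they carry no `locations` entry and keep the affected endpoint in the message text; a correlated finding from hybrid mode supplies both, which is what lets a code-scanning UI place the annotation on the exact line.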

Active probes send specially crafted payloads to detect SQL injection (time-based blind SQLi), command injection (safe echo canary), and CRLF header injection. They are always OFF by default — you must explicitly pass --enable-active to use them. A legal disclaimer is shown when enabled, and a per-endpoint rate limiter caps probes at 20 per endpoint to prevent excessive traffic.

Yes. Use --save-baseline to snapshot your current findings, then pass --baseline on subsequent scans. Fendix will diff the results and show only new findings, making it easy to track security posture over time and gate CI/CD pipelines on regressions.
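The two CI mechanisms the answers above describe, a severity threshold that turns into a non-zero exit code and a baseline diff that reports only new findings, as an added example that is not Fendix's own code. The finding records, the `FX-*` rule ids and the baseline file layout are constructed for the example; the fingerprint used to match findings across scans is a design choice of the example, not something the page states about Fendix.

```python
"""CI gating on findings: a --fail-on severity threshold and a baseline diff.

Added example, not Fendix's own code: it shows the two mechanisms the FAQ
describes, exiting non-zero when any finding meets the threshold, and
reporting only findings that are new relative to a saved baseline. File
paths and the finding records are constructed for the example.
"""
from __future__ import annotations

import json
import os
import tempfile

SEVERITY_ORDER = ["INFO", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def fingerprint(f: dict) -> tuple:
    """Stable identity of a finding across scans.

    Line numbers are deliberately left out: an unrelated edit that shifts
    code would otherwise make every old finding look new again.
    """
    return (f["rule_id"], f.get("endpoint", ""), f.get("file", ""))


def save_baseline(findings: list[dict], path: str) -> None:
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(sorted(findings, key=fingerprint), fh, indent=2)


def load_baseline(path: str) -> list[dict]:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def new_findings(current: list[dict], baseline: list[dict]) -> list[dict]:
    """Findings in `current` whose fingerprint is absent from the baseline."""
    known = {fingerprint(f) for f in baseline}
    return [f for f in current if fingerprint(f) not in known]


def exit_code(findings: list[dict], fail_on: str) -> int:
    """1 if any finding is at or above the threshold, else 0."""
    threshold = SEVERITY_ORDER.index(fail_on.upper())
    hit = any(SEVERITY_ORDER.index(f["severity"].upper()) >= threshold for f in findings)
    return 1 if hit else 0


def gate(current: list[dict], baseline: list[dict], fail_on: str) -> tuple[list[dict], int]:
    """Combine both mechanisms: gate only on regressions, as a CI job would."""
    fresh = new_findings(current, baseline)
    return fresh, exit_code(fresh, fail_on)


# Constructed scan results: the first scan has two findings; the second scan
# still has both (one moved to a different line) plus a new HIGH finding.
FIRST_SCAN = [
    {"rule_id": "FX-HDR-002", "severity": "MEDIUM", "endpoint": "/",
     "title": "Missing Content-Security-Policy header"},
    {"rule_id": "FX-SEC-004", "severity": "HIGH", "file": "src/config.py",
     "line": 10, "title": "Hardcoded AWS access key in source"},
]
SECOND_SCAN = [
    {"rule_id": "FX-HDR-002", "severity": "MEDIUM", "endpoint": "/",
     "title": "Missing Content-Security-Policy header"},
    {"rule_id": "FX-SEC-004", "severity": "HIGH", "file": "src/config.py",
     "line": 17, "title": "Hardcoded AWS access key in source"},
    {"rule_id": "FX-CORS-003", "severity": "HIGH", "endpoint": "/api/search",
     "title": "CORS reflects arbitrary Origin with credentials"},
]


def run_demo(fail_on: str = "HIGH") -> tuple[list[dict], int]:
    """Snapshot the first scan to a file, then gate the second against it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "baseline.json")
        save_baseline(FIRST_SCAN, path)
        return gate(SECOND_SCAN, load_baseline(path), fail_on)


if __name__ == "__main__":
    fresh, code = run_demo()
    for f in fresh:
        print(f"NEW {f['severity']:<8} {f['title']}")
    print(f"exit code: {code}")
```

Without the baseline, the second scan would fail a `HIGH` gate on the pre-existing hardcoded key alone; with it, only the new CORS finding is reported, and the job still exits 1 because that regression meets the threshold. Gating on the full result set instead of the diff is the stricter choice for a first adoption, and the baseline is what makes the incremental policy practical afterwards.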

Ready to secure your API?

Run your first scan in under a minute. Open source, free forever, no account required.