|
1 | 1 | # SecNode API |
2 | 2 |
|
3 | | -Schema-driven API security testing with LLM-assisted test generation and async execution. |
| 3 | +[](https://github.com/secnode/secnodeapi/actions/workflows/secnode-pentest.yml) |
| 4 | +[](https://www.python.org/downloads/) |
| 5 | +[](./LICENSE) |
4 | 6 |
|
5 | | -## What it does |
| 7 | +AI-augmented, schema-driven API penetration testing from OpenAPI/Swagger specs, with asynchronous execution and structured reporting. |
6 | 8 |
|
7 | | -SecNode API ingests OpenAPI/Swagger specs, builds API context with an LLM, generates adversarial test cases, executes them concurrently, validates likely findings with deterministic retest, and writes reports. |
| 9 | +## Why SecNode API |
8 | 10 |
|
9 | | -It is useful for: |
| 11 | +SecNode API helps security engineers and backend teams run repeatable API risk assessments in staging and CI without writing one-off test scripts for every target. |
10 | 12 |
|
11 | | -- fast staging API risk sweeps |
12 | | -- CI security regression checks |
13 | | -- structured test-case generation for manual review |
| 13 | +- Ingests local or remote OpenAPI/Swagger schema files |
| 14 | +- Uses an LLM to understand API behavior and generate adversarial test cases |
| 15 | +- Executes tests concurrently with optional proxy routing |
| 16 | +- Supports autonomous agent mode with request budgets and iterative replanning |
| 17 | +- Produces both human-readable and machine-readable findings |
14 | 18 |
|
15 | | -## What it does not guarantee |
| 19 | +## What It Is and Is Not |
16 | 20 |
|
17 | | -- no guarantee of zero false positives |
18 | | -- no full replacement for manual penetration testing |
19 | | -- no complete coverage of undocumented endpoints |
| 21 | +SecNode API is a practical automation layer for API security testing. |
20 | 22 |
|
21 | | -## Quick start |
| 23 | +- It is useful for fast risk triage, regression checks, and structured analyst review |
| 24 | +- It does not replace manual penetration testing or threat modeling |
| 25 | +- It can still produce false positives or miss undocumented behavior |
| 26 | + |
| 27 | +## Installation |
| 28 | + |
| 29 | +### Requirements |
| 30 | + |
| 31 | +- Python 3.9+ |
| 32 | +- Access to an LLM provider key (OpenAI or Anthropic) |
| 33 | + |
| 34 | +### Install from source |
22 | 35 |
|
23 | 36 | ```bash |
24 | 37 | python -m venv .venv |
25 | 38 | source .venv/bin/activate |
26 | 39 | pip install -r requirements.txt |
27 | 40 | pip install -e .[dev] |
| 41 | +``` |
| 42 | + |
| 43 | +On Windows (PowerShell): |
| 44 | + |
| 45 | +```powershell |
| 46 | +python -m venv .venv |
| 47 | +.venv\Scripts\Activate.ps1 |
| 48 | +pip install -r requirements.txt |
| 49 | +pip install -e .[dev] |
| 50 | +``` |
| 51 | + |
| 52 | +## Configuration |
| 53 | + |
| 54 | +Set the model and provider credentials before running scans: |
28 | 55 |
|
| 56 | +```bash |
29 | 57 | export SECNODE_LLM="openai/gpt-4o" |
30 | 58 | export OPENAI_API_KEY="your-api-key" |
| 59 | +``` |
31 | 60 |
|
32 | | -secnodeapi --target https://api.example.com/swagger.json |
| 61 | +Or with Anthropic: |
| 62 | + |
| 63 | +```bash |
| 64 | +export SECNODE_LLM="anthropic/claude-3-5-sonnet-20241022" |
| 65 | +export ANTHROPIC_API_KEY="your-anthropic-key" |
33 | 66 | ``` |
34 | 67 |
|
35 | | -Reports are written to `results/<target>_<timestamp>/`. |
| 68 | +Provider keys are model-specific. See [LiteLLM providers](https://docs.litellm.ai/docs/providers). |
| 69 | + |
| 70 | +## Quick Start |
| 71 | + |
| 72 | +Run against a remote schema: |
36 | 73 |
|
37 | | -## CLI usage |
| 74 | +```bash |
| 75 | +secnodeapi --target https://api.example.com/swagger.json |
| 76 | +``` |
| 77 | + |
| 78 | +Run against a local schema file: |
38 | 79 |
|
39 | 80 | ```bash |
40 | 81 | secnodeapi --target ./openapi.yaml |
41 | | -secnodeapi --target https://api.example.com/swagger.json --dry-run --dry-run-output results/tests.json |
42 | | -secnodeapi --target https://api.example.com/swagger.json --auth-header "Authorization: Bearer token" |
| 82 | +``` |
| 83 | + |
| 84 | +Reports are written to `results/<target_or_local_schema>_<timestamp>/`. |
| 85 | + |
| 86 | +## CLI Usage |
| 87 | + |
| 88 | +```bash |
| 89 | +secnodeapi --target ./openapi.yaml --schema-only |
| 90 | +secnodeapi --target https://api.example.com/swagger.json --dry-run --dry-run-output ./results/tests.json |
| 91 | +secnodeapi --target https://api.example.com/swagger.json --auth-header "Authorization: Bearer <token>" |
43 | 92 | secnodeapi --target https://api.example.com/swagger.json --proxy http://127.0.0.1:8080 --insecure |
| 93 | +secnodeapi --target https://api.example.com/swagger.json --mode agent --request-budget 500 --max-iterations 6 |
44 | 94 | ``` |
45 | 95 |
|
46 | | -### Key flags |
| 96 | +### Key options |
| 97 | + |
| 98 | +- `--target` URL or local path to OpenAPI schema (required) |
| 99 | +- `--mode` `agent` (default) or `legacy` execution pipeline |
| 100 | +- `--concurrency` concurrent request workers |
| 101 | +- `--auth-header` single inline auth header |
| 102 | +- `--auth-file` JSON file of auth headers |
| 103 | +- `--identities-file` JSON identities for differential auth testing |
| 104 | +- `--schema-only` output normalized API structure and exit |
| 105 | +- `--dry-run` generate tests without executing |
| 106 | +- `--dry-run-output` write generated tests to JSON (requires `--dry-run`) |
| 107 | +- `--request-budget` max request count in agent mode |
| 108 | +- `--per-endpoint-budget` max attempts per endpoint in agent mode |
| 109 | +- `--max-iterations` max plan/execute loops in agent mode |
| 110 | +- `--proxy` route traffic via proxy |
| 111 | +- `--insecure` disable TLS verification for controlled environments |
47 | 112 |
|
48 | | -- `--schema-only`: parse schema and output normalized structure |
49 | | -- `--dry-run`: generate tests without executing |
50 | | -- `--dry-run-output`: save generated tests to JSON |
51 | | -- `--insecure`: disable TLS verification (controlled environments only) |
| 113 | +## Output |
| 114 | + |
| 115 | +Each run generates an output directory containing: |
| 116 | + |
| 117 | +- `report.md` with executive summary, severity overview, and evidence sections |
| 118 | +- `findings.json` for machine processing and pipeline integration |
52 | 119 |
|
53 | 120 | ## Development |
54 | 121 |
|
55 | | -- `make install-dev` |
56 | | -- `make lint` |
57 | | -- `make test` |
58 | | -- `make build` |
| 122 | +```bash |
| 123 | +make install-dev |
| 124 | +make lint |
| 125 | +make test |
| 126 | +make test-cov |
| 127 | +make build |
| 128 | +``` |
| 129 | + |
| 130 | +## CI |
| 131 | + |
| 132 | +GitHub Actions workflow runs: |
| 133 | + |
| 134 | +- lint checks |
| 135 | +- test suite with coverage thresholds |
| 136 | +- package build |
| 137 | +- scan job template for staging targets |
| 138 | + |
| 139 | +## Security and Responsible Use |
| 140 | + |
| 141 | +Only test systems you own or are explicitly authorized to assess. |
| 142 | + |
| 143 | +- Read the disclosure process in [SECURITY.md](./SECURITY.md) |
| 144 | +- Follow community expectations in [CODE_OF_CONDUCT.md](./CODE_OF_CONDUCT.md) |
59 | 145 |
|
60 | | -See: |
| 146 | +## Contributing |
61 | 147 |
|
62 | | -- `docs/ARCHITECTURE.md` |
63 | | -- `docs/DEVELOPMENT.md` |
64 | | -- `docs/API_REFERENCE.md` |
65 | | -- `docs/SECURITY.md` |
| 148 | +Contributions are welcome. For setup and PR expectations, see [CONTRIBUTING.md](./CONTRIBUTING.md). |
66 | 149 |
|
67 | 150 | ## License |
68 | 151 |
|
69 | | -Apache 2.0. See `LICENSE`. |
| 152 | +Apache 2.0. See [LICENSE](./LICENSE). |
0 commit comments