v0.7.0 — open & extensible (plugins + reachability correlation)
Open-source API security scanner

DAST + SAST in one PR check
confirmed by both engines

Fendix runs both engines on every scan. Only findings where the runtime probe and the static analysis independently agree make it to your PR — so the queue stays small and every alert means something.

Auth bypass detection · Secret scanning · Active injection probes · Rate limit testing · SARIF / JSON / HTML export

Latest release: v0.7.0

Three modes. One tool.

Run any combination of scan modes against any target — no agents to install, no YAML sprawl.

Black-box scanning

Probe live APIs for auth bypass, CORS misconfigs, header issues, rate limiting, and active injection probes (SQLi, CMDi, CRLF) — no source code required.

White-box analysis

Static analysis of your source code to surface hardcoded secrets, insecure patterns, dependency CVEs, and policy violations before they ship.

Correlated findings

Hybrid mode cross-references runtime behaviour with source evidence — every finding includes both HTTP proof and code location.

Your security command center

Track every scan, triage findings by severity, and monitor your API security posture — all from a single dashboard.

Total Scans: 14 · Findings: 47 · Critical: 6 · High: 14

Findings by Severity

CRITICAL 10 · HIGH 29 · MEDIUM 37 · LOW 18 · INFO 6

Latest Findings

CRITICAL  Missing authentication on /api/users
CRITICAL  SQL injection via time-based delay
HIGH      CORS wildcard with credentials allowed
HIGH      Hardcoded AWS access key in source
MEDIUM    Missing Content-Security-Policy header

Fits your existing workflow

One install. Three workflows. Same rule everywhere: the check only fails when both engines confirm a finding.

For developers

Pre-merge scan in 30 seconds. Your build only breaks on findings the runtime probe AND the static analyzer both flag — no false-positive flood, no triage queue.

For AppSec teams

Stop triaging maybes. Correlated findings cut the noise ~70%, and every alert comes with both HTTP proof and the source line. Fewer dead-end tickets, more fixes.

For CI/CD pipelines

One PR check. SARIF upload, signed binaries (cosign keyless), zero telemetry — fits a security-conscious gate without an exception list.

How it works

From zero to findings in three steps.

01 · Configure

Choose a scan mode, point Fendix at your API URL and/or source path, optionally add an auth token.

02 · Scan

Fendix runs black-box probes, static analysis, or both in parallel — results stream in as they arrive.

03 · Remediate

Every finding comes with evidence, a fix recommendation, and CWE / OWASP references.

What Fendix detects

Eleven vulnerability categories across your API surface — from authentication flaws and active injection probes to dependency CVEs.

Auth bypass

Missing or broken authentication on API endpoints

CORS misconfig

Wildcard origins, credentials leaks, preflight issues

Security headers

Missing CSP, HSTS, X-Frame-Options, and more

Hardcoded secrets

API keys, tokens, and passwords committed to source

SQL injection

Time-based, error-based, and boolean SQLi probes for major databases (query, header, and body params)

Command & header injection

CMDi canary detection and CRLF header injection probes

IDOR detection

Two-account access control checks for insecure direct object references

Rate limiting

Unthrottled endpoints vulnerable to brute force

Data exposure

Internal IPs, stack traces, and debug info in responses

Dependency CVEs

Known vulnerabilities in PyPI (pip-audit), npm (npm audit), and Go modules (govulncheck) — real OSV/CVE database, with offline fallback

Server disclosure

Leaked server versions, technology fingerprinting

Every finding, fully explained

Fendix doesn't just flag issues — it shows the HTTP response, the source code location, a plain-English fix, and the relevant CWE and OWASP reference.

  • Severity-ranked finding list
  • Raw HTTP evidence per finding
  • Fix recommendation + code location
  • CWE and OWASP references
  • Export to JSON, HTML, or SARIF

fendix scan https://api.example.com --mode hybrid
Scanning…
CRITICAL  Missing auth on /api/users
CRITICAL  SQL injection via time-based delay on /api/search
HIGH      CORS wildcard + credentials
HIGH      Hardcoded AWS key in source
HIGH      CRLF header injection on /api/redirect
MEDIUM    Missing Content-Security-Policy
LOW       Server version disclosed
7 findings · 4.5s

Drop into your tooling

Same single binary, three entry points. Pick the one that matches how your team already runs CI.

terminal
# Install via Homebrew (macOS / Linux)
brew tap Abdel-RahmanSaied/fendix
brew install fendix

# Or via curl — short-URL installer, signed binaries (cosign keyless)
curl -fsSL https://get.fendix.dev/install.sh | sh

# Run a hybrid scan — black-box + white-box correlated
fendix scan \
  --url https://api.example.com \
  --code ./src \
  --spec openapi.yaml \
  --fail-on HIGH \
  --format sarif \
  --output results.sarif

# Re-render saved findings without re-scanning
fendix report --input results.json --format html --output report.html

Frequently asked questions

Everything you need to know about Fendix.

Is Fendix open-source?

Yes. Fendix is fully open-source under the MIT license. You can run it locally, in CI/CD, or self-host the dashboard — no account or API key required.

Which languages and ecosystems does Fendix support?

Fendix's black-box scanner works with any HTTP API regardless of language. The white-box analyzer currently supports Python, Go, JavaScript, and TypeScript source analysis, plus dependency CVE checking for PyPI (pip-audit), npm (npm audit), and Go modules (govulncheck). The primary code path queries the real OSV/CVE databases when those tools are installed; otherwise the offline fallback is used.

What is hybrid mode?

Hybrid mode runs both black-box probing and white-box static analysis in parallel, then cross-references the results. When a runtime vulnerability matches a code-level finding, Fendix produces a correlated finding with both HTTP evidence and the exact source code location.
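The cross-referencing step described above, as an added example that is not Fendix's own code: a runtime finding and a static finding are joined when they share a category and the probed request path is served by the route template the static finding points at. The finding dicts, their keys, and the sample findings are constructed shapes for illustration; Fendix's real internal format is not shown on this page.

```python
"""Correlating a black-box (runtime) finding with a white-box (static) one.
Added example, not Fendix's own code: the finding dicts, their keys and the
sample data are constructed shapes; Fendix's real format is not on the page."""
import re
def route_to_regex(route):
    """Compile a handler route template (/api/users/{id} or /api/users/:id)
    into a regex matching the concrete paths a runtime probe hits."""
    parts = []
    for seg in route.strip("/").split("/"):
        if seg.startswith(":") or (seg.startswith("{") and seg.endswith("}")):
            parts.append(r"[^/]+")  # one path-parameter segment
        else:
            parts.append(re.escape(seg))
    return re.compile("^/" + "/".join(parts) + "/?$")

def correlate(runtime_findings, static_findings):
    """Keep only findings both engines agree on: same category, and the probed
    request path is served by the route the static finding points at."""
    correlated = []
    for rt in runtime_findings:
        path = rt["path"].split("?", 1)[0]  # query string plays no part in routing
        for st in static_findings:
            if st["category"] != rt["category"] or not st.get("route"):
                continue  # different class of bug, or nothing to route-match (e.g. a secret)
            if route_to_regex(st["route"]).match(path):
                correlated.append({
                    "category": rt["category"], "severity": rt["severity"],
                    "path": path, "http_evidence": rt["evidence"],
                    "code_location": f'{st["file"]}:{st["line"]}',
                })
    return correlated

# Constructed sample findings, not real scan output.
RUNTIME = [
    {"category": "missing-auth", "severity": "CRITICAL", "path": "/api/users/17",
     "evidence": "GET /api/users/17 without Authorization -> 200 OK"},
    {"category": "sqli", "severity": "CRITICAL", "path": "/api/search?q=test",
     "evidence": "time-based delay observed on parameter q"},
    {"category": "cors", "severity": "HIGH", "path": "/api/users/17",
     "evidence": "Access-Control-Allow-Origin: * with credentials"},
]
STATIC = [
    {"category": "missing-auth", "route": "/api/users/{id}", "file": "handlers/users.py", "line": 42},
    {"category": "sqli", "route": "/api/search", "file": "handlers/search.py", "line": 88},
    {"category": "secret", "route": None, "file": "config/settings.py", "line": 3},
]

if __name__ == "__main__":
    for f in correlate(RUNTIME, STATIC):
        print(f["severity"], f["category"], f["path"], "->", f["code_location"])
```

The CORS runtime finding and the hardcoded-secret static finding have no counterpart on the other side, so neither survives correlation; only the two agreed-upon findings would reach the PR.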

Can I use Fendix in CI/CD?

Absolutely. Fendix ships as a single binary, a Docker image, and a GitHub Action. Set --fail-on to any severity level and Fendix will exit with code 1 if findings meet or exceed that threshold — perfect for blocking merges.

What is the difference between black-box and white-box scanning?

Black-box scanning sends live HTTP requests to your API to detect issues like auth bypass, CORS misconfigs, and injection vulnerabilities — no source code needed. White-box scanning analyzes your source code statically to find hardcoded secrets, insecure patterns, and policy violations without making any network requests.

Which export formats are supported?

Fendix can export results as JSON (for programmatic use), SARIF 2.1.0 (for GitHub Code Scanning integration), and HTML (a self-contained, single-file report you can share with your team).

What are active probes, and are they enabled by default?

Active probes send crafted payloads for SQL injection (time-based blind, error-based, and boolean probes), command injection (safe echo canary), and CRLF header injection. They are OFF by default — pass --enable-active to enable them. A legal disclaimer is shown when active scanning runs. Probe volume is capped per endpoint (default 20; override with --max-probes-per-endpoint).

Can I track findings over time?

Yes. Use --save-baseline to snapshot your current findings, then pass --baseline on subsequent scans. Fendix will diff the results and show only new findings, making it easy to track security posture over time and gate CI/CD pipelines on regressions.
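The baseline diff and the --fail-on gate described above, combined into one regression check, as an added example that is not Fendix's own code: findings are fingerprinted without line numbers so that unrelated code shifts do not resurface old findings, the current snapshot is diffed against the baseline, and the exit status is decided only on the new findings. The findings JSON shape and the two snapshots are assumed and constructed here; Fendix's real --save-baseline format is not on this page.

```python
"""Baseline diff and severity gate over saved Fendix findings.
Added example, not Fendix's own code: the findings JSON shape below is an
assumed, constructed one; the real --save-baseline format is not on the page."""
import json

SEVERITY_RANK = {"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

def fingerprint(f):
    """Stable identity of a finding. Line numbers are left out on purpose so
    that unrelated edits shifting code do not make an old finding look new."""
    return (f["category"], f.get("path") or "", f.get("file") or "")

def diff_findings(baseline, current):
    """Split current findings into (new, resolved) relative to the baseline."""
    old = {fingerprint(f): f for f in baseline}
    now = {fingerprint(f): f for f in current}
    new = [f for k, f in now.items() if k not in old]
    resolved = [f for k, f in old.items() if k not in now]
    return new, resolved

def exit_code(findings, fail_on):
    """CI exit status: 1 if any finding meets or exceeds the fail_on severity."""
    threshold = SEVERITY_RANK[fail_on.upper()]
    return 1 if any(SEVERITY_RANK[f["severity"]] >= threshold for f in findings) else 0

def gate_on_regressions(baseline_json, current_json, fail_on):
    """Load both snapshots, keep only regressions, and decide pass/fail on them."""
    new, _ = diff_findings(json.loads(baseline_json)["findings"],
                           json.loads(current_json)["findings"])
    return new, exit_code(new, fail_on)

# Constructed snapshots (not real scan output): the baseline has three known
# findings; the current scan fixed one of them and introduced two new ones.
BASELINE_JSON = json.dumps({"findings": [
    {"category": "missing-auth", "severity": "CRITICAL", "path": "/api/users"},
    {"category": "cors", "severity": "HIGH", "path": "/api/users"},
    {"category": "csp-missing", "severity": "MEDIUM", "path": "/"},
]})
CURRENT_JSON = json.dumps({"findings": [
    {"category": "missing-auth", "severity": "CRITICAL", "path": "/api/users"},
    {"category": "csp-missing", "severity": "MEDIUM", "path": "/"},
    {"category": "secret", "severity": "HIGH", "file": "config/settings.py", "line": 3},
    {"category": "server-disclosure", "severity": "LOW", "path": "/"},
]})

if __name__ == "__main__":
    new, code = gate_on_regressions(BASELINE_JSON, CURRENT_JSON, "HIGH")
    for f in new:
        print("NEW", f["severity"], f["category"], f.get("path") or f.get("file"))
    print("exit code:", code)
```

With --fail-on HIGH the new hardcoded secret fails the build even though the pre-existing CRITICAL missing-auth finding is tolerated as baseline; with --fail-on CRITICAL the same run passes.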

Ready to secure your API?

Run your first scan in under a minute. Open source, free forever, no account required.