Install Fendix, run your first scan, and understand the output — all in under five minutes.
Three commands to go from zero to a full HTML security report.
# 1. Install
curl -fsSL https://get.fendix.dev | sh
# 2. Run your first scan
fendix scan --url https://api.example.com --format html --output report.html
# 3. Open the report
open report.html

Fendix scans the API for missing security headers, CORS misconfigurations, authentication bypasses, sensitive data exposure, and rate limiting issues — all without sending any destructive payloads.
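The passive checks the quickstart lists can be illustrated with a small added example, written for this page and not taken from Fendix's code base: it inspects one constructed HTTP response for missing security headers and for permissive CORS, and reports findings with a severity. The expected-header list, the severity labels and the probe origin are assumptions for illustration, not Fendix's own rule set or finding IDs.

```python
# Added example, not Fendix code. Passive checks over one HTTP response: nothing
# here sends a payload or changes server state; the response is constructed inline.
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    check: str      # which passive check fired
    severity: str   # assumed LOW/MEDIUM/HIGH scale, not Fendix's ratings
    detail: str


# Response headers a hardened JSON API is expected to send (assumed baseline).
EXPECTED_HEADERS = {
    "strict-transport-security": "MEDIUM",
    "x-content-type-options": "LOW",
    "content-security-policy": "LOW",
    "cache-control": "LOW",
}


def _lower(headers):
    """Header names are case-insensitive; normalise before lookup."""
    return {k.lower(): v for k, v in headers.items()}


def check_security_headers(headers):
    present = _lower(headers)
    return [Finding("missing-header", sev, f"{name} is not set")
            for name, sev in EXPECTED_HEADERS.items() if name not in present]


def check_cors(probe_origin, headers):
    """Flag a wildcard origin, or an arbitrary request Origin echoed back."""
    present = _lower(headers)
    acao = present.get("access-control-allow-origin")
    creds = present.get("access-control-allow-credentials", "").strip().lower() == "true"
    if acao is None:
        return []
    if acao == "*":
        # Browsers refuse '*' together with credentials, so that pairing is a broken
        # config rather than an exposure; a plain '*' on an API is still worth reporting.
        return [Finding("cors", "MEDIUM", "wildcard Access-Control-Allow-Origin")]
    if acao == probe_origin:
        sev = "HIGH" if creds else "MEDIUM"
        return [Finding("cors", sev, f"request origin {probe_origin} reflected"
                        + (" with credentials" if creds else ""))]
    return []


def passive_scan(probe_origin, headers):
    """All checks run on a single response that was fetched with Origin: probe_origin."""
    return check_security_headers(headers) + check_cors(probe_origin, headers)


def worst_severity(findings):
    order = ["LOW", "MEDIUM", "HIGH"]
    return max((f.severity for f in findings), key=order.index, default=None)


PROBE_ORIGIN = "https://origin-probe.example"  # constructed Origin sent with the request

# Constructed response headers, not captured from any real service.
SAMPLE_HEADERS = {
    "Content-Type": "application/json",
    "X-Content-Type-Options": "nosniff",
    "Access-Control-Allow-Origin": PROBE_ORIGIN,   # echoes whatever Origin was sent
    "Access-Control-Allow-Credentials": "true",
}
HARDENED_HEADERS = {
    "Content-Type": "application/json",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
    "Cache-Control": "no-store",
    "Access-Control-Allow-Origin": "https://app.example.com",  # fixed allow-listed origin
    "Access-Control-Allow-Credentials": "true",
}

if __name__ == "__main__":
    for f in passive_scan(PROBE_ORIGIN, SAMPLE_HEADERS):
        print(f"[{f.severity}] {f.check}: {f.detail}")
```

The sample response yields four findings (three missing headers and a reflected origin with credentials, the HIGH one); the hardened header set yields none. Reflecting the request Origin is treated as worse than a wildcard because a wildcard cannot be combined with credentials in browsers, whereas a reflected origin can.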
brew tap fendix/tap
brew install fendix

Downloads the latest release binary to /usr/local/bin/fendix.
curl -fsSL https://get.fendix.dev | sh

The Docker image includes Python and all static analysis dependencies, so hybrid mode works out of the box.
docker pull ghcr.io/fendix/fendix:latest
docker run --rm ghcr.io/fendix/fendix scan --url https://api.example.com

Requires Go 1.21+ and Python 3.9+.
git clone <your-fendix-repo-url>
cd fendix
make build
./bin/fendix version
# For white-box analysis, install Python dependencies:
pip install -r python/requirements.txt

Point Fendix at a live API. No source code needed. Runs all passive checks.
fendix scan --url https://api.example.com

Analyze source code without making any network requests. Runs secrets, Semgrep, AST, spec, and dependency checks.
fendix scan --code ./src --spec openapi.yaml

Both engines run and cross-correlate findings for highest confidence. Correlated findings get elevated severity.
fendix scan \
  --url https://api.example.com \
  --code ./src \
  --spec openapi.yaml \
  --format html \
  --output report.html

Provide credentials to test endpoints behind authentication. Auth credentials are always masked as [REDACTED] in output.
# Bearer token
fendix scan --url https://api.example.com --auth "Bearer eyJhbG..."

# API key with custom header
fendix scan --url https://api.example.com \
  --auth "sk-live-abc123" \
  --auth-type apikey \
  --auth-header "X-API-Key"

# Basic auth
fendix scan --url https://api.example.com \
  --auth "admin:password" \
  --auth-type basic

Tests for SQL injection, command injection, and header injection. Off by default — requires explicit consent.
fendix scan --url https://api.example.com --enable-active

Only use against systems you own or have written authorization to test.
Fail the pipeline when critical or high severity findings are detected. Exit code 1 means at least one finding is at or above the --fail-on threshold.
fendix scan \
  --url https://api.staging.example.com \
  --code ./src \
  --fail-on HIGH \
  --format sarif \
  --output results.sarif

Only report new findings compared to a previous scan. Ideal for PR workflows.
# Save a baseline
fendix scan --url https://api.example.com --save-baseline baseline.json

# Later, compare against it
fendix scan --url https://api.example.com --baseline baseline.json

Suppress known findings or exempt endpoints from scanning. Place the rules as .fendix-ignore in your project root or pass the file via --ignore.
# Suppress by finding ID
ignore:
  - id: SEC-014
    reason: "Rate limiting handled at API gateway level"
    until: 2026-12-01 # optional expiry date

  # Suppress entire endpoint
  - endpoint: GET /health
    reason: "Public health check endpoint by design"

  # Suppress by category on specific endpoints
  - endpoint: GET /api/public/*
    category: auth
    reason: "Public endpoints intentionally unauthenticated"

Convert a saved JSON findings file to HTML or SARIF without re-scanning.
fendix report --input findings.json --format html --output report.html
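The CI gate (--fail-on), the baseline comparison (--baseline) and the .fendix-ignore rules described above can be modelled together in one added example, written for this page and not Fendix's implementation. It assumes a saved-findings schema of id, endpoint, category and severity, takes the ignore rules as already-parsed dicts (YAML loading is left out), and assumes that a finding's identity for baseline purposes is its id plus endpoint. The rule semantics (every selector a rule sets must match; an expired `until` date reactivates the finding) are the reading of the documentation above, not confirmed behaviour. Finding IDs other than SEC-014 are constructed placeholders.

```python
# Added example, not Fendix code. Models the report post-processing a CI job relies
# on: apply ignore rules, drop findings already in the baseline, then turn the
# --fail-on threshold into an exit code. Schema and rule semantics are assumptions.
from datetime import date
from fnmatch import fnmatchcase

SEVERITY_ORDER = ["INFO", "LOW", "MEDIUM", "HIGH", "CRITICAL"]  # assumed scale


def rule_matches(rule, finding, today):
    """A rule suppresses a finding when every selector it sets (id, endpoint glob,
    category) agrees with the finding and its optional 'until' date has not passed."""
    until = rule.get("until")
    if until is not None and date.fromisoformat(today) > date.fromisoformat(until):
        return False  # expired suppression: the finding reappears in reports
    selectors = {k: rule[k] for k in ("id", "endpoint", "category") if k in rule}
    if not selectors:
        return False  # a rule carrying only a reason suppresses nothing
    if "id" in selectors and selectors["id"] != finding["id"]:
        return False
    if "endpoint" in selectors and not fnmatchcase(finding["endpoint"], selectors["endpoint"]):
        return False
    if "category" in selectors and selectors["category"] != finding["category"]:
        return False
    return True


def apply_ignores(findings, rules, today):
    return [f for f in findings if not any(rule_matches(r, f, today) for r in rules)]


def fingerprint(finding):
    # Identity used for the baseline diff; assumed, the tool's real key is not documented here.
    return (finding["id"], finding["endpoint"])


def new_findings(findings, baseline):
    known = {fingerprint(b) for b in baseline}
    return [f for f in findings if fingerprint(f) not in known]


def exit_code(findings, fail_on):
    threshold = SEVERITY_ORDER.index(fail_on)
    return 1 if any(SEVERITY_ORDER.index(f["severity"]) >= threshold for f in findings) else 0


def gate(findings, rules, baseline, fail_on, today):
    """Ignore rules, then baseline diff, then threshold. Returns (reported, exit_code)."""
    reported = new_findings(apply_ignores(findings, rules, today), baseline)
    return reported, exit_code(reported, fail_on)


# The three rules from the .fendix-ignore example above, as PyYAML would load them
# (dates given as ISO strings here so the example has no YAML dependency).
RULES = [
    {"id": "SEC-014", "reason": "Rate limiting handled at API gateway level", "until": "2026-12-01"},
    {"endpoint": "GET /health", "reason": "Public health check endpoint by design"},
    {"endpoint": "GET /api/public/*", "category": "auth",
     "reason": "Public endpoints intentionally unauthenticated"},
]

# Constructed findings; DEMO-* ids and the category names are placeholders.
BASELINE = [
    {"id": "DEMO-4", "endpoint": "GET /api/users", "category": "headers", "severity": "LOW"},
]
CURRENT_FINDINGS = [
    {"id": "SEC-014", "endpoint": "POST /api/login", "category": "ratelimit", "severity": "HIGH"},   # ignored by id
    {"id": "DEMO-1", "endpoint": "GET /health", "category": "headers", "severity": "LOW"},          # ignored by endpoint
    {"id": "DEMO-2", "endpoint": "GET /api/public/docs", "category": "auth", "severity": "MEDIUM"}, # ignored by glob+category
    {"id": "DEMO-3", "endpoint": "GET /api/public/docs", "category": "headers", "severity": "LOW"}, # category differs: kept
    {"id": "DEMO-4", "endpoint": "GET /api/users", "category": "headers", "severity": "LOW"},       # already in baseline
    {"id": "DEMO-5", "endpoint": "GET /api/users/{id}", "category": "auth", "severity": "HIGH"},    # new and HIGH
]

if __name__ == "__main__":
    reported, code = gate(CURRENT_FINDINGS, RULES, BASELINE, "HIGH", "2026-06-01")
    for f in reported:
        print(f"[{f['severity']}] {f['id']} {f['endpoint']}")
    raise SystemExit(code)
```

With the sample data and a run date before the SEC-014 expiry, two findings survive (DEMO-3 and DEMO-5) and the HIGH threshold makes the job fail; raising the threshold to CRITICAL passes it. Running with a date after 2026-12-01 brings SEC-014 back, which is the point of an expiry: a suppression agreed for a gateway-level control gets revisited rather than silently outliving it.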