Install Fendix, run your first scan, and understand the output — all in under five minutes.
Three commands to go from zero to a full HTML security report.
```bash
# 1. Install
curl -fsSL https://get.fendix.dev/install.sh | sh

# 2. Run your first scan
fendix scan --url https://api.example.com --format html --output report.html

# 3. Open the report
open report.html
```

Fendix scans the API for missing security headers, CORS misconfigurations, insecure cookie flags, authentication bypasses, sensitive data exposure, and rate limiting issues — all without sending any destructive payloads.
```bash
brew tap Abdel-RahmanSaied/fendix
brew install fendix
```

Downloads the latest release binary to /usr/local/bin/fendix.

```bash
curl -fsSL https://get.fendix.dev/install.sh | sh
```

The Docker image works out of the box — secrets, Semgrep (if present), and dep-CVE checks all run natively in Go. The Python whitebox engine is opt-in via --python-engine if you also want auth / injection / AST checks.

```bash
docker pull ghcr.io/abdel-rahmansaied/fendix:latest
docker run --rm ghcr.io/abdel-rahmansaied/fendix scan --url https://api.example.com
```

Requires Go 1.22+. Python is no longer required for the default scan path as of v0.9 — it's only needed if you opt into the Python whitebox engine via --python-engine, in which case install Python 3.9+ and the deps in python/requirements.txt.

```bash
git clone https://github.com/Abdel-RahmanSaied/Fendix.git
cd Fendix
make build
./bin/fendix version

# Default scan path needs no Python — secrets, semgrep (if installed),
# and dep-CVE checks all run as native Go (Phase 17b / v0.9). For the
# opt-in --python-engine path (auth / injection / AST checks), install
# Python deps:
# pip install -r python/requirements.txt
```

v0.9–v0.16 note: the embedded Python distribution was dropped in v0.9. Default cold start is ~6.1 ms p50. As of v0.12 the engine includes a unified Go/JS/IaC textscan SAST engine; v0.13 adds PDF reports and Arabic HTML; v0.13.1 adds Jira, Slack and Teams integrations. v0.16 (the 90-Day Cut) adds diff-aware scans that run on every commit (fendix scan --code . --diff --staged --fast, ~18ms on a 200-file monorepo), a fendix hook install pre-commit gate, Proven Path v1 taint chains exported as SARIF codeFlows, and transitive Python SCA over poetry.lock / Pipfile.lock. On the labeled synthetic accuracy corpus, fendix scores F1 = 1.000 across all detection categories. See /performance for the cold-start benchmark and /accuracy for the precision/recall scorecard.
Point Fendix at a live API. No source code needed. Runs all passive checks.

```bash
fendix scan --url https://api.example.com
```

Analyze source code without making any network requests. The default v0.9 path runs the native-Go secrets scanner, dep-CVE scanners (Go via govulncheck, PyPI/npm via OSV.dev), and shells out to Semgrep if it's on PATH. AST analysis (auth/injection patterns) and spec-derived auth checks live in the Python engine — opt in with --python-engine when you want them. --spec always feeds endpoint discovery, even without --python-engine.

```bash
# Default v0.9 — runs Go-native scanners
fendix scan --code ./src

# Add --spec for endpoint discovery from an OpenAPI doc
fendix scan --code ./src --spec openapi.yaml

# Opt into the Python engine for AST + spec-derived auth checks
fendix scan --code ./src --spec openapi.yaml --python-engine
```

Black-box plus white-box, with the correlator cross-referencing both sides. Correlated findings get elevated severity, and proven-reachable correlated findings get a second bump (the "wedge" — DAST + SAST agreed AND we can prove the exploit path). The Go-native white-box scanners produce findings tagged source: whitebox on their own, so correlation works in the default path. Add --python-engine for the legacy AST + spec auth checks.
```bash
fendix scan \
  --url https://api.example.com \
  --code ./src \
  --spec openapi.yaml \
  --format html \
  --output report.html

# Add --python-engine if you want the legacy AST/spec auth checks
# alongside the native Go secrets + Semgrep + dep-CVE pipeline.
```

Provide credentials to test endpoints behind authentication. Auth credentials are always masked as [REDACTED] in output.
```bash
# Bearer token
fendix scan --url https://api.example.com --auth "Bearer eyJhbG..."

# API key with custom header
fendix scan --url https://api.example.com \
  --auth "sk-live-abc123" \
  --auth-type apikey \
  --auth-header "X-API-Key"

# Basic auth
fendix scan --url https://api.example.com \
  --auth "admin:password" \
  --auth-type basic
```

Tests for injection (SQL/command), reflected XSS, in-band SSRF, open redirect, host-header injection, GraphQL introspection, and HTTP method tampering. Off by default — requires explicit consent.

```bash
fendix scan --url https://api.example.com --enable-active
```

Only use against systems you own or have written authorization to test.
Fail the pipeline if critical or high severity findings are detected. Exit code 1 means findings at or above the threshold were found.

```bash
fendix scan \
  --url https://api.staging.example.com \
  --code ./src \
  --fail-on HIGH \
  --format sarif \
  --output results.sarif
```

Only report new findings compared to a previous scan. Ideal for PR workflows.
```bash
# Save a baseline
fendix scan --url https://api.example.com --save-baseline baseline.json

# Later, compare against it
fendix scan --url https://api.example.com --baseline baseline.json
```

Suppress known findings or exempt endpoints from scanning. Place the file as .fendix-ignore in your project root or pass it via --ignore.
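How such rules resolve against findings, as an added illustration rather than Fendix's own code: the three rules are the same ones as in the example file that follows, the finding fields (id, endpoint, category) are an assumed shape rather than Fendix's real JSON schema, and an expired until date stops suppressing.

```python
"""Evaluate .fendix-ignore-style rules against scan findings (added illustration,
not Fendix's own code). Finding fields (id, endpoint, category) are an assumed
shape, not Fendix's real JSON schema."""
from datetime import date
from fnmatch import fnmatchcase

# Constructed rules: the same three entries as the example .fendix-ignore file.
RULES = [
    {"id": "SEC-014", "until": date(2026, 12, 1),
     "reason": "Rate limiting handled at API gateway level"},
    {"endpoint": "GET /health", "reason": "Public health check endpoint by design"},
    {"endpoint": "GET /api/public/*", "category": "auth",
     "reason": "Public endpoints intentionally unauthenticated"},
]
# Constructed findings in the assumed shape.
FINDINGS = [
    {"id": "SEC-014", "endpoint": "POST /login", "category": "ratelimit"},
    {"id": "SEC-003", "endpoint": "GET /health", "category": "headers"},
    {"id": "SEC-021", "endpoint": "GET /api/public/docs", "category": "auth"},
    {"id": "SEC-021", "endpoint": "GET /api/public/docs", "category": "cors"},
    {"id": "SEC-021", "endpoint": "GET /api/admin/users", "category": "auth"},
]

def rule_matches(rule, finding, today):
    """True if every key the rule sets matches and the rule has not expired."""
    until = rule.get("until")
    if until is not None and today > until:
        return False  # expired suppression: the finding is reported again
    if "id" in rule and rule["id"] != finding["id"]:
        return False
    # Endpoint patterns are shell-style globs, so * also covers sub-paths.
    if "endpoint" in rule and not fnmatchcase(finding["endpoint"], rule["endpoint"]):
        return False
    if "category" in rule and rule["category"] != finding["category"]:
        return False
    return True

def apply_ignore(findings, rules, today):
    """Split findings into (kept, suppressed); each suppressed entry carries its rule's reason."""
    kept, suppressed = [], []
    for f in findings:
        hit = next((r for r in rules if rule_matches(r, f, today)), None)
        if hit is None:
            kept.append(f)
        else:
            suppressed.append((f, hit["reason"]))
    return kept, suppressed

if __name__ == "__main__":
    kept, dropped = apply_ignore(FINDINGS, RULES, date.today())
    print(f"{len(dropped)} suppressed, {len(kept)} reported")
```

Note that a rule with both endpoint and category suppresses only findings matching both, so the cors finding on GET /api/public/docs still surfaces.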
```yaml
# Suppress by finding ID
ignore:
  - id: SEC-014
    reason: "Rate limiting handled at API gateway level"
    until: 2026-12-01   # optional expiry date

  # Suppress entire endpoint
  - endpoint: GET /health
    reason: "Public health check endpoint by design"

  # Suppress by category on specific endpoints
  - endpoint: GET /api/public/*
    category: auth
    reason: "Public endpoints intentionally unauthenticated"
```

Convert a saved JSON findings file to HTML or SARIF without re-scanning.

```bash
fendix report --input findings.json --format html --output report.html
```

Beyond the CLI, the Fendix SaaS API launches scans programmatically and aggregates them in a dashboard. Authenticate with an X-API-Key (Pro plan and up). See Integrations for pipeline-ready recipes.
```bash
# Launch a scan via the API — X-API-Key (fx_ prefix, Pro plan and up)
curl -X POST https://api.fendix.dev/api/scans \
  -H "X-API-Key: $FENDIX_API_KEY" \
  -H 'Content-Type: application/json' \
  -d '{ "mode": "blackbox", "url": "https://api.example.com", "fail_on": "high" }'

# Workspace overview: totals, severity + category breakdowns, 8-week trend
curl "https://api.fendix.dev/api/dashboard?organization=$ORG_ID" \
  -H "X-API-Key: $FENDIX_API_KEY"
```

A runner is an agent you host inside your network: it claims queued jobs, runs the engine against private or internal targets, and submits the report back to the dashboard. Requires the Enterprise plan's self_hosted_runners feature.
```bash
# Self-hosted runner (Enterprise): scan private/internal targets in-network
# and push results to the dashboard. Register once (org admin) → fxr_ token.
curl -X POST https://api.fendix.dev/api/runners/claim -H "X-Runner-Token: $TOKEN"
fendix scan --code /repo --format json --output report.json
curl -X POST "https://api.fendix.dev/api/runners/jobs/$SCAN_ID/result" \
  -H "X-Runner-Token: $TOKEN" -H 'Content-Type: application/json' \
  --data-binary @report.json
```