USE CASES

Security that fits your workflow

Fendix is designed for real teams: developers, security engineers, and platform owners who need fast, repeatable API security checks with evidence they can act on.

Common ways teams use Fendix

Pick the mode that matches what you need today: black-box coverage, white-box analysis, or hybrid confidence.

Pre-release hardening

Catch auth bypasses, misconfigurations, and insecure headers before you ship.

  • Fail fast on Critical/High thresholds
  • Repeatable scan results for releases
  • Actionable evidence + remediation

Hybrid confidence for complex systems

Correlate runtime behavior with code locations to reduce false positives.

  • Cross-check black-box + white-box findings
  • Every issue includes proof and source context
  • Higher-confidence remediation guidance

Black-box API testing

Test live endpoints using real HTTP requests without requiring source access.

  • Auth/access control bypass + IDOR checks
  • Active probes — injection (SQLi, CMDi, CRLF), reflected XSS, SSRF, open redirect
  • Host-header injection, GraphQL introspection, and HTTP method tampering
  • CORS, cookie-flag, and data-exposure detection
  • Rate limiting coverage gaps

White-box secret & policy scanning

Scan your codebase for hardcoded secrets, insecure patterns, and vulnerable dependencies — on every commit, not just in CI.

  • Hardcoded keys/tokens/passwords
  • Injection patterns (SQLi/command/XSS) with Proven Path taint chains
  • Transitive dependency CVEs (poetry.lock / Pipfile.lock closure, PyPI + npm)
  • fendix hook install — pre-commit gate that blocks staged secrets / HIGH+ findings

CI/CD + every-commit security gates

Block merges in CI, and catch issues earlier with a diff-aware scan on every commit.

  • Pass/fail exit codes based on severity
  • Diff-aware scan of staged files (--diff --staged --fast, ~18ms) for the inner loop
  • Baseline diffing with --save-baseline: record the accepted findings once, then report only what is new since that baseline to track regressions over time (distinct from --diff, which limits the scan to changed files)
  • Suppression rules via .fendix-ignore with expiry dates
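The severity gate and expiring suppressions above are simple to reason about once written down. The following is an added example (not Fendix's code): a minimal gate that loads a findings list, honours suppression entries only until their expiry date, and returns a CI-style exit code when anything at or above the threshold remains. The findings schema, the suppression-file line format, the rule ids and the sample data are all assumptions constructed for this illustration; Fendix's real formats may differ.

```python
"""Severity gate with expiring suppressions.

Added example, not Fendix's own code: the findings schema, the
suppression-file syntax and the rule ids below are assumptions made
for illustration only.
"""
from __future__ import annotations

import fnmatch
import sys
from dataclasses import dataclass
from datetime import date

SEVERITY_RANK = {"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed findings in a hypothetical scanner-output shape.
SAMPLE_FINDINGS = [
    {"rule_id": "hardcoded-secret", "severity": "CRITICAL", "path": "src/app/config.py", "line": 12},
    {"rule_id": "sqli-taint", "severity": "HIGH", "path": "src/legacy/reports.py", "line": 88},
    {"rule_id": "missing-cookie-flag", "severity": "MEDIUM", "path": "src/app/session.py", "line": 40},
    {"rule_id": "sqli-taint", "severity": "HIGH", "path": "src/app/search.py", "line": 21},
]

# Constructed suppression file; the line format is an assumption for this example.
IGNORE_FILE = """
# <rule-id> <path-glob> expires=YYYY-MM-DD   # reason
sqli-taint src/legacy/*.py expires=2025-09-30        # legacy module scheduled for removal
hardcoded-secret src/app/config.py expires=2025-03-31  # credential rotated; clean-up tracked
"""


@dataclass(frozen=True)
class Suppression:
    rule_id: str    # which rule the suppression covers
    path_glob: str  # fnmatch pattern over the finding's path
    expires: date   # last day the suppression is honoured


def parse_suppressions(text: str) -> list[Suppression]:
    """Parse '<rule-id> <path-glob> expires=YYYY-MM-DD'; refuse entries with no expiry."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3 or not fields[2].startswith("expires="):
            raise ValueError(f"bad suppression (an expiry date is mandatory): {raw.strip()!r}")
        expiry = date.fromisoformat(fields[2][len("expires="):])
        rules.append(Suppression(fields[0], fields[1], expiry))
    return rules


def is_suppressed(finding: dict, rules: list[Suppression], today: date) -> bool:
    """Only an unexpired entry matching rule and path hides a finding; expired ones resurface it."""
    return any(
        r.rule_id == finding["rule_id"]
        and fnmatch.fnmatchcase(finding["path"], r.path_glob)
        and today <= r.expires
        for r in rules
    )


def gate(findings, rules, threshold="HIGH", today=None):
    """Return (exit_code, blocking): exit 1 when an unsuppressed finding is at or above threshold.

    `today` is an ISO date string so the gate is reproducible in tests; None means the real date.
    """
    today_d = date.fromisoformat(today) if today else date.today()
    floor = SEVERITY_RANK[threshold]
    blocking = [
        f for f in findings
        if SEVERITY_RANK[f["severity"]] >= floor and not is_suppressed(f, rules, today_d)
    ]
    return (1 if blocking else 0), blocking


if __name__ == "__main__":
    code, blocking = gate(SAMPLE_FINDINGS, parse_suppressions(IGNORE_FILE), "HIGH", "2025-06-01")
    for f in blocking:
        print(f"{f['severity']:8} {f['rule_id']:22} {f['path']}:{f['line']}")
    sys.exit(code)
```

Two design choices worth copying: a suppression without an expiry is rejected outright rather than treated as permanent, and an expired suppression silently lets the finding block the build again, so forgotten exceptions surface instead of rotting.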

Audit-ready reporting

Produce shareable, machine-readable reports for teams and audits.

  • JSON + self-contained HTML output
  • SARIF 2.1.0 for GitHub Code Scanning
  • Credential redaction in reports
  • Consistent severity classification
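To show what the report items above look like in practice, here is an added example (not Fendix's code) that turns a findings list into a SARIF 2.1.0 log of the shape GitHub Code Scanning accepts, with a CWE tag on every rule, a consistent severity-to-level mapping, and credential redaction applied to messages and snippets before anything is serialised. The findings schema, rule ids, redaction patterns and sample data are assumptions constructed for this illustration.

```python
"""Findings -> SARIF 2.1.0 with credential redaction.

Added example, not Fendix's own code. The input schema and sample
findings are constructed for illustration; the SARIF property names
used are those GitHub Code Scanning documents for uploads.
"""
from __future__ import annotations

import json
import re

SARIF_SCHEMA = "https://json.schemastore.org/sarif-2.1.0.json"

# One consistent mapping from scanner severity to SARIF level ...
LEVEL_FOR = {"CRITICAL": "error", "HIGH": "error", "MEDIUM": "warning", "LOW": "note", "INFO": "note"}
# ... and to GitHub's 0-10 'security-severity' score, which drives its critical/high/medium/low badge.
SCORE_FOR = {"CRITICAL": "9.5", "HIGH": "8.0", "MEDIUM": "5.5", "LOW": "2.0", "INFO": "0.0"}

# Constructed findings in a hypothetical scanner-output shape.
SAMPLE_FINDINGS = [
    {"rule_id": "hardcoded-secret", "title": "Hardcoded credential", "severity": "CRITICAL", "cwe": 798,
     "path": "src/app/config.py", "line": 12,
     "message": "Hardcoded password assigned to db_password",
     "snippet": 'db_password = "hunter2-prod"'},
    {"rule_id": "hardcoded-secret", "title": "Hardcoded credential", "severity": "CRITICAL", "cwe": 798,
     "path": "deploy/env.sh", "line": 3,
     "message": "AWS access key id committed",
     "snippet": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE"},
    {"rule_id": "missing-cookie-flag", "title": "Session cookie without Secure flag", "severity": "MEDIUM",
     "cwe": 614, "path": "src/app/session.py", "line": 40,
     "message": "Set-Cookie lacks the Secure attribute",
     "snippet": 'resp.set_cookie("sid", token)'},
]

# Redaction patterns (illustrative, not exhaustive): AWS access key ids, bearer tokens,
# and '<secret-ish name> = value' assignments. Only the value is blanked; the key stays
# so the finding remains readable.
_REDACTORS = [
    (re.compile(r"AKIA[0-9A-Z]{16}"), lambda m: "AKIA[REDACTED]"),
    (re.compile(r"(?i)bearer\s+[A-Za-z0-9\-._~+/]+=*"), lambda m: "Bearer [REDACTED]"),
    (re.compile(r"""(?i)(password|passwd|secret|api[_-]?key|token)(\s*[=:]\s*)(["']?)([^"'\s,;]+)"""),
     lambda m: f"{m.group(1)}{m.group(2)}{m.group(3)}[REDACTED]"),
]


def redact(text: str) -> str:
    """Blank credential values while keeping the surrounding context intact."""
    for pattern, replacement in _REDACTORS:
        text = pattern.sub(replacement, text)
    return text


def to_sarif(findings, tool_name="example-scanner", tool_version="0.0.0") -> dict:
    """Build a SARIF 2.1.0 log: one rule per rule_id, one result per finding, all text redacted."""
    rules: dict[str, dict] = {}
    results = []
    for f in findings:
        rules.setdefault(f["rule_id"], {
            "id": f["rule_id"],
            "shortDescription": {"text": f["title"]},
            "defaultConfiguration": {"level": LEVEL_FOR[f["severity"]]},
            "properties": {
                "security-severity": SCORE_FOR[f["severity"]],
                # 'external/cwe/cwe-NNN' is the tag form GitHub Code Scanning reads for CWE links.
                "tags": ["security", f"external/cwe/cwe-{f['cwe']}"],
            },
        })
        results.append({
            "ruleId": f["rule_id"],
            "ruleIndex": list(rules).index(f["rule_id"]),
            "level": LEVEL_FOR[f["severity"]],
            "message": {"text": redact(f["message"])},
            "locations": [{"physicalLocation": {
                # %SRCROOT% lets the uploader resolve paths relative to the checked-out repo.
                "artifactLocation": {"uri": f["path"], "uriBaseId": "%SRCROOT%"},
                "region": {"startLine": f["line"], "snippet": {"text": redact(f["snippet"])}},
            }}],
        })
    return {
        "$schema": SARIF_SCHEMA,
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": tool_version, "rules": list(rules.values())}},
            "results": results,
        }],
    }


if __name__ == "__main__":
    print(json.dumps(to_sarif(SAMPLE_FINDINGS, "example-scanner", "0.1"), indent=2))
```

Redaction happens at the point where text enters the report, so no code path can serialise an unredacted value; a report that leaks the very secret it flagged is a common way for scanner output to become a second incident.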

Scan private & internal APIs

Reach targets the cloud can't — internal services, staging behind a VPN, on-prem APIs — with a self-hosted runner that submits results to your dashboard.

  • Runs inside your network and only makes outbound connections to the dashboard, so no inbound firewall rules are needed
  • Claims jobs, runs the engine, pushes results back
  • Black-box, white-box, or hybrid against private targets
  • Findings land in the shared dashboard like any other scan

Compliance & audit mapping

Turn raw findings into compliance evidence by mapping each one to the frameworks auditors ask for.

  • OWASP Top 10 categorization
  • OWASP ASVS control mapping
  • PCI-DSS requirement references
  • CWE identifiers on every finding

Shift left with a pre-commit hook

Catch secrets and vulnerabilities before they're ever committed — the diff-aware hook scans only staged changes in milliseconds.

  • Installs in one command: fendix hook install
  • Staged-only, diff-aware, fast mode (sub-second)
  • Aborts the commit on a HIGH+ finding
  • Bypass the hook for a single commit with git commit --no-verify

Team & org workspaces

Run security as a team: shared workspaces with role-based access, an audit trail, and scoped API keys.

  • Org workspaces with owner / admin / member / viewer roles
  • Shared dashboard across the whole team
  • Append-only audit log of every action
  • Scoped, expiring API keys for automation

From “need answers” to “ship safely”

A simple workflow you can reuse across teams.

01 Configure

Choose black-box, white-box, or hybrid and point Fendix at your target.

02 Scan

Run the scan. Results appear with evidence and severity.

03 Remediate

Review findings and export reports for CI/CD or audits.