ApiPosturePro 1.0.4
dotnet tool install --global ApiPosturePro --version 1.0.4
ApiPosture Pro
Professional security extension for ASP.NET Core API security scanning
Extends the open-source ApiPosture CLI with advanced security rules, secrets detection, diff mode, historical tracking, and risk scoring.
🔒 100% Local Analysis - Your code never leaves your machine. All scanning is performed locally on your computer or CI/CD runner.
Features
🛡️ OWASP Top 10 Security Rules
Advanced detection for common API vulnerabilities:
- AP101 - Broken Access Control (Critical)
- AP102 - Cryptographic Failures (High)
- AP103 - Injection Vulnerabilities (Critical)
- AP104 - Insecure Design (High)
- AP105 - Security Misconfiguration (Medium)
- AP106 - Vulnerable Components (Medium)
- AP107 - Authentication Failures (High)
- AP108 - SSRF Vulnerabilities (High)
🔑 Secrets Detection
- AP201 - Detects 30+ secret patterns (Critical)
  - AWS, Azure, GCP keys
  - GitHub, Slack, Stripe tokens
  - Database connection strings
  - Private keys and certificates
  - JWT secrets and API keys
📊 Diff Mode
Compare scans over time to track security improvements or regressions:
apiposture diff baseline.json current.json
📈 Historical Tracking
Automatic scan history with SQLite storage:
apiposture history list
apiposture history trend -p /path/to/project
🎯 Risk Scoring
Automated risk assessment based on:
- Severity (40%)
- Exposure (25%)
- Sensitivity (25%)
- Finding density (10%)
Installation
For Pro Users (Recommended)
Install the standalone Pro tool - includes everything:
# Install Pro CLI (includes scanning + all rules)
dotnet tool install --global ApiPosturePro
# Activate your license
apiposture-pro activate XXXX-XXXX-XXXX-XXXX
# Verify activation
apiposture-pro status
That's it! The Pro tool is fully standalone and includes both the free and the Pro rules.
For Free Users
If you only need basic rules, install the free CLI:
dotnet tool install --global ApiPosture
CI/CD Alternative
Set license via environment variable (no activation needed):
export APIPOSTURE_LICENSE_KEY=<your-jwt-token>
Usage
Scan Your API
Use the Pro CLI for scanning (includes both free and Pro rules):
# Basic scan
apiposture-pro scan /path/to/your/api
# Scan with JSON output
apiposture-pro scan /path/to/your/api --output json --output-file report.json
# Fail build on high/critical findings
apiposture-pro scan /path/to/your/api --fail-on high
# Filter by severity
apiposture-pro scan /path/to/your/api --severity medium
Manage Your License
# Check license status
apiposture-pro status
# Deactivate license
apiposture-pro deactivate
Example Output
$ apiposture-pro scan .
API Posture Scan Results
========================
Findings:
[AP001] High: Public endpoint with sensitive route pattern '/api/admin/users'
[AP101] Critical: Sensitive endpoint '/api/admin/users' lacks authorization
[AP103] Critical: Endpoint '/api/search' has parameters suggesting SQL injection risk
[AP108] High: Webhook endpoint '/api/webhooks/register' may accept external URLs
[AP201] Critical: AWS Access Key detected in appsettings.json
Summary:
Total Findings: 5
Critical: 3 | High: 2 | Medium: 0 | Low: 0
Scanned 42 endpoints in 2.3s
Compare Scans (Diff Mode)
Track security improvements over time:
# Save baseline
apiposture scan /path/to/api -o baseline.json -f json
# Make security improvements...
# Scan again
apiposture scan /path/to/api -o current.json -f json
# Compare results
apiposture diff baseline.json current.json
View History
Pro automatically records scan history:
# List recent scans
apiposture history list
# View trends over time
apiposture history trend -p /path/to/api
# Show specific scan
apiposture history show <scan-id>
CI/CD Integration
Use ApiPosture Pro in your CI/CD pipeline:
GitHub Actions
```yaml
name: Security Scan
on: [push, pull_request]
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install ApiPosture Pro
        run: dotnet tool install --global ApiPosturePro
      - name: Run security scan
        run: apiposture-pro scan . --output json --output-file results.json
        env:
          APIPOSTURE_LICENSE_KEY: ${{ secrets.APIPOSTURE_LICENSE_KEY }}
      - name: Upload results
        uses: actions/upload-artifact@v4
        with:
          name: security-scan-results
          path: results.json
```
Azure DevOps
```yaml
steps:
  - task: DotNetCoreCLI@2
    displayName: 'Install ApiPosture Pro'
    inputs:
      command: 'custom'
      custom: 'tool'
      arguments: 'install --global ApiPosturePro'
  - script: apiposture-pro scan . --output json --output-file $(Build.ArtifactStagingDirectory)/results.json
    displayName: 'Security Scan'
    env:
      APIPOSTURE_LICENSE_KEY: $(ApiPostureLicenseKey)
```
GitLab CI
```yaml
security_scan:
  script:
    - dotnet tool install --global ApiPosturePro
    - apiposture-pro scan . --output json --output-file results.json
  variables:
    APIPOSTURE_LICENSE_KEY: $APIPOSTURE_LICENSE_KEY
  artifacts:
    paths:
      - results.json
```
Security Rules Reference
AP101: Broken Access Control
Severity: Critical
Detects missing authorization on sensitive operations, IDOR vulnerabilities, mass assignment risks, and privilege escalation endpoints.
Recommendation: Use [Authorize] attributes with appropriate roles/policies. Follow principle of least privilege.
AP102: Cryptographic Failures
Severity: High
Detects sensitive data in URLs, credential endpoints without security, and improper handling of sensitive information.
Recommendation: Never expose sensitive data in URLs. Use HTTPS, encryption, and secure credential storage.
AP103: Injection Vulnerability
Severity: Critical
Detects SQL injection, command injection, LDAP injection, XPath injection, and template injection risks.
Recommendation: Use parameterized queries, ORMs, and input validation. Never construct queries from user input.
AP104: Insecure Design
Severity: High
Detects missing rate limiting, unprotected resource-intensive operations, and bulk operations without limits.
Recommendation: Implement rate limiting, CAPTCHA, and proper business logic controls.
AP105: Security Misconfiguration
Severity: Medium
Detects exposed debug endpoints, internal endpoints without auth, and overly permissive CORS.
Recommendation: Disable debug in production. Configure proper CORS. Secure internal endpoints.
AP106: Vulnerable Components
Severity: Medium
Detects legacy API patterns, deprecated frameworks, and outdated web service endpoints.
Recommendation: Keep components updated. Migrate legacy services to modern patterns.
AP107: Authentication Failures
Severity: High
Detects weak auth patterns, basic auth usage, and improper session/token management.
Recommendation: Use strong authentication with MFA. Implement secure session and token handling.
AP108: SSRF Vulnerability
Severity: High
Detects endpoints accepting URLs, webhooks, proxy functionality, and file fetching from external sources.
Recommendation: Validate URL inputs. Use allowlists. Block internal IP ranges.
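As an added example (not code from the ApiPosture Pro package or its documentation), here is what the AP101 and AP108 findings from the sample output above look like as an ASP.NET Core controller before and after the recommended fix; the controller names, the "AdminOnly" policy and the allowlist contents are assumptions for illustration.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Sockets;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
// AP101 before: sensitive route with no [Authorize]; reported as lacking authorization.
[ApiController, Route("api/admin/users")]
public class AdminUsersControllerBefore : ControllerBase
{
    [HttpGet] public IActionResult List() => Ok(new[] { "alice", "bob" });
}

// AP101 after: access restricted to an explicit policy ("AdminOnly" is an assumed policy name).
[ApiController, Route("api/admin/users"), Authorize(Policy = "AdminOnly")]
public class AdminUsersController : ControllerBase
{
    [HttpGet] public IActionResult List() => Ok(new[] { "alice", "bob" });
}

public record WebhookRegistration(string CallbackUrl);

// AP108 after: only https callbacks whose host is on an allowlist (assumed contents) are accepted,
// and a host that resolves to a loopback, link-local or private address is refused as defence in depth.
[ApiController, Route("api/webhooks/register"), Authorize]
public class WebhooksController : ControllerBase
{
    private static readonly string[] AllowedHosts = { "hooks.example.com" };
    [HttpPost]
    public IActionResult Register([FromBody] WebhookRegistration req)
    {
        if (!Uri.TryCreate(req.CallbackUrl, UriKind.Absolute, out var uri)
            || uri.Scheme != Uri.UriSchemeHttps
            || !AllowedHosts.Contains(uri.Host, StringComparer.OrdinalIgnoreCase))
            return BadRequest("callback URL is not on the allowlist");
        if (Dns.GetHostAddresses(uri.Host).Any(IsInternal))
            return BadRequest("callback URL resolves to an internal address");
        return Accepted();
    }

    private static bool IsInternal(IPAddress ip)
    {
        if (ip.IsIPv4MappedToIPv6) ip = ip.MapToIPv4();
        if (IPAddress.IsLoopback(ip) || ip.IsIPv6LinkLocal || ip.IsIPv6SiteLocal) return true;
        if (ip.AddressFamily != AddressFamily.InterNetwork) return false;
        var b = ip.GetAddressBytes();
        return b[0] == 10 || (b[0] == 172 && b[1] >= 16 && b[1] <= 31)
            || (b[0] == 192 && b[1] == 168) || (b[0] == 169 && b[1] == 254);
    }
}
```

The allowlist is the primary control and the address check is defence in depth; since a host can resolve differently at registration time and at delivery time, the same check should run again when the callback is actually invoked.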
AP201: Secrets in Code
Severity: Critical
Detects 30+ hardcoded secret patterns including cloud keys, service tokens, database credentials, and private keys.
Recommendation: Never hardcode secrets. Use environment variables or secure vaults.
Privacy & Security
🔒 Your code stays on your machine
- All analysis is performed 100% locally
- No code, findings, or project data is uploaded to external servers
- No telemetry or usage tracking
- SQLite history database is stored locally on your machine (~/.apiposture/history.db)
License Tiers
Pro License
- OWASP Top 10 rules (AP101-AP108)
- Secrets detection (AP201)
- Diff mode
- Historical tracking
- Risk scoring
- Standard support
Enterprise License
- All Pro features
- Priority support
- Custom rule development
- Site licenses available
Links
- Free ApiPosture CLI: GitHub | NuGet
- ApiPosture.Core Library: NuGet
- ApiPosture Pro: NuGet
- Documentation: https://docs.apiposture.com
- Support: support@apiposture.com
Changelog
1.0.0 (2025-01-15)
- Initial release
- OWASP Top 10 security rules (AP101-AP108)
- Secrets detection (AP201)
- Diff mode for comparing scans
- Historical tracking with SQLite
- Risk scoring analysis
Copyright © 2025 ApiPosture. All rights reserved.
| Product | Compatible target frameworks (computed variants in parentheses) |
|---|---|
| .NET | net8.0 (android, browser, ios, maccatalyst, macos, tvos, windows); net9.0 (android, browser, ios, maccatalyst, macos, tvos, windows); net10.0 (android, browser, ios, maccatalyst, macos, tvos, windows) |
This package has no dependencies.
| Version | Downloads | Last Updated |
|---|---|---|
| 1.0.18 | 77 | 3/4/2026 |
| 1.0.17 | 82 | 3/4/2026 |
| 1.0.16 | 91 | 2/25/2026 |
| 1.0.14 | 102 | 2/10/2026 |
| 1.0.13 | 89 | 2/10/2026 |
| 1.0.12 | 92 | 2/10/2026 |
| 1.0.11 | 90 | 2/10/2026 |
| 1.0.10 | 91 | 2/9/2026 |
| 1.0.9 | 90 | 2/8/2026 |
| 1.0.8 | 96 | 2/7/2026 |
| 1.0.6 | 109 | 2/7/2026 |
| 1.0.5 | 103 | 2/7/2026 |
| 1.0.4 | 101 | 2/7/2026 |
| 1.0.3 | 107 | 2/7/2026 |
| 1.0.2 | 108 | 2/7/2026 |