Skip to content

Xerodium/API-DASTard

Repository files navigation

API-DASTard

API-DASTard is a self-hosted continuous API security scanning platform. It imports OpenAPI definitions, executes scheduled and on-demand authenticated scans through Nuclei, tracks findings across runs, and provides an operator UI, reports, and an audit trail.

Warning

Dynamic security testing sends unusual and potentially harmful requests. Only scan APIs that you own or are explicitly authorized to test. Begin with non-production environments and conservative rate limits.

MVP capabilities

  • OpenAPI 3.0 and 3.1 YAML/JSON import, validation, checksum history, operation counts, and security-scheme discovery
  • Organization-scoped API inventory with explicit authorization attestation
  • Static Bearer, Basic, API-key, and OAuth 2.0 client-credentials authentication
  • Encrypted credential storage and temporary, target-scoped Nuclei secret files
  • Immediate scans and timezone-aware recurring cron schedules
  • Queue-backed, separately deployable workers with cancellation and execution time limits
  • Pinned Nuclei engine and community template releases
  • Conservative low-aggression DAST profiles, request rate limits, and concurrency limits
  • Stable finding fingerprints with new, recurring, resolved, and regressed behavior
  • Redacted request/response observations, risk acceptance, and false-positive dispositions
  • JSON and standalone HTML reports
  • Local users with owner, administrator, operator, analyst, and viewer roles
  • Append-only audit events for configuration, scans, credentials, and finding decisions
  • Responsive React web interface and documented FastAPI management API
  • PostgreSQL migrations, Redis-backed jobs, Docker Compose deployment, and automated tests

Architecture

Browser
   │
   ▼
React UI ─────► Python Management API ─────► PostgreSQL
                         │
                         ├── inventory, users, policies
                         ├── encrypted credentials
                         ├── findings, reports, audit
                         │
                         ▼
                      Redis queue
                         ▲
                 Celery scheduler
                         │
                         ▼
                 Python scan worker
                         │
                         ▼
                    Nuclei CLI ─────► Authorized target API

The management API never performs scanning. The worker converts an immutable scan snapshot into a constrained Nuclei invocation, creates a temporary OpenAPI and secret file, ingests JSONL results, redacts evidence, and destroys its workspace.

Quick start

Requirements:

  • Docker Engine with Docker Compose v2
  • At least 4 GB of available memory
  • Network access from the worker container to the APIs being scanned

Create the deployment configuration:

cp .env.example .env

Generate a secret key and a separate Fernet encryption key:

python3 -c 'import secrets; print(secrets.token_urlsafe(48))'
python3 -c 'import base64, os; print(base64.urlsafe_b64encode(os.urandom(32)).decode())'

Put those values in APIDASTARD_SECRET_KEY and APIDASTARD_ENCRYPTION_KEY. Also change:

  • POSTGRES_PASSWORD
  • APIDASTARD_BOOTSTRAP_ADMIN_EMAIL
  • APIDASTARD_BOOTSTRAP_ADMIN_PASSWORD

Set APIDASTARD_ENVIRONMENT=production for every non-local deployment. Production mode refuses to start with development secrets, an invalid encryption key, a weak bootstrap password, or SQLite.

The bootstrap password should be at least 12 characters. Start the platform:

docker compose up --build -d
docker compose ps

Open http://localhost:3000 and sign in with the bootstrap administrator. The account is created only when its email does not already exist.

Follow logs with:

docker compose logs -f api worker scheduler

Stop the services without deleting PostgreSQL data:

docker compose down

First scan

  1. Select Targets and register the API's base URL.
  2. Confirm that your organization is authorized to scan it.
  3. Import an OpenAPI 3.0 or 3.1 definition.
  4. Add an authentication profile if protected operations are present.
  5. Run an immediate scan using the default Safe API scan policy.
  6. Follow execution on Scans, then triage results under Findings.
  7. Create a recurring scan under Schedules after validating the policy and credentials.

API-DASTard replaces the OpenAPI document's servers entry with the registered base URL for each scan. This permits the same definition to be scanned in development, staging, and production without editing the uploaded artifact.

Authentication profiles

Secrets are encrypted before storage and are never returned by the API after creation.

Profile Required values Behavior
Bearer Token Sends an Authorization: Bearer value to the target host
Basic Username, password Uses Nuclei's scoped Basic authentication
API key Name, value, header/query/cookie location Injects the value only for the target host
OAuth client credentials Token URL, client ID, client secret, optional scope Acquires a short-lived token when the scan begins

OAuth token requests do not follow redirects. A Nuclei secret file is written with mode 0600 in the per-scan workspace and deleted after execution. Infrastructure operators should still treat the database encryption key as a high-value secret and rotate scan credentials after suspected compromise.

Scan profiles and Nuclei

The default profile is templates/profiles/safe-api.yaml. OpenAPI request inputs require Nuclei's dedicated DAST templates, so the profile enables low-aggression, in-band fuzzing while excluding denial-of-service, brute-force, credential-stuffing, headless, code, file, network, out-of-band, and other intrusive categories. Template helper files may be read only from the pinned, read-only bundle.

The worker image currently pins:

  • Nuclei v3.8.0
  • nuclei-templates v10.4.3

Template updates never occur during a scan. Review upstream release notes, rebuild the worker, and run the test suite when changing either version. Production deployments should additionally pin upstream images by digest in their internal image registry.

Nuclei is an execution engine, not the product boundary. API-DASTard owns authorization, scheduling, secret handling, execution policy, historical findings, reporting, and auditing. This makes replacing or supplementing Nuclei possible without changing the management API.

Safety model

Application-level controls include:

  • explicit target authorization confirmation
  • HTTP/HTTPS URLs only
  • rejection of embedded URL credentials, loopback, link-local, and multicast targets
  • exact-host scoping for Nuclei authentication material
  • immutable OpenAPI checksum and policy snapshots on every run
  • one active scan per target
  • bounded OpenAPI uploads, scan runtime, request rate, and concurrency
  • same-origin behavior unless redirect following is explicitly enabled
  • disabled automatic template downloads and dangerous template types
  • non-root, read-only worker containers with dropped Linux capabilities
  • sensitive header redaction and bounded stored evidence
  • organization filters on every management resource lookup

Application validation cannot reliably prevent DNS rebinding or restrict every private network route. Production deployments must enforce worker egress allowlists using firewall rules, Kubernetes NetworkPolicy, a controlled outbound proxy, or an equivalent network boundary. Do not expose the deployment over plaintext HTTP when real credentials are configured.

See SECURITY.md for deployment requirements and vulnerability reporting guidance.

Repository layout

.
├── apps/
│   ├── management-api/       # FastAPI deployment entrypoint
│   ├── scheduler/            # Celery Beat deployment entrypoint
│   ├── worker/               # Celery/Nuclei deployment entrypoint
│   └── web-ui/               # React and TypeScript operator interface
├── src/apidastard/           # Shared Python application and domain package
│   ├── api.py                # Management HTTP API
│   ├── models.py             # Persistent organization-scoped domain model
│   ├── tasks.py              # Scheduled dispatch and scan execution tasks
│   ├── nuclei.py             # Constrained Nuclei process adapter
│   └── nuclei_results.py     # Result normalization and redaction boundary
├── migrations/               # Alembic database migrations
├── templates/profiles/       # Reviewed Nuclei template selections
├── deploy/containers/        # Backend, worker, UI images and reverse proxy
├── tests/
│   ├── unit/                 # Parser, security, and normalization tests
│   └── integration/          # Complete management and scan lifecycle tests
├── compose.yaml
└── pyproject.toml

No /docs directory is required; operational and architecture guidance lives in this README and the root security/contribution files.

Local development

Backend requirements are Python 3.13 and a running Redis instance. PostgreSQL is recommended, while SQLite is supported for local tests.

python3 -m venv .venv
.venv/bin/pip install -e '.[dev]'
cp .env.example .env
make dev

Run the worker and scheduler in separate terminals:

.venv/bin/celery -A apidastard.celery_app:celery_app worker --loglevel=INFO
.venv/bin/celery -A apidastard.celery_app:celery_app beat --loglevel=INFO

The local worker also requires a compatible nuclei binary and a nuclei-templates checkout. Container development is the supported path when those are not installed.

Start the UI development server:

cd apps/web-ui
corepack pnpm install
corepack pnpm dev

The Vite server listens on http://localhost:3000 and proxies API traffic to port 8000.

Verification

make lint
make test
make ui-build

The integration suite uses a simulated Nuclei result so it is deterministic and never sends scan traffic. It verifies login, target registration, OpenAPI import, encrypted credential creation, scan queueing, finding ingestion, evidence redaction, report generation, scheduling, and audit events.

FastAPI exposes interactive management API documentation at http://localhost:8000/docs in a direct development deployment. In the Compose deployment the API is reached through the web service at /api/v1/....

Current limitations

This is a usable MVP, not feature parity with commercial DAST platforms:

  • OpenAPI 3.0/3.1 is the only input format.
  • OpenAPI external references are not fetched or resolved.
  • Required operation values absent from the definition may cause Nuclei to skip those operations.
  • There is one organization per initial deployment; the schema is organization-scoped but organization administration is not exposed yet.
  • Local password authentication is implemented; OIDC/SAML and MFA are not.
  • OAuth support is limited to client credentials.
  • Policy creation is API-only in this release; the default safe policy is created automatically.
  • Email, webhook, ticketing, CI quality gates, PDF/SARIF, retention automation, and external secret managers are not implemented.
  • Worker egress allowlisting must be supplied by the deployment environment.
  • Authorization and business-logic vulnerabilities often require multiple identities and application-specific state that generic Nuclei templates cannot infer.

Roadmap

The next high-value increments are OIDC login, external secret-manager references, CI/CD scan tokens and quality gates, notifications, worker pools with egress policies, richer policy editing, multiple authentication identities for authorization tests, SARIF/PDF exports, and organization administration.

License

API-DASTard is licensed under the Apache License 2.0. Nuclei and nuclei-templates are separate upstream projects distributed under their own licenses.

About

A Continuous API Security Scanning and Reporting Application that's Containerized

Resources

License

Contributing

Security policy

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors