API-DASTard is a self-hosted continuous API security scanning platform. It imports OpenAPI definitions, executes scheduled and on-demand authenticated scans through Nuclei, tracks findings across runs, and provides an operator UI, reports, and an audit trail.
Warning
Dynamic security testing sends unusual and potentially harmful requests. Only scan APIs that you own or are explicitly authorized to test. Begin with non-production environments and conservative rate limits.
- OpenAPI 3.0 and 3.1 YAML/JSON import, validation, checksum history, operation counts, and security-scheme discovery
- Organization-scoped API inventory with explicit authorization attestation
- Static Bearer, Basic, API-key, and OAuth 2.0 client-credentials authentication
- Encrypted credential storage and temporary, target-scoped Nuclei secret files
- Immediate scans and timezone-aware recurring cron schedules
- Queue-backed, separately deployable workers with cancellation and execution time limits
- Pinned Nuclei engine and community template releases
- Conservative low-aggression DAST profiles, request rate limits, and concurrency limits
- Stable finding fingerprints with new, recurring, resolved, and regressed behavior
- Redacted request/response observations, risk acceptance, and false-positive dispositions
- JSON and standalone HTML reports
- Local users with owner, administrator, operator, analyst, and viewer roles
- Append-only audit events for configuration, scans, credentials, and finding decisions
- Responsive React web interface and documented FastAPI management API
- PostgreSQL migrations, Redis-backed jobs, Docker Compose deployment, and automated tests
Browser
│
▼
React UI ─────► Python Management API ─────► PostgreSQL
│
├── inventory, users, policies
├── encrypted credentials
├── findings, reports, audit
│
▼
Redis queue
▲
Celery scheduler
│
▼
Python scan worker
│
▼
Nuclei CLI ─────► Authorized target API
The management API never performs scanning. The worker converts an immutable scan snapshot into a constrained Nuclei invocation, creates a temporary OpenAPI and secret file, ingests JSONL results, redacts evidence, and destroys its workspace.
Requirements:
- Docker Engine with Docker Compose v2
- At least 4 GB of available memory
- Network access from the worker container to the APIs being scanned
Create the deployment configuration:
cp .env.example .envGenerate a secret key and a separate Fernet encryption key:
python3 -c 'import secrets; print(secrets.token_urlsafe(48))'
python3 -c 'import base64, os; print(base64.urlsafe_b64encode(os.urandom(32)).decode())'Put those values in APIDASTARD_SECRET_KEY and APIDASTARD_ENCRYPTION_KEY. Also change:
POSTGRES_PASSWORDAPIDASTARD_BOOTSTRAP_ADMIN_EMAILAPIDASTARD_BOOTSTRAP_ADMIN_PASSWORD
Set APIDASTARD_ENVIRONMENT=production for every non-local deployment. Production mode refuses to start with development secrets, an invalid encryption key, a weak bootstrap password, or SQLite.
The bootstrap password should be at least 12 characters. Start the platform:
docker compose up --build -d
docker compose psOpen http://localhost:3000 and sign in with the bootstrap administrator. The account is created only when its email does not already exist.
Follow logs with:
docker compose logs -f api worker schedulerStop the services without deleting PostgreSQL data:
docker compose down- Select Targets and register the API's base URL.
- Confirm that your organization is authorized to scan it.
- Import an OpenAPI 3.0 or 3.1 definition.
- Add an authentication profile if protected operations are present.
- Run an immediate scan using the default Safe API scan policy.
- Follow execution on Scans, then triage results under Findings.
- Create a recurring scan under Schedules after validating the policy and credentials.
API-DASTard replaces the OpenAPI document's servers entry with the registered base URL for each scan. This permits the same definition to be scanned in development, staging, and production without editing the uploaded artifact.
Secrets are encrypted before storage and are never returned by the API after creation.
| Profile | Required values | Behavior |
|---|---|---|
| Bearer | Token | Sends an Authorization: Bearer value to the target host |
| Basic | Username, password | Uses Nuclei's scoped Basic authentication |
| API key | Name, value, header/query/cookie location | Injects the value only for the target host |
| OAuth client credentials | Token URL, client ID, client secret, optional scope | Acquires a short-lived token when the scan begins |
OAuth token requests do not follow redirects. A Nuclei secret file is written with mode 0600 in the per-scan workspace and deleted after execution. Infrastructure operators should still treat the database encryption key as a high-value secret and rotate scan credentials after suspected compromise.
The default profile is templates/profiles/safe-api.yaml. OpenAPI request inputs require Nuclei's dedicated DAST templates, so the profile enables low-aggression, in-band fuzzing while excluding denial-of-service, brute-force, credential-stuffing, headless, code, file, network, out-of-band, and other intrusive categories. Template helper files may be read only from the pinned, read-only bundle.
The worker image currently pins:
- Nuclei
v3.8.0 - nuclei-templates
v10.4.3
Template updates never occur during a scan. Review upstream release notes, rebuild the worker, and run the test suite when changing either version. Production deployments should additionally pin upstream images by digest in their internal image registry.
Nuclei is an execution engine, not the product boundary. API-DASTard owns authorization, scheduling, secret handling, execution policy, historical findings, reporting, and auditing. This makes replacing or supplementing Nuclei possible without changing the management API.
Application-level controls include:
- explicit target authorization confirmation
- HTTP/HTTPS URLs only
- rejection of embedded URL credentials, loopback, link-local, and multicast targets
- exact-host scoping for Nuclei authentication material
- immutable OpenAPI checksum and policy snapshots on every run
- one active scan per target
- bounded OpenAPI uploads, scan runtime, request rate, and concurrency
- same-origin behavior unless redirect following is explicitly enabled
- disabled automatic template downloads and dangerous template types
- non-root, read-only worker containers with dropped Linux capabilities
- sensitive header redaction and bounded stored evidence
- organization filters on every management resource lookup
Application validation cannot reliably prevent DNS rebinding or restrict every private network route. Production deployments must enforce worker egress allowlists using firewall rules, Kubernetes NetworkPolicy, a controlled outbound proxy, or an equivalent network boundary. Do not expose the deployment over plaintext HTTP when real credentials are configured.
See SECURITY.md for deployment requirements and vulnerability reporting guidance.
.
├── apps/
│ ├── management-api/ # FastAPI deployment entrypoint
│ ├── scheduler/ # Celery Beat deployment entrypoint
│ ├── worker/ # Celery/Nuclei deployment entrypoint
│ └── web-ui/ # React and TypeScript operator interface
├── src/apidastard/ # Shared Python application and domain package
│ ├── api.py # Management HTTP API
│ ├── models.py # Persistent organization-scoped domain model
│ ├── tasks.py # Scheduled dispatch and scan execution tasks
│ ├── nuclei.py # Constrained Nuclei process adapter
│ └── nuclei_results.py # Result normalization and redaction boundary
├── migrations/ # Alembic database migrations
├── templates/profiles/ # Reviewed Nuclei template selections
├── deploy/containers/ # Backend, worker, UI images and reverse proxy
├── tests/
│ ├── unit/ # Parser, security, and normalization tests
│ └── integration/ # Complete management and scan lifecycle tests
├── compose.yaml
└── pyproject.toml
No /docs directory is required; operational and architecture guidance lives in this README and the root security/contribution files.
Backend requirements are Python 3.13 and a running Redis instance. PostgreSQL is recommended, while SQLite is supported for local tests.
python3 -m venv .venv
.venv/bin/pip install -e '.[dev]'
cp .env.example .env
make devRun the worker and scheduler in separate terminals:
.venv/bin/celery -A apidastard.celery_app:celery_app worker --loglevel=INFO
.venv/bin/celery -A apidastard.celery_app:celery_app beat --loglevel=INFOThe local worker also requires a compatible nuclei binary and a nuclei-templates checkout. Container development is the supported path when those are not installed.
Start the UI development server:
cd apps/web-ui
corepack pnpm install
corepack pnpm devThe Vite server listens on http://localhost:3000 and proxies API traffic to port 8000.
make lint
make test
make ui-buildThe integration suite uses a simulated Nuclei result so it is deterministic and never sends scan traffic. It verifies login, target registration, OpenAPI import, encrypted credential creation, scan queueing, finding ingestion, evidence redaction, report generation, scheduling, and audit events.
FastAPI exposes interactive management API documentation at http://localhost:8000/docs in a direct development deployment. In the Compose deployment the API is reached through the web service at /api/v1/....
This is a usable MVP, not feature parity with commercial DAST platforms:
- OpenAPI 3.0/3.1 is the only input format.
- OpenAPI external references are not fetched or resolved.
- Required operation values absent from the definition may cause Nuclei to skip those operations.
- There is one organization per initial deployment; the schema is organization-scoped but organization administration is not exposed yet.
- Local password authentication is implemented; OIDC/SAML and MFA are not.
- OAuth support is limited to client credentials.
- Policy creation is API-only in this release; the default safe policy is created automatically.
- Email, webhook, ticketing, CI quality gates, PDF/SARIF, retention automation, and external secret managers are not implemented.
- Worker egress allowlisting must be supplied by the deployment environment.
- Authorization and business-logic vulnerabilities often require multiple identities and application-specific state that generic Nuclei templates cannot infer.
The next high-value increments are OIDC login, external secret-manager references, CI/CD scan tokens and quality gates, notifications, worker pools with egress policies, richer policy editing, multiple authentication identities for authorization tests, SARIF/PDF exports, and organization administration.
API-DASTard is licensed under the Apache License 2.0. Nuclei and nuclei-templates are separate upstream projects distributed under their own licenses.