feat: complete APISecurityEngine implementation with MIT License

Author: GlitchOrb

.github/workflows/ci.yml

@@ -0,0 +1,38 @@
+name: CI
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+
+jobs:
+  test-and-lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v2
+        with:
+          version: "latest"
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Install dependencies
+        run: uv sync --all-extras --dev
+
+      - name: Run Ruff Linter
+        run: uv run ruff check .
+
+      - name: Run Ruff Formatter
+        run: uv run ruff format --check .
+
+      - name: Run Mypy
+        run: uv run mypy apisecurityengine/ tests/
+
+      - name: Run Pytest
+        run: uv run pytest tests/ --cov=apisecurityengine

.gitignore

@@ -0,0 +1,58 @@
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# uv
+uv.lock
+
+# Python
+__pycache__/
+*.py[cod]
+*$py.class
+*.so
+
+# Distribution / packaging
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# Pytest / Coverage
+.coverage
+.tox/
+.nox/
+.pytest_cache/
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+
+# IDEs
+.idea/
+.vscode/
+*.swp
+*.swo
+
+# Output reports
+reports/
+*.json
+*.sarif
+*.html

.pre-commit-config.yaml

@@ -0,0 +1,21 @@
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.5.0
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-yaml
+      - id: check-added-large-files
+
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    rev: v0.3.4
+    hooks:
+      - id: ruff
+        args: [ --fix ]
+      - id: ruff-format
+
+  - repo: https://github.com/pre-commit/mirrors-mypy
+    rev: v1.9.0
+    hooks:
+      - id: mypy
+        additional_dependencies: ["click", "rich"]

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 GlitchOrb
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,80 @@
+# APISecurityEngine
+> Built and Maintained by @GlitchOrb
+
+An API security testing automation tool that ingests OpenAPI/GraphQL/gRPC definitions, generates automated test plans, executes them with safety controls, and produces evidence-based reports mapped to OWASP API Top 10:2023.
+
+## Requirements
+- Python 3.12+
+- [uv](https://github.com/astral-sh/uv) (recommended) or pip
+
+## Installation & Setup
+
+Using `uv`:
+
+```bash
+# Clone the repository
+git clone https://github.com/GlitchOrb/APISecurityEngine.git
+cd APISecurityEngine
+
+# Install dependencies and sync environment
+uv sync
+
+# Run the CLI
+uv run ase --help
+```
+
+## Development
+
+```bash
+# Install pre-commit hooks
+uv run pre-commit install
+
+# Run tests
+uv run pytest
+
+# Type checking
+uv run mypy apisecurityengine/ tests/
+
+# Linting & Formatting
+uv run ruff check .
+uv run ruff format .
+```
+
+## CLI Usage
+
+```bash
+# Get help
+ase --help
+
+# Scan a target
+ase scan --target https://api.example.com --dry-run
+```
+
+[![Open in Cloud Shell](https://gstatic.com/cloudssh/images/open-btn.svg)](https://shell.cloud.google.com/cloudshell/editor?cloudshell_git_repo=https://github.com/GlitchOrb/APISecurityEngine.git&cloudshell_tutorial=cloudshell/tutorial.md&show=ide%2Cterminal&cloudshell_workspace=.)
+
+
+## Security Posture & Incident Patterns
+
+APISecurityEngine includes checks and guidance for common real-world API incident patterns, such as:
+- Authorization bypass patterns (BOLA/IDOR) and role boundary violations
+- Weak authentication and token handling pitfalls
+- Unrestricted resource consumption (rate limiting / cost amplification)
+- SSRF-style URL fetch misuse
+- Security misconfiguration signals (CORS/headers/debug endpoints)
+- Improper API inventory exposure and forgotten endpoints
+- Secrets hygiene: preventing API keys/tokens from leaking into source control
+
+> **Note:** APISecurityEngine is a testing and validation tool. It does not “patch” CVEs automatically; it helps identify risky patterns and provides recommended defenses.
+
+| OWASP API Top 10:2023 | Heuristic / Execution Check | CWE Relevance | Defense Snippet Guide |
+| --- | --- | --- | --- |
+| **API1: BOLA** | Cross-profile parameter swapping (`/users/{id}` vs Profile B) | [CWE-284](https://cwe.mitre.org/data/definitions/284.html) | [Object-Level Auth Defenses](docs/defenses/object_level_auth.md) |
+| **API2: Broken Auth** | Unauthenticated execution on routes mapping `requires_auth=True` | [CWE-306](https://cwe.mitre.org/data/definitions/306.html) | [Secrets Hygiene Scanners](docs/defenses/secrets_hygiene.md) |
+| **API3: BOPLA** | Permissive payload insertions (`"is_admin": true`) | [CWE-915](https://cwe.mitre.org/data/definitions/915.html) | Explicit DTO Serialization Models |
+| **API4: Resource Consumption** | Enumerating missing limits/page schemas on collections | [CWE-770](https://cwe.mitre.org/data/definitions/770.html) | Implement Upper bounds pagination |
+| **API5: BFLA** | Profile A executions against isolated admin/dashboard domains | [CWE-285](https://cwe.mitre.org/data/definitions/285.html) | [Function-Level Auth Guards](docs/defenses/function_level_auth.md) |
+| **API6: Sensitive Flows** | Tracing business heuristics (`checkout`, `transfer`) | [CWE-799](https://cwe.mitre.org/data/definitions/799.html) | [Rate Limits & Bot Defenses](docs/defenses/rate_limiting.md) |
+| **API7: SSRF** | Metadata IPs/Localhost pinging injected via URL query parameters | [CWE-918](https://cwe.mitre.org/data/definitions/918.html) | [SSRF & Rebinding Protections](docs/defenses/ssrf_protection.md) |
+| **API8: Misconfigurations** | Trace/OPTIONS header evaluations and CORS misalignments | [CWE-16](https://cwe.mitre.org/data/definitions/16.html) | Enforce Global Proxies Security Headers |
+| **API9: Improper Inventory** | Routing bypass attempts natively against version shifting (e.g. `/v2/`) | [CWE-1059](https://cwe.mitre.org/data/definitions/1059.html) | Deprecate and 404 old environments |
+| **API10: Unsafe Consumption** | Unprotected webhook validations mapping omitted signature parameters | [CWE-300](https://cwe.mitre.org/data/definitions/300.html) | Always demand HMAC Webhook Signatures |

apisecurityengine/__init__.py

@@ -0,0 +1,5 @@
+"""
+APISecurityEngine - Safe DAST automation for APIs.
+"""
+
+__version__ = "0.1.0"

apisecurityengine/ai/__init__.py

@@ -0,0 +1,3 @@
+"""
+AI modules for generating dynamic security scenarios.
+"""

apisecurityengine/ai/scenario_agent.py

@@ -0,0 +1,119 @@
+import json
+
+from apisecurityengine.models.scenario import ScenarioPlan
+from apisecurityengine.spec.endpoint_graph import EndpointGraph
+
+
+class ScenarioAgent:
+    """
+    Module for building and validating multi-step API security test scenarios.
+    Maintained by @GlitchOrb
+    """
+
+    PROMPT_TEMPLATE = """
+You are a senior API Security Engineer.
+Based on the following endpoint graph, generate a multi-step attack scenario to test for complex vulnerabilities (e.g., IDOR across different endpoints, state manipulation).
+
+GRAPH SUMMARY:
+{graph_summary}
+
+RULES:
+1. Return ONLY valid JSON matching the exact schema below.
+2. DO NOT include explanations outside the JSON (no markdown fences, just pure JSON).
+3. Steps modifying state (POST, PUT, PATCH, DELETE) MUST have "is_destructive": true.
+4. Paths must be relative and MUST strictly start with "/".
+5. Use recognizable HTTP methods (e.g., GET, POST, DELETE).
+
+REQUIRED JSON SCHEMA:
+{{
+  "name": "string",
+  "description": "string",
+  "steps": [
+    {{
+      "id": "string",
+      "description": "string",
+      "request": {{
+        "method": "string",
+        "path": "string",
+        "headers": {{"string": "string"}},
+        "body": "string | null"
+      }},
+      "is_destructive": boolean
+    }}
+  ],
+  "expected_signals": ["string"],
+  "stop_conditions": ["string"]
+}}
+"""
+
+    @staticmethod
+    def build_prompt(graph: EndpointGraph) -> str:
+        """Create the prompt injected with the endpoint graph context."""
+        summary_lines = []
+        for e in graph.endpoints:
+            params = [p.get("name") for p in e.parameters if p.get("name")]
+            summary_lines.append(f"- {e.method} {e.path} (params: {', '.join(params)})")  # type: ignore
+        graph_summary = "\n".join(summary_lines)
+        return ScenarioAgent.PROMPT_TEMPLATE.format(graph_summary=graph_summary)
+
+    @staticmethod
+    def parse_and_validate(json_str: str) -> ScenarioPlan:
+        """Parses the generator output and executes a deterministic safety validation sequence."""
+        data = json.loads(json_str.strip())
+        plan = ScenarioPlan(**data)
+
+        # Safety Validations
+        for step in plan.steps:
+            method = step.request.method.upper()
+
+            # Method Check
+            if method not in ["GET", "OPTIONS", "HEAD", "TRACE", "POST", "PUT", "PATCH", "DELETE"]:
+                raise ValueError(f"Step '{step.id}' uses an unrecognized method: {method}")
+
+            # Safety Flag Check (Mutative actions must be marked)
+            is_mutative = method in ["POST", "PUT", "PATCH", "DELETE"]
+            if is_mutative and not step.is_destructive:
+                raise ValueError(
+                    f"Step '{step.id}' uses mutative method {method} but 'is_destructive' is False. "
+                    "All mutative operations must explicitly be marked destructive."
+                )
+
+            # Routing Check (Ensure relative routing bounding)
+            if not step.request.path.startswith("/"):
+                raise ValueError(
+                    f"Step '{step.id}' has an invalid path '{step.request.path}'. "
+                    "Paths must be absolute relative to the target base_url (starting with '/')."
+                )
+
+        return plan
+
+    @staticmethod
+    def generate_mock_response(graph: EndpointGraph) -> str:
+        """A deterministic mock payload mimicking a generator output matching the constraints."""
+        return json.dumps(
+            {
+                "name": "BOLA Sequence Test",
+                "description": "Creates an object with Profile A, attempts to fetch it with Profile B.",
+                "steps": [
+                    {
+                        "id": "step_1",
+                        "description": "Create object",
+                        "request": {
+                            "method": "POST",
+                            "path": "/users",
+                            "headers": {"Content-Type": "application/json"},
+                            "body": '{"name": "test"}',
+                        },
+                        "is_destructive": True,
+                    },
+                    {
+                        "id": "step_2",
+                        "description": "Fetch object",
+                        "request": {"method": "GET", "path": "/users/123", "headers": {}},
+                        "is_destructive": False,
+                    },
+                ],
+                "expected_signals": ["201 Created on step_1", "403 Forbidden on step_2"],
+                "stop_conditions": ["Failed to create object in step_1"],
+            }
+        )

apisecurityengine/checks/__init__.py

@@ -0,0 +1,26 @@
+"""
+Security checks mapped to OWASP API Security Top 10:2023.
+"""
+
+from abc import ABC, abstractmethod
+from collections.abc import AsyncGenerator
+
+from apisecurityengine.models.schemas import Finding, TargetConfig
+from apisecurityengine.runtime.http_runtime import HTTPRuntime
+from apisecurityengine.spec.endpoint_graph import EndpointGraph, EndpointNode
+
+
+class BaseCheck(ABC):
+    """Abstract base class for all vulnerability checks."""
+
+    @abstractmethod
+    async def execute(
+        self,
+        target_config: TargetConfig,
+        runtime: HTTPRuntime,
+        graph: EndpointGraph,
+        auth_profiles: dict[str, dict[str, str]],
+    ) -> AsyncGenerator[Finding, None]:
+        """Execute the check and yield findings."""
+        if False:
+            yield NotImplemented