GraphQL API Security Scanners

This project is a comprehensive, community-sourced knowledge base designed for security professionals and researchers. It functions as a centralized repository of offensive security techniques, providing a structured collection of exploit payloads, attack vectors, and methodologies for conducting vulnerability assessments and penetration testing. The repository distinguishes itself through a cross-platform payload taxonomy that categorizes exploitation methods by vulnerability type and target environment, enabling rapid lookup during security assessments. It maintains high standards of data integrity and collaborative growth by utilizing version-controlled knowledge management and template-driven content generation, ensuring that the research remains current and consistent across a wide range of technical domains. The project covers a broad capability surface, including detailed references for web application security, database injection, insecure deserialization, and AI model security testing. It also aggregates external resources, such as research papers and third-party tools, to provide a holistic view of modern threat analysis and defensive research. The documentation is organized as a hierarchical tree of markdown files, designed for easy navigation and reference during active security engagements.

This project is an automated security testing suite designed to detect and exploit database vulnerabilities. It functions as a command-line utility that streamlines the identification, verification, and exploitation of web application flaws by automating the injection of malicious payloads into input parameters. The tool provides a comprehensive framework for database enumeration, allowing users to extract schema information, user data, and system configurations from identified injection points. What distinguishes this tool is its sophisticated engine for dynamic payload adaptation and heuristic fingerprinting, which adjusts injection techniques in real-time based on server responses. It supports advanced post-exploitation capabilities, including remote command execution on the underlying host operating system and file system access through database-level vulnerabilities. To navigate restricted environments, the software incorporates out-of-band data exfiltration channels and a middleware pipeline for applying user-defined transformations to bypass security filters and web application firewalls. The suite covers a broad range of operational requirements, including stateful session management, anti-CSRF token handling, and extensive request customization. It supports various target specification methods, such as proxy log analysis and remote API management, while offering granular control over scan performance and detection thresholds. The software is distributed as a command-line application, with configuration management supported through external file loading and command-line arguments.

The OWASP Cheat Sheet Series is a comprehensive, community-driven repository of concise security best practices and defensive coding patterns. It serves as a centralized knowledge base for developers and security professionals, providing actionable guidance to secure applications across the entire software development lifecycle. The project covers a vast array of security domains, ranging from fundamental web application hardening and authentication protocols to specialized controls for modern infrastructure and artificial intelligence systems. What distinguishes this project is its decentralized, collaborative editorial process. By utilizing a version-controlled, markdown-based workflow, the series ensures that security guidance remains vendor-neutral, peer-reviewed, and universally accessible. This structure allows the community to rapidly evolve and maintain technical documentation, ensuring that defensive strategies keep pace with emerging threats and shifting technology stacks. The project provides extensive coverage of critical security areas, including robust input validation, access control enforcement, and supply chain risk management. It offers detailed implementation guides for securing cloud-native architectures, containerized environments, and various language-specific frameworks. Furthermore, the series addresses advanced topics such as artificial intelligence agent safety, prompt injection prevention, and zero-trust architectural principles. The documentation is maintained as an open-source repository, with content transformed into a navigable web format through automated static site generation.

Hoppscotch is an open-source API development ecosystem designed for building, testing, and debugging REST, GraphQL, and real-time APIs. It provides a unified platform that functions across web browsers, desktop applications, and command-line interfaces, allowing developers to manage the entire API lifecycle from a single environment. The platform distinguishes itself through a highly interactive, command-driven interface that utilizes a global spotlight palette and keyboard shortcuts to streamline complex workflows. It supports advanced request manipulation and validation by executing JavaScript-based scripts and assertions within a sandboxed runtime. Furthermore, it integrates AI-assisted tools to automate the generation of request payloads, test scripts, and documentation, while maintaining compatibility with existing API definitions and collections from other formats. Beyond core testing capabilities, the project offers a collaborative workspace for teams to organize, share, and synchronize API collections and environment variables. It includes robust support for diverse authorization methods, proxy interception for network requests, and enterprise-grade features such as SCIM user provisioning and activity auditing. The software is available for self-hosted deployment via containerized architectures, ensuring consistent behavior across various production and development environments.

Awesome GraphQL is a curated directory and resource collection for the GraphQL ecosystem. It serves as a central index for developers to discover libraries, tools, and specifications required for building, testing, and managing data layer implementations across various programming languages. The repository provides access to a comprehensive range of utilities that support the entire GraphQL lifecycle. This includes resources for server-side API development, client-side integration, and schema management. It also highlights tools for security enforcement, such as rate limiting and input validation, as well as diagnostic utilities for API validation, performance testing, and schema visualization.

This project is a standardized repository of malicious and malformed character sequences designed to stress-test data parsing and sanitization routines. It serves as a security testing corpus and a language-neutral reference for auditing software robustness against injection flaws and unexpected data handling errors across diverse platforms. The dataset functions as a benchmark for input validation, providing a curated collection of edge-case strings that allow developers to identify potential crashes and security vulnerabilities. By decoupling these test vectors from application logic, the repository enables modular security auditing and automated quality assurance without requiring modifications to the underlying system. The collection covers a broad range of testing requirements, including database query hardening, software input fuzzing, and general input validation testing. The data is provided in multiple standard formats to ensure compatibility with various programming languages and automated testing pipelines.

Gitleaks is a security scanning engine designed to identify hardcoded credentials, API keys, and other sensitive information within version control systems and local file structures. It functions as a static analysis tool that automates the detection of secrets, helping to prevent the accidental exposure of sensitive data during the development lifecycle. The tool distinguishes itself through its ability to perform deep forensic analysis of git history, allowing users to audit entire project timelines or enforce security gates within continuous integration pipelines. It supports complex detection logic through composite rules and provides mechanisms for baseline management, which enables teams to ignore existing findings and focus exclusively on new security risks. By offering pre-commit hook integration and exit-code-based orchestration, it allows for the enforcement of security policies directly within developer workflows and automated build environments. Beyond core scanning, the project provides a broad set of utilities for managing security findings, including support for decoding obfuscated strings, inspecting compressed archives, and filtering results through allowlisting or path exclusions. It facilitates compliance and reporting by exporting structured data, which can be integrated into external dashboards or tracking systems. The tool is built to handle various input sources, including direct file system traversal and standard input streams, ensuring compatibility with diverse development and deployment environments.

This project is a NestJS testing boilerplate and reference implementation. It provides a structured monorepo workspace designed to demonstrate various architectural and testing patterns for NestJS applications. The project features a dockerized test environment and an integration testing framework. It includes a dedicated GraphQL API test suite to validate graph-based endpoints and schemas for queries and mutations. The suite covers a layered testing hierarchy consisting of unit, integration, and end-to-end tests. These capabilities extend across the application and data layers, including database store verification and the validation of diverse communication patterns. The workspace incorporates build and test result caching and compiler-level file exclusion to optimize development cycles.

Lighthouse is an automated diagnostic tool that evaluates web pages against industry standards for performance, accessibility, and search engine optimization. It functions as a programmatic analysis engine and a command-line utility, allowing developers to integrate comprehensive web quality checks directly into continuous integration pipelines and local development workflows. The project distinguishes itself through a modular architecture that utilizes artifact-based data collection to ensure consistent analysis across different environments. It supports a headless execution mode for automated testing and provides a plugin-driven framework, enabling developers to register custom audit logic and specialized reporting categories to meet unique project requirements. Beyond its core auditing capabilities, the tool detects underlying web frameworks and content management systems to provide tailored optimization recommendations. It generates structured, machine-readable reports and offers multiple interfaces, including a browser-integrated panel and a dedicated extension, to facilitate real-time feedback during the development process.

This project is a web application security standard and vulnerability framework. It provides a comprehensive list of the most critical security risks facing web applications, paired with technical guidance and a structured methodology for identifying and mitigating these flaws. The framework functions as a secure coding guide and a risk assessment methodology, offering a standardized approach to prioritizing vulnerabilities based on their potential impact and likelihood of exploitation. It defines architectural patterns and technical recommendations to help developers implement defense in depth across the entire software lifecycle. The project covers a broad surface of security capabilities, including identity and access management, API security hardening, and software supply chain security. It also provides guidance on secure software development, security compliance auditing, and the integration of threat modeling and code reviews into the development process.

This project is a static analysis tool and linter designed to improve the quality, reliability, and portability of shell scripts. By performing deep structural analysis, it identifies common programming pitfalls, syntax errors, and security vulnerabilities before scripts are executed. It functions as an automated code reviewer that enforces best practices and helps developers maintain consistent, robust code across different operating environments. The tool distinguishes itself through its dialect-aware grammar resolution, which adapts its parsing logic based on the specific shell interpreter detected. It utilizes a sophisticated engine that constructs an abstract syntax tree to evaluate logic, quoting, and portability concerns. Developers can exert granular control over the analysis process by using inline directives to suppress specific warnings or configure how the tool resolves external source files. The project covers a comprehensive surface of diagnostic capabilities, ranging from fundamental syntax validation to complex logic checks. It provides guidance on idiomatic script construction, including safe file handling, efficient arithmetic operations, and proper command substitution. These features collectively ensure that scripts adhere to POSIX standards and remain compatible across various shell implementations. The tool is distributed as a command-line utility, allowing for integration into development workflows to provide immediate feedback on script integrity.

gosec is a static analysis security tool designed to scan Go source code for vulnerabilities and common coding flaws. It functions as a security analyzer that inspects the abstract syntax tree to identify insecure function calls, API usage, and potential security risks. The tool distinguishes itself by mapping detected vulnerabilities to Common Weakness Enumeration identifiers for standardized reporting and integrating with external AI models to suggest code fixes for identified issues. Its capabilities cover the detection of injection vulnerabilities, hardcoded credentials, weak cryptographic implementations, and insecure network or filesystem configurations. The engine also provides mechanisms for vulnerability management, including the ability to define custom security rules, enforce import blocklists, and suppress false positives using inline code annotations. Analysis results can be exported in multiple machine-readable formats to integrate with reporting tools and security workflows.

Trufflehog is a security tool designed to continuously monitor code repositories and cloud environments to detect, verify, and remediate exposed sensitive credentials and API keys. It functions as a comprehensive secret scanning engine that integrates directly into deployment pipelines and version control systems to intercept sensitive data before it is committed or pushed. By utilizing read-only operations and volatile memory processing, the system ensures that discovered credentials are never stored persistently, maintaining strict data privacy throughout the scanning lifecycle. The platform distinguishes itself through a privacy-focused architecture that relies on cryptographic fingerprinting to track and deduplicate findings without ever transmitting or storing raw sensitive values. It supports distributed scanning via independent agents that connect to a central dashboard, allowing for localized analysis while maintaining network isolation. Furthermore, the system provides automated incident response capabilities, including secret rotation and revocation, which help organizations minimize the window of vulnerability for compromised credentials. Beyond core detection, the project offers a broad capability surface for enterprise-wide access governance and security compliance. It includes modular detection logic for custom rule definitions, integration with external identity providers for role-based access control, and extensive monitoring across cloud storage, container infrastructure, and collaboration platforms. The system also provides detailed metadata tracing to link findings to specific users, pipelines, or commits, facilitating efficient remediation and auditability across large-scale development environments.

Bearer is a static analysis security testing tool and privacy compliance auditor. It identifies security vulnerabilities, hard-coded secrets, and privacy risks in source code through static analysis and data flow tracing. The tool distinguishes itself by tracking the movement of sensitive data through code to identify leaks and by mapping personal and health-related information flows to generate evidence for privacy impact assessments. It also provides differential scanning for pull requests and uses fingerprint-based suppression to exclude known false positives from reports. The platform covers a broad range of security domains, including injection flaws, cross-site scripting, weak cryptography, and insecure network configurations. It further includes capabilities for secrets detection and the generation of structured security and privacy compliance reports. Integration is supported via a pipeline scanner that manages process exit codes for CI/CD automation.

This project is a comprehensive web application penetration testing guide and vulnerability research framework. It provides a structured methodology for identifying and exploiting security flaws through a phased approach involving reconnaissance, analysis, and exploitation. The resource is distinguished by its use of a curated methodology framework that links theoretical vulnerability patterns to real-world bug bounty reports and historical exploit examples. It includes a payload-based testing library and a reference system that maps specific vulnerability categories to recommended third-party security tools. The guide covers a broad spectrum of security analysis, including attack surface mapping, authentication and session auditing, and infrastructure configuration reviews. It provides detailed procedures for identifying common vulnerabilities such as injection flaws, broken access control, business logic gaps, and token-based security issues. The project is organized as a collection of manuals and checklists, including a web security audit checklist and a dedicated API security testing manual.

Trivy is a comprehensive security scanner designed to identify vulnerabilities and misconfigurations across container images, filesystems, and infrastructure as code files. It functions as a software composition analysis tool and an infrastructure security scanner, providing automated checks for CI/CD pipelines and cloud environments to ensure the integrity of the software supply chain. The tool distinguishes itself through a modular, plugin-based architecture that allows for the independent inspection of diverse targets. It utilizes a declarative policy engine to evaluate configurations against compliance standards and relies on a remote, periodically updated vulnerability database to maintain current detection logic without requiring binary updates. By employing static analysis pattern matching, it maps disparate scan results into a unified output schema for consistent reporting. Beyond its core scanning capabilities, the project supports cloud infrastructure auditing and deep inspection of local and remote environments. It is distributed as a single cross-platform executable, and comprehensive configuration and usage details are available in the project's official user guide.

Astra is a security analysis system and scanner designed to identify vulnerabilities and security flaws in REST API endpoints. It functions as a security testing tool that automatically detects common API weaknesses during development and deployment cycles. The project provides a graphical interface for triggering and monitoring security scanning processes, removing the requirement for manual command line execution. This management UI allows for the oversight of scanning workflows and the retrieval of vulnerability reports. The system supports the import of collection files to map endpoints and execute targeted security test suites. Its capabilities include automated vulnerability detection and mapping, as well as integration into DevSecOps pipelines.

This project is a static analysis engine designed to identify patterns, enforce coding standards, and automate code quality improvements in software projects. By parsing source code into structured abstract syntax trees, it enables deep programmatic inspection and the automated remediation of identified programming issues. The engine functions as a pluggable linting framework, allowing developers to extend its core capabilities through a modular architecture. Users can inject custom rules, parsers, and processors to support non-standard file formats or domain-specific logic. This extensibility is supported by a multi-stage pipeline that handles everything from initial parsing to the generation of automated code fixes. Configuration is managed through a hierarchical system that resolves settings across project directory structures, allowing for consistent rule enforcement and file exclusion patterns. The tool integrates into development workflows via a command-line interface or a programmatic API, which supports both file-based analysis and raw string processing. Performance is optimized through file-system-aware caching, which ensures that only modified files are re-analyzed during execution.

Payload is a headless content management system and application framework that uses a code-first approach to define data schemas and administrative interfaces. By utilizing a centralized, type-safe configuration object, it automatically generates database schemas, API endpoints, and a fully customizable admin panel. The system is built on a database-agnostic architecture, allowing it to interface with various storage engines while providing a unified, type-safe API for server-side operations, REST, and GraphQL. What distinguishes Payload is its deep extensibility and developer-centric design. It allows for the injection of custom React components, views, and widgets directly into the administrative interface, enabling tailored content-authoring workflows. The platform features a robust hook-based lifecycle system for executing custom logic, a comprehensive access control framework for granular field-level security, and a plugin-based architecture that supports complex features like ecommerce, multi-tenancy, and background job processing. The system provides a broad capability surface, including built-in support for versioned document state management, internationalization, and automated database migrations. It also includes a rich text editor framework that supports custom blocks and markdown conversion, alongside tools for live content previews and media management with various cloud storage adapters. Payload is designed for TypeScript-native development, automatically generating interfaces from the database schema to ensure type safety across the entire project. The system is configured through a single, fully-typed JavaScript object, and it supports deployment in production environments with features like database-less builds and security hardening.