Our great sponsors
-
cherrybomb
Stop half-done APIs! Cherrybomb is a CLI tool that helps you avoid undefined user behaviour by auditing your API specifications, validating them and running API security tests.
-
WorkOS
The modern identity platform for B2B SaaS. The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning.
After leaving that company, I had the desire to build something like this open source. With some colleagues, we started an open source project that would scan for secrets upon push, attempt to verify if they are valid, and then leave a comment in the code about why they should not do that. It's in a nascent stage, but it works for github access tokens and is close to working for RSA private keys (just need to verify them being valid: TruffleHog has an API for that, which was release in version 3 of their tool). Unfortunately, have not worked on it for several months due to too much chaos in my life at the moment!
We already work alot with Swagger spec files, my colleague found this repo: https://github.com/blst-security/cherrybomb