ApiPosturePro 1.0.26
dotnet tool install --global ApiPosturePro --version 1.0.26
dotnet new tool-manifest
dotnet tool install --local ApiPosturePro --version 1.0.26
#tool dotnet:?package=ApiPosturePro&version=1.0.26
nuke :add-package ApiPosturePro --version 1.0.26
ApiPosture Pro
Professional security extension for ASP.NET Core API security scanning
Extends the open-source ApiPosture CLI with advanced security rules, secrets detection, diff mode, historical tracking, and risk scoring.
π 100% Local Analysis - Your code never leaves your machine. All scanning is performed locally on your computer or CI/CD runner.
Features
Free Rules (AP001-AP008)
Included automatically β public endpoint detection, missing auth, authorization conflicts, sensitive route keywords, and more.
Pro Rules β OWASP Top 10 (AP101-AP108)
| ID | Name | Severity | What it detects |
|---|---|---|---|
| AP101 | Broken Access Control | Critical | Missing [Authorize], IDOR, database writes without auth, GETβdestructive ops |
| AP102 | Cryptographic Failures | High | Weak hashing (MD5/SHA1), hardcoded crypto keys, sensitive data logging |
| AP103 | Injection Vulnerabilities | Critical | ExecuteSqlRaw with interpolation, BinaryFormatter, Process.Start, XSS in Razor |
| AP104 | Insecure Design | High | Missing CSRF tokens, missing ModelState.IsValid, missing rate limiting |
| AP105 | Security Misconfiguration | Medium | XXE, permissive CORS, UseDeveloperExceptionPage unguarded, missing HTTPS/HSTS, Swagger in prod |
| AP106 | Vulnerable Components | Medium | Legacy API patterns, deprecated frameworks, .NET below 8.0 |
| AP107 | Authentication Failures | High | Missing audit logging on DELETE, plaintext password comparison |
| AP108 | SSRF Vulnerabilities | High | HttpClient/WebClient with user input, Uri construction from variables |
Pro Rules β Secrets & File-Level
| ID | Name | Severity |
|---|---|---|
| AP201 | Secrets in Code (30+ patterns: AWS, Azure, GCP, GitHub, Stripe, JWT, DB strings) | Critical |
| File | Startup.cs / Program.cs misconfiguration | High |
| File | Razor views (@Html.Raw() XSS) |
High |
| File | appsettings.json (AllowedHosts: *) |
Medium |
| File | .csproj (end-of-life .NET below 8.0) | Medium |
Additional Pro Features
- Risk Scoring β severity 40%, exposure 25%, sensitivity 25%, density 10%
- Diff Mode β compare baseline vs current scan
- History Tracking β SQLite-backed scan history with trends
Installation
# Install Pro CLI
dotnet tool install --global ApiPosturePro
# Activate your license
apiposture-pro activate XXXX-XXXX-XXXX-XXXX
# Verify activation
apiposture-pro status
CI/CD: set license via environment variable
export APIPOSTURE_LICENSE_KEY=<your-jwt-token>
Usage
Scan
apiposture-pro scan /path/to/your/api
apiposture-pro scan . --output json --output-file report.json
apiposture-pro scan . --output markdown --output-file report.md
apiposture-pro scan . --output html --output-file report.html
apiposture-pro scan . --fail-on high
apiposture-pro scan . --severity medium
Diff Mode
apiposture-pro scan . --output json --output-file baseline.json
# ... make changes ...
apiposture-pro scan . --output json --output-file current.json
apiposture-pro diff baseline.json current.json
History
apiposture-pro history list
apiposture-pro history trend -p /path/to/api
apiposture-pro history show <scan-id>
License
apiposture-pro status
apiposture-pro deactivate
apiposture-pro deactivate --yes
Enterprise
Enterprise features require an Enterprise license.
Compliance Reports
Generate SOC 2 / ISO 27001 compliance reports mapped to your scan findings:
apiposture-pro compliance report . --framework soc2 --output both
apiposture-pro compliance report . --framework iso27001 --output pdf --operator "Acme Corp"
apiposture-pro compliance report . --framework all --output both
Compliance Score in Scan
apiposture-pro scan . --comp-framework soc2
apiposture-pro scan . --comp-framework iso27001
Starter Kits
apiposture-pro compliance starter-kit soc2 ./compliance/
apiposture-pro compliance starter-kit iso27001 ./compliance/
Generates: .apiposture-policy.json, sample-report.html, github-actions/apiposture-pr-gate.yml, github-actions/apiposture-weekly-report.yml, README.md.
Policy Enforcement
Place .apiposture-policy.json in your project root β the scanner reads it automatically:
{
"zero_tolerance": ["AP201", "AP101"],
"warn": ["AP103", "AP104"]
}
Operator Attribution
apiposture-pro scan . --operator "Security Team"
Audit Trail Export
apiposture-pro history export --format json
apiposture-pro history export --format pdf --output-file audit-export.pdf
apiposture-pro history export --scan-id 42 --format pdf --output-file audit-42.pdf
Integrity Verification
apiposture-pro verify
apiposture-pro verify --scan-id 42
CI/CD Integration
GitHub Actions
name: Security Scan
on: [push, pull_request]
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- run: dotnet tool install --global ApiPosturePro
- run: apiposture-pro scan . --output json --output-file results.json
env:
APIPOSTURE_LICENSE_KEY: ${{ secrets.APIPOSTURE_LICENSE_KEY }}
- uses: actions/upload-artifact@v4
with:
name: security-scan-results
path: results.json
Azure DevOps
steps:
- task: DotNetCoreCLI@2
displayName: 'Install ApiPosture Pro'
inputs:
command: 'custom'
custom: 'tool'
arguments: 'install --global ApiPosturePro'
- script: apiposture-pro scan . --output json --output-file $(Build.ArtifactStagingDirectory)/results.json
env:
APIPOSTURE_LICENSE_KEY: $(ApiPostureLicenseKey)
GitLab CI
security_scan:
script:
- dotnet tool install --global ApiPosturePro
- apiposture-pro scan . --output json --output-file results.json
variables:
APIPOSTURE_LICENSE_KEY: $APIPOSTURE_LICENSE_KEY
artifacts:
paths:
- results.json
Privacy
All analysis is performed 100% locally. No code, findings, or project data is uploaded to external servers. Only the license key is sent to api.apiposture.com during activation/validation. SQLite history is stored at ~/.apiposture/history.db.
License Tiers
| Feature | Pro | Enterprise |
|---|---|---|
| Free rules (AP001-AP008) | β | β |
| OWASP rules (AP101-AP108) | β | β |
| Secrets detection (AP201) | β | β |
| File-level scanning | β | β |
| Diff mode | β | β |
| Historical tracking | β | β |
| Risk scoring | β | β |
| Compliance reports (SOC 2 / ISO 27001) | β | β |
| Compliance score + trend | β | β |
| Starter kits | β | β |
| Policy enforcement | β | β |
| Audit trail export | β | β |
| Operator attribution | β | β |
| Integrity verification | β | β |
Links
- Free ApiPosture CLI: GitHub | NuGet
- ApiPosture Pro: NuGet
- Documentation: https://docs.apiposture.com
- Support: support@apiposture.com
Changelog
1.1.0
- Enterprise tier: compliance reports (SOC 2 / ISO 27001), compliance score, starter kits, policy enforcement, audit trail export, operator attribution, integrity verification
1.0.10 (2025-02-09)
- AP101: detect GET endpoints performing destructive database operations
- AP105: detect Swagger/OpenAPI exposed without environment guard,
AllowedHosts: *,UseAuthorization()withoutAddAuthentication() - AP106: detect end-of-life .NET framework versions (below .NET 8.0)
1.0.7 (2025-02-07)
- Source code analysis engine: rules now inspect method bodies
- File-level scanning for Startup.cs, Program.cs, Razor views, all C# files
1.0.0 (2025-01-15)
- Initial release
Copyright Β© 2025 ApiPosture. All rights reserved. | License Terms
| Product | Versions Compatible and additional computed target framework versions. |
|---|---|
| .NET | net8.0 is compatible. net8.0-android was computed. net8.0-browser was computed. net8.0-ios was computed. net8.0-maccatalyst was computed. net8.0-macos was computed. net8.0-tvos was computed. net8.0-windows was computed. net9.0 is compatible. net9.0-android was computed. net9.0-browser was computed. net9.0-ios was computed. net9.0-maccatalyst was computed. net9.0-macos was computed. net9.0-tvos was computed. net9.0-windows was computed. net10.0 is compatible. net10.0-android was computed. net10.0-browser was computed. net10.0-ios was computed. net10.0-maccatalyst was computed. net10.0-macos was computed. net10.0-tvos was computed. net10.0-windows was computed. |
This package has no dependencies.
| Version | Downloads | Last Updated |
|---|---|---|
| 1.0.26 | 129 | 5/25/2026 |
| 1.0.25 | 132 | 4/23/2026 |
| 1.0.24 | 148 | 4/2/2026 |
| 1.0.23 | 115 | 4/2/2026 |
| 1.0.21 | 125 | 3/31/2026 |
| 1.0.20 | 140 | 3/13/2026 |
| 1.0.19 | 115 | 3/13/2026 |
| 1.0.18 | 119 | 3/4/2026 |
| 1.0.17 | 127 | 3/4/2026 |
| 1.0.16 | 133 | 2/25/2026 |
| 1.0.14 | 135 | 2/10/2026 |
| 1.0.13 | 130 | 2/10/2026 |
| 1.0.12 | 135 | 2/10/2026 |
| 1.0.11 | 120 | 2/10/2026 |
| 1.0.10 | 127 | 2/9/2026 |
| 1.0.9 | 121 | 2/8/2026 |
| 1.0.8 | 130 | 2/7/2026 |
| 1.0.6 | 144 | 2/7/2026 |
| 1.0.5 | 130 | 2/7/2026 |
| 1.0.4 | 140 | 2/7/2026 |