ApiPosturePro 1.0.26

dotnet tool install --global ApiPosturePro --version 1.0.26
                    
This package contains a .NET tool you can call from the shell/command line.
dotnet new tool-manifest
                    
if you are setting up this repo
dotnet tool install --local ApiPosturePro --version 1.0.26
                    
This package contains a .NET tool you can call from the shell/command line.
#tool dotnet:?package=ApiPosturePro&version=1.0.26
                    
nuke :add-package ApiPosturePro --version 1.0.26
                    

ApiPosture Pro

Professional security extension for ASP.NET Core API security scanning

Extends the open-source ApiPosture CLI with advanced security rules, secrets detection, diff mode, historical tracking, and risk scoring.

πŸ”’ 100% Local Analysis - Your code never leaves your machine. All scanning is performed locally on your computer or CI/CD runner.

Features

Free Rules (AP001-AP008)

Included automatically β€” public endpoint detection, missing auth, authorization conflicts, sensitive route keywords, and more.

Pro Rules β€” OWASP Top 10 (AP101-AP108)

ID Name Severity What it detects
AP101 Broken Access Control Critical Missing [Authorize], IDOR, database writes without auth, GET→destructive ops
AP102 Cryptographic Failures High Weak hashing (MD5/SHA1), hardcoded crypto keys, sensitive data logging
AP103 Injection Vulnerabilities Critical ExecuteSqlRaw with interpolation, BinaryFormatter, Process.Start, XSS in Razor
AP104 Insecure Design High Missing CSRF tokens, missing ModelState.IsValid, missing rate limiting
AP105 Security Misconfiguration Medium XXE, permissive CORS, UseDeveloperExceptionPage unguarded, missing HTTPS/HSTS, Swagger in prod
AP106 Vulnerable Components Medium Legacy API patterns, deprecated frameworks, .NET below 8.0
AP107 Authentication Failures High Missing audit logging on DELETE, plaintext password comparison
AP108 SSRF Vulnerabilities High HttpClient/WebClient with user input, Uri construction from variables

Pro Rules β€” Secrets & File-Level

ID Name Severity
AP201 Secrets in Code (30+ patterns: AWS, Azure, GCP, GitHub, Stripe, JWT, DB strings) Critical
File Startup.cs / Program.cs misconfiguration High
File Razor views (@Html.Raw() XSS) High
File appsettings.json (AllowedHosts: *) Medium
File .csproj (end-of-life .NET below 8.0) Medium

Additional Pro Features

  • Risk Scoring β€” severity 40%, exposure 25%, sensitivity 25%, density 10%
  • Diff Mode β€” compare baseline vs current scan
  • History Tracking β€” SQLite-backed scan history with trends

Installation

# Install Pro CLI
dotnet tool install --global ApiPosturePro

# Activate your license
apiposture-pro activate XXXX-XXXX-XXXX-XXXX

# Verify activation
apiposture-pro status

CI/CD: set license via environment variable

export APIPOSTURE_LICENSE_KEY=<your-jwt-token>

Usage

Scan

apiposture-pro scan /path/to/your/api
apiposture-pro scan . --output json --output-file report.json
apiposture-pro scan . --output markdown --output-file report.md
apiposture-pro scan . --output html --output-file report.html
apiposture-pro scan . --fail-on high
apiposture-pro scan . --severity medium

Diff Mode

apiposture-pro scan . --output json --output-file baseline.json
# ... make changes ...
apiposture-pro scan . --output json --output-file current.json
apiposture-pro diff baseline.json current.json

History

apiposture-pro history list
apiposture-pro history trend -p /path/to/api
apiposture-pro history show <scan-id>

License

apiposture-pro status
apiposture-pro deactivate
apiposture-pro deactivate --yes

Enterprise

Enterprise features require an Enterprise license.

Compliance Reports

Generate SOC 2 / ISO 27001 compliance reports mapped to your scan findings:

apiposture-pro compliance report . --framework soc2 --output both
apiposture-pro compliance report . --framework iso27001 --output pdf --operator "Acme Corp"
apiposture-pro compliance report . --framework all --output both

Compliance Score in Scan

apiposture-pro scan . --comp-framework soc2
apiposture-pro scan . --comp-framework iso27001

Starter Kits

apiposture-pro compliance starter-kit soc2 ./compliance/
apiposture-pro compliance starter-kit iso27001 ./compliance/

Generates: .apiposture-policy.json, sample-report.html, github-actions/apiposture-pr-gate.yml, github-actions/apiposture-weekly-report.yml, README.md.

Policy Enforcement

Place .apiposture-policy.json in your project root β€” the scanner reads it automatically:

{
  "zero_tolerance": ["AP201", "AP101"],
  "warn": ["AP103", "AP104"]
}

Operator Attribution

apiposture-pro scan . --operator "Security Team"

Audit Trail Export

apiposture-pro history export --format json
apiposture-pro history export --format pdf --output-file audit-export.pdf
apiposture-pro history export --scan-id 42 --format pdf --output-file audit-42.pdf

Integrity Verification

apiposture-pro verify
apiposture-pro verify --scan-id 42

CI/CD Integration

GitHub Actions

name: Security Scan
on: [push, pull_request]
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: dotnet tool install --global ApiPosturePro
      - run: apiposture-pro scan . --output json --output-file results.json
        env:
          APIPOSTURE_LICENSE_KEY: ${{ secrets.APIPOSTURE_LICENSE_KEY }}
      - uses: actions/upload-artifact@v4
        with:
          name: security-scan-results
          path: results.json

Azure DevOps

steps:
  - task: DotNetCoreCLI@2
    displayName: 'Install ApiPosture Pro'
    inputs:
      command: 'custom'
      custom: 'tool'
      arguments: 'install --global ApiPosturePro'
  - script: apiposture-pro scan . --output json --output-file $(Build.ArtifactStagingDirectory)/results.json
    env:
      APIPOSTURE_LICENSE_KEY: $(ApiPostureLicenseKey)

GitLab CI

security_scan:
  script:
    - dotnet tool install --global ApiPosturePro
    - apiposture-pro scan . --output json --output-file results.json
  variables:
    APIPOSTURE_LICENSE_KEY: $APIPOSTURE_LICENSE_KEY
  artifacts:
    paths:
      - results.json

Privacy

All analysis is performed 100% locally. No code, findings, or project data is uploaded to external servers. Only the license key is sent to api.apiposture.com during activation/validation. SQLite history is stored at ~/.apiposture/history.db.

License Tiers

Feature Pro Enterprise
Free rules (AP001-AP008) βœ“ βœ“
OWASP rules (AP101-AP108) βœ“ βœ“
Secrets detection (AP201) βœ“ βœ“
File-level scanning βœ“ βœ“
Diff mode βœ“ βœ“
Historical tracking βœ“ βœ“
Risk scoring βœ“ βœ“
Compliance reports (SOC 2 / ISO 27001) β€” βœ“
Compliance score + trend β€” βœ“
Starter kits β€” βœ“
Policy enforcement β€” βœ“
Audit trail export β€” βœ“
Operator attribution β€” βœ“
Integrity verification β€” βœ“

Changelog

1.1.0

  • Enterprise tier: compliance reports (SOC 2 / ISO 27001), compliance score, starter kits, policy enforcement, audit trail export, operator attribution, integrity verification

1.0.10 (2025-02-09)

  • AP101: detect GET endpoints performing destructive database operations
  • AP105: detect Swagger/OpenAPI exposed without environment guard, AllowedHosts: *, UseAuthorization() without AddAuthentication()
  • AP106: detect end-of-life .NET framework versions (below .NET 8.0)

1.0.7 (2025-02-07)

  • Source code analysis engine: rules now inspect method bodies
  • File-level scanning for Startup.cs, Program.cs, Razor views, all C# files

1.0.0 (2025-01-15)

  • Initial release

Copyright Β© 2025 ApiPosture. All rights reserved. | License Terms

Product Compatible and additional computed target framework versions.
.NET net8.0 is compatible.  net8.0-android was computed.  net8.0-browser was computed.  net8.0-ios was computed.  net8.0-maccatalyst was computed.  net8.0-macos was computed.  net8.0-tvos was computed.  net8.0-windows was computed.  net9.0 is compatible.  net9.0-android was computed.  net9.0-browser was computed.  net9.0-ios was computed.  net9.0-maccatalyst was computed.  net9.0-macos was computed.  net9.0-tvos was computed.  net9.0-windows was computed.  net10.0 is compatible.  net10.0-android was computed.  net10.0-browser was computed.  net10.0-ios was computed.  net10.0-maccatalyst was computed.  net10.0-macos was computed.  net10.0-tvos was computed.  net10.0-windows was computed. 
Compatible target framework(s)
Included target framework(s) (in package)
Learn more about Target Frameworks and .NET Standard.

This package has no dependencies.

Version Downloads Last Updated
1.0.26 129 5/25/2026
1.0.25 132 4/23/2026
1.0.24 148 4/2/2026
1.0.23 115 4/2/2026
1.0.21 125 3/31/2026
1.0.20 140 3/13/2026
1.0.19 115 3/13/2026
1.0.18 119 3/4/2026
1.0.17 127 3/4/2026
1.0.16 133 2/25/2026
1.0.14 135 2/10/2026
1.0.13 130 2/10/2026
1.0.12 135 2/10/2026
1.0.11 120 2/10/2026
1.0.10 127 2/9/2026
1.0.9 121 2/8/2026
1.0.8 130 2/7/2026
1.0.6 144 2/7/2026
1.0.5 130 2/7/2026
1.0.4 140 2/7/2026
Loading failed