Author: Perry Mertens (pamsniffer@gmail.com)
Year: 2026 Perry Mertens
Version: 3.2.1 (Release)
License: GNU Affero General Public License v3.0 (AGPL-v3.0)
APISCAN is an API vulnerability scanner that proactively identifies security risks by testing against the OWASP API Security Top 10 (2023). It uses your OpenAPI/Swagger specification to generate realistic attack payloads and detect issues such as Broken Object Level Authorization (BOLA), Broken Authentication, Excessive Data Exposure, and other critical API vulnerabilities. It understands OpenAPI/Swagger, supports multiple authentication flows, provides a plan/verify workflow, includes a generic sanitizer/rewrites, and writes HTML artifacts.
APISCAN: AI-assisted API security for specialists. APISCAN is not a scanner that guesses; it proves. It tests. It observes. Then models explain the risk with evidence attached. That’s how you make AI useful in security.
APISCAN is licensed under the AGPL-v3.0.
If you modify APISCAN and make it available as a hosted service, you must make the complete corresponding source code available under the same license.
APISCAN focuses on API-specific risks instead of generic web scanning.
It is built for testing APIs against the OWASP API Security Top 10 (2023), with one module per risk area and HTML reporting suitable for auditors and developers.
- Beter scanner and new reporting
- Generic sanitizer
- Universal header overrides
- ID and sample generation
- Improved planning and verification workflow
- Adaptive retry logic
- SQLite evidence database
- Optional AI-assisted analysis (API11)
python -m venv .venv
source .venv/bin/activate # Linux/macOS
# .venv\Scripts\activate # Windows
pip install -r requirements.txt
Before running APISCAN, configure your environment and optional AI tooling.
python setup.py
# Validates Python dependencies and environment
# Creates/updates .env.example and requirements.txt
python llmsetup.py
# Configure Ollama / OpenAI / Anthropic / DeepSeek
# Saves settings and writes apiscan_env.sh / apiscan_env.ps1 helper scripts
python apiscan.py --url https://api.example.com --swagger openapi.json --flow token --token "<ACCESS_TOKEN>" --verify-plan
python apiscan.py --url https://api.example.com --swagger openapi.json --flow token --token "<ACCESS_TOKEN>"
python apiscan.py --url https://api.example.com --swagger openapi.json --flow none --apikey "<KEY>" --apikey-header "X-API-Key"
python apiscan.py --url https://api.example.com --swagger openapi.json --flow client --client-id "<ID>" --client-secret "<SECRET>" --token-url "https://idp/token"
python apiscan.py --url https://api.example.com --swagger openapi.json --flow token --token "<TOKEN>" --proxy 127.0.0.1:8080 --insecure
python apiscan.py --url https://api.example.com --swagger openapi.json --plan-only
--extra-header "x-tenant-id: acc"
--extra-header "x-feature-flag: beta"
--ids-file ids.json
--no-sanitize
--rewrite "/identity/api/v2=>/identity/api/v7/"
--normalize-version
export LLM_PROVIDER=openai_compat
export LLM_MODEL=gpt-4o-mini
export LLM_API_KEY=sk-...
python apiscan.py --url https://api.example.com --swagger openapi.json --api11
- review.html
- combined_report.html
- Per-risk HTML reports
- SQLite database
results.db - Logs
apiscan_*.log
- Only test APIs you are authorized to test.
- Start with
--plan-onlyto avoid accidental traffic. - Use retry options for unstable endpoints.
- Medium article: https://medium.com/@PerryPM/apiscan-a-practical-approach-to-api-security-testing-by-perry-mertens-96b5e676c071
- GitHub: https://github.com/perrym/apiscanner
- Contact: pamsniffer@gmail.com
© 2026 Perry Mertens pamsniffer@gmail.com. Released under the AGPL-v3.0 License.