playbooks

home / skills / a5c-ai / babysitter / api-inventory-scanner

api-inventory-scanner skill

/plugins/babysitter/skills/babysit/process/specializations/code-migration-modernization/skills/api-inventory-scanner

This skill helps you discover and document API endpoints across code, logs, and traffic for comprehensive inventory and analysis.

npx playbooks add skill a5c-ai/babysitter --skill api-inventory-scanner

Review the files below or copy the command above to add this skill to your agents.

Files (2)
SKILL.md
2.4 KB
---
name: api-inventory-scanner
description: Discover and document existing API endpoints from code, logs, and traffic analysis
allowed-tools: ["Bash", "Read", "Write", "Grep", "Glob", "Edit"]
---

# API Inventory Scanner Skill

Discovers and documents existing API endpoints through code analysis, log inspection, and traffic analysis.

## Purpose

Enable API discovery for:
- Endpoint discovery
- Request/response format extraction
- Authentication method detection
- Rate limit identification
- Consumer mapping

## Capabilities

### 1. Endpoint Discovery
- Parse route definitions
- Analyze controller code
- Inspect API frameworks
- Find undocumented endpoints

### 2. Request/Response Format Extraction
- Extract request schemas
- Document response formats
- Identify query parameters
- Map headers and cookies

### 3. Authentication Method Detection
- Identify auth mechanisms
- Document token formats
- Map permission requirements
- Catalog security schemes

### 4. Rate Limit Identification
- Find rate limit configurations
- Document throttling rules
- Identify quotas
- Map limit tiers

### 5. Consumer Mapping
- Identify API consumers
- Track usage patterns
- Map client dependencies
- Document integrations

### 6. Usage Pattern Analysis
- Analyze access logs
- Identify hot endpoints
- Track response times
- Map error rates

## Tool Integrations

| Tool | Purpose | Integration Method |
|------|---------|-------------------|
| Swagger Inspector | Traffic capture | GUI |
| Postman | Collection building | API |
| Code parsers | Route extraction | CLI |
| Log analyzers | Traffic analysis | CLI |
| APM tools | Usage metrics | API |

## Output Schema

```json
{
  "scanId": "string",
  "timestamp": "ISO8601",
  "endpoints": [
    {
      "path": "string",
      "method": "string",
      "description": "string",
      "parameters": [],
      "requestBody": {},
      "responses": {},
      "authentication": "string",
      "rateLimit": {},
      "consumers": [],
      "metrics": {}
    }
  ],
  "summary": {
    "totalEndpoints": "number",
    "documented": "number",
    "undocumented": "number"
  }
}
```

## Integration with Migration Processes

- **api-modernization**: API inventory
- **integration-migration**: Integration mapping

## Related Skills

- `openapi-generator`: Spec generation
- `api-compatibility-analyzer`: Version analysis

## Related Agents

- `api-modernization-architect`: API design

Overview

This skill discovers and documents existing API endpoints by analyzing source code, inspecting logs, and observing traffic. It produces a structured inventory detailing paths, methods, request/response formats, authentication, rate limits, and consumer relationships. The inventory is designed to feed modernization, migration, and compliance workflows.

How this skill works

The scanner parses route definitions and controller code to locate declared endpoints and detect undocumented paths. It ingests access logs and live traffic captures to validate runtime behavior, extract request/response schemas, and surface usage patterns. It also inspects configuration and code paths to identify authentication schemes, throttling rules, and consumer metadata, then emits a standardized JSON inventory with metrics and documentation hints.

When to use it

  • Before API modernization or refactoring to map all existing endpoints and consumers
  • When onboarding a legacy codebase with sparse or missing API documentation
  • Prior to migration to a gateway or API management platform to import accurate specs
  • During security reviews to identify auth schemes, exposed endpoints, and rate limits
  • To generate initial OpenAPI specs for automated testing and client generation

Best practices

  • Run scans in both static (code) and dynamic (logs/traffic) modes to reduce false negatives
  • Combine framework-specific parsers with generic heuristics to detect custom routing
  • Correlate log timestamps and traffic captures to confirm inferred request/response schemas
  • Annotate discovered endpoints with confidence levels and evidence links to aid review
  • Limit dynamic captures to non-production or sampled traffic when handling sensitive data

Example use cases

  • Produce an inventory for a migration project that maps endpoints to downstream consumers
  • Generate starter OpenAPI files from discovered routes and observed responses
  • Detect undocumented admin or debug endpoints hidden in code but not in docs
  • Identify rate limits and throttling rules to configure API gateway policies
  • Prioritize high-traffic or error-prone endpoints for optimization based on usage metrics

FAQ

What outputs does the scanner produce?

It emits a JSON inventory with endpoints, parameters, request/response schemas, authentication, rate limits, consumers, and usage metrics along with a scan summary.

Can it discover endpoints not declared in code?

Yes—by analyzing logs and traffic captures it can surface runtime endpoints such as dynamically registered routes or proxy-forwarded paths.