
This skill helps you scan API security vulnerabilities across endpoints, enforcing best practices and rapidly surfacing risks for robust protection.

npx playbooks add skill jeremylongshore/claude-code-plugins-plus-skills --skill scanning-api-security

Review the files below or copy the command above to add this skill to your agents.

Files (4): SKILL.md (2.4 KB)
---
name: scanning-api-security
description: |
  Detect API security vulnerabilities including injection, broken auth, and data exposure.
  Use when scanning APIs for security vulnerabilities.
  Trigger with phrases like "scan API security", "check for vulnerabilities", or "audit API security".
  
allowed-tools: Read, Write, Edit, Grep, Glob, Bash(api:security-*)
version: 1.0.0
author: Jeremy Longshore <[email protected]>
license: MIT
---

# Scanning API Security

## Overview


This skill provides automated assistance for api security scanner tasks.
This skill provides automated assistance for the described functionality.

## Prerequisites

Before using this skill, ensure you have:
- API design specifications or requirements documented
- Development environment with necessary frameworks installed
- Database or backend services accessible for integration
- Authentication and authorization strategies defined
- Testing tools and environments configured

## Instructions

1. Use Read tool to examine existing API specifications from {baseDir}/api-specs/
2. Define resource models, endpoints, and HTTP methods
3. Document request/response schemas and data types
4. Identify authentication and authorization requirements
5. Plan error handling and validation strategies
6. Generate boilerplate code using Bash(api:security-*) with framework scaffolding
7. Implement endpoint handlers with business logic
8. Add input validation and schema enforcement
9. Integrate authentication and authorization middleware
10. Configure database connections and ORM models
11. Write integration tests covering all endpoints


See `{baseDir}/references/implementation.md` for detailed implementation guide.

## Output

- `{baseDir}/src/routes/` - Endpoint route definitions
- `{baseDir}/src/controllers/` - Business logic handlers
- `{baseDir}/src/models/` - Data models and schemas
- `{baseDir}/src/middleware/` - Authentication, validation, logging
- `{baseDir}/src/config/` - Configuration and environment variables
- OpenAPI 3.0 specification with complete endpoint definitions

## Error Handling

See `{baseDir}/references/errors.md` for comprehensive error handling.

## Examples

See `{baseDir}/references/examples.md` for detailed examples.

## Resources

- Express.js and Fastify for Node.js APIs
- Flask and FastAPI for Python APIs
- Spring Boot for Java APIs
- Gin and Echo for Go APIs
- OpenAPI Specification 3.0+ for API documentation

Overview

This skill automates scanning API surfaces to detect common security vulnerabilities, including injection flaws, broken authentication, and sensitive data exposure. It guides inspection of API specs, endpoint behavior, and authentication flows to produce prioritized findings and remediation suggestions. Use it to accelerate security reviews and produce OpenAPI-consistent reports.

How this skill works

The skill reads API specifications and runtime behaviors, then runs targeted checks against endpoints, input validation, authentication logic, and response schemas. It looks for injection vectors, weak or missing auth checks, insecure data leaks, misconfigured CORS/headers, and unsafe error handling. Results include evidence, severity, and actionable fixes mapped to the API endpoints and schemas.

When to use it

  • During API design reviews to prevent vulnerabilities early
  • Before deployment or release to validate security posture
  • When performing penetration testing or code security audits
  • After major schema or auth changes, to regression-test security
  • As part of CI pipelines to catch regressions automatically

Best practices

  • Start from up-to-date OpenAPI or API design documents to ensure full coverage
  • Include authentication and authorization test cases for each role and endpoint
  • Validate both request inputs and outputs to catch data exposure on responses
  • Run scans in staging with representative data and in CI with mocked endpoints
  • Prioritize findings by exploitability and business impact and track remediation

Example use cases

  • Scan a REST API to find SQL/NoSQL injection and suggest parameterized query fixes
  • Audit OAuth/OpenID flows to detect broken authentication or token leakage
  • Detect endpoints returning sensitive fields and recommend response filtering or masking
  • Integrate API security checks into CI so pull requests fail on high-risk findings
  • Generate an OpenAPI-aligned report that maps vulnerabilities to specific routes and schema elements
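The spec-driven checks described under "How this skill works" and the last three use cases above, as an added example that is not the skill's own code: a small static checker over an OpenAPI 3.0 document that flags operations with no security requirement and response schemas exposing sensitive-looking fields, reporting each finding against its route and schema path. The sensitive field list, severity values and the sample spec are assumptions constructed for the example.

```python
# Added example (not the skill's own code): static OpenAPI 3.0 checks for missing auth and exposed sensitive fields.
SENSITIVE_FIELDS = {"password", "password_hash", "ssn", "secret", "api_key", "token"}  # heuristic list (assumption)
HTTP_METHODS = {"get", "post", "put", "patch", "delete"}


def _walk_schema(schema, components, path, out, seen=()):
    """Collect dotted paths of sensitive properties in a schema, resolving local $refs."""
    if not isinstance(schema, dict):
        return
    ref = schema.get("$ref")
    if ref:
        if ref in seen:  # stop on recursive schema references
            return
        name = ref.rsplit("/", 1)[-1]
        _walk_schema(components.get(name, {}), components, path, out, seen + (ref,))
        return
    for prop, sub in schema.get("properties", {}).items():
        if prop.lower() in SENSITIVE_FIELDS:
            out.append(f"{path}.{prop}")
        _walk_schema(sub, components, f"{path}.{prop}", out, seen)
    _walk_schema(schema.get("items"), components, f"{path}[]", out, seen)


def scan_openapi(spec):
    """Return findings as dicts with route, severity and detail, keyed to the spec's routes."""
    findings = []
    components = spec.get("components", {}).get("schemas", {})
    global_security = spec.get("security")
    for route, ops in spec.get("paths", {}).items():
        for method, op in ops.items():
            if method not in HTTP_METHODS:
                continue
            route_id = f"{method.upper()} {route}"
            # An operation inherits the global security block unless it overrides it;
            # a missing block and an explicit [] both mean no authentication is required.
            if not op.get("security", global_security):
                findings.append({"route": route_id, "severity": "high",
                                 "detail": "no security requirement"})
            for status, resp in op.get("responses", {}).items():
                for media in resp.get("content", {}).values():
                    exposed = []
                    _walk_schema(media.get("schema"), components, f"responses.{status}", exposed)
                    findings.extend({"route": route_id, "severity": "medium",
                                     "detail": f"sensitive field at {p}"} for p in exposed)
    return findings


# Constructed sample spec (not a real API): one protected route that leaks a hash, one unauthenticated route.
SAMPLE_SPEC = {"openapi": "3.0.0", "components": {"schemas": {"User": {
    "type": "object", "properties": {"id": {"type": "integer"}, "password_hash": {"type": "string"}}}}},
    "paths": {"/users/{id}": {"get": {"security": [{"bearerAuth": []}], "responses": {"200": {
        "content": {"application/json": {"schema": {"$ref": "#/components/schemas/User"}}}}}}},
              "/health": {"get": {"responses": {"200": {"description": "ok"}}}}}}
```

Running `scan_openapi(SAMPLE_SPEC)` yields one medium finding for the `password_hash` field on `GET /users/{id}` and one high finding for the unauthenticated `GET /health`; a global `security` block is honoured unless an operation overrides it with `security: []`.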

FAQ

What prerequisites are needed to run scans?

Provide current API specifications, test environments or endpoints, authentication credentials for testing, and CI access if integrating scans.

Can it scan GraphQL or gRPC APIs?

The skill supports inspecting schema-driven APIs; GraphQL can be scanned by analyzing schema and resolvers, and gRPC can be checked by translating protobufs into endpoint and message tests.

How are findings prioritized?

Findings are ranked by severity based on exploitability, impacted data sensitivity, and authentication gaps, with remediation steps and code examples when applicable.