
feat(api_discover): hand off discovered OpenAPI specs to nuclei #1269

Merged: Naboot42 merged 1 commit into workflow-api from api-spec-handoff on Jul 4, 2026

@Naboot42 Naboot42 commented Jul 3, 2026

Contributor

Summary

Adds the OpenAPI-spec handoff to api_discover: when discovery finds an exposed OpenAPI/Swagger spec, hand it off to nuclei (already integrated) to parse the spec and DAST-fuzz every documented endpoint.

This recovers the contextual API testing that kiterunner used to provide (correct method + parameters per route) — but with a maintained tool already in secator, so no new dependency.

Stacked on #1268 (workflow-api). Base will be retargeted to main once #1268 merges.

What's included

  • secator/tasks/nuclei.py — new dast flag (-dast) to enable nuclei's fuzzing templates (required to fuzz OpenAPI endpoints). Defaults to off; no change to existing behavior.
  • secator/configs/workflows/api_discover.yaml — new --spec option and a nuclei step that targets discovered spec URLs (openapi / swagger / api-docs) with input_mode=openapi + dast. Gated behind --spec (off by default), so pure discovery is unchanged.

How it works

api_discover finds /openapi.json  ──(--spec)──►  nuclei -u <spec-url> -input-mode openapi -dast
(katana / ffuf --fuzz)                            parses the spec, fuzzes every documented endpoint

Typical usage: secator w api_discover <url> --fuzz --spec (fuzz surfaces the spec, --spec scans it).

Design notes

  • Why nuclei and not a new tool? nuclei natively supports OpenAPI/Swagger input (-input-mode openapi, its SpecDownloader fetches a remote spec URL) and DAST fuzzing (-dast). Adding schemathesis/CATS/apifuzzer would either duplicate this or drag in an unmaintained tool / Java runtime — against secator's design principle #1.
  • Separation of concerns: the step is optional and flag-gated, consistent with how url_crawl gates its optional trufflehog step.

Testing

  • Command generation verified: nuclei ... -input-mode openapi -dast emitted correctly.
  • api_discover loads and builds with --spec (tasks: katana, ffuf, wafw00f, httpx, nuclei).
  • nuclei unit test passes (no regression from the dast flag).
  • flake8 secator/tasks/nuclei.py clean.

🤖 Generated with Claude Code

When api_discover finds an exposed OpenAPI/Swagger spec, the new --spec option
routes it to nuclei with input-mode=openapi + DAST fuzzing, which parses the
spec and fuzzes every documented endpoint with the correct method/parameters.
This recovers the contextual API testing kiterunner used to provide, using a
maintained tool already integrated in secator (no new dependency).

- nuclei task: add a `dast` flag (-dast) to enable fuzzing templates.
- api_discover.yaml: add --spec option and a nuclei step targeting discovered
  spec URLs (openapi/swagger/api-docs), gated behind --spec.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
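
A pre-handoff scope check that could run before the nuclei step, as an added example (not secator's or nuclei's code): it selects spec URLs by the keywords the PR names and builds the `nuclei -u <spec-url> -input-mode openapi -dast` command only when every host the spec declares is in scope. The function names, sample URLs and sample specs are constructed, and it assumes the fuzzer sends its requests to the servers a spec declares.

```python
from urllib.parse import urljoin, urlsplit

SPEC_HINTS = ("openapi", "swagger", "api-docs")  # keywords named in the PR


def _host(url):
    # Unparseable or templated hosts never match the scope (fail closed).
    return urlsplit(url).hostname or "<invalid>"


def is_spec_url(url):
    """True when the URL path looks like an OpenAPI/Swagger document."""
    return any(hint in urlsplit(url).path.lower() for hint in SPEC_HINTS)


def declared_hosts(spec, spec_url):
    """Hosts a parsed spec says its endpoints live on."""
    hosts = set()
    for server in spec.get("servers") or []:      # OpenAPI 3.x
        # Relative server URLs resolve against the spec's own location.
        hosts.add(_host(urljoin(spec_url, server.get("url", "/"))))
    if spec.get("host"):                          # Swagger 2.0, may carry a port
        hosts.add(_host("//" + spec["host"]))
    return hosts or {_host(spec_url)}             # nothing declared: spec's host


def plan_handoff(discovered, specs, scope):
    """Return (nuclei argv lists, [(skipped spec URL, out-of-scope hosts)])."""
    commands, skipped = [], []
    for url in filter(is_spec_url, discovered):
        outside = declared_hosts(specs[url], url) - scope
        if outside:
            skipped.append((url, sorted(outside)))
            continue
        commands.append(["nuclei", "-u", url, "-input-mode", "openapi", "-dast"])
    return commands, skipped


# Constructed sample data: discovery output and the already-fetched specs.
DISCOVERED = [
    "https://api.example.com/openapi.json",
    "https://api.example.com/v2/swagger.json",
    "https://api.example.com/health",
]
SPECS = {
    DISCOVERED[0]: {"openapi": "3.0.3", "servers": [{"url": "/v1"}]},
    DISCOVERED[1]: {"swagger": "2.0", "host": "billing.partner.example:8443"},
}

if __name__ == "__main__":
    print(plan_handoff(DISCOVERED, SPECS, {"api.example.com"}))
```
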

coderabbitai Bot commented Jul 3, 2026

Contributor

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: bad9ae51-d94a-4d29-b7ca-6cf845d1f752

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


@Naboot42 Naboot42 merged commit 77d2b92 into workflow-api Jul 4, 2026
1 check passed