Skip to content

scan openapi

Load an OpenAPI specification (local file or remote URL) and run security scans against every operation it defines.

Terminal window
vulnapi scan openapi <PATH_OR_URL> [flags]
FlagDefaultDescription
--security-schemes <name=value>Override the token value for a named security scheme (repeatable)

Also accepts all common flags.

A token piped via stdin is used as the default value for all security schemes that accept a bearer token. Named overrides from --security-schemes take precedence.

Terminal window
echo "<token>" | vulnapi scan openapi ./openapi.json

Local spec with a token piped via stdin

Terminal window
echo "<token>" | vulnapi scan openapi ./openapi.json

Remote spec with a token piped via stdin

Terminal window
echo "<token>" | vulnapi scan openapi https://api.example.com/.well-known/openapi.json

Named security scheme override

Terminal window
vulnapi scan openapi ./openapi.json --security-schemes bearerAuth=<token>

Multiple scheme overrides

Terminal window
vulnapi scan openapi ./openapi.json \
--security-schemes bearerAuth=<token> \
--security-schemes apiKey=<key>
CodeMeaning
0Scan completed successfully
1Fatal error (invalid spec, network failure, etc.)

When a finding exceeds --severity-threshold, additional output is written to stderr. See exit behaviour.