scan openapi
Load an OpenAPI specification (local file or remote URL) and run security scans against every operation it defines.
vulnapi scan openapi <PATH_OR_URL> [flags]| Flag | Default | Description |
|---|---|---|
--security-schemes <name=value> | “ | Override the token value for a named security scheme (repeatable) |
Also accepts all common flags.
Token via stdin
Section titled “Token via stdin”A token piped via stdin is used as the default value for all security schemes that accept a bearer token. Named overrides from --security-schemes take precedence.
echo "<token>" | vulnapi scan openapi ./openapi.jsonExamples
Section titled “Examples”Local spec with a token piped via stdin
echo "<token>" | vulnapi scan openapi ./openapi.jsonRemote spec with a token piped via stdin
echo "<token>" | vulnapi scan openapi https://api.example.com/.well-known/openapi.jsonNamed security scheme override
vulnapi scan openapi ./openapi.json --security-schemes bearerAuth=<token>Multiple scheme overrides
vulnapi scan openapi ./openapi.json \ --security-schemes bearerAuth=<token> \ --security-schemes apiKey=<key>Exit codes
Section titled “Exit codes”| Code | Meaning |
|---|---|
0 | Scan completed successfully |
1 | Fatal error (invalid spec, network failure, etc.) |
When a finding exceeds --severity-threshold, additional output is written to stderr. See exit behaviour.