@redpillsec/cli

RedPill Security CLI - OpenAPI security scanner that reveals vulnerabilities in your API specifications

<div align="center">
  <h1>🔴 RedPill Security CLI</h1>
  <p><strong>See how deep the vulnerability hole goes</strong></p>

[![npm version](https://badge.fury.io/js/%40redpillsec%2Fcli.svg)](https://badge.fury.io/js/%40redpillsec%2Fcli)
[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
[![Node.js Version](https://img.shields.io/badge/node-%3E%3D18.18.0-brightgreen.svg)](https://nodejs.org/)
</div>

## 🚀 Quick Start

```bash
# Install globally
npm install -g @redpillsec/cli

# Scan your OpenAPI specification
redpill scan openapi api.yaml

# Get help
redpill --help
```

## 📖 About

RedPill Security CLI is a powerful OpenAPI security scanner that reveals vulnerabilities in your API specifications. Take the red pill and see the security issues you didn't know existed.

### 🎯 Features

- **OpenAPI Security Scanning**: Comprehensive analysis of OpenAPI/Swagger specifications
- **Multiple Output Formats**: Text, JSON, CSV, and Markdown reports
- **Configurable Rules**: Customize security rules via configuration files
- **CI/CD Ready**: Built for automated security testing in pipelines
- **Detailed Reports**: Clear explanations of vulnerabilities and recommendations

## 🔧 Installation

Requires Node.js 18.18.0 or newer.

### Global Installation (Recommended)

```bash
npm install -g @redpillsec/cli
```

### Local Installation

```bash
npm install --save-dev @redpillsec/cli
```

With a local install the binary lives in `node_modules/.bin`, so run it as `npx redpill ...` or from an npm script.

## 📋 Usage

### Basic Scanning

```bash
# Scan a single OpenAPI file
redpill scan openapi api.yaml

# Scan with JSON output
redpill scan openapi api.yaml --format json

# Save results to file
redpill scan openapi api.yaml --output results.json
```

### Advanced Options

```bash
# Use custom configuration
redpill scan openapi api.yaml --config custom-rules.json

# Verbose output
redpill scan openapi api.yaml --verbose

# Quiet mode (errors only)
redpill scan openapi api.yaml --quiet
```

### Configuration Management

```bash
# Create default configuration file
redpill init-config

# Create config with custom path
redpill init-config my-config.json
```

## ⚙️ Configuration

Create a `redpill.config.json` file to customize security rules:

```json
{
  "rules": {
    "security-definition-required": true,
    "no-http-basic": true,
    "security-schemes-defined": true,
    "no-secrets-in-url": true,
    "https-required": true
  },
  "output": {
    "format": "text",
    "verbose": false
  }
}
```

## 📊 Output Formats

### Text (Default)

Human-readable format for terminal output and quick reviews.

### JSON

```bash
redpill scan openapi api.yaml --format json
```

Machine-readable format for CI/CD integration and automated processing.

### CSV

```bash
redpill scan openapi api.yaml --format csv
```

Spreadsheet-compatible format for reporting and analysis.

### Markdown

```bash
redpill scan openapi api.yaml --format markdown
```

Documentation-friendly format for reports and wikis.

## 🔍 Security Rules

RedPill Security CLI checks for various OpenAPI security issues:

- **Missing Security Definitions**: APIs without proper security schemes
- **Weak Authentication**: HTTP Basic auth and other weak methods
- **Insecure Protocols**: HTTP instead of HTTPS in server URLs
- **Exposed Secrets**: API keys and tokens in URLs
- **Missing Security Requirements**: Endpoints without security enforcement
- **And many more...**

## 🛠️ CI/CD Integration

### GitHub Actions

The spec is read from the checked-out repository, so check it out and install a supported Node.js first:

```yaml
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
  with:
    node-version: 18
- name: Install RedPill Security CLI
  run: npm install -g @redpillsec/cli
- name: Scan OpenAPI Spec
  run: redpill scan openapi api.yaml --format json --output security-report.json
```

### Jenkins

```groovy
sh 'npm install -g @redpillsec/cli'
sh 'redpill scan openapi api.yaml --format json --output security-report.json'
```

## 📚 Examples

Check out our [examples directory](https://github.com/redpillsec/cli/tree/main/examples) for:

- Sample OpenAPI specifications
- Configuration examples
- CI/CD pipeline templates
- Output format samples

## 🤝 Contributing

We welcome contributions! Please see our [Contributing Guide](CONTRIBUTING.md) for details.

1. Fork the repository
2. Create your feature branch (`git checkout -b feature/amazing-feature`)
3. Commit your changes (`git commit -m 'Add amazing feature'`)
4. Push to the branch (`git push origin feature/amazing-feature`)
5. Open a Pull Request

## 📄 License

This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.

## 💬 Support

- 📧 Email: [support@redpillsec.io](mailto:support@redpillsec.io)
- 🌐 Website: [redpillsec.io](https://redpillsec.io)
- 🐛 Issues: [GitHub Issues](https://github.com/redpillsec/cli/issues)

## 🗺️ Roadmap

- 🔜 AI-powered vulnerability analysis
- 🔜 OWASP API Top 10 scanner
- 🔜 Real-time API monitoring
- 🔜 Integration with popular API gateways
- 🔜 Custom rule development framework

---

<div align="center">
  <p><strong>Take the red pill. See the vulnerabilities. Fix them. 🔴</strong></p>
  <p>Made with ❤️ by the RedPill Security team</p>
</div>
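The rules listed under Security Rules above are easiest to understand by seeing what each one looks for in a spec. The following is an added example, not RedPill's own code: a minimal rule engine in Node.js that walks an OpenAPI 3 document object and reports findings under the five rule names from `redpill.config.json`. The semantics of each rule are this example's assumptions (for instance, an `apiKey` scheme with `in: query` or a query parameter with a secret-like name counts as a secret in the URL), and both specs are constructed for the example: the weak one trips four of the five rules, its hardened counterpart passes clean.

```javascript
// Added example (not RedPill's implementation): a small rule engine over an
// OpenAPI 3 document object, using the rule names from redpill.config.json.
// Rule semantics below are this example's own assumptions.

// Constructed sample: a deliberately weak spec that should trip several rules.
const weakSpec = {
  openapi: "3.0.3",
  info: { title: "Orders API", version: "1.0.0" },
  servers: [{ url: "http://api.example.com/v1" }], // plaintext transport
  components: {
    securitySchemes: {
      legacyBasic: { type: "http", scheme: "basic" }, // weak auth
      queryKey: { type: "apiKey", in: "query", name: "api_key" }, // secret in URL
    },
  },
  paths: {
    "/orders": {
      get: { security: [{ legacyBasic: [] }], responses: { "200": { description: "ok" } } },
      post: { responses: { "201": { description: "created" } } }, // no security at all
    },
    "/orders/{id}": {
      get: {
        security: [{ queryKey: [] }],
        parameters: [{ name: "access_token", in: "query", schema: { type: "string" } }],
        responses: { "200": { description: "ok" } },
      },
    },
  },
};

// Constructed hardened counterpart: HTTPS only, a bearer scheme applied globally.
const hardenedSpec = {
  openapi: "3.0.3",
  info: { title: "Orders API", version: "1.0.0" },
  servers: [{ url: "https://api.example.com/v1" }],
  security: [{ bearerAuth: [] }],
  components: { securitySchemes: { bearerAuth: { type: "http", scheme: "bearer", bearerFormat: "JWT" } } },
  paths: {
    "/orders": {
      get: { responses: { "200": { description: "ok" } } },
      post: { responses: { "201": { description: "created" } } },
    },
  },
};

const HTTP_METHODS = ["get", "put", "post", "delete", "options", "head", "patch", "trace"];
const SECRET_NAME = /(api[-_]?key|token|secret|password|credential)/i; // heuristic, example's own

const schemesOf = (doc) => (doc.components && doc.components.securitySchemes) || {};

// Yield [path, method, operation] for every operation in the document.
function* operations(doc) {
  for (const [path, item] of Object.entries(doc.paths || {})) {
    for (const method of HTTP_METHODS) if (item && item[method]) yield [path, method, item[method]];
  }
}

const rules = {
  // components.securitySchemes must declare at least one scheme.
  "security-schemes-defined": (doc) =>
    Object.keys(schemesOf(doc)).length ? [] : [{ at: "components.securitySchemes", message: "no security schemes declared" }],

  // Every operation needs an effective, non-empty security requirement
  // (its own, else the document-level one) that references only declared schemes.
  "security-definition-required": (doc) => {
    const schemes = schemesOf(doc);
    const findings = [];
    for (const [path, method, op] of operations(doc)) {
      const at = `paths.${path}.${method}`;
      const req = op.security !== undefined ? op.security : doc.security;
      const effective = Array.isArray(req) ? req.filter((r) => Object.keys(r).length > 0) : [];
      if (effective.length === 0) { findings.push({ at, message: "operation has no security requirement" }); continue; }
      for (const name of effective.flatMap((r) => Object.keys(r))) {
        if (!schemes[name]) findings.push({ at, message: `references undeclared scheme '${name}'` });
      }
    }
    return findings;
  },

  // HTTP Basic ships the credential with every request; flag any scheme using it.
  "no-http-basic": (doc) =>
    Object.entries(schemesOf(doc))
      .filter(([, s]) => s.type === "http" && String(s.scheme).toLowerCase() === "basic")
      .map(([name]) => ({ at: `components.securitySchemes.${name}`, message: "uses HTTP Basic authentication" })),

  // Query-string secrets end up in access logs, proxies and browser history.
  "no-secrets-in-url": (doc) => {
    const findings = Object.entries(schemesOf(doc))
      .filter(([, s]) => s.type === "apiKey" && s.in === "query")
      .map(([name, s]) => ({ at: `components.securitySchemes.${name}`, message: `API key '${s.name}' passed in query string` }));
    for (const [path, method, op] of operations(doc)) {
      for (const p of [...(doc.paths[path].parameters || []), ...(op.parameters || [])]) {
        if (p.in === "query" && SECRET_NAME.test(p.name)) findings.push({ at: `paths.${path}.${method}`, message: `secret-like query parameter '${p.name}'` });
      }
    }
    return findings;
  },

  // Every server URL must use HTTPS; only explicit http:// is flagged here.
  "https-required": (doc) =>
    (doc.servers || []).flatMap((s, i) => (/^http:\/\//i.test(s.url) ? [{ at: `servers[${i}]`, message: "server uses plaintext HTTP" }] : [])),
};

// Run every rule not set to false in config.rules (same shape as redpill.config.json).
function scan(doc, config = {}) {
  const enabled = config.rules || {};
  return Object.entries(rules)
    .filter(([id]) => enabled[id] !== false)
    .flatMap(([id, run]) => run(doc).map((f) => ({ rule: id, ...f })));
}

// Findings per rule id, convenient for gating a build on specific rules.
const countByRule = (findings) => findings.reduce((acc, f) => ({ ...acc, [f.rule]: (acc[f.rule] || 0) + 1 }), {});

for (const f of scan(weakSpec)) console.log(`${f.rule}\t${f.at}\t${f.message}`);
console.log(`hardened spec findings: ${scan(hardenedSpec).length}`);
```

Save it as `rules-demo.js` and run `node rules-demo.js`; it prints one line per finding for the weak spec and `0` for the hardened one. Real specs are YAML, so in practice you would load the file with a YAML parser before handing the object to `scan()`; `config.rules` takes the same true/false map as the README's configuration file, so disabling `https-required` drops exactly one finding from the weak spec.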