원클릭으로
sc-api-security
REST, GraphQL, and gRPC API security audit — authentication, authorization, data exposure, and configuration
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
REST, GraphQL, and gRPC API security audit — authentication, authorization, data exposure, and configuration
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
Comprehensive AI-powered security scanning suite with 48 skills covering OWASP Top 10, 7 language-specific deep scanners (Go, TypeScript, Python, PHP, Rust, Java, C#), supply chain analysis, infrastructure-as-code scanning, and 3000+ checklist items. Use when you need to run a security audit, find vulnerabilities, scan a PR for security issues, or perform a penetration test on a codebase.
C#/.NET-specific security deep scan
Go-specific security deep scan
Java/Kotlin-specific security deep scan
PHP-specific security deep scan
Python-specific security deep scan
SOC 직업 분류 기준
| name | sc-api-security |
| description | REST, GraphQL, and gRPC API security audit — authentication, authorization, data exposure, and configuration |
| license | MIT |
| metadata | {"author":"ersinkoc","category":"security","version":"1.0.0"} |
Performs a comprehensive security audit of API endpoints covering broken object-level authorization, broken function-level authorization, excessive data exposure, missing rate limiting, mass assignment, security misconfiguration, and injection via API parameters. Covers REST, GraphQL, and gRPC API patterns, aligned with the OWASP API Security Top 10.
Called by sc-orchestrator during Phase 2 when APIs are detected in the architecture.
# REST
"app.get(", "app.post(", "app.put(", "app.delete(", "app.patch(",
"router.get(", "@GetMapping", "@PostMapping", "@app.route(",
"[HttpGet]", "[HttpPost]", "r.GET(", "r.POST("
# GraphQL
"typeDefs", "resolvers", "Mutation", "Query", "Subscription"
# gRPC
".proto", "service ", "rpc ", "grpc.Server"
# API configuration
"swagger", "openapi", "api-docs", "Swashbuckle"
1. Broken Object Level Authorization (BOLA/IDOR):
2. Broken Authentication:
3. Broken Object Property Level Authorization:
// VULNERABLE: Returning all user fields including sensitive ones
app.get('/api/users/:id', async (req, res) => {
const user = await User.findById(req.params.id);
res.json(user); // Includes passwordHash, internalId, role, etc.
});
// SAFE: Return only needed fields
app.get('/api/users/:id', async (req, res) => {
const user = await User.findById(req.params.id).select('name email avatar');
res.json(user);
});
4. Unrestricted Resource Consumption:
?limit=999999)5. Broken Function Level Authorization:
6. Server-Side Request Forgery:
7. Security Misconfiguration:
// Check for exposed API documentation in production
// /swagger, /api-docs, /graphql (introspection), /openapi.json
// Check for verbose error messages in API responses
// Check for missing security headers
8. Lack of Protection from Automated Threats: