
Modern application architectures are built on distributed apps and services that communicate through APIs. Synopsys API Scanner™ makes it easy for developers to identify security defects in the APIs they implement.

AppSec testing optimized for the needs of API developers

APIs provide open, flexible interfaces that enable applications and services to talk to each other. But these characteristics can also make it difficult to build secure software—and even more difficult for traditional AppSec tools to test it.

Synopsys API Scanner’s deep analysis and contextually aware fuzzing help development teams proactively protect their REST and GraphQL APIs and ensure that they are secure, correct, and behave to specification.

Context-aware analysis of RESTful and GraphQL APIs


Using OpenAPI/Swagger or an HTTP Archive (HAR) export, Synopsys API Scanner builds a map of the entire API, including endpoints, parameters, type signatures, and specifications, as well as authentication and other required information to develop a deep understanding of the API and how to interact with it.

GraphQL APIs

When pointed to a GraphQL endpoint, Synopsys API Scanner uses introspection (a GraphQL feature) and patent-pending graph reduction algorithms to build a traversable representation of the entire GraphQL API and a full representative set of queries used for auditing. Synopsys API Scanner is the only tool that can fully audit GraphQL APIs for vulnerabilities and correctness.
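The following is an added illustration of what introspection gives a tool to work with; it is not Synopsys code and says nothing about the patent-pending reduction algorithms mentioned above. The introspection response is constructed inline in the shape of a standard `__schema` query result, the "disabled" response is likewise constructed, and the helper names are this example's own. It walks the response into a map of root query fields with their argument and return types, checks whether introspection is available at all, and derives one representative query per root field.

```python
import json

# Constructed sample introspection response (shape of a standard __schema
# query result); not captured from any real service.
INTROSPECTION_RESPONSE = json.dumps({"data": {"__schema": {
    "queryType": {"name": "Query"},
    "types": [
        {"kind": "OBJECT", "name": "Query", "fields": [
            {"name": "user",
             "args": [{"name": "id", "type": {"kind": "NON_NULL", "name": None,
                       "ofType": {"kind": "SCALAR", "name": "ID", "ofType": None}}}],
             "type": {"kind": "OBJECT", "name": "User", "ofType": None}},
            {"name": "users",
             "args": [{"name": "limit", "type": {"kind": "SCALAR", "name": "Int", "ofType": None}}],
             "type": {"kind": "LIST", "name": None,
                      "ofType": {"kind": "NON_NULL", "name": None,
                                 "ofType": {"kind": "OBJECT", "name": "User", "ofType": None}}}},
        ]},
        {"kind": "OBJECT", "name": "User", "fields": [
            {"name": "id", "args": [], "type": {"kind": "NON_NULL", "name": None,
                                                  "ofType": {"kind": "SCALAR", "name": "ID", "ofType": None}}},
            {"name": "email", "args": [], "type": {"kind": "SCALAR", "name": "String", "ofType": None}},
            {"name": "manager", "args": [], "type": {"kind": "OBJECT", "name": "User", "ofType": None}},
        ]},
        {"kind": "SCALAR", "name": "ID", "fields": None},
        {"kind": "SCALAR", "name": "Int", "fields": None},
        {"kind": "SCALAR", "name": "String", "fields": None},
    ]}}})

# Constructed stand-in for a server that has introspection switched off:
# no data, only an error entry.
INTROSPECTION_DISABLED_RESPONSE = json.dumps(
    {"data": None, "errors": [{"message": "introspection is disabled"}]})


def type_ref(t):
    """Render a (possibly wrapped) type reference as SDL text, e.g. [User!]."""
    if t["kind"] == "NON_NULL":
        return type_ref(t["ofType"]) + "!"
    if t["kind"] == "LIST":
        return "[" + type_ref(t["ofType"]) + "]"
    return t["name"]


def unwrap(t):
    """Strip NON_NULL/LIST wrappers down to the named type."""
    while t["ofType"] is not None:
        t = t["ofType"]
    return t


def introspection_enabled(response_text):
    """True when the response carries a __schema, i.e. the API can be mapped this way."""
    doc = json.loads(response_text)
    return bool((doc.get("data") or {}).get("__schema"))


def build_map(response_text):
    """Root query fields -> argument types and return type."""
    schema = json.loads(response_text)["data"]["__schema"]
    types = {t["name"]: t for t in schema["types"]}
    root = types[schema["queryType"]["name"]]
    return {f["name"]: {"returns": type_ref(f["type"]),
                        "args": {a["name"]: type_ref(a["type"]) for a in f["args"]}}
            for f in root["fields"]}


def representative_query(response_text, field_name):
    """One query exercising `field_name`, selecting the scalar leaves of its result one level deep."""
    schema = json.loads(response_text)["data"]["__schema"]
    types = {t["name"]: t for t in schema["types"]}
    root = types[schema["queryType"]["name"]]
    field = next(f for f in root["fields"] if f["name"] == field_name)
    result_type = types[unwrap(field["type"])["name"]]
    leaves = [f["name"] for f in (result_type.get("fields") or [])
              if types[unwrap(f["type"])["name"]]["kind"] in ("SCALAR", "ENUM")]
    var_decls = ", ".join(f"${a['name']}: {type_ref(a['type'])}" for a in field["args"])
    var_uses = ", ".join(f"{a['name']}: ${a['name']}" for a in field["args"])
    head = f"query({var_decls})" if var_decls else "query"
    call = f"{field_name}({var_uses})" if var_uses else field_name
    selection = f" {{ {' '.join(leaves)} }}" if leaves else ""
    return f"{head} {{ {call}{selection} }}"


if __name__ == "__main__":
    for name, info in build_map(INTROSPECTION_RESPONSE).items():
        print(name, info, "->", representative_query(INTROSPECTION_RESPONSE, name))
```

The same `introspection_enabled` check is useful from the defensive side: a production endpoint that answers the `__schema` query is handing out its full surface to anyone who asks, so teams usually confirm introspection is limited to non-production or authenticated contexts.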

Intelligent API security testing

Synopsys API Scanner comprehensively tests your APIs for:

Vulnerabilities and correctness

Automatically test every identified endpoint, fuzzing parameters with values generated through constraint and validation analysis to ensure the implementation doesn’t deviate from the specification.

Business logic flaws

Bypass server-side input validation to test the functionality of your APIs with payloads that are intelligently generated to test the boundaries of your validation.

Authorization and authentication bypasses

Combine and test authentication methods, including OAuth2, JWT, and authorization headers, all within an easily defined workflow.
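As an added example (not Synopsys code) tying together the OpenAPI mapping described under "Context-aware analysis" and the constraint-derived testing under "Vulnerabilities and correctness": the OpenAPI document, the HTTP operations, the `limit_validator` stand-in and every function name below are constructed for this illustration. The code flattens the spec into one record per operation (method, path, parameters, declared security scheme), derives boundary values from each parameter's declared constraints together with whether the spec says they should be accepted, and reports where a validator's behaviour deviates from that.

```python
import json

# Constructed OpenAPI 3 document; not taken from any real service.
OPENAPI_DOC = json.loads("""{
  "openapi": "3.0.3",
  "paths": {
    "/users": {
      "get": {
        "security": [{"bearerAuth": []}],
        "parameters": [
          {"name": "limit", "in": "query", "required": false,
           "schema": {"type": "integer", "minimum": 1, "maximum": 100}},
          {"name": "role", "in": "query",
           "schema": {"type": "string", "enum": ["admin", "member"]}}
        ]
      }
    },
    "/users/{id}": {
      "delete": {
        "security": [{"bearerAuth": []}],
        "parameters": [
          {"name": "id", "in": "path", "required": true,
           "schema": {"type": "string", "minLength": 8, "maxLength": 8}}
        ]
      }
    }
  }
}""")

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options"}


def build_api_map(doc):
    """Flatten the spec into one record per operation: method, path, parameter schemas, auth schemes."""
    ops = []
    for path, item in doc["paths"].items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            ops.append({
                "method": method.upper(),
                "path": path,
                "auth": [name for req in op.get("security", []) for name in req],
                "params": {p["name"]: p["schema"] for p in op.get("parameters", [])},
            })
    return ops


def boundary_values(schema):
    """(value, should_accept) pairs derived from the constraints the schema declares."""
    cases = []
    t = schema.get("type")
    if t == "integer":
        lo, hi = schema.get("minimum"), schema.get("maximum")
        if lo is not None:
            cases += [(lo, True), (lo - 1, False)]
        if hi is not None:
            cases += [(hi, True), (hi + 1, False)]
    elif t == "string":
        if "enum" in schema:
            cases += [(v, True) for v in schema["enum"]] + [("not-in-enum", False)]
        lo, hi = schema.get("minLength"), schema.get("maxLength")
        if lo is not None:
            cases.append(("a" * lo, True))
            if lo > 0:
                cases.append(("a" * (lo - 1), False))
        if hi is not None:
            cases += [("a" * hi, True), ("a" * (hi + 1), False)]
    return list(dict.fromkeys(cases))  # drop duplicates, keep order


def find_deviations(validator, schema):
    """Boundary values the implementation accepts or rejects contrary to the spec."""
    return [(value, expected) for value, expected in boundary_values(schema)
            if validator(value) != expected]


# Constructed stand-in for a server-side check of the `limit` parameter.
# It enforces the upper bound but not the lower one, so it deviates from the spec.
def limit_validator(value):
    return value <= 100


if __name__ == "__main__":
    for op in build_api_map(OPENAPI_DOC):
        print(op["method"], op["path"], "auth:", op["auth"])
        for name, schema in op["params"].items():
            print("   ", name, boundary_values(schema))
    limit_schema = build_api_map(OPENAPI_DOC)[0]["params"]["limit"]
    print("deviations for limit:", find_deviations(limit_validator, limit_schema))
```

The point of pairing each generated value with the spec's expected verdict is that a deviation is detectable in either direction: a value the spec forbids but the implementation accepts (here, `limit=0`) and a value the spec allows but the implementation rejects both show up as findings.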

Testing at the speed of development


Fast scans

Synopsys API Scanner runs in minutes, so your DevOps/CI pipeline isn’t slowed down.


Single-click replay attacks

Reduce fix/test cycle time. Replay attacks easily using built-in cURL commands, which contain the precise request and payload that exploited the vulnerability.

Automated testing integrated with the tools you use today


CI/CD integration

Synopsys API Scanner integrates directly with Jenkins and other CI/CD pipeline tools, so you can build API security into your DevOps pipelines.


Automation API

Tailor and automate any aspect of API scanning and issue reporting using the Synopsys API. If you can do it in the UI, you can do it with the API.


Issue tracker integration

Test results are integrated directly into Jira or your issue-tracking tool of choice using simple API calls. And they’re automatically closed when the vulnerabilities are fixed, or reopened as regressions if they reoccur. Never again be inundated with the same vulnerabilities day after day.
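An added example of the open/close/reopen lifecycle the paragraph describes, written in Python for illustration; it is not Synopsys code and does not call Jira. The findings and their issue-class labels are constructed, the tracker is an in-memory dict standing in for the issue-tracking system, and `fingerprint`/`reconcile` are this example's own names. Each finding is keyed by a stable fingerprint so the same defect is never filed twice, findings that disappear between scans are closed, and a fingerprint that comes back after being closed is reopened as a regression.

```python
import hashlib


def fingerprint(finding):
    """Stable identity for a finding: same operation, parameter and issue class across scans."""
    key = "|".join([finding["method"], finding["path"], finding["param"], finding["type"]])
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def reconcile(tracker, scan_findings):
    """Apply one scan's findings to `tracker` (fingerprint -> "open" | "closed").

    Returns the list of (action, fingerprint) performed, in order:
    "open" for new findings, "reopen" for regressions, "close" for fixed ones.
    """
    actions = []
    current = {fingerprint(f): f for f in scan_findings}
    for fp in current:
        status = tracker.get(fp)
        if status is None:
            actions.append(("open", fp))
            tracker[fp] = "open"
        elif status == "closed":
            actions.append(("reopen", fp))
            tracker[fp] = "open"
    for fp, status in tracker.items():
        if status == "open" and fp not in current:
            actions.append(("close", fp))
            tracker[fp] = "closed"
    return actions


def run_history(scans):
    """Replay a sequence of scans against a fresh tracker; returns the actions per scan."""
    tracker = {}
    return [reconcile(tracker, scan) for scan in scans]


# Constructed findings (not real scan output).
FINDING_A = {"method": "GET", "path": "/users", "param": "limit", "type": "missing-lower-bound"}
FINDING_B = {"method": "DELETE", "path": "/users/{id}", "param": "id", "type": "missing-authz-check"}

if __name__ == "__main__":
    # Scan 1 finds both, scan 2 shows B fixed, scan 3 shows B back again.
    for i, actions in enumerate(run_history([[FINDING_A, FINDING_B], [FINDING_A], [FINDING_A, FINDING_B]]), 1):
        print("scan", i, actions)
```

The fingerprint deliberately excludes volatile details such as the exact payload or timestamp; including them would file a fresh issue for every rerun, which is exactly the daily flood the paragraph warns against.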
