Skip to main content

Find shadow API routes before they reach production.

shadowaudit scans your source code statically — no agents, no traffic mirrors, no $70K contracts.

✓ Vulnerability 100/100✓ Quality 100/100✓ License 100/100
Audited by Socket.dev
bash — shadowaudit
$ npm install -g shadowaudit
$ shadowaudit --spec openapi.json --dir ./src

  shadowaudit v0.5.1 — Shadow API Scanner
  ─────────────────────────────────────────
  Route              Severity    Auth
  ─────────────────────────────────────────
  GET /api/test      CRITICAL    None detected
  POST /debug        HIGH        JWT present
  ─────────────────────────────────────────

✖ 1 CRITICAL finding. Pipeline blocked.

The Shadow API Problem

Shadow APIs Are Invisible to Runtime Scanners

Tools like Salt Security and Treblle only detect shadow APIs after they receive live traffic. By then, the endpoint is already in production.

Developers Ship Test Routes and Forget Them

A quick app.get('/api/test') with no auth middleware. Committed Friday, forgotten Monday. Exposed forever — until shadowaudit catches it on the next PR.

Enterprise Scanners Cost $70K/Year

shadowaudit is free, open-source, and runs inside your repo. No agents to deploy. No contracts to sign.

Built for CI/CD-native security

Static AST Analysis

Parses your code with Babel/Python AST. No runtime required.

OpenAPI Delta

Compares code routes to your spec. Flags anything undocumented.

CRITICAL / HIGH Severity

Detects missing auth middleware. Fails CI on CRITICAL findings.

SARIF Output

Native GitHub Security tab integration via SARIF 2.1.0.

PR Comment Bot

Posts a findings table directly on your pull request.

Express · FastAPI · Django · Flask

4 frameworks. Auto-detection. Auto-spec generation.

269
Shadow Routes Found in Ghost CMS

After enabling v0.3.0's AST-based auth detection and object filtering, false positives dropped by 88%. shadowaudit is production-tested on real open-source codebases.

Read the full writeup →

One command. No configuration required.

npm install -g shadowaudit
1
Install globally
2
Point at your spec and source
3
Fail your CI pipeline on undocumented, unauthenticated routes