shadowaudit scans your source code statically — no agents, no traffic mirrors, no $70K contracts.
$ npm install -g shadowaudit $ shadowaudit --spec openapi.json --dir ./src shadowaudit v0.5.1 — Shadow API Scanner ───────────────────────────────────────── Route Severity Auth ───────────────────────────────────────── GET /api/test CRITICAL None detected POST /debug HIGH JWT present ───────────────────────────────────────── ✖ 1 CRITICAL finding. Pipeline blocked.
Tools like Salt Security and Treblle only detect shadow APIs after they receive live traffic. By then, the endpoint is already in production.
A quick app.get('/api/test') with no auth middleware. Committed Friday, forgotten Monday. Exposed forever — until shadowaudit catches it on the next PR.
shadowaudit is free, open-source, and runs inside your repo. No agents to deploy. No contracts to sign.
Parses your code with Babel/Python AST. No runtime required.
Compares code routes to your spec. Flags anything undocumented.
Detects missing auth middleware. Fails CI on CRITICAL findings.
Native GitHub Security tab integration via SARIF 2.1.0.
Posts a findings table directly on your pull request.
4 frameworks. Auto-detection. Auto-spec generation.
After enabling v0.3.0's AST-based auth detection and object filtering, false positives dropped by 88%. shadowaudit is production-tested on real open-source codebases.
Read the full writeup →