What is shadowaudit?
shadowaudit is a static API security scanner that detects undocumented ("shadow") API routes by statically scanning your source code and comparing it against your OpenAPI spec. It catches the routes your runtime scanners can't see — because they haven't received traffic yet.
The problem
Developers spin up quick test endpoints and forget to remove them. These shadow APIs bypass documentation, skip auth middleware, and get deployed to production silently — invisible to network scanners, invisible to your security team.
How it's different from runtime scanners
Runtime API scanners (Salt Security, Treblle, Noname Security) detect shadow APIs by observing live traffic. That means:
- Runtime = reactive. The endpoint must already be deployed and receiving traffic.
- shadowaudit = preventive. It catches the route in the source code before it ships.
shadowaudit runs in your CI pipeline, on every PR, before merge.
How it works
┌──────────────┐ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐
│ 1. Scan │────▶│ 2. Parse │────▶│ 3. Compare │────▶│ 4. Report │
│ Source code │ │ OpenAPI spec│ │ Route delta │ │ Findings │
└──────────────┘ └──────────────┘ └──────────────┘ └──────────────┘
-
Scan — shadowaudit parses your source code with Babel (JavaScript/TypeScript) or regex-based AST extraction (Python). It finds every route definition:
app.get(),@router.post(),path(), and more. -
Parse spec — It reads your OpenAPI 3.x or Swagger 2.0 spec file (JSON or YAML) and extracts every documented route.
-
Compare — It cross-references scanned routes against documented routes. Any route in code but NOT in the spec is flagged as a shadow route.
-
Report — Findings are scored by severity:
- CRITICAL — undocumented route with no auth middleware detected
- HIGH — undocumented route with auth middleware present
Output as a terminal table, JSON, or SARIF 2.1.0 for GitHub Code Scanning.