Professional security analysis tool for Python REST APIs with advanced features
ApiPosture Pro
Professional security extension for Python API security scanning
Extends the open-source ApiPosture CLI with advanced security rules, secrets detection, diff mode, historical tracking, and risk scoring.
🔒 100% Local Analysis - Your code never leaves your machine. All scanning is performed locally on your computer or CI/CD runner.
Features
Free Rules (AP001-AP008)
Included automatically — public endpoint detection, missing auth, authorization conflicts, sensitive route keywords, and more.
Pro Rules
| ID | Name | Severity |
|---|---|---|
| AP009 | Broken Authentication | Critical |
| AP010 | Injection Vulnerabilities | High |
| AP011 | Broken Access Control | Critical |
| AP012 | Security Misconfiguration | High |
| AP013 | Vulnerable Components | High |
| AP014 | Hardcoded Secrets (15+ patterns) | Critical |
| AP015 | API Key Exposure | High |
| AP016 | Insecure Dependencies | High |
Additional Pro Features
- Risk Scoring — 0–100 scale (severity 50%, exposure 30%, surface area 20%)
- Diff Mode — compare baseline vs current scan
- History Tracking — SQLite-backed scan history with trends
Installation
```bash
# Install Pro CLI (includes all free and Pro rules)
pip install apiposture-pro
# Activate your license
apiposture-pro activate XXXX-XXXX-XXXX-XXXX
# Verify activation
apiposture-pro status
```
CI/CD: set license via environment variable
```bash
export APIPOSTURE_LICENSE_KEY=<your-jwt-token>
```
Usage
Scan
```bash
# Basic scan
apiposture-pro scan /path/to/your/api
# JSON output
apiposture-pro scan /path/to/your/api --output json --file report.json
# HTML output
apiposture-pro scan /path/to/your/api --output html --file report.html
# Save to history
apiposture-pro scan /path/to/your/api --with-history
# Disable risk score
apiposture-pro scan /path/to/your/api --no-risk-score
```
Diff Mode
```bash
apiposture-pro scan /path/to/api -f baseline.json
# ... make changes ...
apiposture-pro scan /path/to/api -f current.json
apiposture-pro diff baseline.json current.json
```
History
```bash
apiposture-pro history list
apiposture-pro history trend -p /path/to/api
apiposture-pro history show <scan-id>
apiposture-pro history cleanup --days 90
```
License
```bash
apiposture-pro status
apiposture-pro deactivate
```
Enterprise
Enterprise features require an Enterprise license (APIPOSTURE_LICENSE_KEY or apiposture-pro activate).
Compliance Reports
Generate SOC 2 / ISO 27001 compliance reports mapped to your scan findings:
```bash
# Generate PDF + HTML report
apiposture-pro compliance report . --framework soc2 --output both
# Specific framework, operator attribution
apiposture-pro compliance report . --framework iso27001 --output pdf --operator "Acme Corp"
# All frameworks
apiposture-pro compliance report . --framework all --output both
```
Compliance Score in Scan Output
```bash
# Show compliance score alongside risk score
apiposture-pro scan . --comp-framework soc2
apiposture-pro scan . --comp-framework iso27001
```
Starter Kits
Emit a pre-configured policy file, sample report, and GitHub Actions workflows:
```bash
apiposture-pro compliance starter-kit soc2 ./compliance/
apiposture-pro compliance starter-kit iso27001 ./compliance/
```
Generates: .apiposture-policy.json, sample-report.html, github-actions/apiposture-pr-gate.yml, github-actions/apiposture-weekly-report.yml, README.md.
Policy Enforcement
Place .apiposture-policy.json in your project root (generated by starter-kit or written manually). The scanner reads it automatically and exits with code 1 on violations:
```json
{
  "zero_tolerance": ["AP014", "AP009"],
  "warn": ["AP010", "AP011"]
}
```
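As an added example (not part of the ApiPosture project's own code), the script below shows what the Diff Mode and Policy Enforcement steps above amount to when combined into one PR gate: it diffs a baseline and a current scan by finding identity, then exits 1 when any finding hits a `zero_tolerance` rule from the policy file format shown above. The scan JSON layout (a `findings` list of `rule`, `severity`, `file`, `line` entries) is an assumed layout for illustration, not the tool's documented schema.

```python
import json
import sys

# Constructed sample scan outputs; the "findings" layout is an assumption.
BASELINE = {"findings": [
    {"rule": "AP003", "severity": "Medium", "file": "app/routes.py", "line": 12},
    {"rule": "AP010", "severity": "High", "file": "app/db.py", "line": 40},
]}
CURRENT = {"findings": [
    {"rule": "AP010", "severity": "High", "file": "app/db.py", "line": 40},
    {"rule": "AP014", "severity": "Critical", "file": "app/config.py", "line": 3},
]}
# Policy in the .apiposture-policy.json format shown on this page.
POLICY = {"zero_tolerance": ["AP014", "AP009"], "warn": ["AP010", "AP011"]}


def finding_key(finding):
    """Stable identity of a finding across scans: rule plus location."""
    return (finding["rule"], finding["file"], finding["line"])


def diff_findings(baseline, current):
    """Findings new in `current` and findings fixed since `baseline`."""
    base = {finding_key(f): f for f in baseline["findings"]}
    cur = {finding_key(f): f for f in current["findings"]}
    return {"new": [cur[k] for k in sorted(cur.keys() - base.keys())],
            "fixed": [base[k] for k in sorted(base.keys() - cur.keys())]}


def enforce_policy(findings, policy):
    """Exit 1 on any zero_tolerance hit; warn-listed rules are reported only."""
    violations = [f for f in findings if f["rule"] in policy["zero_tolerance"]]
    warnings = [f for f in findings if f["rule"] in policy["warn"]]
    return {"violations": violations, "warnings": warnings,
            "exit_code": 1 if violations else 0}


def gate(baseline, current, policy):
    """Report the diff, then gate on the current scan's findings."""
    report = enforce_policy(current["findings"], policy)
    report.update(diff_findings(baseline, current))
    return report


if __name__ == "__main__":
    # Runs against the constructed samples; swap in json.load() of real files.
    report = gate(BASELINE, CURRENT, POLICY)
    print(json.dumps(report, indent=2))
    sys.exit(report["exit_code"])
```

The sample run reports AP003 as fixed, AP014 as new, AP010 as a warning, and exits 1 because AP014 is zero-tolerance.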
Operator Attribution
```bash
apiposture-pro scan . --operator "Security Team"
```
The operator name is embedded in findings output and scan records.
Audit Trail Export
Export a tamper-evident audit trail from scan history:
```bash
# JSON export (stdout)
apiposture-pro history export --format json
# JSON to file
apiposture-pro history export --format json --output-file audit.json
# PDF export
apiposture-pro history export --format pdf --output-file audit-export.pdf
# Specific scan record
apiposture-pro history export --scan-id 42 --format pdf --output-file audit-42.pdf
```
Integrity Verification
```bash
# Verify latest scan record integrity
apiposture-pro verify
# Verify specific scan
apiposture-pro verify --scan-id 42
```
CI/CD Integration
GitHub Actions
```yaml
name: Security Scan
on: [push, pull_request]
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: '3.12'
      - run: pip install apiposture-pro
      - run: apiposture-pro scan . --output json --file results.json
        env:
          APIPOSTURE_LICENSE_KEY: ${{ secrets.APIPOSTURE_LICENSE_KEY }}
      - uses: actions/upload-artifact@v4
        with:
          name: security-scan-results
          path: results.json
```
GitLab CI
```yaml
security_scan:
  image: python:3.12
  script:
    - pip install apiposture-pro
    - apiposture-pro scan . --output json --file results.json
  variables:
    APIPOSTURE_LICENSE_KEY: $APIPOSTURE_LICENSE_KEY
  artifacts:
    paths:
      - results.json
```
Azure DevOps
```yaml
steps:
  - task: UsePythonVersion@0
    inputs:
      versionSpec: '3.12'
  - script: pip install apiposture-pro
  - script: apiposture-pro scan . --output json --file $(Build.ArtifactStagingDirectory)/results.json
    env:
      APIPOSTURE_LICENSE_KEY: $(ApiPostureLicenseKey)
```
Supported Frameworks
- FastAPI 0.100+
- Flask 2.3+
- Django REST Framework 3.14+
Privacy
All analysis is performed 100% locally. No code, findings, or project data is uploaded to external servers. Only the license key is sent to api.apiposture.com during activation/validation. SQLite history is stored at ~/.apiposture/history.db.
License Tiers
| Feature | Pro | Enterprise |
|---|---|---|
| Free rules (AP001-AP008) | ✓ | ✓ |
| OWASP rules (AP009-AP013) | ✓ | ✓ |
| Secrets detection (AP014-AP015) | ✓ | ✓ |
| Dependency scanning (AP016) | ✓ | ✓ |
| Diff mode | ✓ | ✓ |
| Historical tracking | ✓ | ✓ |
| Risk scoring | ✓ | ✓ |
| Compliance reports (SOC 2 / ISO 27001) | — | ✓ |
| Compliance score + trend | — | ✓ |
| Starter kits | — | ✓ |
| Policy enforcement | — | ✓ |
| Audit trail export | — | ✓ |
| Operator attribution | — | ✓ |
| Integrity verification | — | ✓ |
Links
- Free ApiPosture CLI: GitHub | PyPI
- ApiPosture Pro: PyPI
- Documentation: https://docs.apiposture.com
- Support: support@apiposture.com
Changelog
1.1.0
- Enterprise tier: compliance reports (SOC 2 / ISO 27001), compliance score, starter kits, policy enforcement, audit trail export, operator attribution, integrity verification
1.0.0 (2026-02-09)
- Initial release: OWASP rules (AP009-AP013), secrets detection (AP014-AP015), dependency scanning (AP016), diff mode, history tracking, risk scoring
Copyright © 2026 ApiPosture. All rights reserved. | License Terms
File details
Details for the file apiposture_pro-1.0.23.tar.gz.
File metadata
- Download URL: apiposture_pro-1.0.23.tar.gz
- Size: 165.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 228ba155e3179758f12ff2c7f9963a9b5c7a789bd39defec1e92f8ee3759f697 |
| MD5 | e002bc5607e41cff73a422823a1f8906 |
| BLAKE2b-256 | 37834beb0e87dce920fe8baa5c6fc996ef51841840b28b891b7237175fe0b5f9 |
Provenance
The following attestation bundles were made for apiposture_pro-1.0.23.tar.gz:
- Publisher: publish.yml on ApiPosture/ApiPosturePro.Python
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: apiposture_pro-1.0.23.tar.gz
- Subject digest: 228ba155e3179758f12ff2c7f9963a9b5c7a789bd39defec1e92f8ee3759f697
- Sigstore transparency entry: 1630210910
- Permalink: ApiPosture/ApiPosturePro.Python@20369ff87ff1415450de8081cedd86da26ff93a8
- Branch / Tag: refs/tags/v1.0.23
- Owner: https://github.com/ApiPosture
- Access: private
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: publish.yml@20369ff87ff1415450de8081cedd86da26ff93a8
- Trigger Event: push
File details
Details for the file apiposture_pro-1.0.23-py3-none-any.whl.
File metadata
- Download URL: apiposture_pro-1.0.23-py3-none-any.whl
- Size: 101.4 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 7960a14f6d837d718f45e69f42b94117e122b89bbc55fd20dc20b7e86e7353f6 |
| MD5 | f4d42c4dc1c7ed8327d23a42b478bff7 |
| BLAKE2b-256 | 6e9387604bfe9dd43a9034ae636f9b61aab2d2779cacadaa2edab7d6239d90bd |
Provenance
The following attestation bundles were made for apiposture_pro-1.0.23-py3-none-any.whl:
- Publisher: publish.yml on ApiPosture/ApiPosturePro.Python
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: apiposture_pro-1.0.23-py3-none-any.whl
- Subject digest: 7960a14f6d837d718f45e69f42b94117e122b89bbc55fd20dc20b7e86e7353f6
- Sigstore transparency entry: 1630210948
- Permalink: ApiPosture/ApiPosturePro.Python@20369ff87ff1415450de8081cedd86da26ff93a8
- Branch / Tag: refs/tags/v1.0.23
- Owner: https://github.com/ApiPosture
- Access: private
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: publish.yml@20369ff87ff1415450de8081cedd86da26ff93a8
- Trigger Event: push