DORA Compliance Auditor for OpenAPI Specs
Project description
PanDoraSpec
The Open DORA Compliance Engine for OpenAPI Specs.
PanDoraSpec is a CLI tool that performs deep technical due diligence on APIs to verify compliance with DORA (Digital Operational Resilience Act) requirements. It compares OpenAPI/Swagger specifications against real-world implementation to detect schema drift, resilience gaps, and security issues.
📦 Installation
pip install pandoraspec
System Requirements
The PDF report generation requires weasyprint, which depends on Pango.
macOS:
brew install pango
Debian / Ubuntu:
sudo apt-get install libpango-1.0-0 libpangoft2-1.0-0
🛠️ Development Setup
To run the CLI locally without reinstalling after every change:
- Clone & CD:
git clone ...
cd pandoraspec
- Create & Activate Virtual Environment: It's recommended to use a virtual environment to keep dependencies isolated.
python3 -m venv venv
source venv/bin/activate # On Windows: venv\Scripts\activate
- Editable Install:
pip install -e .
This links the pandoraspec command directly to your source code. Any changes you make will be reflected immediately.
🚀 Usage
Run the audit directly from your terminal.
Basic Scan
pandoraspec https://petstore.swagger.io/v2/swagger.json
With Options
pandoraspec https://api.example.com/spec.json --vendor "Stripe" --key "sk_live_..."
Local File
pandoraspec ./openapi.yaml
🏎️ Zero-Config Testing (DORA Compliance)
For standard DORA compliance, you simply need to verify that your API implementation matches its specification. No configuration is required.
pandoraspec https://petstore.swagger.io/v2/swagger.json
This runs a fuzzing audit where random data is generated based on your schema types (e.g., sending random integers for IDs).
- Value: This is sufficient to prove that your API correctly handles unexpected inputs and adheres to the basic contract (e.g., returning 400 Bad Request instead of 500 Server Error).
- Limitation: Detailed business logic requiring valid IDs (e.g.,
GET /user/{id}where{id}must exist) may return404 Not Found. This is acceptable for a compliance scan but may not fully exercise deeper code paths.
🧠 Advanced Testing with Seed Data
To test specific business workflows (e.g., successfully retrieving a user profile), you can provide "Seed Data". This tells PanDoraSpec to use known, valid values instead of random fuzzing data.
pandoraspec https://petstore.swagger.io/v2/swagger.json --config seed_parameters.yaml
Configuration Hierarchy
You can define seed values at three levels of specificity. The engine resolves values in this order: Endpoints > Verbs > General.
seed_data:
# 1. General: Applies to EVERYTHING (path params, query params, headers)
general:
username: "test_user"
limit: 50
# 2. Verbs: Applies only to specific HTTP methods (Overwrites General)
verbs:
POST:
username: "admin_user" # Creation requests use a different user
# 3. Endpoints: Applies only to specific routes (Overwrites Everything)
endpoints:
/users/me:
GET:
limit: 10
🔗 Dynamic Seed Data (Chaining Requests)
You can even test dependency chains where one endpoint requires data from another (e.g., get a User ID from a search result to query their profile).
Supported Features:
- Dynamic Resolution: Fetch a value from another API call before running the test.
- Extraction: Extract values from JSON responses or plain text.
- Parameter Interpolation: Use
{param}in the dependency URL to chain multiple steps.
endpoints:
/user/{username}:
GET:
username:
# 1. Fetch the user list first
# 2. Extract the 'username' field from the response
from_endpoint: "GET /users/search?role=admin"
extract: "data.items.0.username"
/orders/{orderId}:
GET:
orderId:
# 1. Use the {userId} from our general seeds
# 2. Call /users/{userId}/latest-order
# 3. Extract the ID using Regex from a message string
from_endpoint: "GET /users/{userId}/latest-order"
extract: "message"
regex: "Order ID: ([0-9]+)"
🛡️ What It Checks
Module A: The Integrity Test (Drift)
Checks if your API implementation matches your documentation.
- Why? DORA requires you to monitor if the service effectively supports your critical functions. If the API behaves differently than documented, it's a risk.
Module B: The Resilience Test
Stress tests the API to ensure it handles invalid inputs gracefully (4xx vs 5xx).
- Why? DORA Article 25 calls for "Digital operational resilience testing".
Module C: Security Hygiene
Checks for common security headers and configurations.
Module D: The Report
Generates a PDF report: "DORA ICT Third-Party Technical Risk Assessment".
📄 License
MIT
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file pandoraspec-0.2.0.tar.gz.
File metadata
- Download URL: pandoraspec-0.2.0.tar.gz
- Upload date:
- Size: 14.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.2
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
3d4f88bcf0a41a6fb5ea5a60705a0c2cca62be6b0ee5597a185b953612184c6d
|
|
| MD5 |
76352cff26226db6acb39a4fd289f718
|
|
| BLAKE2b-256 |
26d7913a0392f5023d7e15c1e66ca0daaa431692ff15587430c14f253b41cc16
|
File details
Details for the file pandoraspec-0.2.0-py3-none-any.whl.
File metadata
- Download URL: pandoraspec-0.2.0-py3-none-any.whl
- Upload date:
- Size: 13.4 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.2
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
a6557415ffdaca99325505f7dca6ffccd1cf0b1a53ded18ff1da971882f86c0b
|
|
| MD5 |
5a05b9df722775f91b0a153e0c01615e
|
|
| BLAKE2b-256 |
792c9c9d8277f1d28e4af3cd59ca8d8ca8caf13253f0a7ef47bf708f07fade87
|
