Modular async web-application security surface auditor with pluggable checks, MCP support, and CI-friendly reports.

Navigation

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for ugurkontel from gravatar.com ugurkontel

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License: Apache Software License (Apache License)
  • Author: Uğur Kontel
  • Tags appsec , cors , csp , hsts , mcp , pentest , posture , sarif , scanner , security , security-headers , surface-audit , vulnerability , web-security
  • Requires: Python >=3.10
  • Provides-Extra: dev , mcp
Classifiers
Report project as malware

Project description

surface-audit

CI PyPI Python License: Apache 2.0 Checked with mypy Ruff

A modular, asynchronous web-application security surface auditor.

surface-audit sends a small, configurable set of safe probes at a target URL, mapping findings to the OWASP Top 10 (2021) categories where applicable. It is designed for pre-deployment smoke testing, CI gates, and as an embeddable Python library. The pluggable architecture (surface_audit.checks entry points) keeps the tool catalog-agnostic — third-party checks can target any standard (NIST, CIS, ASVS, internal rules).

⚠️ Authorized use only. This tool sends real HTTP requests to the target. Only run it against systems you own or have explicit written permission to test. See SECURITY.md.

Highlights

  • Async by default — checks run concurrently over a shared httpx.AsyncClient with a semaphore cap and exponential-backoff retries.
  • Plugin architecture — every check is a class registered via Python entry points. Third-party packages add their own without forking.
  • Multiple output formats — rich console, JSON, HTML, Markdown (PR-ready), and SARIF 2.1.0 for GitHub Code Scanning integration.
  • Configurable — TOML config file (surface-audit.toml or [tool.surface-audit]) plus per-invocation CLI flags.
  • CI-friendly--fail-on HIGH gates builds on severity; SARIF uploads integrate natively with GitHub Advanced Security.
  • Typed, tested, safemypy --strict, ruff, bandit, and a pytest suite with respx-mocked HTTP tests.

Built-in checks

Check ID OWASP Summary
security-headers A05 Missing and weakly-configured HSTS / CSP / XFO / Referrer / Permissions
ssl-tls A02 Weak ciphers or obsolete TLS versions
https-redirect A02 Plain HTTP does not redirect to HTTPS
cross-origin-isolation A05 Missing COOP / COEP / CORP isolation headers
xss-reflection A03 Query-string input reflected without output encoding
sql-injection A03 Database error messages leaked on meta-character input
csrf A01 Mutating HTML forms without a recognizable anti-CSRF token
auth-cookies A07 Cookies missing Secure / HttpOnly / SameSite
open-redirect A01 Query parameters that allow off-origin 30x redirects
misconfiguration A05 Well-known exposed paths (.env, .git, admin consoles)
directory-listing A05 Auto-generated directory index pages
cors A05 Permissive CORS reflections and wildcard-with-credentials
security-txt A09 Missing /.well-known/security.txt (RFC 9116)

Run surface-audit list-checks to see what is registered in your environment (including any third-party plugins).

Quick start

pipx install surface-audit
surface-audit scan https://example.com

Detailed per-platform setup: docs/INSTALL.md.

Usage

# Save a JSON report and fail CI on HIGH+ findings
surface-audit scan https://example.com \
    --output reports/example.json --format json --fail-on HIGH

# Emit SARIF for GitHub Advanced Security
surface-audit scan https://example.com \
    --output reports/example.sarif --format sarif

# Run only a subset of checks
surface-audit scan https://example.com \
    --enable security-headers --enable ssl-tls

Full CLI and library reference: docs/USAGE.md.

Library example

import asyncio
from surface_audit import Scanner, ScannerConfig

async def main() -> None:
    report = await Scanner(
        "https://example.com",
        config=ScannerConfig(max_concurrency=4, timeout=5.0),
    ).run()
    for finding in report.findings:
        print(finding.severity.value, finding.check_id, finding.title)

asyncio.run(main())

Extend it

Any package shipping an entry point under surface_audit.checks adds a check:

# your-plugin/pyproject.toml
[project.entry-points."surface_audit.checks"]
cors_wildcard = "my_checks.cors:PermissiveCORSCheck"

See docs/ARCHITECTURE.md for layering, SOLID scorecard, and design patterns.

Documentation

Development

make install   # set up .venv with dev extras
make all       # ruff + mypy + bandit + pytest

CI runs on every push across Python 3.10 – 3.13 — see .github/workflows/ci.yml.

License

Apache License 2.0 — Copyright © 2026 Uğur Kontel. See also NOTICE for attribution requirements that apply to redistributions.

surface-audit is an open-source project from Fillbyte.

Project details

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for ugurkontel from gravatar.com ugurkontel

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License: Apache Software License (Apache License)
  • Author: Uğur Kontel
  • Tags appsec , cors , csp , hsts , mcp , pentest , posture , sarif , scanner , security , security-headers , surface-audit , vulnerability , web-security
  • Requires: Python >=3.10
  • Provides-Extra: dev , mcp
Classifiers

Release history Release notifications | RSS feed

1.0.2

This version

1.0.1

1.0.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

surface_audit-1.0.1.tar.gz (79.6 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

surface_audit-1.0.1-py3-none-any.whl (63.5 kB view details)

Uploaded Python 3

File details

Details for the file surface_audit-1.0.1.tar.gz.

File metadata

  • Download URL: surface_audit-1.0.1.tar.gz
  • Upload date:
  • Size: 79.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for surface_audit-1.0.1.tar.gz
Algorithm Hash digest
SHA256 c9bb23e663f11f54066a613905f353cdfcb737d1e42808c23f761f33743c860c
MD5 acc248726d2da0c79b7ec0aa5dcde16c
BLAKE2b-256 5fd93d2284580b69a711189e6a4c79310841503489f3c7c8661ca1c125ae8a5f

See more details on using hashes here.

Provenance

The following attestation bundles were made for surface_audit-1.0.1.tar.gz:

Publisher: release.yml on dev-ugurkontel/surface-audit

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file surface_audit-1.0.1-py3-none-any.whl.

File metadata

  • Download URL: surface_audit-1.0.1-py3-none-any.whl
  • Upload date:
  • Size: 63.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for surface_audit-1.0.1-py3-none-any.whl
Algorithm Hash digest
SHA256 168b184fa7159edbcc15f6d5d2004642bde1dbd57371bc5064ec6c67d51dd5ae
MD5 d43a57c04dee888f3b1f5b3f0bb48f31
BLAKE2b-256 2ea09931033c59763896a604f98298df3d4c6854b5b5ff147539113abc8ec2e1

See more details on using hashes here.

Provenance

The following attestation bundles were made for surface_audit-1.0.1-py3-none-any.whl:

Publisher: release.yml on dev-ugurkontel/surface-audit

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page