owasp-noir_noir


Attack surface detector that identifies endpoints by static analysis.


OWASP Noir is an open-source project that identifies attack surfaces for whitebox security testing and security pipelines. It discovers API endpoints, web endpoints, and other potential entry points within source code so that they can be analyzed thoroughly.

Key Features

  • Extract API endpoints and parameters from source code.
  • Support multiple languages and frameworks.
  • Uncover security issues with detailed analysis and rule-based passive scanning.
  • Integrate seamlessly with DevOps pipelines and tools like curl, ZAP, and Caido.
  • Deliver clear, actionable results in formats like JSON, YAML, and OAS.
  • Enhance endpoint discovery with AI for unfamiliar frameworks and hidden APIs.

Usage

noir -h

Example

noir -b <source_dir>

If you use it with GitHub Actions, please refer to this document.

JSON Result

noir -b . -u https://testapp.internal.domains -f json -T
{
  "endpoints": [
    {
      "url": "https://testapp.internal.domains/query",
      "method": "POST",
      "params": [
        {
          "name": "my_auth",
          "value": "",
          "param_type": "cookie",
          "tags": []
        },
        {
          "name": "query",
          "value": "",
          "param_type": "form",
          "tags": [
            {
              "name": "sqli",
              "description": "This parameter may be vulnerable to SQL Injection attacks.",
              "tagger": "Hunt"
            }
          ]
        }
      ],
      "details": {
        "code_paths": [
          {
            "path": "spec/functional_test/fixtures/crystal_kemal/src/testapp.cr",
            "line": 8
          }
        ]
      },
      "protocol": "http",
      "tags": []
    }
  ]
}

For more details, please visit our documentation page.
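The JSON result above is what a pipeline step typically consumes. As an added example (not part of the Noir project), the script below parses that report: it flattens parameter-level tags into findings with their code path, groups parameter names by location as a seed list for a DAST scanner, and fails the step when a chosen tag (here `sqli`) is present. The report is embedded from the sample above, and the tag names used for the verdict are an assumption.

```python
# Sample report: the README's JSON Result above, one endpoint with a tagged form parameter.
SAMPLE_REPORT = {"endpoints": [{
    "url": "https://testapp.internal.domains/query", "method": "POST", "protocol": "http",
    "params": [
        {"name": "my_auth", "value": "", "param_type": "cookie", "tags": []},
        {"name": "query", "value": "", "param_type": "form",
         "tags": [{"name": "sqli", "description": "This parameter may be vulnerable to SQL Injection attacks.", "tagger": "Hunt"}]},
    ],
    "details": {"code_paths": [{"path": "spec/functional_test/fixtures/crystal_kemal/src/testapp.cr", "line": 8}]},
    "tags": [],
}]}

def tagged_params(report):
    """One finding per (endpoint, parameter, tag), carrying the code path so it can be
    triaged against source. Endpoints without tagged parameters produce nothing."""
    findings = []
    for ep in report.get("endpoints", []):
        paths = ep.get("details", {}).get("code_paths", [])
        where = ", ".join(f'{cp["path"]}:{cp["line"]}' for cp in paths) or "unknown"
        for p in ep.get("params", []):
            for tag in p.get("tags", []):
                findings.append({
                    "method": ep["method"], "url": ep["url"],
                    "param": p["name"], "param_type": p["param_type"],
                    "tag": tag["name"], "tagger": tag.get("tagger", ""), "source": where,
                })
    return findings

def dast_seeds(report):
    """Per endpoint, group parameter names by location (cookie, form, query, ...)
    so a DAST scanner can be seeded with the exact inputs the code reads."""
    seeds = []
    for ep in report.get("endpoints", []):
        by_type = {}
        for p in ep.get("params", []):
            by_type.setdefault(p["param_type"], []).append(p["name"])
        seeds.append({"method": ep["method"], "url": ep["url"], "params": by_type})
    return seeds

def pipeline_verdict(report, fail_on=("sqli",)):
    """Return (ok, messages); ok is False when any tag listed in fail_on appears."""
    msgs = [f'{f["method"]} {f["url"]} param={f["param"]} ({f["param_type"]}) '
            f'tag={f["tag"]} by {f["tagger"]} at {f["source"]}'
            for f in tagged_params(report) if f["tag"] in fail_on]
    return (not msgs, msgs)

if __name__ == "__main__":  # exit non-zero so a CI step fails on tagged parameters
    ok, msgs = pipeline_verdict(SAMPLE_REPORT)
    print("\n".join(msgs) or "no tagged parameters")
    raise SystemExit(0 if ok else 1)
```

To run it against a real report, replace `SAMPLE_REPORT` with `json.load(open("noir.json"))` produced by `noir -b . -f json`.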

Roadmap

We plan to expand the range of supported programming languages and frameworks, and to continuously increase accuracy. Furthermore, we will leverage AI and Large Language Models (LLMs) to significantly broaden our analysis capabilities.

Initially conceived as a tool to assist with whitebox testing, our immediate goal remains to extract and provide endpoints from the source code within the DevSecOps pipeline. This enables Dynamic Application Security Testing (DAST) tools to conduct more accurate and stable scans.

Looking ahead, our ambition is for our tool to evolve into a crucial bridge, seamlessly connecting source code with DAST and other security testing tools, thereby facilitating a more integrated and effective security posture.

News & Updates

  • October 2025: Presented at the OWASP Seoul Meetup.
  • November 2024: Published a guest blog post "Powering Up DAST with ZAP and Noir" on the ZAP blog.
  • June 2024: Joined OWASP as OWASP Noir.
    • Renamed the GitHub organization from noir-cr to owasp-noir
    • Transitioned to a co-maintainership model with @ksg97031
  • November 2023: Moved the Noir repository to the noir-cr GitHub organization.
  • August 2023: Started as @hahwul's personal project.

Contributing

Noir is an open-source project made with ❤️. If you would like to contribute, please check CONTRIBUTING.md and submit a Pull Request.

Mascot

Our mascot is Hak (학), a crane symbolizing elegance and precision in spotting hidden flaws. In Korean, "학" means "crane," representing a sharp ally who dives deep to uncover vulnerabilities and attack surfaces in your code.

For more artwork and resources related to Hak, check out the noir-artwork repository.
License

MIT License

Synced at

Sat, 29 Nov 2025 09:28:57 GMT
