API9:2023 Improper Inventory Management
Undocumented or shadow endpoints, deprecated routes that are still live, OpenAPI spec drift, and unprotected admin paths. Inventory the API surface: you cannot secure what you do not know exists, and an endpoint missing from the spec is usually also missing from the review and auth requirements the spec drives.
What Vulkro detects
Vulkro reconciles discovered endpoints with the project's openapi.yaml (if any). Drift is flagged in both directions: endpoint in code but missing from spec, endpoint in spec but missing from code.
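Reconciliation of this kind fits in a few dozen lines. The script below is an added example, not Vulkro's implementation: it models mounted routes with a namedtuple that mirrors the `.path`/`.methods` shape of FastAPI's `APIRoute` (so a real app's `app.routes` can be passed in unchanged), and both the OpenAPI document and the route table are constructed sample data. Path parameters are normalized so `{id}` and `{user_id}` compare equal, trailing slashes are stripped so `/products/` matches `/products`, and undocumented routes under hypothetical sensitive prefixes such as `/internal` are called out separately, since those are the ones most likely to also lack an auth dependency.

```python
"""Reconcile the routes an app really mounts with a hand-maintained OpenAPI
document and report drift in both directions.

Added example, not Vulkro's implementation. OPENAPI_JSON and MOUNTED_ROUTES
are constructed sample data; the Route tuple mirrors the .path/.methods shape
of fastapi.routing.APIRoute so a real app's `app.routes` can be passed in.
"""
import json
import re
from collections import namedtuple

Route = namedtuple("Route", ["path", "methods"])

# Constructed spec: the surface the team believes it exposes.
OPENAPI_JSON = """
{
  "openapi": "3.0.3",
  "paths": {
    "/users":      {"get": {}, "post": {}},
    "/users/{id}": {"get": {}, "delete": {}},
    "/orders":     {"get": {}},
    "/products":   {"get": {}},
    "/v1/reports": {"get": {}}
  }
}
"""

# Constructed route table: the surface the code actually mounts.
MOUNTED_ROUTES = [
    Route("/users", {"GET", "POST"}),
    Route("/users/{user_id}", {"GET", "DELETE"}),   # same endpoint, different param name
    Route("/orders", {"GET"}),
    Route("/products/", {"GET"}),                   # trailing slash only
    Route("/internal/admin/users", {"GET"}),        # shadow admin endpoint, absent from spec
    Route("/internal/admin/users/{uid}", {"DELETE"}),
    # /v1/reports was removed from the code but is still advertised in the spec
]

HTTP_METHODS = {"GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS", "TRACE"}
# Hypothetical prefixes this example treats as sensitive; tune per project.
SENSITIVE_PREFIXES = ("/internal", "/admin", "/debug")
_PARAM = re.compile(r"\{[^}]*\}")


def normalize(path):
    """Canonical form: any path parameter becomes '{}', trailing slash dropped."""
    path = _PARAM.sub("{}", path)
    return path.rstrip("/") or "/"


def load_spec(text=OPENAPI_JSON):
    return json.loads(text)


def spec_operations(openapi_doc):
    """(METHOD, normalized path) pairs declared in the OpenAPI document."""
    ops = set()
    for path, item in openapi_doc.get("paths", {}).items():
        for method in item:                         # skips 'parameters', 'summary', etc.
            if method.upper() in HTTP_METHODS:
                ops.add((method.upper(), normalize(path)))
    return ops


def code_operations(routes):
    """(METHOD, normalized path) pairs actually mounted; HEAD is auto-added and ignored."""
    ops = set()
    for route in routes:
        for method in getattr(route, "methods", None) or ():
            if method.upper() in HTTP_METHODS:
                ops.add((method.upper(), normalize(route.path)))
    return ops


def reconcile(openapi_doc, routes):
    """Drift in both directions, each as a sorted list of (METHOD, path)."""
    in_spec = spec_operations(openapi_doc)
    in_code = code_operations(routes)
    return {
        "undocumented": sorted(in_code - in_spec),   # in code, missing from spec
        "stale": sorted(in_spec - in_code),          # in spec, missing from code
    }


def is_sensitive(path):
    return path.startswith(SENSITIVE_PREFIXES)


def report(openapi_doc, routes):
    """Human-readable findings; sensitive undocumented paths are called out first."""
    drift = reconcile(openapi_doc, routes)
    lines = []
    for method, path in drift["undocumented"]:
        tag = "UNDOCUMENTED, SENSITIVE PREFIX" if is_sensitive(path) else "UNDOCUMENTED"
        lines.append(f"{tag}: {method} {path} is mounted but absent from the spec")
    for method, path in drift["stale"]:
        lines.append(f"STALE: {method} {path} is in the spec but nothing serves it")
    return lines


if __name__ == "__main__":
    print("\n".join(report(load_spec(), MOUNTED_ROUTES)) or "no drift")
```

Run against the sample data it reports the two `/internal/admin/...` operations as undocumented and `GET /v1/reports` as stale. Both directions matter: the undocumented side is the attack surface nobody reviewed, and the stale side is what clients and gateways will keep calling, or what a future deploy will silently bring back. Wiring the same check into CI, as the compliant example below does with Vulkro, turns spec drift into a failed build instead of an incident.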
Non-compliant code (examples)
FastAPI — undocumented admin route in production
from fastapi import APIRouter, FastAPI
app = FastAPI()
admin_router = APIRouter()  # admin handlers are registered on this router elsewhere
# openapi.yaml lists /users, /orders, /products
# but the admin router is mounted with no spec entry:
app.include_router(admin_router, prefix='/internal/admin', tags=['internal'])
# attackers find it via path bruteforce; nothing in the spec disclosed it, so it was never reviewed
Compliant code (examples)
FastAPI — every route in the spec, drift caught in CI
from fastapi import APIRouter, FastAPI
app = FastAPI()
admin_router = APIRouter()  # admin handlers are registered on this router elsewhere
# vulkro scan --gate-vs main catches spec drift in CI:
# every router mount must appear in openapi.yaml.
app.include_router(admin_router, prefix='/internal/admin', tags=['internal'])
# openapi.yaml entry:
# /internal/admin/*: { ... documented with auth requirements }
See also
- Confidence model - what High, Medium, and Low mean for findings in this category.
- Safety - what Vulkro does and does not access on your machine.
References
This page is generated by vulkro rules export <out-dir> from the catalog in src/rule_docs.rs. Edits made by hand are overwritten on the next regeneration.