Source code to attack surface in seconds. Static analysis for endpoints, parameters, and hidden routes across 50+ frameworks.
Capabilities
Analyzes source code to uncover the complete attack surface — hidden endpoints, shadow APIs, undocumented routes, and security blind spots that manual review misses.
Crystal, Ruby, Python, Go, Java, Kotlin, JS/TS, PHP, C#, and more. One tool for your entire stack.
LLM integration detects endpoints even in unsupported frameworks. Nothing escapes.
CI/CD native. GitHub Actions, JSON/YAML/SARIF output. Plug into ZAP, Burp, Caido.
Discovered endpoints feed directly into dynamic testing tools. Static analysis meets dynamic scanning.
Output formats: JSON, JSONL, YAML, TOML, OpenAPI 2.0, OpenAPI 3.0, SARIF, HTML, Markdown, cURL, HTTPie, PowerShell, Postman, Mermaid, Only-URL, Only-Param, Only-Header, Only-Cookie, Only-Tag
Workflow
Noir auto-detects the language, framework, and routing patterns. No config needed.
Static analysis maps all routes, parameters, and headers. AI fills in the gaps for unknown frameworks.
Export to JSON, OpenAPI, SARIF, or send directly to DAST tools. Integrate with CI/CD in one line.
Open Source
OWASP Noir is built by the community. Contribute, report issues, or just star the repo.
Thanks to our contributors