Source code to attack surface in seconds. Static analysis for endpoints, parameters, and hidden routes across 50+ frameworks — ready to feed DAST tools and AI SAST.
Capabilities
Analyzes source code to uncover the complete attack surface — hidden endpoints, shadow APIs, undocumented routes, and security blind spots that manual review misses.
Crystal, Ruby, Python, Go, Java, Kotlin, JS/TS, PHP, C#, and more. One tool for your entire stack.
LLM integration detects endpoints even in unsupported frameworks. Nothing escapes.
CI/CD native. GitHub Actions, JSON/YAML/SARIF output. Plug into ZAP, Burp, Caido.
One endpoint inventory drives ZAP/Burp/Caido on the dynamic side and points LLM-based SAST and code auditors at the entrypoints worth reviewing on the static side.
JSON, JSONL, YAML, TOML, OpenAPI 2.0, OpenAPI 3.0, SARIF, HTML, Markdown, cURL, HTTPie, PowerShell, Postman, Mermaid, Only-URL, Only-Param, Only-Header, Only-Cookie, Only-Tag
Workflow
Noir auto-detects the language, framework, and routing patterns. No config needed.
Static analysis maps all routes, parameters, and headers. AI fills in the gaps for unknown frameworks.
Export to JSON, OpenAPI, or SARIF; pipe straight into ZAP/Burp/Caido; or hand the inventory to an LLM-based SAST or code auditor as focused entrypoint context.
Open Source
OWASP Noir is built by the community. Contribute, report issues, or just star the repo.
Thanks to our contributors