v0.28.0 OWASP Project

Hunt Endpoints. Expose Shadow APIs. Map the Attack Surface.

noir

$ noir -b .

INFO Detected 1 technologies: crystal_kemal

INFO Analysis Started. Code Analyzer: 1 in use

✔ Finally identified 6 endpoints. in 0.0032s

GET /

POST /query

GET /token

GET /socket websocket

POST /admin/config shadow

GET /admin/debug shadow

Get Started GitHub

50+ Languages & Frameworks / 8 Output Formats / AI Powered Analysis / OWASP Official Project / SAST to DAST Bridge / Open Source / 50+ Languages & Frameworks / 8 Output Formats / AI Powered Analysis / OWASP Official Project / SAST to DAST Bridge / Open Source /

What Noir does

Attack Surface Discovery

Analyzes source code to uncover the complete attack surface — hidden endpoints, shadow APIs, undocumented routes, and security blind spots that manual review misses.

Multi-Language

Crystal, Ruby, Python, Go, Java, Kotlin, JS/TS, PHP, C#, and more. One tool for your entire stack.

AI-Powered

LLM integration detects endpoints even in unsupported frameworks. Nothing escapes.

DevSecOps Ready

CI/CD native. GitHub Actions, JSON/YAML/SARIF output. Plug into ZAP, Burp, Caido.

SAST-to-DAST Bridge

Discovered endpoints feed directly into dynamic testing tools. Static analysis meets dynamic scanning for full coverage.

Flexible Output

JSONYAMLOpenAPISARIFcURLHTMLMermaidOAS

Built With

Open Source

Join the Community

OWASP Noir is built by the community. Contribute, report issues, or just star the repo.

Contributing Guide Star on GitHub