A deserted city street at night, shot in monochrome, with the OWASP Noir wordmark lit across it. The same deserted city street in daylight fog, with the OWASP Noir wordmark cast across it in shadow.

Hunt every endpoint in your code.

Noir reads your source and returns the routes, parameters, and headers an attacker can reach.

Built with

What it does

One pass over your source produces the endpoint inventory that reviewers, models, and scanners all need.

Endpoint extraction

Static analysis pulls routes, methods, parameters, headers, and cookies out of the code. Shadow APIs and forgotten handlers surface in the same pass, not a separate mode.

Noir output listing the HTTP methods, paths, headers, and idor tags it extracted from a codebase, beside the source tree it read.

Context for AI reviewers

--ai-context attaches guards, sinks, validators, and signals to each endpoint, so a model reads the handler instead of the whole repository.

Per-endpoint AI context: the route definition, the detected framework, and the signals a reviewer should check.

Every mainstream stack

One binary, no plugins and no per-language setup. Frameworks the static rules miss fall back to an LLM.

23Languages 144Frameworks

Passive scanning

Severity-graded rules run over the same tree and report hardcoded keys, tokens, and credentials. Bring your own rules or use the community set.

Semantic tags

Seventeen taggers annotate endpoints with the properties that decide where you look first.

corsjwtoauthgraphqlpiipaymentfile_uploadwebhookwebsocketsoapcryptodebugadminaccount_recoveryapi_docshunt_parammcp

How it runs

Point it at a codebase

Noir detects the language, the framework, and the routing convention on its own. There is nothing to configure first.

noir scan ./your-project

Read what it found

Every endpoint carries the file and line it came from, so a finding is one click away from the code that produced it.

noir scan ./your-project --include path,techs -f json -o endpoints.json

Hand it to the next tool

Export OpenAPI for a scanner, SARIF for your code-scanning dashboard, or route probes straight through an intercepting proxy.

noir scan ./your-project -f oas3 --probe-via http://127.0.0.1:8080

Output formats

Twenty-two of them. Pick the one your next tool already speaks.

plainjsonjsonlyamltomlmarkdown-tablesarifhtmloas2oas3postman
curlhttpiepowershelladbsimctlmermaidonly-urlonly-paramonly-headeronly-cookieonly-tag

One inventory, three readers

Security reviewers

A focused list of attacker-reachable entrypoints instead of a repository to skim.

AI code auditors

The same list, plus the guards, sinks, and validators around each endpoint.

DAST scanners

Routes a crawler would never reach, handed to ZAP, Burp, or Caido as a proxy target or an OpenAPI import.

The Noir HTML report, listing discovered endpoints with their methods, parameters, and tags.
A film poster of Hak, the OWASP Noir mascot: a crane in a trench coat and goggles, standing in the rain.

Built in the open

Noir is an OWASP Foundation project, MIT licensed, and maintained by the people who use it. Framework support, scan rules, and output formats all arrive as contributions.

Read the contributing guide

Thanks to everyone who has contributed.

Avatars of the people who have contributed to OWASP Noir.