Hunt Endpoints. Expose Shadow APIs. Map the Attack Surface.
Discovers endpoints, parameters, and hidden routes from source code across 50+ frameworks. The inventory goes to reviewers, AI auditors, and DAST scanners that need a real route list.
Capabilities
What it does
Endpoint Extraction
Static analysis pulls endpoints, parameters, headers, and cookies out of source. Shadow APIs, deprecated routes, and undocumented handlers come out of the same pass, not a separate mode.
Multi-Language
Crystal, Ruby, Python, Go, Java, Kotlin, JS/TS, PHP, C#, and more. 50+ frameworks in a single binary, no plugins or per-language setup.
LLM Fallback
Frameworks Noir doesn't natively support fall back to an LLM (OpenAI, Ollama, etc.). Point it at the codebase and let the model fill the gap.
CI/CD Friendly
GitHub Action, SARIF output, exit codes. Fits the pipeline you already have.
For Humans, AI, and DAST
The same endpoint inventory serves all three: human reviewers and LLM-based code auditors get a focused list of attacker-reachable entrypoints; DAST scanners (ZAP, Burp, Caido) get routes they wouldn't have crawled.
Flexible Output
JSON, JSONL, YAML, TOML, OpenAPI 2.0, OpenAPI 3.0, SARIF, HTML, Markdown, cURL, HTTPie, PowerShell, Postman, Mermaid, Only-URL, Only-Param, Only-Header, Only-Cookie, Only-Tag
Workflow
How it runs
Point it at a codebase
Noir detects language, framework, and routing patterns on its own. No config to write.
Extract endpoints
Static analyzers pull out routes, parameters, and headers. An LLM fallback handles frameworks the static rules don't cover.
Hand off to humans, AI, or DAST
Export JSON, OpenAPI, or SARIF for human reviewers; pipe straight into ZAP, Burp, or Caido as a proxy target; or hand the inventory to an LLM-based code auditor as focused entrypoint context.
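To make the "source to endpoints" pass above concrete, here is a toy static route extractor written as an added example. It is not OWASP Noir's code (Noir's analyzers are written in Crystal and cover far more patterns); it uses two deliberately small regex rule sets for Flask and Express, runs them over constructed source snippets, records each route's method, path and parameter locations, and then flags routes that a published path list does not mention, which is the "shadow API" case the page describes. The sample sources, the `documented` path set and the `Endpoint` shape are all assumptions made for the example.

```python
"""Toy static route extractor (added example, not OWASP Noir's code).

Pulls method, path and parameter locations out of Flask and Express source
text with simple regexes, then reports routes missing from a published spec.
"""
import json
import re
from dataclasses import asdict, dataclass, field

@dataclass
class Endpoint:
    method: str
    path: str
    params: list = field(default_factory=list)  # (name, location) pairs
    framework: str = ""

# Flask patterns: @app.route("/path", methods=["GET", "POST"]) and request.* reads
FLASK_ROUTE = re.compile(
    r'@\w+\.route\(\s*["\']([^"\']+)["\'](?:\s*,\s*methods\s*=\s*\[([^\]]*)\])?\s*\)')
FLASK_QUERY = re.compile(r'request\.args\.get\(\s*["\']([^"\']+)["\']')
FLASK_FORM = re.compile(r'request\.form\.get\(\s*["\']([^"\']+)["\']')
FLASK_PATH = re.compile(r'<(?:\w+:)?(\w+)>')          # <int:user_id> -> user_id

# Express patterns: router.get("/path", handler) and req.query.x / req.body.x reads
EXPRESS_ROUTE = re.compile(
    r'\b(?:app|router)\.(get|post|put|delete|patch)\(\s*["\']([^"\']+)["\']')
EXPRESS_PARAM = re.compile(r'\breq\.(query|body)\.(\w+)')
EXPRESS_PATH = re.compile(r':(\w+)')                  # /orders/:id -> id

def _bodies(src, matches):
    """Yield (route_match, handler_text); handler text runs to the next route."""
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(src)
        yield m, src[m.end():end]

def extract_flask(src):
    eps = []
    for m, body in _bodies(src, list(FLASK_ROUTE.finditer(src))):
        path, methods = m.group(1), m.group(2)
        methods = ([x.strip().strip('"\'').upper() for x in methods.split(',')]
                   if methods else ['GET'])          # Flask defaults to GET
        params = ([(n, 'query') for n in FLASK_QUERY.findall(body)]
                  + [(n, 'form') for n in FLASK_FORM.findall(body)]
                  + [(n, 'path') for n in FLASK_PATH.findall(path)])
        for meth in methods:                          # one entry per method
            eps.append(Endpoint(meth, path, list(params), 'flask'))
    return eps

def extract_express(src):
    eps = []
    for m, body in _bodies(src, list(EXPRESS_ROUTE.finditer(src))):
        path = m.group(2)
        params = ([(n, loc) for loc, n in EXPRESS_PARAM.findall(body)]
                  + [(n, 'path') for n in EXPRESS_PATH.findall(path)])
        eps.append(Endpoint(m.group(1).upper(), path, params, 'express'))
    return eps

def shadow_endpoints(endpoints, documented_paths):
    """Routes present in source that the published path list does not mention."""
    return [e for e in endpoints if e.path not in documented_paths]

# Constructed sample sources (assumptions for the example, not a real project).
FLASK_SRC = '''
@app.route("/api/users", methods=["GET", "POST"])
def users():
    q = request.args.get("q")
    email = request.form.get("email")
    return "ok"

@app.route("/api/users/<int:user_id>")
def user(user_id):
    return "ok"

@app.route("/internal/debug")
def debug():
    token = request.args.get("token")
    return "ok"
'''

EXPRESS_SRC = '''
const router = express.Router();
router.get("/api/orders/:id", (req, res) => res.json(findOrder(req.params.id)));
router.post("/api/orders", (req, res) => create(req.body.sku, req.body.qty));
app.delete("/admin/orders/:id", (req, res) => remove(req.params.id));
'''

# Constructed "published spec": the paths a hypothetical OpenAPI document lists.
DOCUMENTED = {"/api/users", "/api/users/<int:user_id>", "/api/orders", "/api/orders/:id"}

def inventory():
    """Full endpoint list for the two constructed sources."""
    return extract_flask(FLASK_SRC) + extract_express(EXPRESS_SRC)

if __name__ == "__main__":
    eps = inventory()
    print(json.dumps({"endpoints": [asdict(e) for e in eps]}, indent=2))
    for e in shadow_endpoints(eps, DOCUMENTED):
        print("undocumented:", e.method, e.path)
```

Run it as a script to see the inventory as JSON followed by the two undocumented routes. The handler-body heuristic (everything up to the next route declaration) is what makes the parameter attribution work without a real parser; it is also why a production tool needs per-framework analyzers rather than regexes, since helpers shared between handlers or routes registered in loops would be attributed wrongly here.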
Built With
Open Source
Join the Community
OWASP Noir is built by the community. Contribute, report issues, or just star the repo.
Thanks to our contributors