The CLI
One command. Full scan.
BrokenApp ships as a command-line tool for developers who want to run scans locally or integrate scanning into their CI/CD pipeline. No configuration file required.
Quick start
Scan any deployed app.
$ brokenapp scan --url https://yourapp.com
A single command kicks off a full crawl. The CLI discovers routes automatically, tests every endpoint it can find, and outputs a structured report.
Commands
Core commands
# Crawl all routes, test endpoints, generate report
$ brokenapp scan --url <target>
Full scan of a deployed app
# Probe for vulnerabilities, misconfigurations, exposed data
$ brokenapp scan --url <target> --mode security
Security-focused scan only
# Core Web Vitals, load times, asset optimization
$ brokenapp scan --url <target> --mode performance
Performance audit only
# Limit how deep the crawler goes into your route tree
$ brokenapp scan --url <target> --depth 3
Control crawl depth
# Pull up any historical scan result
$ brokenapp report <scan-id>
View a previous scan report
# Before/after — see what's fixed, what's new
$ brokenapp diff <scan-id-1> <scan-id-2>
Compare two scans
# Only high + critical findings, YAML frontmatter included
$ brokenapp export --scan-dir <dir> --format md --severity high
Export filtered Markdown report
# Replay User A's requests with User B's auth
$ brokenapp idor-scan --scan-a <dir> --scan-b <dir> --config-b <toml>
Cross-user IDOR/BOLA detection
# Scan each role, test every pair, compliance heatmap
$ brokenapp auth-matrix --config roles.toml --mode full
N×N multi-role authorization matrix
# Passive traffic analysis + active .env/.git probing
$ brokenapp exposure-scan --scan-dir <dir> --active
Secrets & exposed file detection
# Fingerprint findings — mark accepted risk or false positives
$ brokenapp baseline create --scan <dir>
Create a baseline from scan findings
# Only surface new issues, suppress triaged findings
$ brokenapp baseline apply --scan <dir> --baseline baseline.json
Filter known findings from a scan
# Login, session persistence, token refresh, logout invalidation
$ brokenapp auth-test --config target.toml
Auth flow testing (Supabase / Firebase / custom)
# Auto-create/close issues using fingerprint matching
$ brokenapp github sync --repo owner/repo --scan <dir>
Sync findings to GitHub issues
# Upload to Code Scanning with CWE + OWASP mappings
$ brokenapp github sarif --scan <dir>
Export SARIF for GitHub Code Scanning
# Step-skip detection + replay attack detection
$ brokenapp logic-test --scan <dir> --config target.toml
Business logic testing
# Consolidated report with all findings, evidence, CWE mappings
$ brokenapp export --scan-dir <dir> --format pdf
Export branded PDF, Markdown, or CSV report
The diff command
Prove your fixes work.
Run a scan before you push a fix, run another after, and brokenapp diff shows you exactly which bugs were resolved, which are still open, and whether your changes introduced anything new.
This is the verification layer that makes the Clean Code Challenge possible — we can prove, with evidence, that bugs were actually fixed.
$ brokenapp diff scan-a1b2 scan-c3d4
Resolved (4)
+ XSS vector in /search
+ Missing HTTPS redirect
+ 500 on /api/users/me
+ LCP > 4s on /dashboard
Still open (2)
- CORS misconfiguration
- Exposed admin endpoint
New (0)
IDOR / BOLA scanning
Automated authorization testing.
Scan your app with two different user accounts. The idor-scan command replays User A's requests using User B's credentials and flags the endpoints where object-level authorization is missing or broken. Because write requests (refunds, deletes) are replayed for real, point it at a staging copy, not production.
ID-bearing endpoint extraction
Automatically finds endpoints with object IDs in paths, query params, and request bodies.
Direct HTTP replay
Uses reqwest — 10-100x faster than browser-based testing. Cookie, bearer, and form auth supported.
Automatic classification
Jaccard body similarity analysis classifies each finding as Confirmed, Likely, or No Issue.
$ brokenapp idor-scan \
--scan-a ./admin-scan \
--scan-b ./viewer-scan \
--config-b ./viewer.toml \
--limit 50 --delay-ms 200
# Extracting ID-bearing endpoints...
# Found 31 testable endpoints
# Replaying with viewer credentials...
IDOR Results:
Confirmed: 4 Likely: 2 Clean: 25
CRITICAL GET /api/users/:id/profile
200 OK — body similarity: 0.94
CRITICAL POST /api/orders/:id/refund
200 OK — write endpoint, full access
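The classification step, as an added example rather than BrokenApp's own code: a short Python script that computes Jaccard similarity between the owner's response body and the replayed one, then turns status code plus similarity into Confirmed, Likely or No Issue. The tokenizer, the 0.90 and 0.60 thresholds, the write-endpoint rule and the response bodies are assumptions; the tool's real thresholds are not published on this page.

```python
"""Classify IDOR replay results from status code plus Jaccard body similarity.

Added example, not BrokenApp's own code. The token-set tokenizer, the
0.90 / 0.60 thresholds, the write-endpoint rule and the sample responses
are assumptions chosen to reproduce the Confirmed / Likely / No Issue
buckets described on the page.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Assumption: word-ish tokens; JSON punctuation and quotes are dropped.
TOKEN_RE = re.compile(r"[A-Za-z0-9_@.-]+")


def tokens(body: str) -> set[str]:
    return set(TOKEN_RE.findall(body))


def jaccard(a: str, b: str) -> float:
    """Jaccard index |A∩B| / |A∪B| over token sets. Two empty bodies count as identical."""
    ta, tb = tokens(a), tokens(b)
    if not ta and not tb:
        return 1.0
    return len(ta & tb) / len(ta | tb)


@dataclass(frozen=True)
class Replay:
    method: str
    path: str
    status_a: int      # what User A (the owner) originally received
    body_a: str
    status_b: int      # what came back when A's request was replayed with B's credentials
    body_b: str
    is_write: bool = False


CONFIRMED_AT = 0.90    # assumption
LIKELY_AT = 0.60       # assumption


def classify(r: Replay) -> tuple[str, float]:
    """Return (verdict, similarity).

    Why compare bodies at all: many APIs answer 200 to any authenticated caller
    but silently scope the data to that caller, so B gets its *own* orders back.
    That body looks nothing like A's and is not an IDOR.
    """
    sim = jaccard(r.body_a, r.body_b)
    if r.status_a // 100 != 2:
        return "No Issue", sim     # the owner's own request failed; nothing to compare against
    if r.status_b // 100 != 2:
        return "No Issue", sim     # 401/403/404: authorization held, or the object is hidden
    if r.is_write:
        return "Confirmed", sim    # a 2xx on a state change as the wrong user needs no body comparison
    if sim >= CONFIRMED_AT:
        return "Confirmed", sim
    if sim >= LIKELY_AT:
        return "Likely", sim       # partial leak, e.g. some fields redacted
    return "No Issue", sim


def summarize(replays) -> dict:
    counts = Counter(classify(r)[0] for r in replays)
    return {k: counts.get(k, 0) for k in ("Confirmed", "Likely", "No Issue")}


# Constructed sample: an admin's recorded requests, replayed as a viewer.
SAMPLE = [
    Replay("GET", "/api/users/42/profile", 200,
           '{"id":42,"email":"alice@example.com","role":"admin","plan":"pro",'
           '"created":"2024-01-05","mfa":true,"locale":"en-US","tz":"UTC"}',
           200,
           '{"id":42,"email":"alice@example.com","role":"admin","plan":"pro",'
           '"created":"2024-01-05","mfa":true,"locale":"en-US","tz":"UTC","cached":true}'),
    Replay("GET", "/api/users/42/contact", 200,
           '{"id":42,"name":"Alice","email":"alice@example.com","phone":"555-0100"}',
           200,
           '{"id":42,"name":"Alice","email":"hidden","phone":"hidden"}'),
    Replay("GET", "/api/users/42/orders", 200,
           '{"user":42,"orders":[{"id":9001,"total":120},{"id":9002,"total":80}]}',
           200,
           '{"user":7,"orders":[]}'),
    Replay("GET", "/api/users/42/invoices", 200, '{"invoices":[1,2]}',
           403, '{"error":"forbidden"}'),
    Replay("POST", "/api/orders/9001/refund", 200, '{"ok":true}',
           200, '{"ok":true}', is_write=True),
]

if __name__ == "__main__":
    for r in SAMPLE:
        verdict, sim = classify(r)
        print(f"{verdict:9} {r.method} {r.path}  {r.status_b} body similarity: {sim:.2f}")
    print(summarize(SAMPLE))
```

The /api/users/42/orders case is the reason the similarity score exists: the viewer gets a 200 with an empty order list, which a status-only check would have called Confirmed. The /contact case lands in Likely because most of the record comes back with two fields redacted, which is exactly the kind of partial leak that deserves a human look.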
Multi-role auth matrix
Compliance in one command.
Define every role in a single roles.toml. BrokenApp scans each role independently, then runs IDOR testing across every N×(N-1) pair. Output: a compliance heatmap showing which role pairs have broken authorization.
Full mode
Scans each role from scratch, then tests all pairs.
Replay mode
Use existing scan dirs. Skip the scan step, jump to IDOR testing.
$ brokenapp auth-matrix \
--config roles.toml \
--mode full
# Scanning 4 roles...
# admin ✓ user ✓ viewer ✓ unauth ✓
# Testing 12 pairs...
Auth Matrix Results:
req↓ auth→   admin   user    viewer  unauth
admin        --      0/0     0/0     0/0
user         5/2     --      0/0     0/0
viewer       8/3     3/1     --      0/0
unauth       12/5    8/3     2/1     --
3 pairs with confirmed IDOR
Exposure & secrets scanning
Find leaked secrets. Automatically.
Passive mode scans captured traffic from any existing scan. Active mode probes ~30 sensitive paths against the live target. Runs automatically on every scan — zero config required.
18 compiled regex patterns
AWS, GCP, GitHub, Stripe, Slack, SendGrid, Twilio, Mailgun, Firebase, Heroku, RSA keys, database URLs.
22 sensitive path probes
/.env, /.git, /actuator, /phpinfo, JS source maps (auto-discovered), swagger docs.
Secrets always masked
AKIA****7X2Q — BrokenApp never stores or transmits full secrets.
$ brokenapp exposure-scan \
--scan-dir ./scan-results --active
# Scanning 847 traffic entries...
# Probing 28 sensitive paths...
Exposure scan complete.
CRITICAL /.env exposed
AWS key: AKIA****7X2Q
CRITICAL /.git/config accessible
HIGH Stripe key in /api/config
sk_live_****mN4x
HIGH Server: nginx/1.19.0
MEDIUM Source map /app.js.map accessible
LOW Internal IP 10.0.4.12 in response
Report → ./exposure-results/exposure-report.json
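How pattern matching and masking fit together, as an added example and not BrokenApp's own regex set: a handful of provider patterns run over captured response bodies and every hit is reported masked in the AKIA****7X2Q shape shown above. The patterns, the prefix lengths kept in the mask, and the traffic entries with their key values are constructed for illustration.

```python
"""Regex-based secret detection over captured traffic, with masking.

Added example, not BrokenApp's own code. The patterns below are a small
subset written for illustration (the page describes an 18-pattern set),
the mask shape AKIA****7X2Q follows the page, and the traffic entries
and key values are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str
    location: str   # URL the value was seen at
    masked: str     # never the full value


# (kind, regex, number of leading characters to keep in the mask).
# Prefixes are the providers' documented ones; the lengths are the commonly
# observed formats, so treat a non-match as "not detected", not "not a key".
PATTERNS = [
    ("AWS access key ID",      re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 4),
    ("Stripe live secret key", re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"), 8),
    ("GitHub token",           re.compile(r"\bgh[pousr]_[0-9A-Za-z]{36,}\b"), 4),
    ("Slack token",            re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b"), 5),
]
# Connection strings get special handling: only the password segment is masked,
# so the report still says which host and database the credential belongs to.
DB_URL = re.compile(r"\b((?:postgres|postgresql|mysql|mongodb)://[^:\s/]+:)([^@\s]+)(@[^\s\"'<>]+)")


def mask(secret: str, keep: int) -> str:
    """Keep a recognisable prefix and the last four characters; the rest becomes ****."""
    if len(secret) <= keep + 4:
        return secret[:keep] + "****"
    return secret[:keep] + "****" + secret[-4:]


def scan_entry(url: str, body: str) -> list[Finding]:
    found = []
    for kind, rx, keep in PATTERNS:
        for m in rx.finditer(body):
            found.append(Finding(kind, url, mask(m.group(0), keep)))
    for m in DB_URL.finditer(body):
        found.append(Finding("Database URL with password", url, m.group(1) + "****" + m.group(3)))
    return found


def scan_traffic(entries) -> list[Finding]:
    """entries: iterable of (url, response_body). Duplicate hits at one location collapse to one."""
    hits = set()
    for url, body in entries:
        hits.update(scan_entry(url, body))
    return sorted(hits, key=lambda f: (f.location, f.kind))


# Constructed traffic: an exposed .env, a config endpoint, a JS bundle, a clean page.
SAMPLE_TRAFFIC = [
    ("https://yourapp.com/.env",
     "AWS_ACCESS_KEY_ID=AKIAQ3EXAMPLE7Z97X2Q\n"
     "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
     "DATABASE_URL=postgres://app:s3cr3t-pw@db.internal:5432/app\n"),
    ("https://yourapp.com/api/config",
     '{"stripe":"sk_live_0123456789abcdefghijmN4x","region":"us-east-1"}'),
    ("https://yourapp.com/app.js",
     'const t="ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij";'
     'fetch("/api",{headers:{Authorization:"token "+t}})'),
    ("https://yourapp.com/about", "<p>Contact alice@example.com</p>"),
]

if __name__ == "__main__":
    for f in scan_traffic(SAMPLE_TRAFFIC):
        print(f"{f.kind:28} {f.location}  {f.masked}")
```

Two things to notice in the output. The secret access key sitting next to the AKIA hit in .env goes unreported, because it has no distinctive prefix that a regex can anchor on; a hit on a key ID should therefore prompt a look at the surrounding lines. And the connection string keeps host and database visible while masking only the password, which is what makes the finding actionable without the report itself becoming a leak.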
Baseline & triage management
Stop re-triaging the same findings.
Create a baseline from any scan. Mark findings as accepted risk, false positive, or triaged. Subsequent scans filter out known issues — only new findings surface. Blake3 fingerprinting ensures stable matching across scans.
Stable fingerprinting
Blake3 hash of endpoint + category + location. Same finding = same ID across scans.
Triage statuses
accepted, triaged, false_positive — with optional notes for each.
Diff-aware
brokenapp baseline diff shows new, resolved, and unchanged findings.
# Create baseline from scan
$ brokenapp baseline create --scan ./results
✓ Baseline created: 47 findings fingerprinted
# Re-scan and filter known issues
$ brokenapp baseline apply \
--scan ./new-results --baseline baseline.json
New: 3 findings
Resolved: 12 findings
Unchanged: 32 findings (suppressed)
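Fingerprinting and the three-way split behind both the diff command above and baseline apply, as an added example that is not BrokenApp's code. Blake3 is replaced by hashlib's blake2b so the block runs on the standard library alone; the ID-normalisation rule, the finding fields, the sample scans and the JSON layout of the baseline are assumptions.

```python
"""Stable finding fingerprints, baseline creation and a two-scan diff.

Added example, not BrokenApp's own code. It serves both the `diff` and the
`baseline` commands. BrokenApp fingerprints with Blake3; hashlib's blake2b
stands in here so the block runs on the standard library alone. The
findings, the ID-normalisation rule and the baseline layout are assumptions.
"""
import hashlib
import json
import re
from dataclasses import dataclass

# Path segments that are object IDs become ":id" before hashing, so
# /api/users/42/profile and /api/users/7/profile are one finding, not two.
ID_SEGMENT = re.compile(
    r"^(\d+|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$", re.I)


def normalise_endpoint(method: str, path: str) -> str:
    segments = [":id" if ID_SEGMENT.match(s) else s for s in path.split("/")]
    return f"{method.upper()} {'/'.join(segments)}"


@dataclass(frozen=True)
class Finding:
    endpoint: str    # from normalise_endpoint()
    category: str    # e.g. "idor", "xss", "cors"
    location: str    # where it was observed: "query:q", "path:id", "response"
    severity: str
    title: str


def fingerprint(f: Finding) -> str:
    """Hash of endpoint + category + location only. Severity and title are left
    out on purpose: re-rating or re-wording a finding must not make it look new."""
    h = hashlib.blake2b(digest_size=16)     # stand-in for Blake3
    for part in (f.endpoint, f.category, f.location):
        h.update(part.encode())
        h.update(b"\x00")                   # separator, so ("ab","c") != ("a","bc")
    return h.hexdigest()


def index(findings) -> dict:
    return {fingerprint(f): f for f in findings}


def compare(previous: dict, current: dict) -> dict:
    """previous/current map fingerprint -> finding (or baseline entry).
    Shared by `diff` (scan vs scan) and `baseline apply` (baseline vs scan)."""
    return {
        "new":       [current[fp] for fp in current if fp not in previous],
        "resolved":  [previous[fp] for fp in previous if fp not in current],
        "unchanged": [current[fp] for fp in current if fp in previous],
    }


def create_baseline(findings, triage=None) -> dict:
    """fingerprint -> triage entry. triage maps fingerprint -> (status, note);
    statuses follow the page: accepted, triaged, false_positive."""
    triage = triage or {}
    out = {}
    for f in findings:
        fp = fingerprint(f)
        status, note = triage.get(fp, ("triaged", ""))
        out[fp] = {"endpoint": f.endpoint, "category": f.category,
                   "status": status, "note": note}
    return out


def apply_baseline(findings, baseline: dict) -> dict:
    """Everything in the baseline is suppressed; only `new` should reach the report."""
    return compare(baseline, index(findings))


def mk(method, path, category, location, severity, title) -> Finding:
    return Finding(normalise_endpoint(method, path), category, location, severity, title)


# Constructed: scan A before a round of fixes, scan B after it.
SCAN_A = [
    mk("GET", "/search", "xss", "query:q", "high", "XSS vector in /search"),
    mk("GET", "/", "transport", "response", "medium", "Missing HTTPS redirect"),
    mk("GET", "/api/users/me", "error", "response", "medium", "500 on /api/users/me"),
    mk("GET", "/api/users/42/profile", "idor", "path:id", "critical", "IDOR on /api/users/:id/profile"),
    mk("GET", "/admin", "exposure", "response", "high", "Exposed admin endpoint"),
]
SCAN_B = [
    mk("GET", "/api/users/7/profile", "idor", "path:id", "critical", "IDOR on /api/users/:id/profile"),
    mk("GET", "/admin", "exposure", "response", "high", "Exposed admin endpoint"),
    mk("POST", "/api/orders/9001/refund", "idor", "path:id", "critical", "IDOR on /api/orders/:id/refund"),
]

if __name__ == "__main__":
    d = compare(index(SCAN_A), index(SCAN_B))
    print(f"Resolved ({len(d['resolved'])})", *[f"  + {x.title}" for x in d["resolved"]], sep="\n")
    print(f"Still open ({len(d['unchanged'])})", *[f"  - {x.title}" for x in d["unchanged"]], sep="\n")
    print(f"New ({len(d['new'])})", *[f"  ! {x.title}" for x in d["new"]], sep="\n")

    baseline = create_baseline(SCAN_A, {fingerprint(SCAN_A[4]): ("accepted", "admin UI is VPN-only")})
    print(json.dumps(baseline[fingerprint(SCAN_A[4])], indent=2))   # one entry of baseline.json
    b = apply_baseline(SCAN_B, baseline)
    print(f"New: {len(b['new'])}  Resolved: {len(b['resolved'])}  Unchanged: {len(b['unchanged'])} (suppressed)")
```

The point to take from it is which fields go into the hash. The same IDOR observed on user 42 in one scan and user 7 in the next must collapse to one fingerprint, so path IDs are normalised first; and severity and title stay out, so re-rating a finding or rewording its message never resurrects it as "new".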
Auth flow testing
Supabase. Firebase. Custom auth.
Native auth flow testing for modern stacks. Login success/failure, session persistence, token refresh, and logout invalidation — automated. Configure in TOML, run one command. The TOML holds a real account's password, so keep it out of version control.
5 test cases
Login success, login failure, session persistence, token refresh, logout invalidation. One caveat on the last: with stateless JWT access tokens (Supabase and Firebase both issue them) sign-out revokes the refresh token but the access token stays valid until it expires unless the backend checks a revocation list, so a failed logout-invalidation check there is a design property to weigh rather than automatically a bug.
Session health monitoring
Detects dead sessions (3+ consecutive 401/403) during scanning.
Provider support
Supabase (GoTrue), Firebase (Identity Toolkit), cookie, bearer, form-based.
# config.toml
[auth]
type = "supabase"
project_url = "https://xyz.supabase.co"
anon_key = "eyJhbGci..."
email = "admin@app.com"
password = "supersecret"
$ brokenapp auth-test --config config.toml
✓ LoginSuccess — token obtained (3600s expiry)
✓ LoginFailure — 400 rejected correctly
✓ SessionPersist — authenticated request 200
✓ TokenRefresh — new access_token obtained
✗ LogoutInvalid — old token still accepted
GitHub integration
Findings live where your code lives.
Sync scan findings to GitHub issues. Comment on PRs with security results. Export SARIF for GitHub Code Scanning. Issues auto-close when findings resolve. All using fingerprint-based matching.
Issue sync
Auto-create issues for new findings, auto-close when resolved. Fingerprint markers prevent duplicates.
SARIF export
SARIF 2.1.0 format for GitHub Code Scanning. CWE + OWASP rule metadata included.
PR comments
Post scan summary as a PR comment. Reviewers see security findings inline.
# Sync findings to GitHub issues
$ brokenapp github sync \
--repo acme/webapp --scan ./results
Created: #142 — IDOR on /api/users/:id
Created: #143 — .env exposed (AWS key)
Created: #144 — Step-skip on /checkout
Closed: #138 — CORS misconfiguration (resolved)
Closed: #139 — Missing CSP header (resolved)
# Export SARIF for Code Scanning
$ brokenapp github sarif --scan ./results
✓ results.sarif — 47 findings, SARIF 2.1.0
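A minimal SARIF 2.1.0 document of the kind the sarif command produces, as an added example rather than BrokenApp's exporter. The finding records, the rule-id format, the fingerprint key name, the placeholder artifact path and the numeric severity scores are assumptions; the "security" and external/cwe/cwe-NNN tags, the security-severity rule property and the schema URL follow GitHub's code-scanning upload documentation.

```python
"""Build a SARIF 2.1.0 log from scan findings for GitHub Code Scanning.

Added example, not BrokenApp's own exporter. The finding records, the
rule-id format, the partialFingerprints key name, the placeholder artifact
path and the severity scores are assumptions; the tag convention, the
security-severity property and the schema URL are the ones GitHub documents.
"""
import json

# Constructed findings. `fingerprint` is the stable ID the scan already carries;
# `cwe` and `owasp` are the mappings that end up in the rule metadata.
FINDINGS = [
    {"rule": "idor", "title": "IDOR on /api/users/:id", "severity": "critical",
     "endpoint": "GET /api/users/:id", "cwe": 639, "owasp": "API1:2023", "fingerprint": "3f9a1c2e"},
    {"rule": "exposure", "title": ".env exposed (AWS key)", "severity": "critical",
     "endpoint": "GET /.env", "cwe": 538, "owasp": "A05:2021", "fingerprint": "b7d2e410"},
    {"rule": "cors", "title": "CORS misconfiguration", "severity": "medium",
     "endpoint": "GET /api/config", "cwe": 942, "owasp": "A05:2021", "fingerprint": "9e0c77aa"},
]

LEVEL = {"critical": "error", "high": "error", "medium": "warning", "low": "note"}
# GitHub reads this 0-10 string on the *rule* to bucket alerts as critical/high/medium/low.
SECURITY_SEVERITY = {"critical": "9.5", "high": "8.0", "medium": "5.5", "low": "2.0"}
SCHEMA = "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json"


def rule_id(f: dict) -> str:
    return f"{f['rule']}/cwe-{f['cwe']}"     # assumption: one rule per (category, CWE)


def build_rules(findings) -> list:
    """Rules carry the CWE/OWASP metadata once; results only point at them."""
    rules = {}
    for f in findings:
        rid = rule_id(f)
        rules.setdefault(rid, {
            "id": rid,
            "name": f["rule"].upper(),
            "shortDescription": {"text": f"{f['rule']} (CWE-{f['cwe']}, OWASP {f['owasp']})"},
            "helpUri": f"https://cwe.mitre.org/data/definitions/{f['cwe']}.html",
            "properties": {
                "tags": ["security", f"external/cwe/cwe-{f['cwe']}", f"owasp/{f['owasp']}"],
                "security-severity": SECURITY_SEVERITY[f["severity"]],
            },
        })
    return list(rules.values())


def build_sarif(findings, tool_name="brokenapp", tool_version="0.0.0",
                artifact="brokenapp-scan.log") -> dict:
    rules = build_rules(findings)
    rule_index = {r["id"]: i for i, r in enumerate(rules)}
    results = []
    for f in findings:
        results.append({
            "ruleId": rule_id(f),
            "ruleIndex": rule_index[rule_id(f)],
            "level": LEVEL[f["severity"]],
            "message": {"text": f"{f['title']} ({f['endpoint']})"},
            # Code scanning wants a repository-relative artifact on every result. A DAST
            # finding has no source file, so this points at a placeholder file (assumption).
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": artifact},
                "region": {"startLine": 1}}}],
            # Lets GitHub match alerts across uploads by fingerprint instead of message text.
            "partialFingerprints": {"findingFingerprint/v1": f["fingerprint"]},
        })
    return {
        "$schema": SCHEMA,
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": tool_version, "rules": rules}},
            "results": results,
        }],
    }


def to_json(findings) -> str:
    return json.dumps(build_sarif(findings), indent=2)


if __name__ == "__main__":
    print(to_json(FINDINGS))      # what results.sarif would contain
```

Two details matter for the upload to behave. The CWE and severity live on the rule, not on each result, so a category that appears twenty times is one rule with twenty results, and the security-severity score is what GitHub uses to rank the alert. And every result must carry a physicalLocation; since a DAST finding has no source line, the block anchors all of them to one placeholder file, which is an assumption about how the repository is laid out rather than something this page specifies.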
Business logic testing
Skip a step. Replay a charge.
Automated detection of two common business logic flaws: multi-step flow bypass (skipping checkout steps) and replay (duplicate charges, duplicate form submissions). Both work from the view transitions and mutation data captured by your scan.
Step-skip detection
Builds a directed graph from view transitions, finds linear chains of 3 or more steps, then requests the final step directly, without passing through the earlier ones.
Replay attack detection
Sends each captured POST/PUT twice. If both succeed with 2xx, flags it as a potential replay vulnerability. Two caveats: the second request really executes, so run this against staging; and PUT is idempotent by HTTP definition, so a duplicate 2xx on a PUT needs manual confirmation before it counts as a flaw.
$ brokenapp logic-test \
--scan ./results --config target.toml
# Step-skip analysis
Detected 3 multi-step flows:
/signup → /verify → /onboard (3 steps)
/cart → /shipping → /payment → /confirm (4 steps)
/settings → /verify-email → /update (3 steps)
STEP-SKIP /confirm accessible without /payment
STEP-SKIP /onboard accessible without /verify
# Replay analysis
REPLAY POST /api/payments — both requests 200
OK POST /api/orders — 409 on duplicate
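Chain extraction and the two classifiers, as an added example that is not BrokenApp's code. The transition list, the fresh-session statuses for each final step and the replay outcomes are constructed; the chain rule (a start node followed by nodes that each have exactly one way in) is a reading of "linear chains ≥3 steps" above, and the separate handling of PUT is an addition.

```python
"""Step-skip chain extraction and replay classification for business-logic tests.

Added example, not BrokenApp's own code. The transition list, the
direct-access statuses and the replay outcomes are constructed. The chain
rule is a reading of "linear chains >= 3 steps"; the PUT handling is an
addition based on HTTP idempotency semantics.
"""
from collections import defaultdict


def build_graph(transitions):
    """transitions: (from_view, to_view) pairs recorded during the crawl."""
    succ, pred = defaultdict(set), defaultdict(set)
    for src, dst in transitions:
        if src != dst:
            succ[src].add(dst)
            pred[dst].add(src)
    return succ, pred


def linear_chains(transitions, min_len=3) -> list:
    """Maximal paths a->b->c... where every node after the first has exactly one
    predecessor and every node before the last has exactly one successor."""
    succ, pred = build_graph(transitions)
    nodes = set(succ) | set(pred)
    chains = []
    for start in sorted(nodes):
        if len(succ[start]) != 1:
            continue
        # Skip interior nodes: reached from one predecessor that leads only here.
        if len(pred[start]) == 1 and len(succ[next(iter(pred[start]))]) == 1:
            continue
        chain, cur = [start], start
        while len(succ[cur]) == 1:
            nxt = next(iter(succ[cur]))
            if len(pred[nxt]) != 1 or nxt in chain:
                break                  # a merge point or a cycle ends the linear run
            chain.append(nxt)
            cur = nxt
        if len(chain) >= min_len:
            chains.append(chain)
    return chains


def step_skip_report(chains, direct_status: dict) -> list:
    """direct_status: final step -> status from a fresh session that never visited
    the earlier steps. A 2xx means the ordering is enforced only client-side."""
    out = []
    for chain in chains:
        final, prior = chain[-1], chain[-2]
        status = direct_status[final]
        if 200 <= status < 300:
            out.append(f"STEP-SKIP {final} accessible without {prior}")
        else:
            out.append(f"OK {final} -> {status} without {prior}")
    return out


def classify_replay(method: str, first: int, second: int) -> str:
    """The same mutation sent twice. Two 2xx answers on a POST is a replay
    candidate; on a PUT that is what HTTP idempotency promises, so it is
    only flagged for review."""
    both_ok = 200 <= first < 300 and 200 <= second < 300
    if not both_ok:
        return "OK"                    # second attempt rejected (409, 422, 400 ...)
    return "REVIEW" if method.upper() == "PUT" else "REPLAY"


# Constructed crawl data: a checkout flow, a signup flow, and some navigation noise.
TRANSITIONS = [
    ("/home", "/product"), ("/home", "/cart"), ("/product", "/cart"),
    ("/cart", "/shipping"), ("/shipping", "/payment"), ("/payment", "/confirm"),
    ("/confirm", "/home"),
    ("/signup", "/verify"), ("/verify", "/onboard"), ("/onboard", "/home"),
    ("/home", "/settings"), ("/settings", "/home"),
]
DIRECT_STATUS = {"/confirm": 200, "/onboard": 302}    # fresh-session GET of each final step
REPLAYS = [("POST", "/api/payments", 200, 200),
           ("POST", "/api/orders", 201, 409),
           ("PUT", "/api/profile", 200, 200)]

if __name__ == "__main__":
    chains = linear_chains(TRANSITIONS)
    for c in chains:
        print(" -> ".join(c), f"({len(c)} steps)")
    for line in step_skip_report(chains, DIRECT_STATUS):
        print(line)
    for method, path, a, b in REPLAYS:
        print(classify_replay(method, a, b), method, path, f"{a}/{b}")
```

Note what the graph rule excludes: /product -> /cart is not a flow, because /cart can also be reached straight from /home, so a merge point ends the chain and only /cart onward is linear. On the replay side, a second 2xx on a POST is still only a candidate; a server that deduplicates by idempotency key and returns the original resource will also answer 2xx twice without creating a duplicate, which is why the verdict is confirmed by checking the resulting state.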
CI/CD Integration
Block broken deploys.
Drop this into your deployment pipeline and every push gets scanned automatically. Critical bugs block the deploy.
# GitHub Actions example
- name: BrokenApp Scan
  run: |
    brokenapp scan --url ${{ env.STAGING_URL }} --export json
    brokenapp check --fail-on critical
Your staging environment never ships broken code again.
One command. Full scan. Evidence-backed.