DEV.co
Open-Source Security · owasp-noir

noir

Noir is an OWASP-backed static analysis tool that extracts all API endpoints from your source code, including hidden and deprecated routes. It outputs the discovered endpoints in multiple formats (JSON, OpenAPI, SARIF, cURL, Postman) for use by security teams, AI auditors, and DAST tools like ZAP and Burp Suite.

Source: GitHub — github.com/owasp-noir/noir
1.3k
GitHub stars
141
Forks
Crystal
Primary language
MIT
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositoryowasp-noir/noir
Ownerowasp-noir
Primary languageCrystal
LicenseMIT — OSI-approved
Stars1.3k
Forks141
Open issues19
Latest releasev1.1.0 (2026-06-15)
Last updated2026-07-08
Sourcehttps://github.com/owasp-noir/noir

What noir is

Written in Crystal, Noir performs SAST across 50+ frameworks to extract endpoint metadata (paths, methods, parameters, headers, cookies, source locations). It supports LLM fallback for unsupported frameworks, integrates with CI/CD pipelines via GitHub Actions, and can feed endpoint inventories directly into DAST scanners or serve as review context for AI-driven security analysis.

Quickstart

Get the noir source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/owasp-noir/noir.gitcd noir# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

API Surface Mapping for DAST Integration

Export endpoint inventories to OpenAPI, cURL, or Postman formats for import into ZAP, Burp Suite, or Caido. Eliminates crawl gaps and surfaces undocumented routes that traditional DAST scanning would miss.

Shadow API & Deprecated Route Discovery

Automatically surface hidden, undocumented, or deprecated API handlers during code review. Provides human security reviewers and auditors with a focused attack-surface inventory without manual endpoint enumeration.

LLM-Assisted Security Auditing

Feed endpoint context (with optional `--ai-context` flags for guards, callees, sinks, validators) to AI auditors. Reduces LLM rediscovery time and improves accuracy of AI-driven SAST by providing structured, endpoint-focused review scope.

Implementation considerations

  • Install Crystal language runtime; Noir is written in Crystal and requires the Crystal toolchain or a pre-built binary for your platform.
  • Integrate into CI/CD via GitHub Actions for automated endpoint extraction on each commit or PR; consult documentation for workflow examples.
  • Configure framework detection rules and language parsers for your tech stack; verify accuracy with per-framework fixtures before relying on output.
  • For LLM fallback, set up OpenAI or Ollama credentials and account for API costs and latency if scanning large codebases.
  • Choose output format (JSON, OpenAPI, SARIF, cURL, Postman, HTML) based on downstream tooling (DAST, AI auditor, human review).

When to avoid it — and what to weigh

  • Runtime Endpoint Discovery Required — Noir is static analysis only. If your application uses highly dynamic routing (reflection, runtime-generated routes) not visible in source, Noir will miss those endpoints. Consider hybrid static+dynamic analysis for such cases.
  • Unsupported or Highly Custom Frameworks — While Noir covers 50+ frameworks and has LLM fallback, proprietary or obscure custom routing logic may not be reliably extracted. LLM fallback requires external API access (OpenAI, Ollama), adding cost and latency.
  • Standalone Vulnerability Scanning — Noir extracts endpoints; it does not scan for vulnerabilities. Use it as an input stage to DAST or AI auditing tools, not as a vulnerability scanner by itself.
  • Offline-Only or Air-Gapped Environments — LLM fallback mode requires internet connectivity to external services (OpenAI / Ollama). Static analyzers work offline, but full feature set requires network access.

License & commercial use

MIT License. Permits commercial use, modification, and distribution with minimal restrictions (requires license and copyright notice in derivative works).

MIT is a permissive OSI-approved license. Commercial use, including within proprietary applications and for-profit services, is explicitly permitted. No license fees or vendor approval required. Verify compliance with MIT terms (retain license and copyright notices); no additional legal review typically needed for MIT-licensed software.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationStrong
License clarityClear
Deployment complexityLow
DEV.co fitStrong
Assessment confidenceHigh
Security considerations

Noir is a static analysis tool that extracts endpoint metadata; it does not introduce vulnerabilities itself. Endpoint extraction accuracy is critical—false negatives (missed endpoints) leave attack surface unmapped; false positives (invented endpoints) waste auditor time. The LLM fallback delegates some analysis to external services, which may have their own security/privacy implications (API traffic, data retention). Verify extraction accuracy in your CI/CD pipeline before relying on completeness for security decisions. Source code is analyzed locally; output may contain sensitive path/parameter names—control access to generated reports.

Alternatives to consider

Swagger/OpenAPI introspection + code-based documentation

If your APIs are already fully documented in OpenAPI specs and you maintain them synchronously, manual/generated specs may suffice. Noir adds value when specs are missing, outdated, or incomplete.

Dynamic crawling (ZAP, Burp Suite, Caido standalone)

Runtime crawling discovers live endpoints but misses unauthenticated or dynamic routes. Noir complements crawling by surfacing routes that crawlers can't reach; use both for complete coverage.

Custom regex/grep-based endpoint extraction

Lightweight for simple patterns but fragile across frameworks and languages. Noir is framework-aware and maintained; custom regex breaks as your codebase evolves.

Software development agency

Build on noir with DEV.co software developers

Use Noir to extract every endpoint in your codebase, uncover shadow APIs, and feed them to your DAST scanner or AI auditor. Free, open-source, OWASP-backed. Get started in minutes.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

noir FAQ

Does Noir find vulnerabilities or only endpoints?
Noir extracts endpoints and metadata (paths, parameters, headers, source files); it does not scan for vulnerabilities. Use its output as input to DAST tools (ZAP, Burp) or AI auditors for vulnerability detection.
What happens if my framework isn't in the 50+ supported list?
Noir has an LLM fallback mode that can hand unsupported frameworks to OpenAI or Ollama. Static extraction will be skipped, but the fallback may identify endpoints. Accuracy depends on the LLM and code clarity.
Can Noir integrate directly with our DAST tool?
Yes. Noir exports OpenAPI, cURL, Postman, and proxy targets. ZAP, Burp Suite, and Caido can import OpenAPI directly or use exported targets. Consult your DAST tool's import docs for format compatibility.
Is Crystal a blocker for adoption?
No. Pre-built binaries are available for common platforms. You don't need the Crystal toolchain installed; the binary is self-contained. If building from source, Crystal installation is required.

Work with a software development agency

DEV.co is a software development agency delivering custom software development services to companies building on open source. Our software developers and web developers design, integrate, and ship production systems — spanning web development, APIs, AI, data, and cloud. If noir is part of your open-source security roadmap, our team can implement, customize, migrate, and maintain it.

Map Your API Attack Surface Automatically

Use Noir to extract every endpoint in your codebase, uncover shadow APIs, and feed them to your DAST scanner or AI auditor. Free, open-source, OWASP-backed. Get started in minutes.