noir
Noir is an OWASP-backed static analysis tool that extracts all API endpoints from your source code, including hidden and deprecated routes. It outputs the discovered endpoints in multiple formats (JSON, OpenAPI, SARIF, cURL, Postman) for use by security teams, AI auditors, and DAST tools like ZAP and Burp Suite.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | owasp-noir/noir |
| Owner | owasp-noir |
| Primary language | Crystal |
| License | MIT — OSI-approved |
| Stars | 1.3k |
| Forks | 141 |
| Open issues | 19 |
| Latest release | v1.1.0 (2026-06-15) |
| Last updated | 2026-07-08 |
| Source | https://github.com/owasp-noir/noir |
What noir is
Written in Crystal, Noir performs SAST across 50+ frameworks to extract endpoint metadata (paths, methods, parameters, headers, cookies, source locations). It supports LLM fallback for unsupported frameworks, integrates with CI/CD pipelines via GitHub Actions, and can feed endpoint inventories directly into DAST scanners or serve as review context for AI-driven security analysis.
Get the noir source
Clone the repository and explore it locally.
git clone https://github.com/owasp-noir/noir.gitcd noir# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Install Crystal language runtime; Noir is written in Crystal and requires the Crystal toolchain or a pre-built binary for your platform.
- Integrate into CI/CD via GitHub Actions for automated endpoint extraction on each commit or PR; consult documentation for workflow examples.
- Configure framework detection rules and language parsers for your tech stack; verify accuracy with per-framework fixtures before relying on output.
- For LLM fallback, set up OpenAI or Ollama credentials and account for API costs and latency if scanning large codebases.
- Choose output format (JSON, OpenAPI, SARIF, cURL, Postman, HTML) based on downstream tooling (DAST, AI auditor, human review).
When to avoid it — and what to weigh
- Runtime Endpoint Discovery Required — Noir is static analysis only. If your application uses highly dynamic routing (reflection, runtime-generated routes) not visible in source, Noir will miss those endpoints. Consider hybrid static+dynamic analysis for such cases.
- Unsupported or Highly Custom Frameworks — While Noir covers 50+ frameworks and has LLM fallback, proprietary or obscure custom routing logic may not be reliably extracted. LLM fallback requires external API access (OpenAI, Ollama), adding cost and latency.
- Standalone Vulnerability Scanning — Noir extracts endpoints; it does not scan for vulnerabilities. Use it as an input stage to DAST or AI auditing tools, not as a vulnerability scanner by itself.
- Offline-Only or Air-Gapped Environments — LLM fallback mode requires internet connectivity to external services (OpenAI / Ollama). Static analyzers work offline, but full feature set requires network access.
License & commercial use
MIT License. Permits commercial use, modification, and distribution with minimal restrictions (requires license and copyright notice in derivative works).
MIT is a permissive OSI-approved license. Commercial use, including within proprietary applications and for-profit services, is explicitly permitted. No license fees or vendor approval required. Verify compliance with MIT terms (retain license and copyright notices); no additional legal review typically needed for MIT-licensed software.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Strong |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Strong |
| Assessment confidence | High |
Noir is a static analysis tool that extracts endpoint metadata; it does not introduce vulnerabilities itself. Endpoint extraction accuracy is critical—false negatives (missed endpoints) leave attack surface unmapped; false positives (invented endpoints) waste auditor time. The LLM fallback delegates some analysis to external services, which may have their own security/privacy implications (API traffic, data retention). Verify extraction accuracy in your CI/CD pipeline before relying on completeness for security decisions. Source code is analyzed locally; output may contain sensitive path/parameter names—control access to generated reports.
Alternatives to consider
Swagger/OpenAPI introspection + code-based documentation
If your APIs are already fully documented in OpenAPI specs and you maintain them synchronously, manual/generated specs may suffice. Noir adds value when specs are missing, outdated, or incomplete.
Dynamic crawling (ZAP, Burp Suite, Caido standalone)
Runtime crawling discovers live endpoints but misses unauthenticated or dynamic routes. Noir complements crawling by surfacing routes that crawlers can't reach; use both for complete coverage.
Custom regex/grep-based endpoint extraction
Lightweight for simple patterns but fragile across frameworks and languages. Noir is framework-aware and maintained; custom regex breaks as your codebase evolves.
Build on noir with DEV.co software developers
Use Noir to extract every endpoint in your codebase, uncover shadow APIs, and feed them to your DAST scanner or AI auditor. Free, open-source, OWASP-backed. Get started in minutes.
Talk to DEV.coRelated on DEV.co
Explore the category and the services that help you build with it.
noir FAQ
Does Noir find vulnerabilities or only endpoints?
What happens if my framework isn't in the 50+ supported list?
Can Noir integrate directly with our DAST tool?
Is Crystal a blocker for adoption?
Work with a software development agency
DEV.co is a software development agency delivering custom software development services to companies building on open source. Our software developers and web developers design, integrate, and ship production systems — spanning web development, APIs, AI, data, and cloud. If noir is part of your open-source security roadmap, our team can implement, customize, migrate, and maintain it.
Map Your API Attack Surface Automatically
Use Noir to extract every endpoint in your codebase, uncover shadow APIs, and feed them to your DAST scanner or AI auditor. Free, open-source, OWASP-backed. Get started in minutes.