Generate OpenAPI specs from source code in under 20 seconds.
70–90% of REST APIs are undocumented. API eNVy™, NightVision's API discovery engine, reads your source code and emits a complete OpenAPI/Swagger spec covering every endpoint: documented, undocumented, and shadow. No running app. No traffic capture. No code changes.
You can't secure APIs you don't know exist.
Every API security program starts with inventory, and inventory is where most programs silently fail.
How everyone else discovers APIs
Traffic-based tools watch production requests, so endpoints are only "discovered" after they're deployed and exposed, sometimes by the attacker who found them first. Spec-driven scanners test exactly what your OpenAPI file says exists, which means the endpoint your team shipped last sprint without updating Swagger gets zero coverage. Both approaches share the same blind spot: the APIs nobody wrote down.
How NightVision discovers APIs
API eNVy™ reads the source of truth, your source code. Every route, parameter, and response shape in the codebase becomes part of a complete OpenAPI spec, generated in under 20 seconds, before the code ships. Shadow endpoints, legacy routes, framework-implicit APIs: if it's in the code, it's in the spec, and everything in the spec gets dynamically tested. For more on the shadow and undocumented endpoints attackers target, see our API security testing guide.
| | Source-based (NightVision API eNVy™) | Traffic-based (Salt, Traceable) | Spec-driven scanners |
|---|---|---|---|
| Finds undocumented & shadow APIs | ✅ Yes, from code | ⚠️ Only after they receive traffic | ❌ No, only what the spec lists |
| Works before code ships (in CI) | ✅ Pre-production | ❌ Needs production traffic | ⚠️ Only if the spec is current |
| Needs a running app or live traffic | ✅ No | ❌ Yes | ✅ No |
| Needs an existing OpenAPI spec | ✅ No, it generates one | ✅ No | ❌ Yes |
| Time to a complete spec | ✅ Seconds | ❌ Hours to days of traffic | ⚠️ However long you maintain it |
| Your source & data exposure | ✅ Stays local, no LLM | ❌ Vendor sees your traffic (tokens, PII) | ✅ Not applicable |
From repo to tested API surface in three steps.
1. Point at your code
Connect a repo or run the CLI against your source tree. No running application, no agents, no instrumentation, no code changes.
2. Get the spec in <20 seconds
API eNVy™ statically analyzes routes, parameters, and response shapes, then writes a complete OpenAPI/Swagger specification, with each endpoint flagged as documented or undocumented.
3. Test everything it found
The spec feeds NightVision's DAST engine directly: every discovered endpoint is dynamically tested in 10–15 minutes, with validated findings tied to the exact file and line.
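The three steps above, and the "reads the source of truth" claim earlier on the page, describe source-based discovery in general terms. The following is an added example written for this page, not NightVision's code or any part of API eNVy™: it walks the Python AST of a constructed Flask-style module, collects every `@app.route(...)` decorator (including the one with no `methods=` argument, which Flask serves as GET), converts Flask path converters to OpenAPI path parameters, emits an OpenAPI 3 document with each operation traced to its file and line, and diffs the result against a constructed, stale spec to list the undocumented endpoints. The sample source, the stale spec and the `x-source`/`x-documented` vendor extensions are all assumptions made for the example.

```python
"""Source-based REST endpoint discovery, illustrated on Flask-style routes.

Added example for illustration; not the product's implementation.
"""
import ast
import json
import re
from typing import List, Tuple

# Constructed sample module: one documented route and two that no spec lists.
SAMPLE_SOURCE = '''
from flask import Flask, jsonify, request
app = Flask(__name__)

@app.route("/users/<int:user_id>", methods=["GET"])
def get_user(user_id):
    return jsonify({"id": user_id})

@app.route("/users", methods=["POST"])
def create_user():
    return jsonify(request.get_json()), 201

@app.route("/internal/debug/<token>")   # no methods= -> Flask default is GET
def debug(token):
    return "ok"
'''

# Constructed sample: the team's existing (stale) OpenAPI document.
EXISTING_SPEC = {"openapi": "3.0.3", "paths": {"/users/{user_id}": {"get": {}}}}

# Flask converter syntax "<int:user_id>" -> OpenAPI "{user_id}" plus a schema type.
_CONVERTER_TYPES = {"int": "integer", "float": "number", "string": "string",
                    "path": "string", "uuid": "string"}
_PARAM_RE = re.compile(r"<(?:(?P<conv>\w+):)?(?P<name>\w+)>")


def _to_openapi_path(flask_rule: str) -> Tuple[str, List[dict]]:
    """Rewrite a Flask rule into an OpenAPI path and its path parameters."""
    params: List[dict] = []

    def repl(m: "re.Match") -> str:
        conv = m.group("conv") or "string"
        params.append({"name": m.group("name"), "in": "path", "required": True,
                       "schema": {"type": _CONVERTER_TYPES.get(conv, "string")}})
        return "{" + m.group("name") + "}"

    return _PARAM_RE.sub(repl, flask_rule), params


def discover_routes(source: str, filename: str = "app.py") -> List[dict]:
    """Walk the AST and collect every @<obj>.route(...) decorator with its file:line."""
    found: List[dict] = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        if not isinstance(node, ast.FunctionDef):
            continue
        for dec in node.decorator_list:
            if not (isinstance(dec, ast.Call) and isinstance(dec.func, ast.Attribute)
                    and dec.func.attr == "route" and dec.args
                    and isinstance(dec.args[0], ast.Constant)):
                continue
            methods = ["GET"]  # Flask default when methods= is absent
            for kw in dec.keywords:
                if kw.arg == "methods" and isinstance(kw.value, (ast.List, ast.Tuple)):
                    methods = [e.value for e in kw.value.elts if isinstance(e, ast.Constant)]
            path, params = _to_openapi_path(dec.args[0].value)
            for method in methods:
                found.append({"path": path, "method": method.lower(), "params": params,
                              "handler": node.name, "file": filename, "line": dec.lineno})
    return found


def build_spec(routes: List[dict], existing: dict = None) -> dict:
    """Emit an OpenAPI 3 document; each operation carries its source origin and
    whether the existing spec already listed it (x-* are assumed vendor extensions)."""
    existing_paths = (existing or {}).get("paths", {})
    spec = {"openapi": "3.0.3", "info": {"title": "discovered", "version": "0"}, "paths": {}}
    for r in routes:
        documented = r["method"] in existing_paths.get(r["path"], {})
        spec["paths"].setdefault(r["path"], {})[r["method"]] = {
            "operationId": r["handler"], "parameters": r["params"],
            "responses": {"default": {"description": "discovered from source"}},
            "x-source": f"{r['file']}:{r['line']}", "x-documented": documented}
    return spec


def undocumented(spec: dict) -> List[str]:
    """Operations present in code but absent from the existing spec."""
    return sorted(f"{m.upper()} {p}" for p, ops in spec["paths"].items()
                  for m, op in ops.items() if not op["x-documented"])


if __name__ == "__main__":
    generated = build_spec(discover_routes(SAMPLE_SOURCE), EXISTING_SPEC)
    print(json.dumps(generated, indent=2))
    print("undocumented:", undocumented(generated))
```

Because the extractor only reads syntax, it is deterministic in the sense the page describes: the same file yields the same spec on every run, and each operation's `x-source` value is what a downstream scanner would use to point a finding back to a file and line. A real engine has to handle each framework's routing model (blueprints with URL prefixes, class-based views, routes registered via `add_url_rule`), which is exactly the per-framework work the page's support matrix refers to.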
Discovers REST APIs across the 7 most widely used backend languages.
Source-based discovery understands each framework's real routing model, so it maps endpoints accurately instead of guessing, across the languages most modern API codebases are actually written in.
Across dozens of frameworks and hundreds of components. For the framework-by-framework detail, see the full support matrix in the docs.
Deterministic, local, and private by design.
API eNVy™ is a pure static-analysis engine: it reads your framework's routing model directly. No LLM guessing at your endpoints, no cloud service ingesting your traffic.
Your code never leaves your environment
The engine runs locally, as a CLI or inside your CI. Only lightweight metadata, an endpoint's existence and its file and line, is used. Your business logic and source are never uploaded.
Deterministic, not probabilistic
It works like a compiler: the same code produces the same spec every time, with no LLM hallucinating endpoints that don't exist or missing ones that do.
No running app, no traffic, no agents
No deployment, no instrumentation, no waiting to collect "enough" production traffic. Point it at a repo and get a complete spec in seconds.
Traced to the exact line of code
Every endpoint is annotated with its origin in source, so when DAST finds a vulnerability it points developers to the exact file and line, with proof it's exploitable.
What teams use API discovery for
Shadow API detection
Find the endpoints running in your environment that no spec, gateway config, or security tool knows about, before an attacker enumerates them.
Instant API documentation
Generate accurate, current OpenAPI/Swagger documentation for legacy services and fast-moving codebases where specs never keep up.
Pre-production security testing
Feed the generated spec into DAST on every pull request so new endpoints are tested the moment they're written, not after they're deployed.
Feeding your existing tools
Export the OpenAPI spec into gateways, runtime protection platforms, and spec-driven scanners that are blind without it.
"NightVision discovered 200%+ more API endpoints than the documentation said existed, including the ones that mattered most." NightVision customer benchmark · see it on your own repo with a free trial
API discovery, explained.
What is API discovery?
The process of finding and inventorying every API endpoint in your applications, including undocumented, shadow, and zombie endpoints missing from your OpenAPI specs. With 70–90% of REST APIs undocumented, discovery is the prerequisite for any API security program.
How does NightVision generate an OpenAPI spec from source code?
API eNVy™ statically analyzes your source to identify every route, parameter, and response shape, then emits a complete OpenAPI (Swagger) spec, in under 20 seconds, with no running app, no traffic capture, and no code changes.
What is a shadow API?
An endpoint running in your environment that your security and documentation tooling doesn't know about: one shipped without a spec update, left over from a previous version, or created implicitly by a framework. It is untested, unmonitored, and a primary attack vector.
How is source-code discovery different from traffic-based discovery?
Traffic-based tools find APIs by watching production traffic, after deployment, after exposure. Source-code discovery finds every endpoint before it ships, including ones that haven't received a single request yet.
What languages and frameworks does API eNVy™ support?
The most widely used backend languages, Python, Java, JavaScript & TypeScript, C#, Ruby, and PHP, plus experimental Go support, across dozens of frameworks and hundreds of components. See the full framework-by-framework matrix in the docs.
Does API discovery support GraphQL or gRPC APIs?
Source-based API discovery generates OpenAPI specs for REST APIs. NightVision's DAST scanner itself isn't limited to REST, so non-REST APIs can still be tested when you provide or import a spec.
Does NightVision upload my source code?
No. API eNVy™ runs locally as a CLI or in your CI pipeline using deterministic static analysis, with no LLM. Only lightweight metadata (an endpoint's existence and its file path and line number) is used; your business logic and source code never leave your environment.
Can I test the discovered APIs immediately?
Yes, the generated spec feeds NightVision's DAST engine directly, dynamically testing every endpoint in 10–15 minutes with findings pinpointed to file and line.
Your spec is 20 seconds away.
Run API eNVy™ against one of your repos, free, no credit card, and count the endpoints you didn't know you had.