MCPcopy Index your code
hub / github.com/akto-api-security/akto

github.com/akto-api-security/akto @v2.11.5

Chat with this repo
repository ↗ · DeepWiki ↗ · release v2.11.5 ↗ · + Follow
23,548 symbols 88,573 edges 2,646 files 1,568 documented · 7%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

Akto.io API Security

Contributors

What is Akto?

How it worksGetting-StartedAPI InventoryAPI testingAdd TestJoin Discord community

Akto is an instant, open source API security platform that takes only 60 secs to get started. Akto is used by security teams to maintain a continuous inventory of APIs, test APIs for vulnerabilities and find runtime issues. Akto offers coverage for all OWASP top 10 and HackerOne Top 10 categories including BOLA, authentication, SSRF, XSS, security configurations, etc. Akto's powerful testing engine runs variety of business logic tests by reading traffic data to understand API traffic pattern leading to reduced false positives. Akto can integrate with multiple traffic sources - burpsuite, AWS, postman, GCP, gateways, etc. Here is our public roadmap for this quarter.

Akto enables security and engineering teams to secure their APIs by doing three things:

  1. API inventory
  2. Run business logic tests in CI/CD
  3. Find vulnerabilities in run-time

https://user-images.githubusercontent.com/91306853/216407351-d18c396b-5cd0-4cbc-a350-10a76b1d67b3.mp4

How it works?

Step 1: Create inventory

Step 2: Run tests

How to get Started?

Using docker-compose (works for any machine which has Docker installed)

Run the following commands to install Akto. You'll need to have curl and Docker installed in order to run the container.. 1. Clone the Akto repo by using this command git clone https://github.com/akto-api-security/akto.git 2. Go to the cloned directory cd akto 3. Run docker-compose up -d

If you are setting this up in your own Cloud (AWS/GCP/Heroku), read this section

Please ensure the following for good security practices 1. Open inbound security rule for port 9090 only. And restrict the source CIDR to VPC CIDR or your IP only. 2. Use an EC2 from a private subnet -

a. This way, no one will be able to make an inbound request to your machine.

b. Ensure this private subnet has access to Internet so that outbound calls can succeed!

c. You might have to set up tunneling to access instance via VPN using `ssh -i pemfile ec2-user@vpn-public-instance -L 9090:private-instance:9090`

d. In your browser, visit `http://private-instance:9090`
  1. Use an EC2 from a public subnet - please don't! If you still want to do this, you can skip 2.b and 2.c. Simply access your instance via http://ip:9090

Akto is really powerful in Cloud deployment if you can provide your application's mirrored traffic (0 performance impact). You would also be able to schedule tests in CI/CD and invite more team members on the dashboard. For that, you should install Akto Enterprise edition available here. Read more about it here

API Security testing tutorials

Title Link
Introduction https://www.youtube.com/watch?v=oFt4OVmfE2s
Tutorial 1: SSRF Port Scanning (OWASP API7:2023) https://www.youtube.com/watch?v=WjNNh6asAD0

Develop and contribute

Quicksetup using VSCode Devcontainers

Prerequisites:

  1. Install VSCode
  2. Install VSCode Dev Containers extension
  3. Windows: Docker Desktop 2.0+ on Windows 10 Pro/Enterprise. Windows 10 Home (2004+) requires Docker Desktop 2.3+ and the WSL 2 back-end.
  4. macOSDocker Desktop 2.0+.
  5. LinuxDocker CE/EE 18.06+ and Docker Compose 1.21+.

Note: If using Docker Desktop, consider changing the memory allocation to 8 GB for better performance

Steps:

Clone repo and open in vscode

  1. Open terminal
  2. mkdir ~/akto_code
  3. cd ~/akto_code
  4. git clone https://github.com/akto-api-security/akto
  5. Open in VScode: code akto

Start Dev Container

  1. Go to View > Command Palette and type: Dev Containers: Reopen in Container
  2. Wait for the Dev Container to set up.
  3. Open localhost:9090 in your web browser to see the Akto dashboard

Manual Setup Instructions

Prerequisites

OpenJDK 8, node(v18.7.0+ link), npm(v8.15.0+), maven (v3.6.3 link), MongoDB (v5.0.3+ link)

Clone repo

  1. mkdir ~/akto_code
  2. cd akto_code
  3. git clone https://github.com/akto-api-security/akto

Setup database

  1. Open a new terminal tab
  2. cd ~
  3. mkdir ~/akto_mongo_data
  4. <path_to_mongo_folder>/bin/mongod --dbpath ~/akto_mongo_data

Setup Frontend

  1. Open a new terminal tab
  2. cd ~/akto_code/akto
  3. cd apps/dashboard/web/polaris_web
  4. npm install
  5. npm run hot

Setup Dashboard

  1. Open a new terminal tab
  2. cd ~/akto_code/akto
  3. export AKTO_MONGO_CONN="mongodb://localhost:27017"
  4. export DASHBOARD_MODE="local_deploy"
  5. mvn clean install
  6. mvn --projects :dashboard --also-make jetty:run -Djetty.port=9090

Setup Testing

  1. Open a new terminal tab
  2. cd ~/akto_code/akto
  3. cd apps/testing
  4. export AKTO_MONGO_CONN="mongodb://localhost:27017"
  5. mvn compile; mvn exec:java -Dexec.mainClass="com.akto.testing.Main"

Using Testing CLI tool

Run the following command to run testing CLI tool

docker run -v ./:/out  \ # needed to generate test report on host machine
    -e TEST_IDS='JWT_NONE_ALGO REMOVE_TOKENS' \ # space separated test ids
    -e AKTO_DASHBOARD_URL='<AKTO_DASHBOARD_URL>' \ 
    -e AKTO_API_KEY='<AKTO_API_KEY>' \ 
    -e API_COLLECTION_ID='123' \ # api collection id on which you want to run tests
    -e TEST_APIS='https://demo.com/api/books https://demo.com/api/cars' \ # space separated apis from the api collection on which you want to run tests. If not present, all apis in the collection will be tested. [optional]
    -e OVERRIDE_APP_URL='https://dummy.com' \ # If you want to test on a separate host. [optional] 
    aktosecurity/akto-api-testing-cli

Play around

  1. Open localhost:9090 in your favourite browser
  2. You will need to signup when logging in for the first time, next time onwards you can login

Debug

  1. To debug front end, install Vue.js Chrome extension from here.
  2. To debug backend, run the following before running web server - a. Set MAVEN_OPTS variable to enable debugging on your Java process
    export MAVEN_OPTS="-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8081, -Dcom.sun.management.jmxremote=true -Dcom.sun.management.jmxremote.port=9010 -Dcom.sun.management.jmxremote.rmi.port=9010 -Dcom.sun.management.jmxremote.local.only=false -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false"
    

b. In Visual Studio code, click on any line number to set a breakpoint.

c. Attach the Java debugger from Run and Debug mode. If you are doing this for the first time, click on “Create launch.json file” and then “Add configuration”. Choose “Java: Attach process by ID” and save the file.

 <img width="426" alt="img1" src="https://user-images.githubusercontent.com/91221068/217048839-dbb00c48-00df-419b-8f32-cdb2d47a2218.png">

d. A list of running Java processes with show up. Select the web server process to attach the debugger

Hits

Contributing

We welcome contributions to this project. Please read our CONTRIBUTING.md for more information on how to get involved.

License

This project is licensed under the MIT License.

Extension points exported contracts — how you extend this code

TrafficPublisher (Interface)
Abstraction over where traffic messages are delivered. Implementations: TopicPublisher (Kafka), {@link HttpTraff [5 implementers]
apps/data-ingestion-service/src/main/java/com/akto/utils/TrafficPublisher.java
FileProcessor (Interface)
FileProcessor extracts text content from a file for guardrail validation. [5 implementers]
apps/guardrails-service/container/src/pkg/fileprocessor/processor.go
Task (Interface)
(no doc) [81 implementers]
apps/threat-detection/src/main/java/com/akto/threat/detection/tasks/Task.java
DataPublisher (Interface)
Interface for publishing ingestion data to external systems (e.g., Kafka) This allows Gateway to publish data without de [4 …
apps/akto-gateway/src/main/java/com/akto/gateway/DataPublisher.java
Filter (Interface)
(no doc) [14 implementers]
apps/dashboard/src/main/java/com/akto/action/gpt/data_extractors/filters/Filter.java
ARouter (Interface)
(no doc) [7 implementers]
apps/threat-detection-backend/src/main/java/com/akto/threat/backend/router/ARouter.java
JSONRPCMessage (Interface)
(no doc) [6 implementers]
libs/utils/src/main/java/com/akto/mcp/McpSchema.java
RoleStrategy (Interface)
(no doc) [14 implementers]
libs/dao/src/main/java/com/akto/dto/rbac/RoleStrategy.java

Core symbols most depended-on inside this repo

get
called by 5100
apps/threat-detection/src/main/java/com/akto/threat/detection/cache/CounterCache.java
put
called by 4544
apps/dashboard/src/main/java/com/akto/action/gpt/cache/VulnerabilityAnalysisCache.java
add
called by 2093
apps/api-runtime/src/main/java/com/akto/dependency/store/Store.java
isEmpty
called by 2013
libs/dao/src/main/java/com/akto/dto/type/TrafficRecorder.java
info
called by 1458
libs/utils/src/main/java/com/akto/log/LoggerMaker.java
set
called by 1454
apps/threat-detection/src/main/java/com/akto/threat/detection/cache/CounterCache.java
errorAndAddToDb
called by 1160
libs/utils/src/main/java/com/akto/log/LoggerMaker.java
now
called by 1006
libs/dao/src/main/java/com/akto/dao/context/Context.java

Shape

Method 15,734
Function 5,579
Class 1,912
Enum 176
Struct 65
Interface 49
Route 31
FuncType 1
TypeAlias 1

Languages

Java74%
TypeScript19%
Python5%
Go2%

Modules by API surface

apps/threat-detection/src/test/java/com/akto/threat/detection/hyperscan/HyperscanPayloadDetectionTest.java726 symbols
libs/utils/src/main/java/com/akto/mcp/McpSchema.java263 symbols
libs/dao/src/main/java/com/akto/dto/Config.java221 symbols
libs/protobuf/src/main/java/com/akto/proto/http_response_param/v1/HttpResponseParam.java184 symbols
apps/dashboard/src/main/java/com/akto/action/testing/StartTestAction.java166 symbols
apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/settings/api.js161 symbols
apps/dashboard/web/polaris_web/web/src/util/func.js159 symbols
apps/dashboard/src/main/java/com/akto/listener/InitializerListener.java145 symbols
libs/dao/src/main/java/com/akto/dto/type/SingleTypeInfo.java129 symbols
apps/database-abstractor/src/main/java/com/akto/action/DbAction.java129 symbols
apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/observe/api.js128 symbols
apps/dashboard/src/main/java/com/akto/action/testing_issues/IssuesAction.java118 symbols

Datastores touched

(mongodb)Database · 1 repos
adminiDatabase · 1 repos

For agents

$ claude mcp add akto \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact