SpecShield
SpecShield is a web app plus CI/CD integration that blocks risky APIs at the contract level. You upload or connect your OpenAPI/Swagger specs, and it continuously checks every spec change for security regressions: operations with no security requirement, overly broad OAuth2 scopes, insecure defaults, mass-assignment risks (client-writable privileged fields, schemas that accept undeclared properties), sensitive fields in response schemas, weak or missing rate-limit policies, and inconsistent error responses that leak internals. For each change it generates actionable pull-request comments and a “security diff”: the findings the change introduces and the findings it fixes. The product is not an API gateway or WAF; it is a guardrail for teams that already have too many microservices and inconsistent standards. It also includes a lightweight policy engine (e.g., “all endpoints must require OAuth2 with least-privilege scopes”) and a spec-to-tests exporter that turns each operation into baseline negative tests (such as calls without credentials or with the wrong scope). Expect pushback: many orgs do not keep specs accurate, and a check that runs on the spec alone is only as good as the spec, so onboarding must include spec hygiene tooling.
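To make the contract-level checks, the policy engine and the security diff concrete, here is a small Python lint written for this page. It is an added illustration, not SpecShield's code: the rule names, severities, the field denylists (`PRIVILEGED_FIELDS`, `SENSITIVE_FIELDS`, `BROAD_SCOPES`) and the two sample specs are all constructed here, and the lint reads OpenAPI 3 documents as plain dicts (what you would get from loading a JSON or YAML spec).

```python
"""Contract-level OpenAPI lint in the spirit of the checks described above.
Illustration added for this page, not SpecShield's code: rule names, severities,
the field denylists and both sample specs are constructed here."""
import copy

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "options", "head", "trace"}
BROAD_SCOPES = {"*", "admin", "read:all", "write:all"}           # assumed denylist
PRIVILEGED_FIELDS = {"role", "is_admin", "isAdmin", "owner_id"}  # assumed denylist
SENSITIVE_FIELDS = {"password", "ssn", "secret", "token", "card_number"}


def _props(schema, components):
    """Resolve one local $ref; return (properties, additionalProperties)."""
    if "$ref" in schema:
        schema = components.get("schemas", {}).get(schema["$ref"].rsplit("/", 1)[-1], {})
    return schema.get("properties", {}), schema.get("additionalProperties", True)


def _operations(spec):
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method in HTTP_METHODS:
                yield path, method, op


def lint_spec(spec):
    """Return sorted (severity, path, method, rule) findings for one spec."""
    findings, components = [], spec.get("components", {})
    for path, method, op in _operations(spec):
        # Operation-level security overrides the document default; an empty list
        # or an empty requirement object {} both mean anonymous access is allowed.
        sec = op.get("security", spec.get("security"))
        if not sec or any(not req for req in sec):
            findings.append(("high", path, method, "missing-auth"))
        for req in sec or []:
            for scheme, scopes in req.items():
                if BROAD_SCOPES & set(scopes):
                    findings.append(("medium", path, method, f"broad-scope:{scheme}"))
        if method in {"post", "put", "patch"}:
            for media in op.get("requestBody", {}).get("content", {}).values():
                props, additional = _props(media.get("schema", {}), components)
                if additional is not False:  # OpenAPI default is True: unknown fields accepted
                    findings.append(("medium", path, method, "mass-assignment:additionalProperties"))
                writable = {n for n, s in props.items() if not s.get("readOnly")}
                for name in sorted(PRIVILEGED_FIELDS & writable):
                    findings.append(("high", path, method, f"mass-assignment:{name}"))
        for resp in op.get("responses", {}).values():
            for media in resp.get("content", {}).values():
                props, _ = _props(media.get("schema", {}), components)
                for name in sorted(SENSITIVE_FIELDS & set(props)):
                    findings.append(("high", path, method, f"sensitive-field:{name}"))
    return sorted(findings)


def check_policy(spec, required_type="oauth2"):
    """Policy 'every operation requires a <required_type> scheme'; returns violators."""
    schemes = spec.get("components", {}).get("securitySchemes", {})
    violations = []
    for path, method, op in _operations(spec):
        sec = op.get("security", spec.get("security")) or []
        if not any(schemes.get(n, {}).get("type") == required_type for req in sec for n in req):
            violations.append((path, method))
    return sorted(violations)


def security_diff(old_spec, new_spec):
    """The PR-comment payload: findings a spec change introduces and findings it fixes."""
    old, new = set(lint_spec(old_spec)), set(lint_spec(new_spec))
    return {"introduced": sorted(new - old), "fixed": sorted(old - new)}


# Constructed baseline: every operation authenticated, User.role read-only.
USER_REF = {"$ref": "#/components/schemas/User"}
SPEC_V1 = {
    "openapi": "3.0.3",
    "security": [{"oauth2": ["read:users"]}],
    "components": {
        "securitySchemes": {"oauth2": {"type": "oauth2"}},
        "schemas": {"User": {"type": "object", "additionalProperties": False,
                             "properties": {"id": {"type": "string", "readOnly": True},
                                            "email": {"type": "string"},
                                            "role": {"type": "string", "readOnly": True}}}},
    },
    "paths": {"/users/{id}": {
        "get": {"responses": {"200": {"content": {"application/json": {"schema": USER_REF}}}}},
        "patch": {"security": [{"oauth2": ["write:users"]}],
                  "requestBody": {"content": {"application/json": {"schema": USER_REF}}},
                  "responses": {"204": {"description": "updated"}}},
    }},
}

# Constructed "careless PR": loosens User and adds an unauthenticated export endpoint.
SPEC_V2 = copy.deepcopy(SPEC_V1)
del SPEC_V2["components"]["schemas"]["User"]["additionalProperties"]
del SPEC_V2["components"]["schemas"]["User"]["properties"]["role"]["readOnly"]
SPEC_V2["paths"]["/admin/export"] = {"get": {
    "security": [],
    "responses": {"200": {"content": {"application/json": {"schema": {
        "type": "object", "properties": {"ssn": {"type": "string"}}}}}}}}}

if __name__ == "__main__":
    print(security_diff(SPEC_V1, SPEC_V2), check_policy(SPEC_V2))
```

Two details matter in practice. First, `security: []` on an operation is an explicit opt-out of the document-level default, and an empty requirement object `{}` in the list makes auth optional; both are flagged as missing auth rather than inherited silently. Second, a schema that omits `additionalProperties` accepts unknown fields by default, which is the mass-assignment case that a schema review by eye usually misses; the example flags it whenever the schema is used as a write body. The baseline spec lints clean, and the diff for the second spec reports four introduced findings and one policy violation, which is what the pull-request comment would carry.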