Cherrybomb is a CLI tool that helps you avoid undefined user behavior by validating your API specifications and running API security tests.

Cherrybomb reads your API spec file (Open API Specification) and validates it for best practices and the OAS specification, then it tests to verify that the API follows the OAS file and tests for common vulnerabilities.
The output is a detailed table with any issues found, guiding you to the exact problem and location to help you solve it quickly.

curl https://cherrybomb.blstsecurity.com/install	| /bin/bash

The script requires sudo permissions to move the cherrybomb bin into /usr/local/bin/.
(If you want to view the shell script(or even help to improving it - /scripts/install.sh)

cargo install cherrybomb

If you don't have cargo installed, you can install it from here

You can use our docker container that we host on our public repo in aws, though we require an API key for it, you can get it at our CI pipeline integration wizard(after you sign up)

docker run --mount type=bind,source=PATH_TO_OAS_DIR,destination=/home public.ecr.aws/t1d5k0l0/cherrybomb:latest cherrybomb oas -f home/OAS_NAME --api-key=API-KEY

You can also install Cherrybomb by cloning this repo, and building it using cargo(*only works with the nightly toolchain):

git clone https://github.com/blst-security/cherrybomb && cd cherrybomb
cargo build --release
sudo mv ./target/release/cherrybomb /usr/local/bin

After installing the CLI, verify it's working by running

cherrybomb --version

cherrybomb oas --file <PATH> --format <cli/txt/json> 

cherrybomb param-table --file <PATH> --name <SINGLE PARAM NAME(OPTIONAL)>

cherrybomb ep-table --file <PATH> --name <SINGLE PARAM NAME(OPTIONAL)>

• OAS 3 support
• Passive checks
• Parameter table
• Improve installation script
• Endpoints table
• YAML support (currently only JSON is supported)
• Custom scans - optional checks + optional output
• Active scans
• Ignore alerts + don't fail on info
• More passive checks
• Swagger 2 support (currently only version 3 is supported)
• Homebrew/apt/crates.io support
• GraphQL schema support

You can embed it into your CI pipeline, and If you plan on doing that I would recommend that you go to our website, sign up, go through the CI pipeline integration wizard, and copy the groovy/GitHub actions snippet built for you.
Example:

If you have any questions, please send us a message to [email protected] or ask us on our discord server.
You are also welcome to open an Issue here on GitHub.

You can find contribution options from our open issues, you should look for the "More passive checks" issue(it's a great issue to start from). You can also find info about contributing new checks to Cherrybomb here.
If you have any question or need any help talk to us over at our discord server to see where and how can you contribute to our project.