Skip to main content

Overview

Krait’s API Inventory is the foundation of the platform, working the moment you connect a repository. Instead of relying on traffic, Swagger files, or manual documentation, Krait derives your entire API surface directly from your source code. This makes the inventory a living reflection of your application, always one commit away from reality.
API Inventory showing discovered routes and endpoint details

How it works

When a scan begins, Krait reads your controllers, routers, middleware chains, validation layers, and underlying service functions. Supported frameworks provide a predictable structure that Krait interprets to reconstruct both the externally visible routes and the internal execution paths they rely on.

Supported frameworks

FastAPI

Spring

ASP.NET

Laravel

Express

Flask

Django

Supported languages

Java

Python

PHP

Python-pyright

JavaScript

TypeScript

C#

What you get

The result is a complete, code-derived map of your API. Every endpoint is annotated with:
  • HTTP method
  • Route pattern
  • Handler function
  • Middleware chain
  • Return types
  • Potential status codes
  • Relevant data structures
Nothing is guessed. Nothing relies on runtime conditions. The API surface you see is the API surface your application actually exposes.

Change tracking

Krait’s inventory system tracks evolution over time. When a route changes, Krait automatically highlights it:
Applied when the signature shifts, middleware is added, or handler logic changes
Newly added endpoints receive a “new” tag until reviewed
This streamlines change-aware security reviews and ensures teams never miss an endpoint that quietly altered its behavior.

Benefits

The inventory becomes the backbone for risk analysis, architecture understanding, and downstream DeepScan. By grounding security in real code structure instead of approximations, Krait eliminates the blind spots that plague traditional scanners.