{"id":13503778,"url":"https://github.com/blst-security/cherrybomb","last_synced_at":"2025-04-10T02:13:48.196Z","repository":{"id":36953265,"uuid":"428941557","full_name":"blst-security/cherrybomb","owner":"blst-security","description":"Stop half-done APIs! Cherrybomb is a CLI tool that helps you avoid undefined user behaviour by auditing your API specifications, validating them and running API security tests.","archived":false,"fork":false,"pushed_at":"2024-10-25T10:04:00.000Z","size":2754,"stargazers_count":1178,"open_issues_count":33,"forks_count":83,"subscribers_count":12,"default_branch":"main","last_synced_at":"2025-04-10T02:13:40.807Z","etag":null,"topics":["api","api-security","best-practices","blst","business-logic","cli","cyber","cybersecurity","firecracker","http","open-source","openapi","openapi3","security","security-tools","web-sec-scanner","web-security","websecurity"],"latest_commit_sha":null,"homepage":"https://www.blstsecurity.com/cherrybomb","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/blst-security.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-11-17T07:02:22.000Z","updated_at":"2025-04-08T21:57:51.000Z","dependencies_parsed_at":"2023-01-17T08:01:35.306Z","dependency_job_id":"3e0365cc-7604-47d5-91c8-390ca1438539","html_url":"https://github.com/blst-security/cherrybomb","commit_stats":{"total_commits":429,"total_committers":20,"mean_commits":21.45,"dds":0.5081585081585082,"last_synced_commit":"c37520abfe7abb8409596c205abb3ddf83d3554b"},"previous_names":[],"tags_count":11,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/blst-security%2Fcherrybomb","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/blst-security%2Fcherrybomb/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/blst-security%2Fcherrybomb/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/blst-security%2Fcherrybomb/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/blst-security","download_url":"https://codeload.github.com/blst-security/cherrybomb/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248142902,"owners_count":21054671,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["api","api-security","best-practices","blst","business-logic","cli","cyber","cybersecurity","firecracker","http","open-source","openapi","openapi3","security","security-tools","web-sec-scanner","web-security","websecurity"],"created_at":"2024-07-31T23:00:45.080Z","updated_at":"2025-04-10T02:13:48.171Z","avatar_url":"https://github.com/blst-security.png","language":"Rust","readme":"\n\u003cdiv  align=\"center\"\u003e\n\n![cherry_bomb_v1.0](https://raw.githubusercontent.com/blst-security/cherrybomb/main/images/cherrybomb_github_art_v2-1%20(1).png)\n\n  \n\n\u003ch1\u003eStop half-done API specifications\u003c/h1\u003e\n\n[![Maintained by blst security](https://img.shields.io/badge/maintained%20by-blst%20security-4F46E5)]()\n\n[![docs](https://img.shields.io/badge/docs-passing-brightgreen)]()\n\n[![Discord Shield](https://discordapp.com/api/guilds/914846937327497307/widget.png?style=shield)](https://discord.gg/WdHhv4DqwU)\n\n\u003c/div\u003e\n\n  \n\n# 💣 What is Cherrybomb?\n\nCherrybomb is an CLI tool written  in Rust that helps prevent incorrect code implementation early in development. It works by validating and testing your API using an OpenAPI file. Its main goal is to reduce security errors and ensure your API functions as intended.\n\n  \n  \n\n# 🔨 How does it work?\n\n\nCherrybomb makes sure your API is working correctly. It checks your API's spec file (OpenAPI Specification) for good practices and makes sure it follows the OAS rules. Then, it tests your API for common issues and vulnerabilities. If any problems are found, Cherrybomb gives you a detailed report with the exact location of the problem so you can fix it easily.\n\n  \n\n# 🐾 Get Started\n\n## Installation\n\n\n\n##### Linux/MacOS:\n\n```\n\nDEPRECATED FOR NOW\n```\n\nThe script requires sudo permissions to move the cherrybomb bin into \u003cb\u003e/usr/local/bin/\u003c/b\u003e.\u003c/br\u003e\n\n(If you want to view the shell script(or even help to improving it - [/scripts/install.sh](/scripts/install.sh))\n\n ##### Containerized version\n You can get Cherrybomb through its containerized version which is hosted on AWS ECR, and requires an API key that you can get on that address(the loading is a bit slow) - DEPRECATED FOR NOW\n\n```\ndocker run --mount type=bind,source=[PATH TO OAS],destination=/home public.ecr.aws/blst-security/cherrybomb:latest cherrybomb -f /home/[OAS NAME] --api-key=[API-KEY]\n```\n\n#### Get it from crates.io\n\n```bash\n\ncargo install cherrybomb\n\n```\n\nIf you don't have cargo installed, you can install it from [here](https://doc.rust-lang.org/cargo/getting-started/installation.html)\n\n\n\n#### Building from Sources\n\nYou can also build Cherrybomb from sources by cloning this repo, and building it using cargo.\n\n```\n\ngit clone https://github.com/blst-security/cherrybomb \u0026\u0026 cd cherrybomb\n\n```\nThe main branch's Cargo.toml file uses `cherrybomb-engine` and `cherrybomb-oas` from crates.io. \n\nif you want build those from source too, you can change the following files:\n\n(remove the version number and replace with the path to the local repo)\n\n\n\n```\ncherrybomb/Cargo.toml:\ncherrybomb-engine = version =\u003e { path = \"cherrybomb-engine\" }\n```\n \n```\ncherrybomb/cherrybomb-engine/Cargo.toml:\ncherrybomb-oas = version =\u003e { path = \"../cherrybomb-oas\" }\n```\n\n```\ncargo build --release\nsudo mv ./target/release/cherrybomb /usr/local/bin # or any other directory in your PATH\n```\n  \n\n  \n### Profile \n \nProfiles allow you to choose the type of check you want to use.\n```\n- info: only generates param and endpoint tables\n- normal:  both active and passive\n- intrusive: active and intrusive [in development]\n- passive: only passive tests\n- full: all the options\n```\n\n### Config \n\n\n\nWith a configuration file, you can easily edit, view, Cherrybomb's options.\nThe config file allows you to set the running profile, location of the oas file, the verbosity and ignore the TLS error.\n\nConfig also allows you to override the server's URL with an array of servers, and add security to the request [in development]. \n\nNotice that CLI arguments parameter will override config options if both are set.\n\nYou can also add or remove checks from a profile using `passive/active-include/exclude`. [in development]\n\n```\ncherrybomb --config  \u003cCONFIG_FILE\u003e\n```\n\n\nStructure of config file:\n```\n{\n\"file\" : \"open-api.json\",\n\"verbosity\" : \"normal, \n\"profile\" : \" \"Normal\",\n\"passive_include\" : [\"check1, checks2\"],\n\"active_include\": [\"check3, check4\"],\n\"servers_override\" , [\"http://server/\"],\n\"security\":  [{\n    \"auth_type\": \"Basic\",\n    \"auth_value\" : token_value,\n    \"auth_scope\" : scope_name\n    }],\n\"ignore_tls_errors\" : true, \n\"no_color\" : false,\n}\n```\n\n\n\n# Usage\n\nAfter installing, verify it's working by running\n\n```\ncherrybomb --version\n\n```\n\n### OpenAPI specification\n\n\n``` cherrybomb --file \u003cPATH\u003e --profile passive ```\n\nPassive Output example:\n\n![passive_output](https://raw.githubusercontent.com/blst-security/cherrybomb/main/images/passive1_0.png)\n\n\n### Generate Info Table\n\n\n```\ncherrybomb --file \u003cPATH\u003e --profile info\n\n```\nParameter table output:\n\n  ![parameter_output](https://raw.githubusercontent.com/blst-security/cherrybomb/main/images/param_v1.png)\n\nEndpoint table output:\n\n  ![endpoint_output](https://raw.githubusercontent.com/blst-security/cherrybomb/main/images/endpoint_v1.png)\n\n\n\n\n# 🍻 Integration\n\nDEPRECATED FOR NOW - WILL BE REPLACED SOON\n\nYou can embed it into your CI pipeline, and If you plan on doing that I would recommend that you go to our [website](), sign up, go through the [CI pipeline integration wizard](), and copy the groovy/GitHub actions snippet built for you.\n\n\u003c/br\u003eExample:\n\n![CI pipeline builder output](https://raw.githubusercontent.com/blst-security/cherrybomb/main/images/ci_output.png)\n\n# 💪 Support\n\n  \n\n### Get help\n\nIf you have any questions you can ask us on our [discord server](https://discord.gg/WdHhv4DqwU).\n\n\nYou are also welcome to open an Issue here on GitHub.\n","funding_links":[],"categories":["Applications","Rust","Tools","Application Security","应用程序 Applications","cli","API Web Scanners","Rest API Testing"],"sub_categories":["Security tools","API Fuzzing","安全工具 Security tools","Desktop"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fblst-security%2Fcherrybomb","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fblst-security%2Fcherrybomb","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fblst-security%2Fcherrybomb/lists"}