Changelog

All notable changes to NAT are documented here.

v1.3.0 — 2025-01-15

New features

GraphQL subscription testing — NAT can now test GraphQL subscriptions for authorization flaws and data leakage
SARIF 2.1.0 support — improved SARIF output with rule metadata and fix guidance, compatible with GitHub Advanced Security and SonarQube
Scan comparison — dashboard now supports side-by-side comparison of two scan results
nat checks list command — new CLI command to list all available security checks and their status

Improvements

Improved BOLA detection accuracy — 15% reduction in false positives on APIs with UUID-based IDs
Faster endpoint discovery when using OpenAPI 3.1 specifications
CLI --verbose output now includes timing information for each request
Dashboard findings page loads significantly faster for workspaces with large numbers of findings

Bug fixes

Fixed: OAuth2 token refresh failed silently when token URL returned non-standard response format
Fixed: --exclude pattern with trailing slash didn't match correctly
Fixed: Report generation failed for scans with more than 1,000 findings

v1.2.0 — 2024-10-28

New features

GitHub Action v1 — official bg-playground/nat-action now available
Multi-spec support — provide multiple --spec files in a single scan to cover multiple API versions
Compliance profiles — built-in profiles for OWASP API Top 10, PCI DSS, HIPAA, and SOC 2
Webhook notifications — configure webhooks to receive scan results in your own systems

Improvements

Improved mass assignment detection — now covers JSON Merge Patch (PATCH with application/merge-patch+json)
SSRF check now tests common cloud metadata endpoints (AWS IMDSv1/v2, GCP, Azure)
Dashboard now supports team-level finding management and assignment
Self-hosted server now exposes Prometheus metrics at /metrics

Bug fixes

Fixed: Scanner hung indefinitely when API returned chunked responses without a terminating chunk
Fixed: --rate-limit flag was applied globally instead of per-host when multiple base URLs were provided
Fixed: Dashboard session expired after 30 minutes even when actively in use

Breaking changes

nat report --scan is now nat report --scan-id — update any scripts using the old flag name

v1.1.0 — 2024-07-22

New features

Demo mode — nat demo runs a complete scan against a built-in example API
Self-hosted server mode — nat server start serves the dashboard and REST API locally
Basic auth support — --auth-type basic for APIs using HTTP Basic authentication
Markdown report format — --format markdown for embedding reports in wikis and PRs

Improvements

Significantly improved injection detection — now covers all parameter locations (path, query, header, body)
Added detection for API9 (Improper Inventory Management) — NAT now probes for undocumented endpoints and deprecated API versions
Report HTML is now fully self-contained — can be shared as a single file without external dependencies

Bug fixes

Fixed: Bearer token containing = characters caused request signing to fail
Fixed: Very long endpoint paths caused the report sidebar to overflow

v1.0.0 — 2024-04-30

Initial public release.

Core features

REST API security scanning against OWASP API Top 10
OpenAPI 3.x and Swagger 2.x specification support
Specless crawl mode for APIs without a specification
Bearer token, API key header, and OAuth2 client credentials authentication
HTML and JSON report formats
CI/CD integration via CLI (pip install nat-engine)
Docker image (natengine/nat)
GitHub Actions workflow example

Upcoming

Features in active development:

Scheduled scans — run scans on a cron schedule from the dashboard
Custom check plugins — write your own security checks in Python
gRPC API testing — security testing for gRPC-based services
Postman collection import — use Postman collections as an alternative to OpenAPI specs
Slack / Teams notifications — native integration with team communication tools

Have a feature request? Contact us.