Zero-Config Setup (nat init)
nat init inspects your project and generates a .natrc configuration file automatically — no manual editing required.
Quick use: Run nat init in your project root. NAT detects your framework, finds your OpenAPI spec, and writes .natrc — one command, zero config.
What it does
nat init performs three steps automatically:
- Detects your framework — scans package.json, requirements.txt, pom.xml, Gemfile, etc.
- Finds your OpenAPI spec — searches common locations (openapi.yaml, swagger.json, docs/api.yaml, etc.)
- Generates .natrc — writes a ready-to-use configuration file in the current directory
Usage
```
nat init [flags]
```
Flags
| Flag | Description |
|---|---|
| --ci | Generate a CI-optimized config (adds --fail-on high, SARIF output, --no-color) |
| --force | Overwrite an existing .natrc |
| --template <name> | Use a starter template (express, fastapi, django, spring, rails) |
Framework detection
nat init recognizes the following frameworks automatically:
| Framework | Detection signal |
|---|---|
| Express / Node | package.json with express dependency |
| FastAPI | requirements.txt or pyproject.toml with fastapi |
| Django | manage.py or django in requirements |
| Spring Boot | pom.xml or build.gradle with spring-boot |
| Rails | Gemfile with rails |
| Go (chi / gin) | go.mod with chi or gin |
| Laravel | composer.json with laravel/framework |
If your framework is not detected automatically, use --template to select the closest match:
```
nat init --template express
```
OpenAPI spec detection
nat init searches these locations in order:
- ./openapi.yaml / ./openapi.json
- ./swagger.yaml / ./swagger.json
- ./docs/openapi.yaml
- ./api/openapi.yaml
- ./src/openapi.yaml
- Running server at http://localhost:<port>/openapi.json (common FastAPI/Springdoc endpoint)
If a spec is found, the path is written to .natrc automatically. If none is found, a placeholder is written and a warning is shown.
Generated .natrc example
Running nat init on a FastAPI project produces something like:
```yaml
# .natrc — generated by nat init v1.5.0
# Edit this file to customize your NAT configuration.
mode: saas
spec: ./openapi.yaml
base_url: http://localhost:8000
auth:
  type: bearer
  token: "${NAT_API_TOKEN}"
scan:
  fail_on: medium
  output_format: text
  max_findings: 50
export:
  type: none
```
CI-optimized .natrc
Running nat init --ci generates an extended config ready for pipeline use:
```yaml
# .natrc — generated by nat init --ci v1.5.0
mode: saas
spec: ./openapi.yaml
base_url: "${BASE_URL}"
auth:
  type: bearer
  token: "${NAT_API_TOKEN}"
scan:
  fail_on: high
  output_format: sarif
  no_color: true
  max_findings: 100
export:
  type: github
  github_token: "${GITHUB_TOKEN}"
  github_repo: "${GITHUB_REPOSITORY}"
  export_min_severity: high
```
CI/CD integration
Run nat init --ci locally
```
nat init --ci
```
This creates a .natrc tuned for CI: SARIF output, high severity threshold, no color codes.
Commit .natrc to your repository
```
git add .natrc
git commit -m "chore: add NAT zero-config CI setup"
git push
```
Use in GitHub Actions
Because .natrc is committed, the nat-action picks it up automatically — no workflow inputs required:
```yaml
- name: Run NAT scan
  uses: nat-testing/nat-action@v1
  with:
    api-key: ${{ secrets.NAT_API_KEY }}
```
The action reads fail_on, output_format, and all other settings from .natrc.
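Because .natrc is committed, its token fields should stay as `${VAR}` references like the generated ones, since a literal value pasted in during editing would land in git history. The following pre-commit check is an added example, not part of NAT: the function name `check_natrc_secrets` is hypothetical, and the key names `token` and `github_token` are taken from the generated configs shown on this page.

```shell
#!/bin/sh
# Added example (not NAT's own code): flag secret-bearing keys in .natrc whose
# value is a literal instead of a ${VAR} environment reference.

# check_natrc_secrets FILE
# Prints one line per offending entry; returns 1 if any are found, 0 otherwise.
check_natrc_secrets() {
    awk -v q="[\"']" '
        /^[ \t]*#/ { next }                        # skip comment lines
        /^[ \t]*(token|github_token)[ \t]*:/ {     # keys seen in generated .natrc
            key = $0
            sub(/^[ \t]*/, "", key)
            sub(/[ \t]*:.*/, "", key)
            val = $0
            sub(/^[^:]*:[ \t]*/, "", val)          # keep text after the first colon
            sub(/[ \t]+#.*$/, "", val)             # drop a trailing comment
            sub(/[ \t]+$/, "", val)
            gsub("^" q "|" q "$", "", val)         # strip surrounding quotes
            if (val !~ /^[$][{][A-Za-z_][A-Za-z0-9_]*[}]$/) {
                printf "line %d: %s is not a ${VAR} reference\n", NR, key
                bad = 1
            }
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample: one literal token (flagged) and one ${VAR} reference (ok).
sample=$(mktemp)
cat > "$sample" <<'EOF'
auth:
  type: bearer
  token: "constructed-literal-value"
export:
  type: github
  github_token: "${GITHUB_TOKEN}"
EOF
check_natrc_secrets "$sample" || echo "refusing to commit: literal secret in config"
rm -f "$sample"
```

To use it as a gate, call `check_natrc_secrets .natrc` from a pre-commit hook or an early CI step and stop on a non-zero return.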
Troubleshooting
| Problem | Fix |
|---|---|
| nat init says "framework not detected" | Use --template <name> to specify manually |
| nat init says "spec not found" | Pass --spec <path> or edit the placeholder in .natrc after generation |
| .natrc already exists and nat init refuses to overwrite | Add --force to overwrite the existing file |
| Generated base_url is wrong | Edit .natrc directly or re-run with --force after updating your env |