Dino
Feature

REST API Scanning

Full REST API scanning with OpenAPI 3.0/3.1 discovery, 19 fuzz strategies across 6 attack surfaces, response validation, and CI gating.

Dino now scans REST APIs. Point it at an OpenAPI spec and get the same depth of analysis you already get for GraphQL — security fuzzing, correctness checks, and catalog reporting with health scores.

Added

  • REST/OpenAPI support — OpenAPI 3.0 and 3.1 discovery. Dino parses your spec, extracts operations, and runs them through the full quality pipeline.
  • 19 fuzz strategies across 6 attack surfaces — body, path, query, method, content-type, and headers. Schema-constraint strategies test enum bypass, format bypass, numeric boundaries, string length, mass assignment, and read-only injection.
  • Header injection fuzzing — four new strategies: auth bypass (empty/malformed/JWT-none tokens), host injection (reflection detection), IP spoofing (seven proxy headers), and CORS probing (origin reflection in Access-Control-Allow-Origin).
  • Response validation — validateResponseAgainstSpec checks API responses against your OpenAPI schema. Status codes, content types, and response shapes are all verified.
  • --fail-on-high flag — dino scan --fail-on-high exits 1 when any finding is HIGH or CRITICAL. Use it as a CI gate to block deploys with serious issues.
  • Quick and full scan modes — quick mode runs a focused strategy set with a 3-minute budget (ideal for CI). Full mode runs all 19 strategies with adaptive rate limiting and concurrency control.
  • Protocol-aware discovery — Dino auto-detects whether your API is GraphQL or REST and routes to the right plugin. Mixed-protocol projects work out of the box.
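
As an added example (not part of these release notes and not Dino's own code), the following JavaScript sketches the kind of checks a response validator such as validateResponseAgainstSpec performs (documented status code, documented content type, body shape against the schema) and pairs them with a --fail-on-high style gate that returns exit code 1 on any HIGH or CRITICAL finding. The OpenAPI fragment, the observed response, the function names validateResponse/checkSchema/exitCodeFor and the severity mapping are all assumptions made for illustration.

```javascript
// Added example, not Dino's code. Spec fragment, function names and the
// severity mapping are assumptions chosen for illustration.

// Constructed OpenAPI 3.1 fragment: one operation with two documented responses.
const SPEC = {
  paths: {
    "/users/{id}": {
      get: {
        responses: {
          "200": {
            content: {
              "application/json": {
                schema: {
                  type: "object",
                  required: ["id", "role"],
                  properties: {
                    id: { type: "integer" },
                    role: { type: "string", enum: ["user", "admin"] },
                    email: { type: "string" },
                  },
                  additionalProperties: false,
                },
              },
            },
          },
          "404": { content: { "application/json": { schema: { type: "object" } } } },
        },
      },
    },
  },
};

// Check a JSON value against a small subset of JSON Schema (type, required,
// properties, enum, additionalProperties). Returns human-readable problems.
function checkSchema(value, schema, path = "$") {
  const problems = [];
  if (!schema) return problems;
  const actualType = Array.isArray(value) ? "array" : value === null ? "null" : typeof value;
  const expected = schema.type === "integer" ? "number" : schema.type;
  if (schema.type && actualType !== expected) {
    problems.push(`${path}: expected ${schema.type}, got ${actualType}`);
    return problems; // children of a wrongly typed value are not worth inspecting
  }
  if (schema.type === "integer" && !Number.isInteger(value)) {
    problems.push(`${path}: expected integer, got ${value}`);
  }
  if (schema.enum && !schema.enum.includes(value)) {
    problems.push(`${path}: value ${JSON.stringify(value)} not in enum ${JSON.stringify(schema.enum)}`);
  }
  if (schema.type === "object") {
    for (const key of schema.required || []) {
      if (!(key in value)) problems.push(`${path}.${key}: required property missing`);
    }
    for (const [key, child] of Object.entries(value)) {
      const childSchema = (schema.properties || {})[key];
      if (childSchema) {
        problems.push(...checkSchema(child, childSchema, `${path}.${key}`));
      } else if (schema.additionalProperties === false) {
        problems.push(`${path}.${key}: undocumented property in response`);
      }
    }
  }
  return problems;
}

// Validate one observed response against the spec. Severities are assumed:
// an undocumented status or content type is MEDIUM, a body that carries
// undocumented properties is HIGH (possible data exposure), other shape
// mismatches are LOW.
function validateResponse(spec, path, method, response) {
  const op = spec.paths[path]?.[method.toLowerCase()];
  if (!op) return [{ severity: "MEDIUM", message: `${method} ${path}: operation not in spec` }];
  const findings = [];
  const status = String(response.status);
  const resp = op.responses[status] ?? op.responses.default;
  if (!resp) {
    findings.push({ severity: "MEDIUM", message: `status ${status} not documented` });
    return findings;
  }
  const mediaType = response.contentType.split(";")[0].trim();
  const media = resp.content?.[mediaType];
  if (!media) {
    findings.push({ severity: "MEDIUM", message: `content type ${mediaType} not documented for ${status}` });
    return findings;
  }
  for (const problem of checkSchema(response.body, media.schema)) {
    const severity = problem.includes("undocumented property") ? "HIGH" : "LOW";
    findings.push({ severity, message: problem });
  }
  return findings;
}

// CI gate in the spirit of --fail-on-high: 1 when any finding is HIGH or CRITICAL, else 0.
function exitCodeFor(findings) {
  return findings.some((f) => f.severity === "HIGH" || f.severity === "CRITICAL") ? 1 : 0;
}

// Constructed response: documented status and content type, but the body has an
// undocumented "password_hash" field and a role value outside the enum.
const observed = {
  status: 200,
  contentType: "application/json; charset=utf-8",
  body: { id: 7, role: "superuser", password_hash: "<constructed-hash>" },
};
const findings = validateResponse(SPEC, "/users/{id}", "GET", observed);
console.log(findings);
console.log("exit code:", exitCodeFor(findings));
```

Run with `node`, the constructed response yields two findings (a LOW enum mismatch on `$.role` and a HIGH undocumented property `$.password_hash`), so the gate returns 1; a response that matches the schema returns no findings and exit code 0.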

Fixed

  • Scan always exited 0 regardless of findings — only total pipeline failure caused non-zero exit. Now --fail-on-high gives you proper CI gating.
  • REST operations now appear in the scan report with health scores and per-tool findings.