API discovery from code


Code repositories often contain APIs that remain undocumented or unnoticed. These can include Shadow APIs (endpoints that exist outside of governance) and Zombie APIs. Scanning repositories allows you to automatically discover these APIs, generate specifications, and enrich your inventory with precise details such as contributors, commit history, and sensitive data types. This visibility enables you to understand your API footprint, monitor changes over time, and strengthen your security posture without requiring manual review of the source code. By connecting repository insights with actionable scans, you gain both awareness and control.

What you will learn in this topic

In this topic, you will learn:

  • How to connect and scan private repositories.

  • How to run scans on open-source repositories and through the CLI.

  • What information is available at the repository and API levels.

  • Which frameworks and languages are supported for code scanning.


Getting started with private repository scans

Most users begin by scanning their private repositories. Connecting a repository is the first step, as it allows Traceable to access and analyze the code securely.

To connect a private repository:

  1. In the Traceable UI, go to the Integrations page. For more information, see Integrations.

  2. Select GitHub as your version control system provider and follow the steps.

    Note

    Currently, only GitHub integration is supported through the UI. For other VCS providers, use the CLI method to scan repositories.

  3. Authorize Traceable to connect with your organization or user account. This establishes a secure connection with the repository.

  4. After authorization, your private repositories appear under Catalog → Inventory → Repositories as entries. These entries do not contain scan results until you trigger a scan from the UI.

Connecting the repository ensures that Traceable can identify it and make it available for scanning. Once this step is complete, you are ready to initiate scans and start discovering APIs.


Triggering scans

After connecting your repositories, the next step is to trigger scans. Depending on your workflow, you can do this either from the UI or through the CLI. Both methods are considered on-demand scans. The UI is suited for quick scans, while the CLI is useful if you want to run scans locally or integrate them manually into automation.

Triggering via UI

You can trigger a scan directly from the Traceable UI once a repository appears in Traceable.

  1. After configuring the integration (for private repositories) or once an open-source repository appears in the dashboard, go to Catalog → Inventory → Repositories.

  2. Select a repository and click Trigger Scan.

  3. Traceable temporarily pulls the repository’s source code into an ephemeral container, analyzes it, and deletes the code immediately after the scan.

Triggering via CLI

Scans can also be run locally or as part of build pipelines using the Traceable CLI Docker image.

Before you begin

Before you run a scan through the CLI, ensure that the following requirements are met:

  • System requirements — Minimum 8 CPU cores and 16 GB RAM.

  • Supported frameworks/languages:

    • Java — JAX-RS, Spring (Boot) – High detail

    • C# — .NET (Web APIs) – High detail

    • Python — Django, Flask – Low detail

    • JavaScript — Express, Koa – Low detail

Note

High-detail support generates more exhaustive OpenAPI specifications, including routes, parameters, and schemas.

Steps to run a scan

The following steps guide you through downloading the CLI, preparing your repository, and executing a scan. At the end of this process, the scan results and any generated OpenAPI specifications will be uploaded to Traceable.

  1. Pull the CLI Docker image:

    docker pull traceableai/traceable-cli:1.12.8-rc.0

  2. Navigate to your Git repository:

    cd /path/to/your/git/repository

    The directory must be a valid Git repository with metadata.

  3. Run the scan (set TRACEABLE_TOKEN to your Traceable API token first):

    docker run -it --rm -v "$PWD":/target \
      traceableai/traceable-cli:1.12.8-rc.0 code apis \
      -cp /target \
      --traceable-server api.traceable.ai \
      --token "$TRACEABLE_TOKEN"

When the scan completes, identified APIs and any generated OpenAPI specifications are uploaded to Traceable. If the repository was not already listed, a repository entity is automatically created in Traceable.
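The three CLI steps above are typically wrapped in a small script when the scan runs from a build pipeline. The following POSIX shell wrapper is an added example, not Traceable's own tooling: it verifies that the target directory carries Git metadata and that the token is present in the environment, warns when the host falls short of the 8-core / 16 GB requirement, prints the command with the token redacted so it can be logged safely, and only then invokes the CLI. The image tag, server name and CLI flags are the ones from the steps above; the function names, the optional TRACEABLE_IMAGE and TRACEABLE_SERVER overrides, and the redaction format are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not Traceable's own script): run the code scan from CI with
# the preconditions from the documentation checked first.
set -eu

# Image and server as documented; overridable through the environment (assumed names).
TRACEABLE_IMAGE="${TRACEABLE_IMAGE:-traceableai/traceable-cli:1.12.8-rc.0}"
TRACEABLE_SERVER="${TRACEABLE_SERVER:-api.traceable.ai}"
MIN_CPUS=8
MIN_MEM_GB=16

# check_preconditions DIR
# Returns 0 when DIR is a Git checkout (.git directory, or .git file for
# worktrees/submodules) and TRACEABLE_TOKEN is set; otherwise explains on
# stderr and returns 1. The token is never read from a file or argument.
check_preconditions() {
  dir=$1
  if [ ! -d "$dir/.git" ] && [ ! -f "$dir/.git" ]; then
    echo "error: $dir is not a Git repository (no .git metadata)" >&2
    return 1
  fi
  if [ -z "${TRACEABLE_TOKEN:-}" ]; then
    echo "error: TRACEABLE_TOKEN is not set; export the API token in the environment" >&2
    return 1
  fi
  return 0
}

# warn_if_under_resourced
# Soft check against the documented minimums; warns instead of failing because
# CI runners often report fewer cores than they can burst to.
warn_if_under_resourced() {
  cpus=$(getconf _NPROCESSORS_ONLN 2>/dev/null || echo 0)
  if [ "$cpus" -gt 0 ] && [ "$cpus" -lt "$MIN_CPUS" ]; then
    echo "warning: $cpus CPU cores available; the scanner expects at least $MIN_CPUS" >&2
  fi
  if [ -r /proc/meminfo ]; then
    mem_kb=$(awk '/^MemTotal:/ {print $2}' /proc/meminfo)
    mem_gb=$((mem_kb / 1024 / 1024))
    if [ "$mem_gb" -lt "$MIN_MEM_GB" ]; then
      echo "warning: ${mem_gb} GB RAM available; the scanner expects at least $MIN_MEM_GB GB" >&2
    fi
  fi
}

# tty_flags
# "-t" allocates a pseudo-TTY, which docker refuses when stdin is not a
# terminal (the usual case in CI), so fall back to "-i" alone there.
tty_flags() {
  if [ -t 0 ]; then echo "-it"; else echo "-i"; fi
}

# build_scan_cmd DIR
# Prints the command line run_scan will execute, with the token replaced by
# <redacted> so the line is safe to write to a build log.
build_scan_cmd() {
  dir=$1
  printf 'docker run %s --rm -v "%s":/target %s code apis -cp /target --traceable-server %s --token <redacted>\n' \
    "$(tty_flags)" "$dir" "$TRACEABLE_IMAGE" "$TRACEABLE_SERVER"
}

# run_scan DIR
# Checks preconditions, logs the redacted command, then runs the scan; results
# and generated OpenAPI specifications are uploaded by the CLI itself.
run_scan() {
  dir=$1
  check_preconditions "$dir" || return 1
  warn_if_under_resourced
  echo "running: $(build_scan_cmd "$dir")"
  # shellcheck disable=SC2046  (tty_flags intentionally yields one or two words)
  docker run $(tty_flags) --rm -v "$dir":/target \
    "$TRACEABLE_IMAGE" code apis \
    -cp /target \
    --traceable-server "$TRACEABLE_SERVER" \
    --token "$TRACEABLE_TOKEN"
}

# Usage: sh scan.sh /path/to/your/git/repository
# The scan only starts when a directory argument is given, so the file can also
# be sourced to reuse the functions without touching docker.
if [ "$#" -gt 0 ]; then
  run_scan "$1"
fi
```

In a pipeline, keep TRACEABLE_TOKEN in the CI system's secret store and mark it masked; the wrapper prints only the redacted command, and the image, server and token values never need to be committed alongside the repository being scanned.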


Exploring scanned repositories

All scanned repositories appear under Catalog → Inventory → Repositories. The repository list view provides a high-level summary of each repository:

  • Name of the repository

  • Scan method

  • Project (the repository owner on the VCS provider)

  • Languages discovered during the scan

  • Number of APIs detected

  • Last Scan timestamp

  • Last Commit timestamp

  • VCS provider (for example, GitHub, GitLab, Bitbucket, or Harness Code)

  • API frameworks discovered

Selecting a repository opens the repository details page. This page consolidates all information available from the list view and adds further context:

  • Contributors active in the 90 days preceding the latest commit at the time of the scan

  • Details of the latest commit

  • List of APIs discovered in the repository

Each API entry displays the HTTP method, path, type, data types, and last scan time.

Note

Traceable supports only REST API discovery through code scanning.

Selecting an API opens its generated OpenAPI specification. The specification can be rendered in either YAML or JSON and includes:

  • Path and method

  • Response codes

  • Request body schema

  • Data type annotations such as email, password, or token

Note

You can click the button at the top right corner to go directly to the exact line of code in the hosting service.

This workflow gives you visibility into which APIs exist in your code, the data they process, and their implementation details in source.