Entry Point Analyzer
Automate and integrate Entry Point Analyzer to identify and optimize code entry points
Category: productivity Source: trailofbits/skillsEntry Point Analyzer is a community skill for identifying and mapping application entry points, covering API endpoint discovery, route mapping, event handler detection, CLI command analysis, and attack surface assessment for security review and codebase understanding.
What Is This?
Overview
Entry Point Analyzer provides patterns for discovering all points where external input enters an application. It covers API endpoint discovery that scans route definitions in web frameworks to build a complete endpoint map, route mapping that traces URL patterns to handler functions with parameter types and authentication requirements, event handler detection that identifies message queue consumers, webhook receivers, and scheduled task triggers, CLI command analysis that maps command-line argument parsers to their execution paths, and attack surface assessment that evaluates which entry points accept untrusted input and lack validation. The skill enables security teams and developers to understand an application attack surface comprehensively.
Who Should Use This
This skill serves security engineers performing application attack surface analysis, developers onboarding to unfamiliar codebases who need to understand the API surface, and architects auditing exposed interfaces across microservices.
Why Use It?
Problems It Solves
Large applications have entry points scattered across multiple files and frameworks making manual discovery error-prone. Undocumented endpoints create security blind spots that attackers can exploit. Event-driven entry points through queues and webhooks are easy to overlook in route-focused analysis. Understanding which entry points lack input validation requires tracing data flow from the handler inward.
Core Highlights
Route scanner extracts endpoint definitions from web framework configurations. Handler tracer maps entry points to their processing functions with parameter details. Event detector identifies non-HTTP entry points including queue consumers and cron triggers. Surface reporter generates a complete inventory with authentication and validation status.
How to Use It?
Basic Usage
import ast
import re
from pathlib import Path
from dataclasses\
import dataclass
@dataclass
class EntryPoint:
type: str
path: str
method: str
handler: str
file: str
class RouteScanner:
PATTERNS = [
r'@app\.(get|post|'
r'put|delete)\('
r'[\'"](.+?)[\'"]',
r'router\.(get|post|'
r'put|delete)\('
r'[\'"](.+?)[\'"]']
def scan_file(
self,
filepath: str
) -> list[EntryPoint]:
content = Path(
filepath)\
.read_text()
entries = []
for pattern\
in self.PATTERNS:
for match\
in re.finditer(
pattern,
content):
entries.append(
EntryPoint(
type='http',
path=match\
.group(2),
method=match\
.group(1),
handler='',
file=filepath))
return entries
Real-World Examples
class SurfaceReport:
def __init__(self):
self.entries = []
def add(
self,
entry: EntryPoint,
has_auth: bool,
has_validation: bool
):
self.entries.append({
'type': entry.type,
'path': entry.path,
'method':
entry.method,
'auth': has_auth,
'validated':
has_validation})
def risk_summary(
self
) -> dict:
unauth = [
e for e
in self.entries
if not e['auth']]
unvalidated = [
e for e
in self.entries
if not
e['validated']]
return {
'total':
len(self.entries),
'unauthenticated':
len(unauth),
'unvalidated':
len(unvalidated),
'high_risk': [
e for e
in self.entries
if not e['auth']
and not
e['validated']
]}
Advanced Tips
Scan for decorator-based route definitions as well as configuration-file-based routing to capture all framework patterns. Include middleware analysis to determine which entry points have authentication applied at the middleware level rather than inline. Combine static analysis with runtime traffic logs to identify entry points that receive traffic but were missed by the code scanner.
When to Use It?
Use Cases
Generate a complete API surface inventory for a security audit of a web application. Identify unauthenticated and unvalidated entry points that need remediation. Map all event-driven handlers across a microservice architecture for threat modeling.
Related Topics
Attack surface analysis, API discovery, security auditing, route mapping, and threat modeling.
Important Notes
Requirements
Access to application source code for static analysis. Understanding of the web framework routing conventions used in the target codebase. Python or equivalent runtime for executing scanning scripts.
Usage Recommendations
Do: scan for both decorator and configuration-based route definitions to capture all routing patterns. Include non-HTTP entry points like queue consumers and webhook handlers in the analysis. Cross-reference static scan results with runtime logs for completeness.
Don't: rely solely on regex-based scanning for dynamic route registration which requires runtime analysis. Assume framework middleware covers all routes without verifying per-route authentication configuration. Skip internal service-to-service endpoints which may lack the same validation as public-facing routes.
Limitations
Static analysis cannot detect dynamically registered routes created at runtime through programmatic configuration. Framework-specific routing patterns require scanner rules tailored to each framework. Authentication and validation detection depends on recognizable patterns and may miss custom implementations.