Vulnerability Scanning
API7.ai prioritizes the security of our gateway products. We employ comprehensive security testing and vulnerability scanning throughout the software development lifecycle to identify and address potential threats proactively.
Security Testing Practices
- Static Application Security Testing (SAST): Automated tools scan the API7 Gateway codebase for insecure coding patterns and common vulnerabilities.
- Dynamic Application Security Testing (DAST): We perform runtime analysis of our platform to detect vulnerabilities like injection flaws or configuration errors.
- Dependency Scanning: Continuous monitoring of all open-source dependencies (see Open Source Licenses) for known CVEs.
- Container Image Scanning: All official API7 Gateway container images are scanned for OS-level vulnerabilities before being signed and released.
CVE Reporting and Patching
When a vulnerability is identified, API7.ai follows a structured response process:
- Assessment: The security team evaluates the severity and impact of the vulnerability.
- Patching: We develop and test a security patch to address the vulnerability.
- Release: The patch is released as part of a security update or included in the next version release.
- Advisory: A security advisory is published to notify our customers of the vulnerability and provide guidance on applying the fix.
Vulnerability Disclosure Policy
We welcome reports from independent security researchers and our community. If you believe you have found a security vulnerability in API7 Gateway, please email security@api7.ai with a detailed description, reproduction steps, and any supporting evidence. Our security team will acknowledge your report and work with you on coordinated disclosure. For general inquiries about our security program or to request additional disclosure channels, contact your API7 support representative.
Third-Party Audits
In addition to our internal testing, API7 Gateway undergoes periodic security audits by reputable third-party security firms. These audits provide an objective assessment of our security posture and help us maintain the highest standards of protection for our enterprise customers.
Next Steps
- Verify Image Signatures to ensure you are running official, scanned images.
- Review our Trust Center for certifications and security reports.