Qodex

Qodex is an AI-powered API assurance layer that discovers endpoints from code, generates tests, and continuously tracks API visibility and security posture.

What is Qodex?

Qodex is an “API Assurance Layer” that creates a system of record for an organization’s APIs by starting from the codebase and continuously assuring API visibility, behavior, and security posture.

The stated goal is to close gaps that typically appear when teams rely on separate tools for API discovery, scanning, and cataloging. Qodex focuses on what those tools can’t see—such as internal, shadow, and dead-but-callable endpoints—and it updates documentation and test coverage as APIs drift over time.

Key Features

  • API discovery from code: Connect a repository to generate a map of endpoints, including internal, shadow, and “dead-but-callable” routes that gateways and existing catalogs may miss.
  • Tests generated from plain English: Describe test intent in plain English; Qodex generates multi-step test scenarios and produces test code.
  • Tests as version-controlled code: Generated tests are transparent, editable, and committed to Git, so they can run in Qodex, in CI/CD, or on the user’s own infrastructure.
  • Continuous posture visibility: Track ownership, test recency, coverage gaps, and security posture from one control plane with current status.
  • OWASP-aligned security checks in CI: Run “Top 10” security assertions alongside functional tests as part of standard CI pipelines, aiming to catch security issues before production.
  • Repository and CI/CD integrations: Integrates with GitHub, GitLab, Bitbucket, and CI/CD pipeline workflows rather than replacing existing tools.
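The "discovery from code" feature above is easiest to understand with a concrete, self-contained illustration. The following is an added example, not Qodex's own code or a description of how Qodex implements discovery: it statically walks a Flask-style module's AST, collects every route registered through an `@app.route(...)` decorator (including the default GET method), and diffs the result against a gateway catalog to surface "shadow" routes the gateway never saw. `SAMPLE_SOURCE`, `GATEWAY_CATALOG`, the `/internal/` prefix heuristic and all function names are constructed assumptions for this example.

```python
"""Static endpoint discovery from source, diffed against a gateway catalog."""
import ast
import re

# Constructed sample: a small Flask-style service. Two of its routes are not in
# the gateway catalog below, so code-based discovery is the only place they show up.
SAMPLE_SOURCE = '''
from flask import Flask
app = Flask(__name__)

@app.route("/users/<int:user_id>", methods=["GET"])
def get_user(user_id): ...

@app.route("/users/<int:user_id>", methods=["DELETE"])
def delete_user(user_id): ...

@app.route("/internal/debug/dump")
def debug_dump(): ...
'''

# Constructed sample: the routes the API gateway / existing catalog knows about.
GATEWAY_CATALOG = {("GET", "/users/{user_id}")}


def normalize_path(path):
    """Rewrite Flask converters (<int:user_id>) into OpenAPI style ({user_id})."""
    return re.sub(r"<(?:\w+:)?(\w+)>", r"{\1}", path)


def discover_routes(source):
    """Return every route registered via @<obj>.route(...) as method/path/handler/line.

    Static discovery sees routes even when no gateway, client or document mentions them.
    """
    routes = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        for deco in node.decorator_list:
            if not (isinstance(deco, ast.Call) and isinstance(deco.func, ast.Attribute)
                    and deco.func.attr == "route"):
                continue
            if not deco.args or not isinstance(deco.args[0], ast.Constant):
                continue  # dynamic path expression: cannot be resolved statically
            methods = ["GET"]  # Flask's default when methods= is omitted
            for kw in deco.keywords:
                if kw.arg == "methods" and isinstance(kw.value, (ast.List, ast.Tuple)):
                    methods = [e.value for e in kw.value.elts if isinstance(e, ast.Constant)]
            for method in methods:
                routes.append({
                    "method": method.upper(),
                    "path": normalize_path(deco.args[0].value),
                    "handler": node.name,
                    "line": node.lineno,
                })
    return routes


def find_shadow_routes(routes, catalog):
    """Routes present in code but absent from the catalog: the 'shadow' surface."""
    return sorted({(r["method"], r["path"]) for r in routes} - set(catalog))


def is_internal(route):
    """Heuristic (assumption): paths under /internal/ need ownership and exposure review."""
    return route["path"].startswith("/internal/")


if __name__ == "__main__":
    found = discover_routes(SAMPLE_SOURCE)
    for r in found:
        tag = "internal" if is_internal(r) else "public"
        print(f'{r["method"]:6} {r["path"]:24} {r["handler"]} (line {r["line"]}, {tag})')
    print("shadow routes:", find_shadow_routes(found, GATEWAY_CATALOG))
```

Against the constructed sample the DELETE handler and the `/internal/debug/dump` route are reported as shadow routes, which is exactly the kind of endpoint a gateway-derived inventory cannot list because nothing ever routed traffic to it. Whether a discovered route is "dead-but-callable" is not decidable from source alone; that needs call-graph, traffic or gateway data on top of this static pass.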

How to Use Qodex

  1. Connect your code repository to enable Qodex to discover endpoints from your API source.
  2. Review the discovered API surface to understand endpoint coverage, ownership, and data sensitivity as captured by Qodex.
  3. Generate and maintain tests by describing desired checks in plain English; Qodex generates test code and commits it to your Git repository.
  4. Run tests in your workflow by executing the tests in Qodex, in CI/CD, or on your own infrastructure.
  5. Use continuous reporting and alerting to monitor test results and security assertions, and to see when API behavior or security posture changes.
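Steps 3 to 5 describe tests that live in the repository and run functional and OWASP-aligned security assertions side by side. The following is an added example of what such a test file can look like; it is not Qodex's generated code and makes no claim about Qodex's test format. It spins up a constructed `/users/<id>` API in-process, in a deliberately vulnerable build and a hardened build, and runs one functional check plus three checks named after OWASP API Security Top 10 categories (broken object level authorization, broken authentication, excessive data exposure). `USERS`, `TOKENS`, the handler, and the check names are all constructed for this example.

```python
"""Functional and OWASP API Top 10-aligned assertions as plain test code."""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed sample data. password_hash must never reach a client.
USERS = {
    1: {"id": 1, "email": "alice@example.test", "password_hash": "$2b$12$alice"},
    2: {"id": 2, "email": "bob@example.test", "password_hash": "$2b$12$bob"},
}
TOKENS = {"token-alice": 1, "token-bob": 2}  # constructed bearer tokens -> user id


def make_handler(hardened):
    """Build a /users/<id> handler; hardened=False reproduces three classic API flaws."""

    class Handler(BaseHTTPRequestHandler):
        def log_message(self, *args):  # silence per-request logging
            pass

        def do_GET(self):
            parts = self.path.strip("/").split("/")
            if len(parts) != 2 or parts[0] != "users" or not parts[1].isdigit():
                return self._send(404, {"error": "not found"})
            user_id = int(parts[1])
            auth = self.headers.get("Authorization", "")
            caller = TOKENS.get(auth[7:]) if auth.startswith("Bearer ") else None
            if hardened:
                if caller is None:
                    return self._send(401, {"error": "unauthenticated"})
                if caller != user_id:  # object-level authorization check
                    return self._send(403, {"error": "forbidden"})
            user = USERS.get(user_id)
            if user is None:
                return self._send(404, {"error": "not found"})
            body = dict(user)
            if hardened:
                body.pop("password_hash")  # never serialize secrets to the client
            return self._send(200, body)

        def _send(self, status, payload):
            data = json.dumps(payload).encode()
            self.send_response(status)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)

    return Handler


def get(url, token=None):
    """GET url, returning (status, parsed JSON body) for both 2xx and 4xx responses."""
    headers = {"Authorization": f"Bearer {token}"} if token else {}
    try:
        with urlopen(Request(url, headers=headers), timeout=5) as resp:
            return resp.status, json.loads(resp.read())
    except HTTPError as err:
        return err.code, json.loads(err.read())


def check_api(base_url):
    """Run one functional check and three OWASP-aligned checks; return failed check names."""
    failures = []

    def expect(name, ok):
        if not ok:
            failures.append(name)

    status, body = get(f"{base_url}/users/1", "token-alice")
    expect("functional: owner reads own record",
           status == 200 and body.get("email") == "alice@example.test")
    status, _ = get(f"{base_url}/users/2", "token-alice")
    expect("broken object level authorization: other user's record denied", status in (403, 404))
    status, _ = get(f"{base_url}/users/1")
    expect("broken authentication: unauthenticated request rejected", status == 401)
    status, body = get(f"{base_url}/users/1", "token-alice")
    expect("excessive data exposure: password_hash absent from response", "password_hash" not in body)
    return failures


def audit(hardened):
    """Start the sample API in-process, run the checks, stop it, return failures."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(hardened))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return check_api(f"http://127.0.0.1:{server.server_address[1]}")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("vulnerable build:", audit(hardened=False))
    print("hardened build:  ", audit(hardened=True))
```

The vulnerable build passes the functional check and fails all three security checks, which is the point of running both kinds of assertion per build: a green functional suite says nothing about whether an endpoint enforces authentication or authorization. In a CI pipeline `check_api` would be pointed at the deployed review environment instead of the in-process server, and a non-empty failure list would fail the job.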

Use Cases

  • Build an up-to-date API inventory: Answer “How many APIs do we have?” by discovering endpoints directly from the codebase, including internal and shadow routes.
  • Detect coverage drift after releases: Identify which APIs changed and whether tests and documentation have caught up, reducing the risk of “safe” schema or behavior changes breaking downstream clients.
  • Produce a data-backed security response: Quickly determine which endpoints handle PII or match security requirements, rather than relying on outdated wikis or manual investigations.
  • Automate regression and security testing at scale: Run functional/regression tests and security assertions continuously against the APIs that serve production workloads, with security checks aligned to OWASP categories.
  • Move from manual scripting to tests-in-repo: Eliminate manual test scripts by generating editable, version-controlled tests that can be run in CI/CD.

FAQ

  • What does Qodex discover? Qodex discovers API endpoints from your codebase, including internal, shadow, and dead-but-callable routes that may not appear in gateways or existing catalogs.

  • How are tests created? Qodex generates tests from plain English descriptions, producing test code that can be committed to Git.

  • Where can the generated tests run? The site states tests can run in Qodex, in CI/CD, or on the user’s own infrastructure.

  • Does Qodex include security testing? Yes. Qodex runs OWASP-aligned security checks alongside functional tests in CI pipelines, described as “Top 10 security assertions” per build.

  • What integrations are supported? Qodex integrates with GitHub, GitLab, Bitbucket, and CI/CD pipeline workflows.

Alternatives

  • API scanners and vulnerability management tools: These may focus on runtime findings or known vulnerability categories, but they typically don’t generate version-controlled functional/security tests from code in the same unified workflow described for Qodex.
  • API gateways and API catalogs: Gateways and catalogs can provide visibility into routes they capture, but Qodex explicitly targets endpoints those systems might miss (e.g., internal/shadow/dead-but-callable routes).
  • API documentation tooling with manual review: Documentation tooling can help teams map endpoints, but Qodex emphasizes continuous assurance tied to code and test recency rather than static documentation updates.
  • General-purpose test automation frameworks (manual authoring): Tools in this category help run automated tests, but they generally require teams to write and maintain test cases themselves rather than generating tests from plain English and committing them to Git as described by Qodex.