Stats
Actions
Tags
Help us improve
Share bugs, ideas, or general feedback.
From nightvision
Guide for agents to help users extract OpenAPI specs from source code using NightVision API Discovery. Use when running swagger extract, identifying framework support, troubleshooting extraction, handling unresolved variables, comparing API specs, or understanding Code Traceback.
npx claudepluginhub anthropics/claude-plugins-official --plugin nightvisionHow this skill is triggered — by the user, by Claude, or both
Slash command
/nightvision:api-discoveryThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Use this skill when helping users generate OpenAPI specifications from their source code using `nightvision swagger extract`. API Discovery performs static analysis — no running application or compilation needed — and annotates the spec with source file paths and line numbers (Code Traceback) so that vulnerabilities found during DAST scans trace back to exact code locations.
Extracts OpenAPI specs from existing API codebases in FastAPI, Flask, Django REST, Spring Boot, NestJS, Hono, Rails, and Laravel using framework-specific guides.
Generates or updates OpenAPI 3.0 specifications by analyzing codebase routes. Supports Express, Flask, Django, FastAPI, Go, Spring, Rails.
Generates OpenAPI 3.0+ specs from existing API code, enhances with schemas/examples/errors, creates interactive docs/SDKs, and validates compliance.
Share bugs, ideas, or general feedback.
Use this skill when helping users generate OpenAPI specifications from their source code using nightvision swagger extract. API Discovery performs static analysis — no running application or compilation needed — and annotates the spec with source file paths and line numbers (Code Traceback) so that vulnerabilities found during DAST scans trace back to exact code locations.
When a user asks to extract or document their API:
nightvision --help)--lang flag and whether the framework is supported (see references/framework-support.md)nightvision swagger extract with the appropriate flags. On success, the CLI prints "Swagger file extracted successfully." and writes the spec to the output path (default: openapi-spec.yml)nv.config was created alongside the specnightvision swagger diff to show what was discovered vs. what was documentedRelated skills: Use scan-configuration for target/auth setup, ci-cd-integration for pipeline integration, scan-triage for interpreting scan results.
| Language | Flag | Frameworks |
|---|---|---|
| Python | --lang python | Django, DRF, Flask, Flask-RESTful, FastAPI |
| Java | --lang java | Spring Boot, JAX-RS/Jersey, Micronaut, Java EE/Jakarta EE |
| JavaScript | --lang js | Express, NestJS, Fastify |
| C# | --lang dotnet | ASP.NET Core (controllers, minimal APIs) |
| Go | --lang go | Gin, httprouter, net/http (experimental) |
| Ruby | --lang ruby | Rails, Grape |
See references/framework-support.md for detailed component coverage per framework.
# Basic extraction (output defaults to openapi-spec.yml)
nightvision swagger extract . --lang python
# Specify output file and format
nightvision swagger extract . --lang java -o api-spec.json --file-format json
# Extract and upload directly to a NightVision target
nightvision swagger extract . -t my-api -p my-project --lang python
# Extract without uploading
nightvision swagger extract . -o openapi-spec.yml --lang java --no-upload
# Scan multiple source directories
nightvision swagger extract ./service-a ./service-b --lang python
# Extend an existing spec (add discovered endpoints to it)
nightvision swagger extract . --lang python --extend existing-spec.yml
# Exclude directories from analysis
nightvision swagger extract . --lang python --exclude vendor,generated
# Include code snippets in the spec (useful for debugging)
nightvision swagger extract . --lang python --dump-code
Extraction can fail if language detection fails or the framework isn't supported. Always guard against this in pipelines:
nightvision swagger extract . -t $TARGET --lang java || true
if [ ! -e openapi-spec.yml ]; then cp backup-openapi-spec.yml openapi-spec.yml; fi
When static analysis can't resolve a variable (e.g., an API prefix read from an environment variable), it appears as a literal placeholder in the spec. NightVision generates an nv.config file to fix this.
Steps:
nv.config is created alongside the spec (in the first source directory passed to the command)nv.config — find the replacements object with null valuesnull with the actual values (check the app's config files, environment vars, etc.)nv.config and substitutes the values. You can also use -c / --config to explicitly specify the config file path: nightvision swagger extract . --lang python -c path/to/nv.config// nv.config example
{
"replacements": {
"Microsoft.AspNetCore.Builder.WebApplication.Services...ApiPrefix": null
}
}
The agent should help the user find the actual value by searching their config files (appsettings.json, .env, settings.py, etc.) and updating nv.config.
Use swagger diff to measure coverage or detect breaking changes:
# Summary diff (paths and schemas counts)
nightvision swagger diff original-spec.yml discovered-spec.yml
# Show only path-level changes (endpoints added/removed/modified)
nightvision swagger diff original-spec.yml discovered-spec.yml --paths
# Show only schema changes
nightvision swagger diff original-spec.yml discovered-spec.yml --schemas
# Show the full diff (paths and schemas together, with details)
nightvision swagger diff original-spec.yml discovered-spec.yml --full-diff
# Save diff output to file
nightvision swagger diff original-spec.yml discovered-spec.yml -o diff-report.txt
Common use cases:
Search the codebase for existing OpenAPI/Swagger files. The detect command takes no positional arguments — use -p to specify the root folder:
# Detect project roots in the current directory
nightvision swagger detect
# Detect in a specific directory
nightvision swagger detect -p ./path/to/code
# Save detection results as JSON
nightvision swagger detect -o detection-results.json
The generated spec includes x-source annotations on each endpoint with the file path and line number where the route is declared. When this spec is used for DAST scanning:
This is why using NightVision-generated specs (vs. hand-written ones) significantly improves the triage experience.
| Issue | Cause | Fix |
|---|---|---|
| No endpoints found | Wrong --lang flag, or unsupported framework | Verify the framework is supported, check --lang value |
| Unresolved variables in paths | Config values read from env vars without defaults | Fill in nv.config replacements and re-run |
| Incomplete routes | Custom routing, non-standard framework usage | NightVision relies on standard framework patterns; custom routing may not be detected |
| Extraction fails entirely | Syntax errors in source, missing files | Use --diagnostics to get language-level error details |
| Spec missing sub-routes | Code in subdirectories not scanned | Pass multiple paths: nightvision swagger extract ./src ./lib |
For unsupported frameworks or components, contact support@nightvision.net.