Documentation Index
Fetch the complete documentation index at: https://docs.usedino.dev/llms.txt
Use this file to discover all available pages before exploring further.
Discovers your API surface (GraphQL introspection or OpenAPI parsing), runs the shipped quality modules, builds an API Intelligence catalog, and saves a schema snapshot. This is the primary command.
Usage
# Ad-hoc mode (GraphQL — zero tenant file)
dino scan
# Tenant mode (GraphQL and/or REST from tenants/<id>.yml)
dino scan --tenant <id> [flags]
In ad-hoc mode, Dino reads the endpoint and protocol from .dino.yml; no --tenant is required. The operation registry is built from GraphQL introspection. REST is configured in tenants/<id>.yml (apis[].type: rest, source: openapi, specPath). The --protocol flag does not switch the CLI to REST; use a tenant file instead.
Flags
| Flag | Type | Default | Description |
|---|---|---|---|
| --tenant | string | — | Tenant ID (or set in .dino.yml). Optional in ad-hoc GraphQL mode |
| --env | string | Tenant default | Target environment (must match tenant config) |
| --format | "markdown" \| "json" | "json" | Output format for the Intelligence Report |
| --quiet | boolean | false | Suppress stdout output |
| --verbose | boolean | false | Print resolved config defaults and debug info |
| --fail-on-high | boolean | false | Exit 1 when any finding is HIGH or CRITICAL (CI severity gate) |
| --tools | string[] | All modules | Comma-separated: input-fuzzer, response-validator, rbac-matrix, error-code-validator, deprecation-tracker, rate-limit-validator, rest-fuzzer |
| --modules | string[] | All modules | Comma-separated list of modules to scope the scan |
| --reasoning | boolean | false | Enable AI reasoning strategies (requires DINO_AI_KEY) |
| --timeout | number | 300000 | Pipeline timeout in milliseconds |
| --snapshot-dir | string | .dino/snapshots | Directory to save schema snapshots |
| --endpoint | string | From config | Override the API endpoint URL |
| --protocol | "graphql" | "graphql" | Ad-hoc GraphQL only. REST uses tenant OpenAPI discovery; see Configuration |
Authentication flags
| Flag | Type | Default | Description |
|---|---|---|---|
| --auth | object | { enabled: false } | Enable authenticated scanning |
| --ai-key | string | DINO_AI_KEY env var | API key for AI reasoning (Pro tier) |
When --reasoning is passed without an API key (via --ai-key or DINO_AI_KEY env var), the command exits with code 1.
Pipeline steps
- Discover: GraphQL introspection or OpenAPI 3.0/3.1 parsing; build the operation list
- Execute: Run quality modules against discovered operations
- Catalogue: Build an API Intelligence catalogue with health scores
- Snapshot: Save a schema snapshot for dino diff / dino changelog
- Report: Render the catalogue as JSON or Markdown
Quality modules
| Module | What it verifies |
|---|---|
| input-fuzzer | Input validation: null injection, type confusion, boundary violations |
| response-validator | Schema-response conformance: extra fields, execution errors, structural drift |
| rbac-matrix | Authorisation: auth bypass, permission escalation, missing auth on mutations |
| rate-limit-validator | Rate limiting: missing limits, misconfigured thresholds, header inconsistencies |
| error-code-validator | Error handling: stack trace leaks, information disclosure, inconsistent formats |
| deprecation-tracker | Schema evolution: deprecated field usage, migration progress |
| rest-fuzzer | REST hardening: 19 strategies across six surfaces, type confusion, oversized/deep bodies, injection, path/query manipulation, method confusion, content-type abuse, schema bypasses (enum/format/numeric/string/mass-assignment/readOnly), and header probes (auth bypass, host, IP spoofing, CORS) |
For OpenAPI response shape checks (status codes, Content-Type, required fields, extra fields, writeOnly, JSON types), the agents package exposes validateResponseAgainstSpec, useful in custom integrations today; it is not wired as its own dino scan module yet.
Examples
Ad-hoc scan (GraphQL)
echo 'endpoint: https://api.example.com/graphql
protocol: graphql' > .dino.yml
dino scan
Tenant scan with environment
dino scan --tenant acme --env production
REST API scan
dino scan --tenant my-rest-api --env production
JSON output for CI
dino scan --tenant acme --format json --quiet > report.json
CI gate: fail on HIGH or CRITICAL
dino scan --tenant acme --fail-on-high --format json --quiet
Scoped run with specific modules
dino scan --tenant acme --tools input-fuzzer,rbac-matrix,rest-fuzzer --modules users,billing
With AI reasoning
export DINO_AI_KEY="sk-ant-..."
dino scan --tenant acme --reasoning
Use --verbose to see which defaults Dino applied (format, timeout, snapshot directory, concurrency).
RBAC behavior
When authentication is not configured, the rbac-matrix module is automatically excluded, even if it is passed via --tools. This prevents false-positive RBAC findings on unauthenticated APIs.
Degraded mode
If all modules fail during a pipeline run, the run completes in degraded mode. The report is generated but contains no test data. Exit code is 1.
Exit codes
| Code | Meaning |
|---|---|
| 0 | Success: pipeline completed and (when --fail-on-high) no HIGH or CRITICAL findings |
| 1 | Pipeline failed, degraded mode, missing required config, or (when --fail-on-high) at least one HIGH or CRITICAL finding |
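Because exit 1 is shared by a severity-gate hit, a degraded run, and a missing-config failure, a CI job that only checks the exit status cannot tell them apart. The wrapper below, an added example that is not part of Dino, runs the CI gate invocation from the Examples section, keeps the JSON report as an artifact, and splits exit 1 by whether a report was written. It also refuses to start a --reasoning run when DINO_AI_KEY is unset, since the command would exit 1 anyway. Only the documented flags and exit codes are relied on; the DINO_CMD variable is this script's own assumption so a stub can stand in for the real CLI.

```bash
#!/usr/bin/env bash
# Added example, not part of Dino: a CI gate wrapper around `dino scan`.
# Flags (--tenant, --fail-on-high, --format, --quiet, --reasoning) and the
# 0/1 exit codes are the ones documented for `dino scan`; DINO_CMD is this
# script's own assumption so a stub can stand in for the CLI when testing.

# `dino scan --reasoning` exits 1 without a key. Checking first gives a
# clear message instead of a generic failed scan in the CI log.
dino_preflight() {
  local reasoning="$1"   # "1" when the job will pass --reasoning
  if [ "$reasoning" = "1" ] && [ -z "${DINO_AI_KEY:-}" ]; then
    echo "dino_preflight: --reasoning requested but DINO_AI_KEY is not set" >&2
    return 1
  fi
  return 0
}

# Run the scan with the severity gate, keep the JSON report as an artifact,
# and print a one-word verdict. Exit 1 covers both "HIGH/CRITICAL finding"
# and "degraded mode", so the verdict distinguishes by whether a report exists:
#   pass  -> scan exit 0; return 0
#   fail  -> scan exit 1 and a report was written (finding or degraded run;
#            inspect the report); return 1
#   error -> scan exit 1 and no report (missing config or crash); return 2
dino_gate() {
  local tenant="$1" report="$2"
  shift 2
  local rc=0
  "${DINO_CMD:-dino}" scan --tenant "$tenant" --fail-on-high --format json \
    --quiet "$@" > "$report" || rc=$?
  if [ "$rc" -eq 0 ]; then
    echo pass
    return 0
  fi
  if [ -s "$report" ]; then
    echo fail
    return 1
  fi
  echo error
  return 2
}

# Usage: ./dino_gate.sh <tenant> <report.json> [extra dino scan flags...]
# e.g.   DINO_AI_KEY=... ./dino_gate.sh acme report.json --env production --reasoning
main() {
  local tenant="$1" report="$2"
  shift 2
  local reasoning=0
  for arg in "$@"; do
    [ "$arg" = "--reasoning" ] && reasoning=1
  done
  dino_preflight "$reasoning" || exit 1
  dino_gate "$tenant" "$report" "$@"
}

if [ "$#" -ge 2 ]; then
  main "$@"
fi
```

In a pipeline, treat a `fail` verdict as a stop and attach the report, since a degraded run (report present but no test data) must not be mistaken for a clean scan; treat `error` as an infrastructure problem to be fixed before the gate result means anything.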