GraphQL Security (GQL)

Analyze GraphQL APIs for security vulnerabilities including introspection enabled in production, missing query depth limits, no complexity analysis, batching abuse, alias-based denial of service, and missing per-field authorization. GraphQL's flexibility makes it a rich attack surface when default configurations are deployed to production without hardening.

Supported Flags

Read ../../shared/schemas/flags.md for the full flag specification. This skill supports all cross-cutting flags. Key flags for this skill:

  • --scope determines which files to analyze (default: changed)
  • --depth standard reads code and checks GraphQL configuration
  • --depth deep traces resolvers to data sources and maps authorization coverage
  • --severity filters output (GraphQL issues range from medium to critical)

Framework Context

First Seen: Feb 28, 2026
graphql — florianbuetow/claude-code