GOAT (GraphQL Assessor Tool) is an open-source utility for analyzing and securing GraphQL APIs.
It aims to detect misconfigurations, security risks, and performance issues in GraphQL endpoints, with an extensible design inspired by the OWASP GraphQL Security guidelines.
The project is currently at Milestone 0, where the focus is on building a solid foundation: environment setup, a minimal vulnerable GraphQL app to test against, and the first utility (introspect.py), which fetches a GraphQL schema via the standard `__schema` introspection query and displays it.
- CLI-first design (Typer + Rich)
- Schema introspection & parsing
- Initial security checks: introspection exposure, query depth, overfetching
- Reports in JSON and CLI-friendly formats
- Modular structure for future OWASP GraphQL checks
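The following is an added example, not code from the GOAT repository, showing the core of what the introspection step and the first two checks (introspection exposure, query depth) amount to in plain Python. The function names (`fetch_schema`, `introspection_exposed`, `summarize_types`, `recursive_fields`, `query_depth`) and the embedded `SAMPLE_RESPONSE` are assumptions made for this example; the response shape itself follows the GraphQL introspection system, and the sample models the kind of minimal vulnerable app the milestone describes (a `User` type with a self-referencing `friends` list, which is what makes unbounded query depth exploitable).

```python
"""Added example (not GOAT's own code): minimal GraphQL introspection + depth checks."""
import json
import urllib.request

# Trimmed introspection query: enough to recover object types, their fields and
# the named type behind LIST / NON_NULL wrappers (three levels of ofType).
INTROSPECTION_QUERY = """
query IntrospectionQuery {
  __schema {
    queryType { name }
    types {
      name kind
      fields { name type { name kind ofType { name kind ofType { name kind ofType { name kind } } } } }
    }
  }
}
"""

# Constructed sample response, standing in for a live endpoint so the example runs offline.
SAMPLE_RESPONSE = {
    "data": {"__schema": {
        "queryType": {"name": "Query"},
        "types": [
            {"name": "Query", "kind": "OBJECT", "fields": [
                {"name": "user", "type": {"name": "User", "kind": "OBJECT", "ofType": None}},
                {"name": "users", "type": {"name": None, "kind": "LIST",
                                           "ofType": {"name": "User", "kind": "OBJECT", "ofType": None}}},
            ]},
            {"name": "User", "kind": "OBJECT", "fields": [
                {"name": "id", "type": {"name": "ID", "kind": "SCALAR", "ofType": None}},
                {"name": "email", "type": {"name": "String", "kind": "SCALAR", "ofType": None}},
                {"name": "friends", "type": {"name": None, "kind": "LIST",
                                             "ofType": {"name": "User", "kind": "OBJECT", "ofType": None}}},
            ]},
            {"name": "String", "kind": "SCALAR", "fields": None},
            {"name": "__Type", "kind": "OBJECT", "fields": [
                {"name": "name", "type": {"name": "String", "kind": "SCALAR", "ofType": None}}]},
        ],
    }},
}


def fetch_schema(endpoint, timeout=10):
    """POST the introspection query to a live endpoint and return the parsed JSON body."""
    body = json.dumps({"query": INTROSPECTION_QUERY}).encode()
    req = urllib.request.Request(endpoint, data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def introspection_exposed(response):
    """Check 1: introspection is exposed if the server answered with a __schema object."""
    data = response.get("data") or {}
    return isinstance(data.get("__schema"), dict)


def named_type(type_ref):
    """Unwrap LIST / NON_NULL wrappers down to the underlying named type."""
    while type_ref.get("name") is None and type_ref.get("ofType"):
        type_ref = type_ref["ofType"]
    return type_ref.get("name")


def summarize_types(response):
    """Return {object_type: {field: named_return_type}} for user-defined OBJECT types only."""
    summary = {}
    for t in response["data"]["__schema"]["types"]:
        if t["kind"] != "OBJECT" or t["name"].startswith("__"):
            continue  # skip scalars, enums and the built-in __Schema/__Type machinery
        summary[t["name"]] = {f["name"]: named_type(f["type"]) for f in t.get("fields") or []}
    return summary


def recursive_fields(summary):
    """Fields whose return type is their own parent type: these let a client nest without bound."""
    return sorted((t, f) for t, fields in summary.items() for f, target in fields.items() if target == t)


def query_depth(query):
    """Check 2: nesting depth of a query document (the operation's own selection set counts as 1).
    Braces inside string literals and '#' comments are ignored so they cannot skew the count."""
    depth = max_depth = 0
    in_string = False
    i = 0
    while i < len(query):
        c = query[i]
        if in_string:
            if c == "\\":
                i += 1            # skip the escaped character
            elif c == '"':
                in_string = False
        elif c == '"':
            in_string = True
        elif c == "#":
            while i < len(query) and query[i] != "\n":
                i += 1            # comment runs to end of line
        elif c == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif c == "}":
            depth -= 1
        i += 1
    return max_depth


if __name__ == "__main__":
    print("introspection exposed:", introspection_exposed(SAMPLE_RESPONSE))
    types = summarize_types(SAMPLE_RESPONSE)
    print("recursive fields:", recursive_fields(types))
    abusive = "{ user { friends { friends { friends { id } } } } }"
    print("depth of abusive query:", query_depth(abusive))
```

Against a live target, swap `SAMPLE_RESPONSE` for `fetch_schema("http://host/graphql")`; a server that has introspection disabled typically answers with an `errors` array and no `data.__schema`, which `introspection_exposed` reports as `False`. The depth counter is deliberately a lexer-level approximation (it does not build an AST), which is adequate for a max-depth gate but will count fragments where they are defined, not where they are spread.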