Proof · GitHub REST API · June 2026
From 40 to 80 on GitHub’s riskiest REST endpoints
We ran APIThreshold on five of the most dangerous operations in GitHub’s official REST API. A typical happy-path test suite scored 40 out of 100 and did not pass the quality check. After APIThreshold generated tests, the suite scored 80 out of 100, covered security cases across all five endpoints, and passed the same check — in about 15 minutes.
Summary
GitHub publishes a 600+ operation OpenAPI description. We scoped APIThreshold to five of the highest-risk endpoints — repo deletion, ownership transfer, collaborator permissions, branch protection, and deploy-key creation. The risk assessor auto-flagged all five as P0 critical.
Our naive baseline only checked success responses. APIThreshold generated the auth, permission, and guardrail tests a production reviewer would expect — then scored the result and ran a warning-mode quality check (80% bar, free tier).
Before / after
| Dimension | Without APIThreshold | With APIThreshold |
|---|---|---|
| Overall quality score | 40/100 | 80/100 |
| Security score | 20 | 80 |
| Coverage gaps | 6 (branch protection untested, no 401/403) | 5 (residual schema polish) |
| Quality check (warning, 80%) | Did not pass (40%) | Passed (80%) |
| Time to production-ready suite | Hours–days, manual | ~15 minutes generate + extract |
Five endpoints under test
| Endpoint | Why it matters |
|---|---|
| DELETE /repos/{owner}/{repo} | Irreversible data destruction |
| POST /repos/{owner}/{repo}/transfer | Ownership change and authorization |
| PUT /repos/{owner}/{repo}/collaborators/{username} | Permission escalation |
| PUT /repos/{owner}/{repo}/branches/{branch}/protection | Security-control bypass |
| POST /repos/{owner}/{repo}/keys | Deploy-key credential creation |
What it caught
The baseline only asserted happy paths. Generated tests added the cases a security review would demand:
Auth failure (401/403) — baseline had none:
```python
# tests-generated/test_POST_repo_keys_security_unauthenticated_and_permission_checks.py
resp_unauth = requests.post(endpoint, json=payload)  # no Authorization header
assert resp_unauth.status_code == 401
# ...
assert resp_forbidden.status_code == 403  # authenticated but not admin
```
Branch protection — entirely absent in baseline:
```python
# tests-generated/test_PUT_branch_protection_security_auth_and_admin_enforcement.py
assert r_unauth.status_code == 401     # unauthenticated
assert r_forbidden.status_code == 403  # no admin permission
```
Destructive delete guardrails — baseline only accepted 204/404:
```python
# tests-generated/test_DELETE_repo_security_unauthenticated_and_unauthorized.py
assert resp_unauth.status_code in (401, 403)
# ... verify repo still exists after unauthorized delete attempt
```
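The three patterns above (401 without a token, 403 without admin rights, and a state check after a rejected destructive call) are shown as excerpts, so the following is an added, self-contained illustration of the same checks. It is not APIThreshold output and not GitHub's implementation: it runs against a constructed in-memory stand-in (`FakeGitHub`, `TOKENS`, `run_security_checks` are all assumed names) so it executes offline with no GitHub token, which matches the static-analysis caveat below.

```python
"""Added example (not APIThreshold output and not GitHub's implementation):
the three negative-case patterns from the generated tests, run offline against
a constructed in-memory stand-in for the GitHub REST API. Every name and
token here is an assumption made for this example."""

from dataclasses import dataclass, field

# Constructed tokens and principals; none of these are real credentials.
TOKENS = {
    "ghp_admin_CONSTRUCTED": {"login": "octo-admin", "admin": True},
    "ghp_reader_CONSTRUCTED": {"login": "octo-reader", "admin": False},
}


@dataclass
class FakeGitHub:
    """Minimal stand-in modelling only what the security tests assert on:
    401 with a missing or unknown token, 403 for a non-admin, and state
    changes only on the admin path. Real GitHub often answers 404 instead of
    403 to hide a private repository's existence; that is not modelled."""

    repos: dict = field(default_factory=lambda: {
        "octo/app": {"deploy_keys": [], "protection": {}},
    })

    def _principal(self, headers):
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme not in ("Bearer", "token") or token not in TOKENS:
            return None
        return TOKENS[token]

    def request(self, method, path, headers=None, json=None):
        """Dispatch one call; returns (status_code, body)."""
        user = self._principal(headers or {})
        if user is None:
            return 401, {"message": "Requires authentication"}
        parts = path.strip("/").split("/")
        if len(parts) < 3 or parts[0] != "repos":
            return 404, {"message": "Not Found"}
        repo, tail = "/".join(parts[1:3]), parts[3:]
        if repo not in self.repos:
            return 404, {"message": "Not Found"}
        # All three operations modelled here require admin on the repository.
        if not user["admin"]:
            return 403, {"message": "Must have admin rights to Repository."}
        if method == "DELETE" and not tail:
            del self.repos[repo]
            return 204, None
        if method == "POST" and tail == ["keys"]:
            self.repos[repo]["deploy_keys"].append(json)
            return 201, json
        if (method == "PUT" and len(tail) == 4
                and tail[0] == "branches" and tail[2] == "protection"):
            self.repos[repo]["protection"][tail[1]] = json
            return 200, json
        return 404, {"message": "Not Found"}


def run_security_checks(api=None):
    """Run the negative-case checks and return {check_name: passed}. Each
    rejected call is followed by a state assertion, the guardrail pattern the
    DELETE excerpt describes ("verify repo still exists")."""
    api = api or FakeGitHub()
    anon = {}                                                   # no Authorization header
    reader = {"Authorization": "Bearer ghp_reader_CONSTRUCTED"}  # authenticated, not admin
    admin = {"Authorization": "Bearer ghp_admin_CONSTRUCTED"}
    key = {"title": "ci-key", "key": "ssh-ed25519 AAAAC3-constructed", "read_only": True}
    protection = {"required_status_checks": None, "enforce_admins": True,
                  "required_pull_request_reviews": None, "restrictions": None}
    results = {}

    # POST /repos/{owner}/{repo}/keys: no credential creation without auth or admin.
    results["keys_unauth_401"] = api.request("POST", "/repos/octo/app/keys", anon, key)[0] == 401
    results["keys_non_admin_403"] = api.request("POST", "/repos/octo/app/keys", reader, key)[0] == 403
    results["keys_unchanged_after_rejection"] = api.repos["octo/app"]["deploy_keys"] == []

    # PUT /repos/{owner}/{repo}/branches/{branch}/protection: security controls need admin.
    path = "/repos/octo/app/branches/main/protection"
    results["protection_unauth_401"] = api.request("PUT", path, anon, protection)[0] == 401
    results["protection_non_admin_403"] = api.request("PUT", path, reader, protection)[0] == 403
    results["protection_unchanged_after_rejection"] = api.repos["octo/app"]["protection"] == {}

    # DELETE /repos/{owner}/{repo}: rejected, and the repository must still exist.
    results["delete_unauth_401_or_403"] = api.request("DELETE", "/repos/octo/app", anon)[0] in (401, 403)
    results["delete_non_admin_403"] = api.request("DELETE", "/repos/octo/app", reader)[0] == 403
    results["repo_survives_rejected_delete"] = "octo/app" in api.repos

    # Positive control: the admin path works, so the 4xx results are not an
    # artefact of a broken fixture that rejects everything.
    results["admin_delete_204"] = api.request("DELETE", "/repos/octo/app", admin)[0] == 204
    results["repo_gone_after_admin_delete"] = "octo/app" not in api.repos
    return results


if __name__ == "__main__":
    for name, ok in run_security_checks().items():
        print(f"{'PASS' if ok else 'FAIL'} {name}")
```

The positive control at the end is the part happy-path suites usually have and negative suites usually forget: without it, a fixture that returns 401 for everything would make every security check pass vacuously.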
How it works
Executed with APIThreshold CLI v0.1.0 and gpt-5-mini. Warning mode (80% threshold) on the free tier — enforcing mode (95%) requires Starter+.
Reproduce it
Full runbook, Makefile, and scored artifacts live in the public reproduction repo. Prerequisites: an OpenAI API key and `APITHRESHOLD_MODEL=gpt-5-mini`; then run `make all`.
Caveats
- Static analysis: tests are generated and scored, not executed against live GitHub. No GitHub token required.
- Realistic baseline: the “without” suite is a representative naive suite we authored — not a scrape of GitHub’s internal tests.
- Model matters: results use gpt-5-mini; weaker or local models score lower. Pin model + APIThreshold version for reproducibility.
- Free tier: this run used warning mode (80% bar). Enforcing (95%) requires Starter+.