IAST using the REST API
Configure and start an IAST scan, including agent deployment, through the REST API.
Before you begin
See also the following resources on Swagger:
Procedure
- Get an API Key.
- Get the ID for the application in which you want to run the scan by doing one of the following:
  - In the user interface, open the tab for the specific application, and look at the URL. The last section before the word "scans" is the ID. For example, in this case:
    cloud.appscan.com/AsoCUI/serviceui/main/myapps/app01/123456a-78b-90c-123ab4c/scans
    the application ID is: 123456a-78b-90c-123ab4c
  - Alternatively, you can get a list of all application IDs for your user (API key) through the REST API GetApps endpoint:
    request URL: GET https://cloud.appscan.com/api/v4/Apps
    headers: "Authorization=Bearer <api key>"
    Parameters: "$select=Id"
- Create an IAST scan using the CreateIastAnalyzerScan endpoint:
  request URL: POST https://cloud.appscan.com/api/v4/Scans/IASTAnalyzer
  headers: "Authorization=Bearer <token>, Accept: application/json, Content-Type: application/json"
  Json: { "ConnLostStopTimer": true, "ScanName": <scanName>, "EnableMailNotification": true, "Locale": "en-US", "AppId": <appId>, "Personal": false }
  The body is the input parameter scanModel, a JSON structure with the following fields:
  ScanName is the name you give the scan.
  AppId is the application ID (see previous step).
  ConnLostStopTimer is an optional timeout (in minutes) to stop the scan if the agent connection is lost. If left empty, the scan continues even if the agent connection is lost and there is nothing to report. A possible use case for this is to prevent the license being taken by another user in the meantime.
  Personal should be set to false unless you want to run the scan as a personal scan.
  The response includes the ScanId. Save this to use in the next step.
- Download an agent preconfigured to report issues to the scan created in the previous step. Do this using the Tools/DownloadWithKey endpoint.
  request URL: GET https://cloud.appscan.com/api/v4/Tools/IastAgentWithKey?scanId=<scan_id>
  headers: "Authorization=Bearer <api key>, Accept: application/zip"
  scan_id is the ID saved at the end of the previous step.
- Deploy the IAST agent on your application server.
  The agent is now monitoring traffic to the application, and reports to ASoC on vulnerabilities it detects.
- Send traffic to the application for IAST to monitor. This can be your regular system tests or a DAST scan.
  Issues discovered are now recorded in the IAST scan.
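The REST steps above (get application IDs, create the IAST scan, download the preconfigured agent) as one script, added here as an example and not HCL's or this page's own code. It assumes the v4 endpoints and header layout shown on this page, an ASOC_API_KEY environment variable (name chosen here), a GetApps response that is either a list or an object with an Items list, and a create-scan response carrying the ID under the ScanId key named on the page; ConnLostStopTimer is passed in minutes, as the text describes it.

```python
import json
import os
import sys
import urllib.request

BASE = "https://cloud.appscan.com/api/v4"

def app_id_from_ui_url(url: str) -> str:
    """Application ID = the path segment just before 'scans' in the ASoC UI URL."""
    parts = [p for p in url.split("/") if p]
    if "scans" not in parts or parts.index("scans") == 0:
        raise ValueError("no application ID segment before 'scans'")
    return parts[parts.index("scans") - 1]

def scan_model(scan_name: str, app_id: str, stop_after_minutes=None, personal=False) -> dict:
    """Body for POST /Scans/IASTAnalyzer; ConnLostStopTimer is left out when no timeout is wanted."""
    body = {"ScanName": scan_name, "AppId": app_id, "EnableMailNotification": True,
            "Locale": "en-US", "Personal": personal}
    if stop_after_minutes is not None:
        body["ConnLostStopTimer"] = stop_after_minutes  # minutes, per the field description above
    return body

def call(api_key: str, method: str, path: str, body=None, accept="application/json") -> bytes:
    """One authenticated ASoC request; the API key goes in the Bearer header as the page shows."""
    headers = {"Authorization": f"Bearer {api_key}", "Accept": accept}
    data = json.dumps(body).encode() if body is not None else None
    if data is not None:
        headers["Content-Type"] = "application/json"
    req = urllib.request.Request(BASE + path, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=60) as resp:
        return resp.read()

def main() -> None:
    key = os.environ.get("ASOC_API_KEY")  # assumed variable name, not part of the page
    if not key:
        sys.exit("set ASOC_API_KEY to your ASoC API key")
    apps = json.loads(call(key, "GET", "/Apps?$select=Id"))
    ids = [a["Id"] for a in (apps["Items"] if isinstance(apps, dict) else apps)]  # response shape assumed
    scan = json.loads(call(key, "POST", "/Scans/IASTAnalyzer", scan_model("iast-api-demo", ids[0], 30)))
    scan_id = scan.get("ScanId") or scan.get("Id")  # key name per the page; "Id" fallback assumed
    with open("iast-agent.zip", "wb") as f:  # preconfigured agent to deploy on the application server
        f.write(call(key, "GET", f"/Tools/IastAgentWithKey?scanId={scan_id}", accept="application/zip"))
    print(f"scan {scan_id} created; agent saved to iast-agent.zip")

if __name__ == "__main__":
    main()
```

The script creates the scan against the first application returned; pick the ID deliberately (or use app_id_from_ui_url on the UI URL) before running it against a real tenant.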